nixos/hosts/granodomus-lima.nix

146 lines
4.5 KiB
Nix
Raw Normal View History

2023-09-21 16:05:17 +02:00
{
pkgs,
lib,
config,
...
}: let
state = builtins.import ../state.nix;
mkVirtHost = lib.attrsets.recursiveUpdate {
forceSSL = true;
enableACME = true;
};
2023-09-21 16:05:17 +02:00
in {
imports = [
../hardware/netcup-vps-200-g10.nix
../modules/nginx-reverse-proxy.nix
];
config = {
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
2023-01-15 16:52:17 +01:00
networking.hostId = "94d74a20";
networking.hostName = "granodomus-lima";
networking.interfaces.ens3.useDHCP = true;
2023-01-15 16:52:17 +01:00
settings.ssh.openOutsideVPN = true;
2023-01-15 16:52:17 +01:00
users.users = {
root = {
hashedPassword = "$6$Yb1gdlKIpY1hRW1X$uUcNFuNnK2JFFN55Tkc.fPV.4I7RJvIfLEQayVP1utfkmjF0f/EHjtypxq11jR5NUUIJFQLW6ffajjduA2689.";
};
2023-01-15 16:52:17 +01:00
};
sops.defaultSopsFile = ../secrets/hosts/granodomus-lima/secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
2023-01-15 16:52:17 +01:00
2023-10-30 15:35:55 +01:00
services.fail2ban = {
enable = true;
ignoreIP = let
vpn = (builtins.import ../state.nix).vpn;
extractIPs = _: config: [config.v4 config.v6];
2023-10-30 15:35:55 +01:00
in
lib.flatten (lib.attrsets.mapAttrsToList extractIPs vpn);
};
# Run radicale with infcloud interface for me and Marie
services.radicaleWithInfcloud.enable = true;
2023-01-15 16:52:17 +01:00
2023-10-30 15:35:55 +01:00
services.nginx.virtualHosts = let
services = state.services;
removeUnexposed = lib.attrsets.filterAttrs (_: config: config ? "external" && config.external);
2023-10-30 15:35:55 +01:00
createVirtHost = name: config: {
name = "${name}.tammena.me";
value = mkVirtHost {
2023-10-30 15:35:55 +01:00
locations."/" = {
proxyPass = "http://${config.host}:${builtins.toString config.port}";
proxyWebsockets = true;
};
2023-10-30 00:31:58 +01:00
};
};
2023-10-30 15:35:55 +01:00
in
lib.mapAttrs' createVirtHost (removeUnexposed services);
services.nginx.appendConfig = ''
stream {
upstream ssh {
server ${state.services.git.host}:22;
}
server {
listen 22222;
# server_name git.tammena.me;
proxy_pass ssh;
}
}
'';
2023-10-30 15:35:55 +01:00
sops.secrets =
lib.mapAttrs' (name: _: {
2023-10-30 15:35:55 +01:00
name = "certificate-key-${name}-tammena-me";
value = {
owner = "nginx";
mode = "0400";
2023-10-30 00:31:58 +01:00
};
2023-10-30 15:35:55 +01:00
})
(builtins.import ../state.nix).services;
services.qemuGuest.enable = true;
2023-01-15 16:52:17 +01:00
services.bind = {
enable = true;
cacheNetworks = ["any"];
forwarders = ["100.100.100.100"];
listenOn = ["any"];
listenOnIpv6 = ["any"];
zones."home" = let
2023-10-30 00:31:58 +01:00
granodomus-lima = config.state.vpn.machine.granodomus-lima;
faunus-ater = config.state.vpn.machine.faunus-ater;
point = domain: host: ''
2023-10-30 00:31:58 +01:00
${domain} AAAA ${host.ipv6}
${domain} A ${host.ipv4}
'';
in {
master = true;
# TODO: Fix TTLs
file = pkgs.writeText "home-zone" ''
$TTL 1
@ IN SOA home. malte.home. (
5 ; Serial
1 ; Refresh
1 ; Retry
1 ; Expire
1) ; Negative Cache TTL
@ NS home.
${point "home." granodomus-lima}
${point "cal" granodomus-lima}
${point "mc" granodomus-lima}
${point "foto" faunus-ater}
${point "doc" faunus-ater}
${point "sheet" faunus-ater}
${point "media" faunus-ater}
${point "file" faunus-ater}
${point "stats" faunus-ater}
${point "cache" faunus-ater}
${point "hydra" faunus-ater}
${point "git" faunus-ater}
${point "read" faunus-ater}
${point "note" faunus-ater}
${point "time" faunus-ater}
${point "todo" faunus-ater}
${point "support" faunus-ater}
2023-09-10 00:34:14 +02:00
${point "config" faunus-ater}
2023-10-30 00:31:58 +01:00
${point "listen" faunus-ater}
'';
2023-01-15 16:52:17 +01:00
};
};
networking.firewall.allowedTCPPorts = [53 22222];
networking.firewall.allowedUDPPorts = [53];
2023-01-15 16:52:17 +01:00
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
};
2023-01-15 16:52:17 +01:00
}