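# NixOS host configuration for "granodomus-lima" (a netcup VPS).
#
# The host terminates TLS for the externally exposed services listed in
# ../state.nix, relays SSH to the git host on a non-standard port, and runs
# bind for the private "home" zone of the VPN. Everything the other hosts
# need to know about this machine is read from ../state.nix so it is
# declared in exactly one place.
{ pkgs, lib, config, ... }:
let
  state = builtins.import ../state.nix;

  # Every nginx virtual host created below is HTTPS-only with an ACME
  # certificate; the caller only supplies what differs per host.
  mkVirtHost = lib.attrsets.recursiveUpdate {
    forceSSL = true;
    enableACME = true;
  };

  # All addresses (v4 and v6) of every VPN peer declared in state.nix.
  # Used both to exempt the peers from fail2ban and to decide who may use
  # bind as a recursive resolver. (`peer` is used instead of `config` so the
  # module argument `config` is not shadowed.)
  vpnAddresses = lib.flatten (
    lib.attrsets.mapAttrsToList (_: peer: [ peer.v4 peer.v6 ]) state.vpn
  );
in {
  imports = [
    ../hardware/netcup-vps-200-g10.nix
    ../modules/nginx-reverse-proxy.nix
  ];

  config = {
    boot.loader.grub.enable = true;
    boot.loader.grub.device = "/dev/sda";

    networking.hostId = "94d74a20";
    networking.hostName = "granodomus-lima";
    networking.interfaces.ens3.useDHCP = true;

    # Custom option from the shared modules; presumably makes sshd reachable
    # from the public interface and not only over the VPN, which is why
    # fail2ban is enabled below. Verify against the module definition.
    settings.ssh.openOutsideVPN = true;

    users.users = {
      root = {
        # crypt(3) SHA-512 hash, not the password itself. It is still worth
        # moving into the sops secrets file and referencing it via
        # `users.users.root.hashedPasswordFile` so the hash does not live in
        # the repository history.
        hashedPassword = "$6$Yb1gdlKIpY1hRW1X$uUcNFuNnK2JFFN55Tkc.fPV.4I7RJvIfLEQayVP1utfkmjF0f/EHjtypxq11jR5NUUIJFQLW6ffajjduA2689.";
      };
    };

    sops.defaultSopsFile = ../secrets/hosts/granodomus-lima/secrets.yaml;
    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    services.fail2ban = {
      enable = true;
      # VPN peers are never banned, whatever they do.
      ignoreIP = vpnAddresses;
    };

    # Run radicale with infcloud interface for me and Marie
    services.radicaleWithInfcloud.enable = true;

    # One reverse-proxy virtual host per service that is flagged as
    # externally reachable in state.nix: <name>.tammena.me -> host:port.
    services.nginx.virtualHosts = let
      exposed = lib.attrsets.filterAttrs
        (_: svc: svc ? "external" && svc.external)
        state.services;
      createVirtHost = name: svc: {
        name = "${name}.tammena.me";
        value = mkVirtHost {
          locations."/" = {
            proxyPass = "http://${svc.host}:${builtins.toString svc.port}";
            proxyWebsockets = true;
          };
        };
      };
    in lib.mapAttrs' createVirtHost exposed;

    # Plain TCP relay of SSH to the git host; port 22222 is opened in the
    # firewall below. nginx stream blocks cannot route by hostname, hence the
    # commented-out server_name.
    services.nginx.appendConfig = ''
      stream {
        upstream ssh {
          server ${state.services.git.host}:22;
        }
        server {
          listen 22222;
          # server_name git.tammena.me;
          proxy_pass ssh;
        }
      }
    '';

    # One certificate-key secret per service in state.nix (exposed or not),
    # readable only by the nginx user.
    sops.secrets = lib.mapAttrs' (name: _: {
      name = "certificate-key-${name}-tammena-me";
      value = {
        owner = "nginx";
        mode = "0400";
      };
    }) state.services;

    services.qemuGuest.enable = true;

    services.bind = {
      enable = true;
      # Port 53 is open to the internet (see the firewall rules below), so
      # recursion must not be offered to "any" -- that would make this VPS an
      # open resolver usable for DNS amplification. Only the host itself and
      # the VPN peers may recurse; the authoritative "home" zone is still
      # answered for every client, as before.
      cacheNetworks = [ "127.0.0.0/8" "::1/128" ] ++ vpnAddresses;
      forwarders = [ "100.100.100.100" ];
      listenOn = [ "any" ];
      listenOnIpv6 = [ "any" ];

      zones."home" = let
        granodomus-lima = config.state.vpn.machine.granodomus-lima;
        faunus-ater = config.state.vpn.machine.faunus-ater;
        # One AAAA and one A record pointing `domain` at `host`.
        point = domain: host: ''
          ${domain} AAAA ${host.ipv6}
          ${domain} A ${host.ipv4}
        '';
      in {
        master = true;
        # TODO: Fix TTLs
        # Serial 5 must be bumped by hand whenever the records change,
        # otherwise secondaries (if any) will not pick up the new data.
        file = pkgs.writeText "home-zone" ''
          $TTL 1
          @ IN SOA home. malte.home. (
            5 ; Serial
            1 ; Refresh
            1 ; Retry
            1 ; Expire
            1) ; Negative Cache TTL
          @ NS home.
          ${point "home." granodomus-lima}
          ${point "cal" granodomus-lima}
          ${point "mc" granodomus-lima}
          ${point "foto" faunus-ater}
          ${point "doc" faunus-ater}
          ${point "sheet" faunus-ater}
          ${point "media" faunus-ater}
          ${point "file" faunus-ater}
          ${point "stats" faunus-ater}
          ${point "cache" faunus-ater}
          ${point "hydra" faunus-ater}
          ${point "git" faunus-ater}
          ${point "read" faunus-ater}
          ${point "note" faunus-ater}
          ${point "time" faunus-ater}
          ${point "todo" faunus-ater}
          ${point "support" faunus-ater}
          ${point "config" faunus-ater}
          ${point "listen" faunus-ater}
        '';
      };
    };

    # 53: bind (the private "home" zone is answerable from any source this
    # way; restricting it to the VPN interface via
    # networking.firewall.interfaces would hide the internal names).
    # 22222: SSH relay to the git host.
    networking.firewall.allowedTCPPorts = [ 53 22222 ];
    networking.firewall.allowedUDPPorts = [ 53 ];

    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It‘s perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "21.05"; # Did you read the comment?
  };
}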