config/hosts/fra1-b/configuration.nix

# NixOS host configuration for fra1-b: a QEMU guest that serves as an
# authoritative DNS server (nsd) plus a remote-builder / deployerbot target.
# The only service opened in the global firewall is DNS (53/udp, 53/tcp); the
# remaining listeners are reachable through the mj.* modules' own rules.
{
  config,
  myData,
  modulesPath,
  ...
}:
let
  # Single virtio-scsi disk, addressed by its stable by-id path so partition
  # numbering survives device renames.
  disk = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_50294864";

  # Decrypted agenix secrets; only their runtime paths are referenced below, so
  # no hash or password material lives in the repository in clear text.
  secrets = config.age.secrets;

  # SSH source pattern for the tailscale subnet; every SSH-reachable service on
  # this host is restricted to it.
  tailscaleSsh = myData.subnets.tailscale.sshPattern;

  # Public SSH key of a host from the shared host inventory.
  hostKey = h: myData.hosts.${h}.publicKey;
in
{
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

  age.secrets.motiejus-passwd-hash.file = ../../secrets/motiejus_passwd_hash.age;
  age.secrets.root-passwd-hash.file = ../../secrets/root_passwd_hash.age;
  age.secrets.sasl-passwd.file = ../../secrets/postfix_sasl_passwd.age;
  # The spiped key is owned by the spiped user and placed at a fixed path the
  # ssh8022 module reads from.
  age.secrets.ssh8022-server = {
    file = ../../secrets/ssh8022.age;
    owner = "spiped";
    path = "/var/lib/spiped/ssh8022.key";
  };

  boot.loader.systemd-boot.enable = true;
  boot.initrd.kernelModules = [ "usb_storage" ];
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "virtio_scsi"
    "sr_mod"
  ];

  # ESP; fmask/dmask 0022 leave it world-readable, which is fine as long as
  # nothing secret is placed under /boot.
  fileSystems."/boot" = {
    device = "${disk}-part1";
    fsType = "vfat";
    options = [
      "fmask=0022"
      "dmask=0022"
    ];
  };
  fileSystems."/" = {
    device = "${disk}-part3";
    fsType = "btrfs";
    options = [
      "compress=zstd"
      "noatime"
    ];
  };
  swapDevices = [ { device = "${disk}-part2"; } ];

  mj.stateVersion = "24.05";
  mj.timeZone = "UTC";
  mj.username = "motiejus";

  # Local accounts authenticate against hashed passwords delivered via agenix.
  mj.base.users = {
    enable = true;
    root.hashedPasswordFile = secrets.root-passwd-hash.path;
    user.hashedPasswordFile = secrets.motiejus-passwd-hash.path;
  };
  mj.base.unitstatus = {
    enable = true;
    email = "motiejus+alerts@jakstys.lt";
  };

  mj.services.node_exporter.enable = true;
  mj.services.ping_exporter.enable = true;
  mj.services.tailscale.enable = true;

  # spiped-wrapped SSH; not exposed via the global firewall, so it is only
  # reachable on whatever the ssh8022 module itself permits.
  mj.services.ssh8022.server = {
    enable = true;
    keyfile = secrets.ssh8022-server.path;
    openGlobalFirewall = false;
  };

  # Remote nix builder: SSH limited to the tailscale subnet and to the listed
  # hosts' keys.
  mj.services.remote-builder.server = {
    enable = true;
    uidgid = myData.uidgid.remote-builder;
    sshAllowSubnet = tailscaleSsh;
    publicKeys = map hostKey [
      "vno1-gdrx.jakst.vpn"
      "fwminex.jakst.vpn"
      "mtworx.jakst.vpn"
    ];
  };

  mj.services.postfix = {
    enable = true;
    saslPasswdPath = secrets.sasl-passwd.path;
  };

  # Deployment follower: a single authorised deployer key, again tailscale-only.
  mj.services.deployerbot.follower = {
    enable = true;
    publicKeys = [ (hostKey "fwminex.jakst.vpn") ];
    sshAllowSubnets = [ tailscaleSsh ];
    uidgid = myData.uidgid.updaterbot-deployee;
  };

  # Authoritative DNS bound on all interfaces; the firewall below narrows the
  # external exposure to port 53.
  services.nsd = {
    enable = true;
    interfaces = [
      "0.0.0.0"
      "::"
    ];
    zones."jakstys.lt.".data = myData.jakstysLTZone;
  };

  powerManagement.cpuFreqGovernor = "performance";

  networking.hostName = "fra1-b";
  networking.domain = "jakst.vpn";
  networking.useDHCP = true;
  # Static IPv6 on the primary interface; the link-local gateway is the
  # provider's router.
  networking.interfaces.enp1s0.ipv6.addresses = [
    {
      address = "2a01:4f8:c012:1ba::";
      prefixLength = 64;
    }
  ];
  networking.defaultGateway6 = {
    address = "fe80::1";
    interface = "enp1s0";
  };
  # Only DNS is admitted from the outside world.
  networking.firewall = {
    allowedUDPPorts = [ 53 ];
    allowedTCPPorts = [ 53 ];
  };

  nixpkgs.hostPlatform = "aarch64-linux";
}