2024-07-30 21:19:40 +00:00
|
|
|
{
|
|
|
|
|
config,
|
|
|
|
|
myData,
|
|
|
|
|
modulesPath,
|
|
|
|
|
...
|
|
|
|
|
}:
|
2024-07-30 20:06:33 +00:00
|
|
|
let
|
|
|
|
|
disk = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_50294864";
|
|
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
|
|
|
|
|
2024-08-27 05:50:57 +00:00
|
|
|
age.secrets = {
|
2024-08-27 05:57:17 +00:00
|
|
|
motiejus-passwd-hash.file = ../../secrets/motiejus_passwd_hash.age;
|
|
|
|
|
root-passwd-hash.file = ../../secrets/root_passwd_hash.age;
|
|
|
|
|
sasl-passwd.file = ../../secrets/postfix_sasl_passwd.age;
|
2024-08-27 05:50:57 +00:00
|
|
|
ssh8022-server = {
|
|
|
|
|
file = ../../secrets/ssh8022.age;
|
|
|
|
|
owner = "spiped";
|
|
|
|
|
path = "/var/lib/spiped/ssh8022.key";
|
|
|
|
|
};
|
|
|
|
|
|
2024-08-25 08:37:56 +00:00
|
|
|
};
|
|
|
|
|
|
2024-07-30 20:06:33 +00:00
|
|
|
boot = {
|
|
|
|
|
loader.systemd-boot.enable = true;
|
|
|
|
|
initrd = {
|
|
|
|
|
kernelModules = [ "usb_storage" ];
|
|
|
|
|
availableKernelModules = [
|
|
|
|
|
"xhci_pci"
|
|
|
|
|
"virtio_scsi"
|
|
|
|
|
"sr_mod"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2024-07-30 21:04:07 +00:00
|
|
|
fileSystems = {
|
|
|
|
|
"/boot" = {
|
|
|
|
|
device = "${disk}-part1";
|
|
|
|
|
fsType = "vfat";
|
|
|
|
|
options = [
|
|
|
|
|
"fmask=0022"
|
|
|
|
|
"dmask=0022"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
"/" = {
|
|
|
|
|
device = "${disk}-part3";
|
|
|
|
|
fsType = "btrfs";
|
|
|
|
|
options = [
|
|
|
|
|
"compress=zstd"
|
|
|
|
|
"noatime"
|
|
|
|
|
];
|
|
|
|
|
};
|
2024-07-30 20:06:33 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
swapDevices = [ { device = "${disk}-part2"; } ];
|
|
|
|
|
|
|
|
|
|
mj = {
|
|
|
|
|
stateVersion = "24.05";
|
|
|
|
|
timeZone = "UTC";
|
|
|
|
|
username = "motiejus";
|
|
|
|
|
|
|
|
|
|
base = {
|
|
|
|
|
users = {
|
|
|
|
|
enable = true;
|
2024-07-30 21:18:48 +00:00
|
|
|
root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;
|
|
|
|
|
user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;
|
2024-07-30 20:06:33 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
unitstatus = {
|
|
|
|
|
enable = true;
|
|
|
|
|
email = "motiejus+alerts@jakstys.lt";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services = {
|
|
|
|
|
node_exporter.enable = true;
|
2024-09-16 11:49:07 +00:00
|
|
|
ping_exporter.enable = true;
|
2024-07-30 20:06:33 +00:00
|
|
|
tailscale.enable = true;
|
|
|
|
|
|
2024-08-25 08:37:56 +00:00
|
|
|
ssh8022.server = {
|
|
|
|
|
enable = true;
|
|
|
|
|
keyfile = config.age.secrets.ssh8022-server.path;
|
2024-08-27 05:39:32 +00:00
|
|
|
openGlobalFirewall = false;
|
2024-08-25 08:37:56 +00:00
|
|
|
};
|
|
|
|
|
|
2024-07-30 20:06:33 +00:00
|
|
|
remote-builder.server = {
|
|
|
|
|
enable = true;
|
|
|
|
|
uidgid = myData.uidgid.remote-builder;
|
|
|
|
|
sshAllowSubnet = myData.subnets.tailscale.sshPattern;
|
|
|
|
|
publicKeys = map (h: myData.hosts.${h}.publicKey) [
|
2025-03-08 21:47:31 +00:00
|
|
|
"vno1-gdrx.jakst.vpn"
|
|
|
|
|
"fwminex.jakst.vpn"
|
|
|
|
|
"mtworx.jakst.vpn"
|
2024-07-30 20:06:33 +00:00
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
|
2024-07-30 21:24:37 +00:00
|
|
|
postfix = {
|
|
|
|
|
enable = true;
|
|
|
|
|
saslPasswdPath = config.age.secrets.sasl-passwd.path;
|
|
|
|
|
};
|
2024-07-30 20:06:33 +00:00
|
|
|
|
|
|
|
|
deployerbot = {
|
|
|
|
|
follower = {
|
2025-03-08 21:47:31 +00:00
|
|
|
publicKeys = [ myData.hosts."fwminex.jakst.vpn".publicKey ];
|
2024-07-30 20:06:33 +00:00
|
|
|
|
|
|
|
|
enable = true;
|
|
|
|
|
sshAllowSubnets = [ myData.subnets.tailscale.sshPattern ];
|
|
|
|
|
uidgid = myData.uidgid.updaterbot-deployee;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services = {
|
|
|
|
|
nsd = {
|
|
|
|
|
enable = true;
|
|
|
|
|
interfaces = [
|
|
|
|
|
"0.0.0.0"
|
|
|
|
|
"::"
|
|
|
|
|
];
|
|
|
|
|
zones = {
|
|
|
|
|
"jakstys.lt.".data = myData.jakstysLTZone;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2025-02-19 20:16:22 +00:00
|
|
|
powerManagement.cpuFreqGovernor = "performance";
|
|
|
|
|
|
2024-07-30 20:06:33 +00:00
|
|
|
networking = {
|
|
|
|
|
hostName = "fra1-b";
|
2025-03-08 21:47:31 +00:00
|
|
|
domain = "jakst.vpn";
|
2024-07-30 20:06:33 +00:00
|
|
|
useDHCP = true;
|
2025-01-18 18:37:26 +00:00
|
|
|
interfaces.enp1s0.ipv6.addresses = [
|
2025-01-18 18:31:59 +00:00
|
|
|
{
|
|
|
|
|
address = "2a01:4f8:c012:1ba::";
|
|
|
|
|
prefixLength = 64;
|
|
|
|
|
}
|
|
|
|
|
];
|
2025-01-18 18:37:26 +00:00
|
|
|
defaultGateway6 = {
|
|
|
|
|
address = "fe80::1";
|
|
|
|
|
interface = "enp1s0";
|
|
|
|
|
};
|
2024-07-30 20:06:33 +00:00
|
|
|
firewall = {
|
|
|
|
|
allowedUDPPorts = [ 53 ];
|
2024-08-27 05:36:02 +00:00
|
|
|
allowedTCPPorts = [ 53 ];
|
2024-07-30 20:06:33 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
nixpkgs.hostPlatform = "aarch64-linux";
|
|
|
|
|
}
|
