config/hosts/fra1-a/configuration.nix
{
  lib,
  config,
  pkgs,
  myData,
  modulesPath,
  ...
}: let
  # The peer host that holds this machine's ZFS passphrase (initrd unlock),
  # whose key is also followed by deployerbot below.
  vno1 = myData.hosts."vno1-oh2.servers.jakst";
  # agenix-managed secret files; only their on-disk paths are referenced here.
  secrets = config.age.secrets;
  # Site Caddyfile fragment shipped as a package; inlined verbatim into both
  # the public and the admin vhost.
  e11syncCaddyfile = builtins.readFile "${pkgs.e11sync-caddyfile}";
in {
  imports = [(modulesPath + "/profiles/qemu-guest.nix")];

  # Root on ZFS on a single QEMU virtio-scsi disk. The initrd runs an SSH
  # server so the pool passphrase can be supplied remotely at boot.
  zfs-root.boot = {
    enable = true;
    devNodes = "/dev/disk/by-id/";
    bootDevices = ["scsi-0QEMU_QEMU_HARDDISK_36151096"];
    immutable = false;
    availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" "virtio_gpu"];
    removableEfi = true;
    kernelParams = ["console=tty"];
    sshUnlock.enable = true;
    # Everyone in people_pubkeys plus vno1-oh2's host key may log into the initrd.
    sshUnlock.authorizedKeys =
      (builtins.attrValues myData.people_pubkeys) ++ [vno1.publicKey];
  };

  mj = {
    stateVersion = "23.05";
    timeZone = "UTC";

    base.users = {
      enable = true;
      # Password hashes come from secret files, never from the Nix store.
      passwd.root.hashedPasswordFile = secrets.root-passwd-hash.path;
      passwd.motiejus.hashedPasswordFile = secrets.motiejus-passwd-hash.path;
    };
    base.unitstatus = {
      enable = true;
      email = "motiejus+alerts@jakstys.lt";
    };
    base.snapshot = {
      enable = true;
      mountpoints = ["/var/lib"];
    };
    # Off-site borg backup of the e11sync state directory, nightly at 01:00 UTC.
    base.zfsborg = {
      enable = true;
      passwordPath = secrets.borgbackup-password.path;
      sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
      dirs = [
        {
          mountpoint = "/var/lib";
          repo = "zh2769@zh2769.rsync.net:${config.networking.hostName}.${config.networking.domain}-var_lib";
          paths = ["private/e11sync-backend"];
          backup_at = "*-*-* 01:00:00 UTC";
        }
      ];
    };

    services.node_exporter.enable = true;
    services.sshguard.enable = true;
    services.tailscale.enable = true;
    services.postfix = {
      enable = true;
      saslPasswdPath = secrets.sasl-passwd.path;
    };
    # Deployments are pushed from vno1-oh2; its SSH access is limited to the
    # Tailscale subnet pattern.
    services.deployerbot.follower = {
      enable = true;
      publicKey = vno1.publicKey;
      sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
      uidgid = myData.uidgid.updaterbot-deployee;
    };
    # Remote unlocking of vno1-oh2's pool is configured but currently disabled.
    services.zfsunlock = {
      enable = false;
      targets."vno1-oh2.servers.jakst" = {
        sshEndpoint = vno1.publicIP;
        pingEndpoint = vno1.jakstIP;
        remotePubkey = vno1.initrdPubKey;
        pwFile = secrets.zfs-passphrase-vno1-oh2.path;
        startAt = "*-*-* *:00/5:00";
      };
    };
  };

  e11sync = {
    enable = true;
    migrateOnStart = true;
    secretKeyPath = secrets.e11sync-secret-key.path;
    vhost = "11sync.net";
  };

  services.caddy = {
    enable = true;
    email = "motiejus+acme@jakstys.lt";
    # Turns on Caddy's per-server metrics endpoint.
    globalConfig = ''
      servers {
        metrics
      }
    '';
    virtualHosts = {
      "www.11sync.net".extraConfig = ''
        redir https://11sync.net
      '';
      # mkForce: the e11sync module presumably defines this vhost itself
      # (see e11sync.vhost above); this definition replaces it rather than
      # merging. /admin/* is redirected to the plain-HTTP admin host.
      "11sync.net".extraConfig = lib.mkForce ''
        redir /admin/* http://admin.11sync.net{uri}
        ${e11syncCaddyfile}
      '';
      # Admin vhost served over plain HTTP (explicit http:// prefix, no TLS).
      # NOTE(review): @denied is declared for requests outside the Tailscale
      # CIDR, but nothing in this file references the matcher (e.g.
      # `respond @denied 403`); unless the included Caddyfile does, port 80 is
      # open to the world (see firewall below) and this vhost is not actually
      # restricted — confirm.
      "http://admin.11sync.net".extraConfig = ''
        @denied not remote_ip ${myData.subnets.tailscale.cidr}
        redir / /admin/
        ${e11syncCaddyfile}
      '';
    };
  };

  # Authoritative DNS for both zones, listening on every interface.
  services.nsd = {
    enable = true;
    interfaces = ["0.0.0.0" "::"];
    zones."jakstys.lt.".data = myData.jakstysLTZone;
    zones."11sync.net.".data = myData.e11syncZone;
  };

  networking = {
    hostId = "bed6fa0b";
    hostName = "fra1-a";
    domain = "servers.jakst";
    useDHCP = true;
    # 53: nsd; 80/443: caddy (443/udp presumably for HTTP/3); 22: sshd,
    # with sshguard enabled above.
    firewall.allowedUDPPorts = [53 443];
    firewall.allowedTCPPorts = [22 53 80 443];
  };

  nixpkgs.hostPlatform = "aarch64-linux";
}