motiejus/config
1
Fork 0
Code Packages Releases Activity

structure the configuration.nix a bit

Browse Source
This commit is contained in:
Motiejus Jakštys 2023-01-04 10:06:52 +02:00
parent 9f8bc58439
commit e1e7a4ea43
1 changed files with 140 additions and 127 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

115
configuration.nix
View File

@ -13,39 +13,42 @@ let ssh_pubkeys = {
/etc/nixos/hardware-configuration.nix /etc/nixos/zfs.nix /etc/nixos/hardware-configuration.nix /etc/nixos/zfs.nix
]; ];
boot.initrd.network.enable = true; boot.initrd.network = {
boot.initrd.network.ssh = { enable = true;
ssh = {
enable = true; enable = true;
port = 22; port = 22;
authorizedKeys = builtins.attrValues ssh_pubkeys; authorizedKeys = builtins.attrValues ssh_pubkeys;
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
}; };
services.zfs.autoSnapshot = {
enable = true;
frequent = 0;
hourly = 24;
daily = 7;
weekly = 0;
monthly = 0;
}; };
services.zfs.autoScrub.enable = true; security.sudo = {
services.zfs.trim.enable = true; wheelNeedsPassword = false;
services.zfs.expandOnBoot = "all"; execWheelOnly = true;
};
networking.hostName = "hel1-a";
time.timeZone = "UTC"; time.timeZone = "UTC";
users.users.motiejus = { users = {
mutableUsers = false;
users = {
git = {
description = "Gitea Service";
home = "/var/lib/gitea";
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
motiejus = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ ssh_pubkeys.motiejus ];
};
};
}; };
users.users.motiejus.openssh.authorizedKeys.keys = [ ssh_pubkeys.motiejus ];
users.mutableUsers = false;
security.sudo.wheelNeedsPassword = false;
security.sudo.execWheelOnly = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
jq jq
@ -67,8 +70,25 @@ let ssh_pubkeys = {
]; ];
programs.mtr.enable = true; programs.mtr.enable = true;
programs.mosh.enable = true;
services.openssh = { services = {
zfs = {
autoSnapshot = {
enable = true;
frequent = 0;
hourly = 24;
daily = 7;
weekly = 0;
monthly = 0;
};
autoScrub.enable = true;
trim.enable = true;
expandOnBoot = "all";
};
openssh = {
enable = true; enable = true;
passwordAuthentication = false; passwordAuthentication = false;
permitRootLogin = "no"; permitRootLogin = "no";
@ -77,13 +97,13 @@ let ssh_pubkeys = {
''; '';
}; };
services.locate = { locate = {
enable = true; enable = true;
locate = pkgs.plocate; locate = pkgs.plocate;
localuser = null; localuser = null;
}; };
services.headscale = { headscale = {
enable = true; enable = true;
serverUrl = "https://vpn.jakstys.lt"; serverUrl = "https://vpn.jakstys.lt";
openIdConnect = { openIdConnect = {
@ -101,9 +121,9 @@ let ssh_pubkeys = {
}; };
}; };
services.tailscale.enable = true; tailscale.enable = true;
services.gitea = { gitea = {
enable = true; enable = true;
user = "git"; user = "git";
database.user = "git"; database.user = "git";
@ -129,23 +149,12 @@ let ssh_pubkeys = {
service.ENABLE_USER_HEATMAP = false; service.ENABLE_USER_HEATMAP = false;
service.SHOW_MILESTONES_DASHBOARD_PAGE = false; service.SHOW_MILESTONES_DASHBOARD_PAGE = false;
session.COOKIE_SECURE = true; session.COOKIE_SECURE = true;
"service.explore".REQUIRE_SIGNIN_VIEW = true;
"service.explore".DISABLE_USERS_PAGE = true;
}; };
#service.explore.REQUIRE_SIGNIN_VIEW = true; does not work as of writing
extraConfig = ''
[service.explore]
REQUIRE_SIGNIN_VIEW = true;
DISABLE_USERS_PAGE = true;
'';
};
users.users.git = {
description = "Gitea Service";
home = "/var/lib/gitea";
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
}; };
services.caddy = { caddy = {
enable = true; enable = true;
email = "motiejus+acme@jakstys.lt"; email = "motiejus+acme@jakstys.lt";
virtualHosts."vpn.jakstys.lt".extraConfig = '' virtualHosts."vpn.jakstys.lt".extraConfig = ''
@ -155,26 +164,30 @@ let ssh_pubkeys = {
reverse_proxy 127.0.0.1:3000 reverse_proxy 127.0.0.1:3000
''; '';
}; };
};
programs.mosh.enable = true; networking = {
networking.firewall.allowedTCPPorts = [ 80 443 ]; hostName = "hel1-a";
networking.firewall.allowedUDPPorts = [ 443 ]; firewall = {
# tailscale insists on this allowedTCPPorts = [ 80 443 ];
networking.firewall.checkReversePath = "loose"; allowedUDPPorts = [ 443 ];
checkReversePath = "loose"; # tailscale insists on this
};
};
system.copySystemConfiguration = true; system = {
copySystemConfiguration = true;
system.autoUpgrade.enable = true; autoUpgrade.enable = true;
system.autoUpgrade = { autoUpgrade = {
allowReboot = true; allowReboot = true;
rebootWindow = { rebootWindow = {
lower = "00:00"; lower = "00:00";
upper = "00:30"; upper = "00:30";
}; };
}; };
};
# do not change # Do not change
system.stateVersion = "22.11"; # Did you read the comment? system.stateVersion = "22.11";
} }