snowfield/machines/gustave/default.nix

{
  pkgs,
  inputs,
  profiles,
  lib,
  ...
}:
{
  imports = [
    ./hardware.nix
    ./home-julien.nix
    ./nsd.nix
    ./borg.nix
    # Performance is not as good as we expected, wait for pages v3
    #    ./pages.nix
    ./readeck.nix
    ./plausible.nix
    ./nextcloud.nix
    ./glance.nix
    ./syncthing.nix
    "${inputs.unstable}/nixos/modules/services/web-apps/readeck.nix"
  ];

  users.users.julien.linger = true;

  services.openssh.extraConfig = ''
    HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
    HostKey /etc/ssh/ssh_host_ed25519_key
    TrustedUserCAKeys /etc/ssh/ssh_user_key.pub
    MaxAuthTries 20
  '';

  machine.meta = {
    arch = "x86_64-linux";
    nixpkgs_version = inputs.nixpkgs;
    hm_version = inputs.home-manager;
    profiles = with profiles; [
      vm-simple-network
      server
      behind-sniproxy
    ];
    ips = {
      public.ipv4 = "82.67.34.230";
      local.ipv4 = "192.168.0.90";
      vpn.ipv4 = "100.100.45.24";
      public.ipv6 = "2a01:e0a:de4:a0e1:eb2:aaaa::45";
      vpn.ipv6 = "fd7a:115c:a1e0::18";
    };

  };

  luj.docs = {
    enable = true;
    nginx.enable = true;
    nginx.subdomain = "docs";
  };

  security.polkit.enable = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  programs.fuse.userAllowOther = true;

  deployment.tags = [ "server" ];

  disko = import ./disko.nix;

  nixpkgs.config.permittedInsecurePackages = [
    "dotnet-sdk-6.0.428"
    "aspnetcore-runtime-6.0.36"
  ];

  systemd.network.netdevs = {
    "20-wg0" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
        MTUBytes = "1300";
      };
      wireguardConfig = {
        PrivateKeyFile = "/srv/wg-private";
        ListenPort = 51820;
      };
      wireguardPeers = [
        {
          PublicKey = "oYsN1Qy+a7dwVOKapN5s5KJOmhSflLHZqh+GLMeNpHw=";
          AllowedIPs = [ "0.0.0.0/0" ];
          Endpoint = "[${lib.snowfield.akhaten.ips.public.ipv6}]:51821";
          PersistentKeepalive = 25;
        }
      ];
    };
  };
  systemd.network.networks."30-wg0" = {
    matchConfig.Name = "wg0";
    addresses = [
      {
        Address = "10.100.45.2/24";
        AddPrefixRoute = false;
      }
    ];
    routes = [
      {
        Gateway = "10.100.45.1";
        Destination = "10.100.45.0/24";
      }
    ];
    DHCP = "no";
    networkConfig = {
      IPv6AcceptRA = false;
    };
  };

  services.forgejo = {
    enable = true;
    package = pkgs.unstable.forgejo;
    settings = {
      server = {
        ROOT_URL = "https://git.luj.fr/";
        LANDING_PAGE = "luj";
      };
    };
  };

  services.openssh.ports = [ 22 ];

  services.nginx.virtualHosts."git.luj.fr" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://localhost:3000";
      proxyWebsockets = true;
    };
  };

  environment.persistence."/persistent" = {
    hideMounts = true;
    directories = [
      "/var/lib"
      "/var/log"
      "/srv"
    ];
    files = [
      "/etc/machine-id"
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
    ];
  };

  fileSystems."/srv".neededForBoot = true;

  environment.systemPackages = [ pkgs.tailscale ];

  services.tailscale.enable = true;

  luj.irc = {
    enable = true;
    nginx = {
      enable = true;
      subdomain = "irc";
    };
  };

  luj.homepage.enable = true;
  luj.mediaserver = {
    enable = true;
    tv.enable = true;
    music.enable = false;
  };
  luj.deluge.interface = "wg0";

  networking.firewall.allowedTCPPorts = [ 51820 ];
  networking.firewall.allowedUDPPorts = [ 51820 ];

  services.roundcube = {
    enable = true;
    plugins = [
      "managesieve"
    ];
    hostName = "webmail.luj.fr";
    extraConfig = ''
      # starttls needed for authentication, so the fqdn required to match
      # the certificate
      $config['smtp_server'] = "tls://mail.luj.fr";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
      $config['imap_host'] = 'ssl://mail.luj.fr';
    '';
  };

  system.stateVersion = "23.11";
}
feat: intro vm-simple-network profile 2024-08-14 22:13:13 +02:00			`{`
			`pkgs,`
			`inputs,`
			`profiles,`
feat: move vpn ip from lisa to akhaten 2024-09-04 15:30:04 +02:00			`lib,`
feat: intro vm-simple-network profile 2024-08-14 22:13:13 +02:00			`...`
			`}:`
create gustave 2024-04-05 00:34:14 +02:00			`{`
feat: init gustave 2024-05-09 00:52:39 +02:00			`imports = [`
			`./hardware.nix`
			`./home-julien.nix`
feat: add dns module 2024-08-12 18:15:30 +02:00			`./nsd.nix`
feat: init backup module 2024-09-03 22:03:09 +02:00			`./borg.nix`
fix(perf): deploy personal page using s3 2025-01-12 00:52:54 +01:00			`# Performance is not as good as we expected, wait for pages v3`
			`# ./pages.nix`
chore(gustave): intro readeck 2024-11-01 22:43:02 +01:00			`./readeck.nix`
feat(gustave): init plausible 2024-12-06 17:13:46 +01:00			`./plausible.nix`
feat(gustave): bootstrap a new nextcloud 2024-12-23 21:47:44 +01:00			`./nextcloud.nix`
feat(gustave): init glance 2025-01-10 02:33:26 +01:00			`./glance.nix`
feat(gustave): init syncthing 2025-01-19 22:54:03 +01:00			`./syncthing.nix`
feat(gustave): use upstream readeck 2025-02-02 17:44:03 +01:00			`"${inputs.unstable}/nixos/modules/services/web-apps/readeck.nix"`
feat: init gustave 2024-05-09 00:52:39 +02:00			`];`
create gustave 2024-04-05 00:34:14 +02:00
chore: some fix to gustave 2025-03-13 00:15:46 +01:00			`users.users.julien.linger = true;`

			`services.openssh.extraConfig = ''`
			`HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub`
			`HostKey /etc/ssh/ssh_host_ed25519_key`
			`TrustedUserCAKeys /etc/ssh/ssh_user_key.pub`
			`MaxAuthTries 20`
			`'';`

chore: use meta module 2024-08-10 17:56:30 +02:00			`machine.meta = {`
			`arch = "x86_64-linux";`
			`nixpkgs_version = inputs.nixpkgs;`
			`hm_version = inputs.home-manager;`
feat: setup arkheon 2024-09-02 16:42:35 +02:00			`profiles = with profiles; [`
			`vm-simple-network`
			`server`
fix(perf): deploy personal page using s3 2025-01-12 00:52:54 +01:00			`behind-sniproxy`
feat: setup arkheon 2024-09-02 16:42:35 +02:00			`];`
chore: rewrite ips meta 2024-08-12 18:12:00 +02:00			`ips = {`
			`public.ipv4 = "82.67.34.230";`
			`local.ipv4 = "192.168.0.90";`
			`vpn.ipv4 = "100.100.45.24";`
			`public.ipv6 = "2a01:e0a:de4:a0e1:eb2:aaaa::45";`
			`vpn.ipv6 = "fd7a:115c:a1e0::18";`
chore: use meta module 2024-08-10 17:56:30 +02:00			`};`

			`};`

chore: enable hedgedoc on akhaten 2024-09-05 10:55:09 +02:00			`luj.docs = {`
			`enable = true;`
			`nginx.enable = true;`
			`nginx.subdomain = "docs";`
			`};`
chore: add dns records for agorakit 2024-09-27 18:43:23 +02:00
chore: some fix to gustave 2025-03-13 00:15:46 +01:00			`security.polkit.enable = true;`
create gustave 2024-04-05 00:34:14 +02:00			`boot.loader.systemd-boot.enable = true;`
			`boot.loader.efi.canTouchEfiVariables = true;`
chore: activate syncthing on several machines 2025-01-25 16:49:42 +01:00			`programs.fuse.userAllowOther = true;`
create gustave 2024-04-05 00:34:14 +02:00
chore: filter configurations through colmena tags 2024-05-26 20:24:00 +02:00			`deployment.tags = [ "server" ];`

create gustave 2024-04-05 00:34:14 +02:00			`disko = import ./disko.nix;`

fix: fix sonarr + jackett on gustave 2025-01-03 00:16:39 +01:00			`nixpkgs.config.permittedInsecurePackages = [`
			`"dotnet-sdk-6.0.428"`
			`"aspnetcore-runtime-6.0.36"`
			`];`

feat: wireguard tunnel from gustave to lisac 2024-05-25 19:25:49 +02:00			`systemd.network.netdevs = {`
			`"20-wg0" = {`
			`netdevConfig = {`
			`Kind = "wireguard";`
			`Name = "wg0";`
			`MTUBytes = "1300";`
			`};`
			`wireguardConfig = {`
			`PrivateKeyFile = "/srv/wg-private";`
			`ListenPort = 51820;`
			`};`
			`wireguardPeers = [`
			`{`
fix(eval): silence some eval warnings 2024-12-01 17:58:31 +01:00			`PublicKey = "oYsN1Qy+a7dwVOKapN5s5KJOmhSflLHZqh+GLMeNpHw=";`
			`AllowedIPs = [ "0.0.0.0/0" ];`
			`Endpoint = "[${lib.snowfield.akhaten.ips.public.ipv6}]:51821";`
			`PersistentKeepalive = 25;`
feat: wireguard tunnel from gustave to lisac 2024-05-25 19:25:49 +02:00			`}`
			`];`
			`};`
			`};`
			`systemd.network.networks."30-wg0" = {`
			`matchConfig.Name = "wg0";`
			`addresses = [`
			`{`
fix(eval): silence some eval warnings 2024-12-01 17:58:31 +01:00			`Address = "10.100.45.2/24";`
			`AddPrefixRoute = false;`
feat: wireguard tunnel from gustave to lisac 2024-05-25 19:25:49 +02:00			`}`
			`];`
fix: fix routes on gustave 2024-07-08 16:45:48 +02:00			`routes = [`
			`{`
fix(eval): silence some eval warnings 2024-12-01 17:58:31 +01:00			`Gateway = "10.100.45.1";`
			`Destination = "10.100.45.0/24";`
fix: fix routes on gustave 2024-07-08 16:45:48 +02:00			`}`
			`];`
feat: wireguard tunnel from gustave to lisac 2024-05-25 19:25:49 +02:00			`DHCP = "no";`
			`networkConfig = {`
			`IPv6AcceptRA = false;`
			`};`
			`};`

feat: enable forgejo 2024-07-04 22:25:24 +02:00			`services.forgejo = {`
			`enable = true;`
chore: forgejo switch to unstable 2024-09-02 18:24:46 +02:00			`package = pkgs.unstable.forgejo;`
chore: add some forgejo settings 2024-07-06 18:40:12 +02:00			`settings = {`
			`server = {`
			`ROOT_URL = "https://git.luj.fr/";`
			`LANDING_PAGE = "luj";`
			`};`
			`};`
feat: enable forgejo 2024-07-04 22:25:24 +02:00			`};`

chore: openssh on port 22 too for gustave bc of git server 2024-07-08 11:22:27 +02:00			`services.openssh.ports = [ 22 ];`

feat: enable forgejo 2024-07-04 22:25:24 +02:00			`services.nginx.virtualHosts."git.luj.fr" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://localhost:3000";`
			`proxyWebsockets = true;`
			`};`
			`};`

feat: init gustave 2024-05-09 00:52:39 +02:00			`environment.persistence."/persistent" = {`
			`hideMounts = true;`
feat: persist important things on gustave 2024-05-22 15:03:22 +02:00			`directories = [`
fix: gustave preserved paths 2024-05-22 16:33:09 +02:00			`"/var/lib"`
			`"/var/log"`
chore: persist /srv on gustave 2024-05-25 19:33:42 +02:00			`"/srv"`
feat: persist important things on gustave 2024-05-22 15:03:22 +02:00			`];`
feat: init gustave 2024-05-09 00:52:39 +02:00			`files = [`
feat: persist important things on gustave 2024-05-22 15:03:22 +02:00			`"/etc/machine-id"`
feat: init gustave 2024-05-09 00:52:39 +02:00			`"/etc/ssh/ssh_host_ed25519_key"`
			`"/etc/ssh/ssh_host_ed25519_key.pub"`
			`];`
create gustave 2024-04-05 00:34:14 +02:00			`};`

chore: persist /srv on gustave 2024-05-25 19:33:42 +02:00			`fileSystems."/srv".neededForBoot = true;`

chore: remove bottom from gustave 2024-09-02 16:43:33 +02:00			`environment.systemPackages = [ pkgs.tailscale ];`
feat: enable tailscale on gustave 2024-05-22 15:03:02 +02:00
			`services.tailscale.enable = true;`

feat: move irc to gustave 2024-05-22 15:02:00 +02:00			`luj.irc = {`
			`enable = true;`
			`nginx = {`
			`enable = true;`
			`subdomain = "irc";`
			`};`
			`};`

chore: migrate homepage on gustave 2024-05-23 00:20:28 +02:00			`luj.homepage.enable = true;`
chore: move mediaserver to gustave 2024-05-23 19:27:59 +02:00			`luj.mediaserver = {`
			`enable = true;`
			`tv.enable = true;`
chore(gustave/songs): disable 2024-12-13 21:22:49 +01:00			`music.enable = false;`
chore: move mediaserver to gustave 2024-05-23 19:27:59 +02:00			`};`
feat: choose interface for deluge 2024-05-25 19:07:53 +02:00			`luj.deluge.interface = "wg0";`
chore: migrate homepage on gustave 2024-05-23 00:20:28 +02:00
feat: wireguard tunnel from gustave to lisac 2024-05-25 19:25:49 +02:00			`networking.firewall.allowedTCPPorts = [ 51820 ];`
			`networking.firewall.allowedUDPPorts = [ 51820 ];`

chore: roundcube on gustave + patch stalwart 2025-03-10 14:18:43 +01:00			`services.roundcube = {`
			`enable = true;`
			`plugins = [`
			`"managesieve"`
			`];`
			`hostName = "webmail.luj.fr";`
			`extraConfig = ''`
			`# starttls needed for authentication, so the fqdn required to match`
			`# the certificate`
			`$config['smtp_server'] = "tls://mail.luj.fr";`
			`$config['smtp_user'] = "%u";`
			`$config['smtp_pass'] = "%p";`
			`$config['imap_host'] = 'ssl://mail.luj.fr';`
			`'';`
			`};`

feat: init gustave 2024-05-09 00:52:39 +02:00			`system.stateVersion = "23.11";`
create gustave 2024-04-05 00:34:14 +02:00			`}`