diff --git a/machines/bin-cache/default.nix b/machines/bin-cache/default.nix
new file mode 100644
index 0000000..c145ff8
--- /dev/null
+++ b/machines/bin-cache/default.nix
@@ -0,0 +1,140 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ./hardware.nix
+ ../../users/julien.nix
+ ../../users/default.nix
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "bin-cache";
+
+ time.timeZone = "Europe/Paris";
+
+ environment.systemPackages = [ pkgs.tailscale ];
+ services.tailscale.enable = true;
+ networking.firewall.checkReversePath = "loose";
+
+ services.nginx.enable = true;
+ services.nginx.recommendedGzipSettings = true;
+ services.nginx.recommendedOptimisation = true;
+ services.nginx.recommendedProxySettings = true;
+ services.nginx.recommendedTlsSettings = true;
+
+ services.nginx.virtualHosts."cache.julienmalka.me" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:3001";
+ proxyWebsockets = true;
+ };
+ };
+
+ security.acme.certs."uptime.luj".server = "https://ca.luj:8444/acme/acme/directory";
+
+ services.nginx.virtualHosts."uptime.luj" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:3001";
+ proxyWebsockets = true;
+ };
+ };
+
+ networking.nameservers = [ "100.100.45.5" "9.9.9.9" ];
+ environment.etc."resolv.conf" = with lib; with pkgs; {
+ source = writeText "resolv.conf" ''
+ ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") config.networking.nameservers)}
+ options edns0
+ '';
+ };
+
+
+
+ services.atticd = {
+ enable = true;
+ # Replace with absolute path to your credentials file
+ credentialsFile = "/etc/atticd.env";
+
+ settings = {
+ listen = "[::]:8080";
+
+ # Data chunking
+ #
+ # Warning: If you change any of the values here, it will be
+ # difficult to reuse existing chunks for newly-uploaded NARs
+ # since the cutpoints will be different. As a result, the
+ # deduplication ratio will suffer for a while after the change.
+ chunking = {
+ # The minimum NAR size to trigger chunking
+ #
+ # If 0, chunking is disabled entirely for newly-uploaded NARs. 
+ # If 1, all NARs are chunked.
+ nar-size-threshold = 64 * 1024; # 64 KiB
+
+ # The preferred minimum size of a chunk, in bytes
+ min-size = 16 * 1024; # 16 KiB
+
+ # The preferred average size of a chunk, in bytes
+ avg-size = 64 * 1024; # 64 KiB
+
+ # The preferred maximum size of a chunk, in bytes
+ max-size = 256 * 1024; # 256 KiB
+ };
+ };
+ };
+
+
+
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "julien@malka.sh";
+
+
+ security.pki.certificates = [
+ ''-----BEGIN CERTIFICATE-----
+MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw
+EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X
+DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u
+TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6
+7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/
+BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja
+mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG
+SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc
+oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw==
+-----END CERTIFICATE-----''
+ ''-----BEGIN CERTIFICATE-----
+MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES
+MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe
+Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v
+bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq
+hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7
+BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw
+EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC
+jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf
+VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ=
+-----END CERTIFICATE-----''
+ ];
+
+
+ services.openssh = {
+ enable = true;
+ ports = [ 45 ];
+ permitRootLogin = "yes";
+ openFirewall = true;
+ };
+
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9Uzb7szWlux7HuxLZej9cBR5MhLz/vaAPPfSoozt2k julien@enigma.local"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 443 80 8428 ];
+ networking.firewall.allowedUDPPorts = [ 443 80 8428 ];
+ system.stateVersion = "22.11";
+}
diff --git a/machines/bin-cache/hardware.nix b/machines/bin-cache/hardware.nix
new file mode 100644
index 0000000..aca781a
--- /dev/null
+++ b/machines/bin-cache/hardware.nix
@@ -0,0 +1,31 @@
+{ config, lib, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ {
+ device = "/dev/disk/by-uuid/60c91357-1fe9-41da-8fb4-2f601d53ccab";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
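Review bot: `permitRootLogin = "yes";` in the services.openssh block leaves password logins for root enabled on port 45 (opened by `openFirewall = true`), even though root is already provisioned with two authorized keys just below it; restricting it to key-based access is a two-line change, `permitRootLogin = "prohibit-password";` plus `passwordAuthentication = false;`, both of which exist for the 22.11 stateVersion this file declares. Both nginx virtual hosts proxy to `http://localhost:3001` while `services.atticd` listens on `[::]:8080` and 8080 is opened nowhere, so the cache at cache.julienmalka.me likely never reaches atticd — presumably one proxyPass was copy-pasted and the cache host should read `proxyPass = "http://localhost:8080";`. The firewall also opens 443, 80 and 8428 over UDP as well as TCP, although nothing in this file binds UDP or port 8428; unless another module does, dropping `allowedUDPPorts` and 8428 shrinks the exposed surface.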