{
  pkgs,
  inputs,
  profiles,
  lib,
  ...
}:
{
  imports = [
    ./hardware.nix
    ./home-julien.nix
    ./nsd.nix
    ./borg.nix
    # Performance is not as good as we expected, wait for pages v3
    #    ./pages.nix
    ./readeck.nix
    ./plausible.nix
    ./nextcloud.nix
    ./glance.nix
    ./syncthing.nix
    "${inputs.unstable}/nixos/modules/services/web-apps/readeck.nix"
  ];

  # Keep julien's systemd user manager (and any user services) running even
  # when the user has no open login session.
  users.users.julien.linger = true;

  # Raw sshd_config lines for SSH certificate authentication:
  #  - HostCertificate / HostKey: sshd presents a CA-signed certificate for
  #    its ed25519 host key, so clients can verify the host against the CA.
  #  - TrustedUserCAKeys: a user certificate signed by a key in this file is
  #    accepted for login, so the matching CA private key is effectively a
  #    credential for this host and must be protected accordingly.
  #  - MaxAuthTries 20: well above the OpenSSH default of 6, allowing more
  #    authentication attempts per connection.
  # NOTE(review): presumably MaxAuthTries was raised because clients offer
  # many agent keys; confirm it is still needed. Setting IdentitiesOnly on the
  # clients is the usual alternative to raising the server-side limit.
  # NOTE(review): the certificate and the CA public key under /etc/ssh are not
  # in the environment.persistence file list in this file; confirm they are
  # provisioned elsewhere.
  services.openssh.extraConfig = ''
    HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
    HostKey /etc/ssh/ssh_host_ed25519_key
    TrustedUserCAKeys /etc/ssh/ssh_user_key.pub
    MaxAuthTries 20
  '';

  # Host metadata: target architecture, pinned nixpkgs / home-manager inputs,
  # the profiles applied to this machine, and its addresses per network.
  # (machine.meta is presumably an option defined elsewhere in this repo.)
  machine.meta = {
    arch = "x86_64-linux";
    nixpkgs_version = inputs.nixpkgs;
    hm_version = inputs.home-manager;

    # Profiles come from the `profiles` module argument.
    profiles = [
      profiles.vm-simple-network
      profiles.server
      profiles.behind-sniproxy
    ];

    # Addresses grouped by network rather than by address family.
    ips = {
      public = {
        ipv4 = "82.67.34.230";
        ipv6 = "2a01:e0a:de4:a0e1:eb2:aaaa::45";
      };
      local.ipv4 = "192.168.0.90";
      vpn = {
        ipv4 = "100.100.45.24";
        ipv6 = "fd7a:115c:a1e0::18";
      };
    };
  };

  # Documentation site, exposed through nginx on the "docs" subdomain.
  luj.docs.enable = true;
  luj.docs.nginx = {
    enable = true;
    subdomain = "docs";
  };

  security.polkit.enable = true;

  # UEFI boot via systemd-boot; the installer may write EFI variables.
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  # Sets user_allow_other in /etc/fuse.conf: unprivileged users may mount FUSE
  # filesystems with allow_other / allow_root, making those mounts visible to
  # other users (including root-owned services).
  programs.fuse.userAllowOther = true;

  deployment.tags = [ "server" ];

  # Disk layout is declared in a separate file.
  disko = import ./disko.nix;

  # Explicit allow-list for packages that nixpkgs marks as insecure and would
  # otherwise refuse to evaluate. Both entries belong to the .NET 6 line, which
  # is end-of-life and no longer receives security fixes.
  # NOTE(review): this file does not say which service pulls these in
  # (possibly something enabled by luj.mediaserver; confirm). Record the
  # consumer here and drop the entries once it moves to a supported runtime,
  # so the exception does not outlive its reason.
  nixpkgs.config.permittedInsecurePackages = [
    "dotnet-sdk-6.0.428"
    "aspnetcore-runtime-6.0.36"
  ];

  # WireGuard tunnel wg0, managed by systemd-networkd.
  systemd.network.netdevs = {
    "20-wg0" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
        MTUBytes = "1300";
      };
      wireguardConfig = {
        # Private key is read from a file, so it stays out of the Nix store.
        # /srv is one of the directories persisted via environment.persistence
        # in this file.
        # NOTE(review): nothing here sets ownership or mode on this file. It
        # must be readable by systemd-networkd and by nobody else; confirm.
        PrivateKeyFile = "/srv/wg-private";
        # Same port number as opened in networking.firewall in this file.
        ListenPort = 51820;
      };
      wireguardPeers = [
        {
          # Peer public key (not a secret).
          PublicKey = "oYsN1Qy+a7dwVOKapN5s5KJOmhSflLHZqh+GLMeNpHw=";
          # The peer may send packets with any IPv4 source address through
          # the tunnel, and any IPv4 destination can be sent to it. Which
          # traffic actually uses wg0 is decided by the routes on the
          # "30-wg0" network, not by this list.
          AllowedIPs = [ "0.0.0.0/0" ];
          # Peer is reached over its public IPv6 address, taken from the
          # akhaten host entry in lib.snowfield.
          Endpoint = "[${lib.snowfield.akhaten.ips.public.ipv6}]:51821";
          # Keepalive every 25 s, so the tunnel stays usable across NAT and
          # stateful firewalls.
          PersistentKeepalive = 25;
        }
      ];
    };
  };
  # Addressing and routing for wg0: static address, no DHCP, no IPv6 RA.
  systemd.network.networks."30-wg0" = {
    matchConfig.Name = "wg0";
    addresses = [
      {
        Address = "10.100.45.2/24";
        # Skip the automatic prefix route; the explicit route below is used
        # for 10.100.45.0/24 instead.
        AddPrefixRoute = false;
      }
    ];
    routes = [
      {
        Gateway = "10.100.45.1";
        Destination = "10.100.45.0/24";
      }
    ];
    DHCP = "no";
    networkConfig = {
      # Do not accept router advertisements on the tunnel interface.
      IPv6AcceptRA = false;
    };
  };

  # Forgejo git forge, using the package from the unstable channel.
  # NOTE(review): server.HTTP_ADDR is not set here. If the module default
  # binds all interfaces, the plain-HTTP port 3000 is reachable wherever the
  # firewall permits it, bypassing the nginx TLS front end below. Consider
  # binding it to loopback.
  # NOTE(review): no service.DISABLE_REGISTRATION is set in this file; confirm
  # that open sign-up on a public instance is intended.
  services.forgejo = {
    enable = true;
    package = pkgs.unstable.forgejo;
    settings = {
      server = {
        ROOT_URL = "https://git.luj.fr/";
        LANDING_PAGE = "luj";
      };
    };
  };

  # sshd listens on port 22.
  services.openssh.ports = [ 22 ];

  # Public entry point for Forgejo: nginx redirects HTTP to HTTPS (forceSSL),
  # obtains the certificate via ACME, and proxies everything (including
  # websocket upgrades) to the local Forgejo HTTP port.
  services.nginx.virtualHosts."git.luj.fr" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://localhost:3000";
      proxyWebsockets = true;
    };
  };

  # State kept under /persistent. Only the paths listed here are declared as
  # persistent by this file.
  environment.persistence."/persistent" = {
    hideMounts = true;
    directories = [
      "/var/lib"
      "/var/log"
      # Also holds the WireGuard private key (/srv/wg-private).
      "/srv"
    ];
    files = [
      "/etc/machine-id"
      # SSH host key pair: persisting it keeps the host identity stable.
      # NOTE(review): sshd in this file also references
      # /etc/ssh/ssh_host_ed25519_key-cert.pub and /etc/ssh/ssh_user_key.pub,
      # which are not listed here; confirm they are provisioned another way.
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
    ];
  };

  # Mount /srv in the initrd stage, before the rest of the system starts.
  fileSystems."/srv".neededForBoot = true;

  # Tailscale daemon, plus its CLI on the system PATH.
  services.tailscale.enable = true;
  environment.systemPackages = [ pkgs.tailscale ];

  # IRC service, exposed through nginx on the "irc" subdomain.
  luj.irc.enable = true;
  luj.irc.nginx.enable = true;
  luj.irc.nginx.subdomain = "irc";

  luj.homepage.enable = true;

  # Media server: TV enabled, music disabled.
  luj.mediaserver.enable = true;
  luj.mediaserver.tv.enable = true;
  luj.mediaserver.music.enable = false;

  # Deluge is pointed at the WireGuard interface (presumably so its traffic
  # stays inside the tunnel; see the luj.deluge module to confirm).
  luj.deluge.interface = "wg0";

  # Opens 51820 on every interface for both TCP and UDP. 51820/udp is the
  # WireGuard ListenPort configured for wg0 in this file.
  # NOTE(review): WireGuard itself uses UDP only, and nothing in this file
  # shows a listener on TCP 51820. Confirm another service needs the TCP rule;
  # otherwise drop it so the firewall exposes no more than required.
  networking.firewall.allowedTCPPorts = [ 51820 ];
  networking.firewall.allowedUDPPorts = [ 51820 ];

  # Roundcube webmail at webmail.luj.fr with the managesieve plugin enabled.
  # extraConfig is PHP added to Roundcube's configuration:
  #  - SMTP goes to mail.luj.fr with the tls:// scheme (STARTTLS), IMAP with
  #    ssl:// (implicit TLS); both use the FQDN so the server certificate
  #    name matches.
  #  - smtp_user "%u" / smtp_pass "%p" reuse the credentials the user logged
  #    in to webmail with, so Roundcube stores no separate SMTP secret.
  # NOTE(review): 'smtp_server' is the pre-1.6 name of 'smtp_host', while
  # 'imap_host' is the 1.6 name; consider using the current name for both.
  services.roundcube = {
    enable = true;
    plugins = [
      "managesieve"
    ];
    hostName = "webmail.luj.fr";
    extraConfig = ''
      # starttls needed for authentication, so the fqdn required to match
      # the certificate
      $config['smtp_server'] = "tls://mail.luj.fr";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
      $config['imap_host'] = 'ssl://mail.luj.fr';
    '';
  };

  # NixOS release whose stateful-data defaults this machine follows. Changing
  # it does not upgrade the system; leave it at the original install value.
  system.stateVersion = "23.11";
}