mirror of
https://github.com/JulienMalka/snowfield.git
synced 2025-03-30 08:40:52 +02:00
199 lines
6.1 KiB
Nix
199 lines
6.1 KiB
Nix
{ config, pkgs, ... }:
|
||
|
||
{
|
||
imports =
|
||
[
|
||
./hardware.nix
|
||
../../users/julien.nix
|
||
../../users/default.nix
|
||
];
|
||
|
||
# Use the systemd-boot EFI boot loader.
|
||
boot.loader.systemd-boot.enable = true;
|
||
boot.loader.efi.canTouchEfiVariables = true;
|
||
|
||
networking.hostName = "lambda"; # Define your hostname.
|
||
|
||
# Set your time zone.
|
||
# time.timeZone = "Europe/Amsterdam";
|
||
|
||
# Select internationalisation properties.
|
||
# i18n.defaultLocale = "en_US.UTF-8";
|
||
# console = {
|
||
# font = "Lat2-Terminus16";
|
||
# keyMap = "us";
|
||
# useXkbConfig = true; # use xkbOptions in tty.
|
||
# };
|
||
|
||
# Enable the X11 windowing system.
|
||
# services.xserver.enable = true;
|
||
|
||
environment.systemPackages = [ pkgs.tailscale ];
|
||
services.tailscale.enable = true;
|
||
networking.firewall.checkReversePath = "loose";
|
||
|
||
services.nginx.enable = true;
|
||
services.nginx.recommendedGzipSettings = true;
|
||
services.nginx.recommendedOptimisation = true;
|
||
services.nginx.recommendedProxySettings = true;
|
||
services.nginx.recommendedTlsSettings = true;
|
||
|
||
services.uptime-kuma.enable = true;
|
||
services.uptime-kuma.settings = {
|
||
NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";
|
||
};
|
||
|
||
services.ntfy-sh.enable = true;
|
||
services.ntfy-sh.settings = {
|
||
listen-http = ":8080";
|
||
behind-proxy = true;
|
||
upstream-base-url = "https://ntfy.sh";
|
||
base-url = "https://notifications.julienmalka.me";
|
||
auth-file = "/srv/ntfy/user.db";
|
||
auth-default-access = "deny-all";
|
||
};
|
||
|
||
services.nginx.virtualHosts."status.julienmalka.me" = {
|
||
forceSSL = true;
|
||
enableACME = true;
|
||
locations."/" = {
|
||
proxyPass = "http://localhost:3001";
|
||
proxyWebsockets = true;
|
||
};
|
||
};
|
||
|
||
security.acme.certs."uptime.luj".server = "https://ca.luj:8444/acme/acme/directory";
|
||
|
||
services.nginx.virtualHosts."uptime.luj" = {
|
||
forceSSL = true;
|
||
enableACME = true;
|
||
locations."/" = {
|
||
proxyPass = "http://localhost:3001";
|
||
proxyWebsockets = true;
|
||
};
|
||
};
|
||
|
||
|
||
services.nginx.virtualHosts."notifications.julienmalka.me" = {
|
||
forceSSL = true;
|
||
enableACME = true;
|
||
locations."/" = {
|
||
proxyPass = "http://localhost:8080";
|
||
proxyWebsockets = true;
|
||
};
|
||
};
|
||
|
||
|
||
|
||
security.acme.acceptTerms = true;
|
||
security.acme.defaults.email = "julien@malka.sh";
|
||
|
||
|
||
security.pki.certificates = [
|
||
''-----BEGIN CERTIFICATE-----
|
||
MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw
|
||
EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X
|
||
DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u
|
||
TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI
|
||
zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6
|
||
7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/
|
||
BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja
|
||
mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG
|
||
SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc
|
||
oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw==
|
||
-----END CERTIFICATE-----''
|
||
''-----BEGIN CERTIFICATE-----
|
||
MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES
|
||
MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe
|
||
Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v
|
||
bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq
|
||
hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7
|
||
BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw
|
||
EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC
|
||
jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf
|
||
VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ=
|
||
-----END CERTIFICATE-----''
|
||
];
|
||
|
||
|
||
|
||
|
||
# Configure keymap in X11
|
||
# services.xserver.layout = "us";
|
||
# services.xserver.xkbOptions = {
|
||
# "eurosign:e";
|
||
# "caps:escape" # map caps to escape.
|
||
# };
|
||
|
||
# Enable CUPS to print documents.
|
||
# services.printing.enable = true;
|
||
|
||
# Enable sound.
|
||
# sound.enable = true;
|
||
# hardware.pulseaudio.enable = true;
|
||
|
||
# Enable touchpad support (enabled default in most desktopManager).
|
||
# services.xserver.libinput.enable = true;
|
||
|
||
# Define a user account. Don't forget to set a password with ‘passwd’.
|
||
# users.users.alice = {
|
||
# isNormalUser = true;
|
||
# extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
||
# packages = with pkgs; [
|
||
# firefox
|
||
# thunderbird
|
||
# ];
|
||
# };
|
||
|
||
# List packages installed in system profile. To search, run:
|
||
# $ nix search wget
|
||
# environment.systemPackages = with pkgs; [
|
||
# vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
|
||
# wget
|
||
# ];
|
||
|
||
# Some programs need SUID wrappers, can be configured further or are
|
||
# started in user sessions.
|
||
# programs.mtr.enable = true;
|
||
# programs.gnupg.agent = {
|
||
# enable = true;
|
||
# enableSSHSupport = true;
|
||
# };
|
||
|
||
services.openssh = {
|
||
enable = true;
|
||
ports = [ 45 ];
|
||
permitRootLogin = "yes";
|
||
openFirewall = true;
|
||
};
|
||
|
||
|
||
# List services that you want to enable:
|
||
|
||
# Enable the OpenSSH daemon.
|
||
|
||
users.users.root.openssh.authorizedKeys.keys = [
|
||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9Uzb7szWlux7HuxLZej9cBR5MhLz/vaAPPfSoozt2k julien@enigma.local"
|
||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
|
||
];
|
||
|
||
# Open ports in the firewall.
|
||
networking.firewall.allowedTCPPorts = [ 443 80 ];
|
||
networking.firewall.allowedUDPPorts = [ 443 80 ];
|
||
# Or disable the firewall altogether.
|
||
# networking.firewall.enable = false;
|
||
|
||
# Copy the NixOS configuration file and link it from the resulting system
|
||
# (/run/current-system/configuration.nix). This is useful in case you
|
||
# accidentally delete configuration.nix.
|
||
# system.copySystemConfiguration = true;
|
||
|
||
# This value determines the NixOS release from which the default
|
||
# settings for stateful data, like file locations and database versions
|
||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||
# this value at the release version of the first install of this system.
|
||
# Before changing this value read the documentation for this option
|
||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||
system.stateVersion = "22.11"; # Did you read the comment?
|
||
|
||
}
|