tlaternet-server/etc/nixos/configuration.nix

# NixOS system configuration for the host "tlater.net".
#
# The machine runs an SSH daemon on a non-default port, a Docker daemon, and
# three Docker containers managed by the NixOS `docker-containers` option:
# an nginx reverse proxy, its Let's Encrypt companion, and GitLab CE.
#
# Trust boundaries worth knowing when editing this file:
#   - Members of `wheel` and `docker` (see `users.users`) and any container
#     that mounts /var/run/docker.sock (nginx-proxy, nginx-proxy-letsencrypt)
#     can control the Docker daemon, which is effectively root on the host.
#   - Everything interpolated into this file (including the contents of
#     ./configs/gitlab.rb) ends up in the world-readable Nix store.
{ config, pkgs, ... }:
{
  imports = [
    # Generated hardware description and Linode-specific settings live in
    # sibling files; neither is visible here.
    ./hardware-configuration.nix
    ./linode.nix
  ];

  networking = {
    hostName = "tlater.net";
    # useDHCP is deprecated
    useDHCP = false;
    interfaces.eth0.useDHCP = true;
    firewall = {
      enable = true;
      # Only these TCP ports are reachable from outside; everything else is
      # dropped. Each one maps to a service declared further down:
      #   80, 443 -> nginx-proxy container (HTTP / HTTPS)
      #   2222    -> sshd on the host (services.openssh.ports)
      #   3022    -> GitLab container's SSH (gitlab ports "3022:22")
      allowedTCPPorts = [
        80
        443
        2222
        3022
      ];
    };
  };

  time.timeZone = "Europe/London";

  users.users = {
    tlater = {
      isNormalUser = true;
      # `wheel` grants sudo; `docker` grants control of the Docker daemon,
      # which is root-equivalent on the host, so both are admin-level groups.
      extraGroups = [ "wheel" "docker" ];
      # SSH login is by public key only (password auth is disabled below);
      # the key file is committed next to this configuration.
      openssh.authorizedKeys.keyFiles = [ ./keys/tlater.pub ];
    };
    lauren = {
      # Unprivileged account: no extra groups, key-only SSH access.
      isNormalUser = true;
      openssh.authorizedKeys.keyFiles = [ ./keys/lauren.pub ];
    };
  };

  # No host-level packages are installed; all services run in containers.
  environment.systemPackages = with pkgs; [
  ];

  services = {
    openssh = {
      enable = true;
      allowSFTP = false;
      # Hardening: key-based authentication only, and root may not log in
      # directly (admin access goes through `tlater` + sudo).
      passwordAuthentication = false;
      permitRootLogin = "no";
      # Non-default port; must stay in sync with networking.firewall above.
      ports = [ 2222 ];
      # Socket-activated: sshd is started per connection rather than kept
      # resident.
      startWhenNeeded = true;
    };
  };

  virtualisation.docker = {
    enable = true;
    # Periodically removes unused images/containers/volumes.
    autoPrune.enable = true;
  };

  docker-containers = {
    ## nginx proxy
    # Fronts all HTTP(S) traffic and generates vhost config automatically for
    # containers that set VIRTUAL_HOST (e.g. gitlab below).
    nginx-proxy = {
      image = "jwilder/nginx-proxy:alpine";
      ports = [
        "80:80"
        "443:443"
      ];
      volumes = [
        # So that we can watch new containers come up
        # NOTE(review): the `:ro` flag only makes the socket file read-only;
        # the Docker API reachable through it still allows full daemon
        # control, so this container is a high-trust component.
        "/var/run/docker.sock:/tmp/docker.sock:ro"
        # So that we can access generated certs
        "nginx-certs:/etc/nginx/certs:ro"
        # So that we can write challenge files for letsencrypt auth
        "nginx-challenges:/usr/share/nginx/html"
        # So that we can modify config on-the-fly to set up challenge
        # files
        "nginx-conf:/etc/nginx/vhost.d"
      ];
      environment = {
        DHPARAM_GENERATION = "false"; # Provided by nginx-proxy-letsencrypt
      };
      # Attaches the container to a user-defined network; the network itself
      # is not declared in this file, so it presumably has to exist already
      # (created out of band) — verify before rebuilding a fresh host.
      extraDockerOptions = [
        "--network=webproxy"
      ];
    };

    # Obtains and renews Let's Encrypt certificates for containers that set
    # LETSENCRYPT_HOST, writing them into the shared `nginx-certs` volume.
    nginx-proxy-letsencrypt = {
      image = "jrcs/letsencrypt-nginx-proxy-companion";
      volumes = [
        # Same caveat as nginx-proxy: socket access is full daemon control.
        "/var/run/docker.sock:/var/run/docker.sock:ro"
        # Writable here (read-only in nginx-proxy) so renewed certs land in
        # the shared volume.
        "nginx-certs:/etc/nginx/certs"
      ];
      environment = {
        # Contact address registered with Let's Encrypt for expiry notices.
        DEFAULT_EMAIL = "tm@tlater.net";
      };
      # Presumably the container name the NixOS docker-containers module
      # assigns to `nginx-proxy` above — confirm against `docker ps` if the
      # companion fails to find the proxy's volumes.
      extraDockerOptions = [
        "--volumes-from" "docker-nginx-proxy.service"
      ];
    };

    ## GitLab
    gitlab = {
      # NOTE(review): the floating `latest` tag is unpinned, so each image
      # pull may deploy a different (and untested) GitLab release; pinning a
      # specific version tag or digest gives reproducible, reviewable
      # upgrades.
      image = "gitlab/gitlab-ce:latest";
      ports = [
        # GitLab's SSH (git push/pull) on host port 3022, opened in the
        # firewall above; host sshd keeps 2222.
        "3022:22"
      ];
      # `:Z` asks Docker to apply a private SELinux label to each volume.
      volumes = [
        "gitlab-data:/var/opt/gitlab:Z"
        "gitlab-logs:/var/log/gitlab:Z"
        "gitlab-config:/etc/gitlab:Z"
      ];
      environment = {
        # Picked up by nginx-proxy / the letsencrypt companion respectively.
        VIRTUAL_HOST = "gitlab.tlater.net";
        LETSENCRYPT_HOST = "gitlab.tlater.net";
        # The omnibus config is read from the repo at evaluation time and
        # flattened to a single line (newlines removed) so it fits in one
        # environment variable.
        # NOTE(review): the file contents become part of the Nix store and,
        # presumably, of the container's command line/unit environment, both
        # of which are readable by any local user — keep secrets (SMTP or
        # OAuth credentials, tokens) out of ./configs/gitlab.rb.
        GITLAB_OMNIBUS_CONFIG = builtins.replaceStrings ["\n"] [""] (builtins.readFile ./configs/gitlab.rb);
      };
      extraDockerOptions = [
        "--network=webproxy"
      ];
    };
  };

  # Release this system was first installed with; governs stateful defaults
  # and must not be bumped casually.
  system.stateVersion = "19.09";
}