Tristan Daniël Maat
7095ab2631
This has fallen into disuse since the big Java vulnerability, and I have ideas for better ways of doing this. Meanwhile it's making maintenance and refactoring more difficult. Hence I'll remove the server completely for the time being.
{
  config,
  pkgs,
  lib,
  ...
}: let
  # Reverse-proxy vhost template: TLS only, ACME-issued certificate, a
  # one-year HSTS policy covering subdomains, and everything forwarded to a
  # backend on loopback. `overrides` is merged on top with
  # lib.recursiveUpdate, so a caller-supplied key replaces the default at
  # that path (an `extraConfig` override would replace the HSTS line, not
  # append to it).
  proxyTo = port: overrides:
    lib.recursiveUpdate {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://127.0.0.1:${toString port}";
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      '';
    }
    overrides;

  baseDomain = config.services.nginx.domain;
in {
  imports = [
    ./services/gitea.nix
    ./services/nextcloud.nix
    ./services/webserver.nix
    ./services/starbound.nix
    ./ids.nix
  ];

  # Flakes-capable nix with the experimental features switched on.
  nix.package = pkgs.nixFlakes;
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
  # Lets tlater push builds to this host from another machine. Trusted
  # users may hand the daemon arbitrary settings (substituters, sandbox
  # paths), which amounts to root on the host -- acceptable here only
  # because the same account already holds wheel.
  nix.trustedUsers = ["@wheel"];

  # Unfree packages are rejected unless they are one of these two.
  nixpkgs.config.allowUnfreePredicate = pkg: let
    name = lib.getName pkg;
  in
    name == "steam-runtime" || name == "steamcmd";

  # Encrypted secrets live in the shared external key file; `steam` is
  # declared here and presumably consumed by the starbound module --
  # verify there.
  sops.defaultSopsFile = ../keys/external.yaml;
  sops.secrets.steam = {};

  # Kernel timer tuning: high-resolution timers and tickless mode off.
  boot.kernelParams = ["highres=off" "nohz=off"];

  networking.hostName = "tlaternet";
  # Classic eth0 naming, a single interface configured via DHCP.
  networking.usePredictableInterfaceNames = false;
  networking.useDHCP = false;
  networking.interfaces.eth0.useDHCP = true;
  # 80/443 are nginx, 2222 is sshd (see services.openssh.ports below);
  # 2221 and 21025 are presumably the gitea SSH and starbound ports set in
  # the imported service modules -- confirm there. Nothing else is
  # reachable from outside.
  networking.firewall.allowedTCPPorts = [80 443 2222 2221 21025];

  time.timeZone = "Europe/London";

  # The single admin account: sudo via wheel, key-only SSH login.
  users.users.tlater = {
    isNormalUser = true;
    extraGroups = ["wheel"];
    openssh.authorizedKeys.keyFiles = [../keys/tlater.pub];
  };

  services.openssh = {
    enable = true;
    ports = [2222];
    startWhenNeeded = true;
    # Key-only access, no root login, no SFTP subsystem.
    passwordAuthentication = false;
    permitRootLogin = "no";
    allowSFTP = false;
    # "yes" binds remote forwards (ssh -R) to all interfaces instead of
    # loopback. Only ports the firewall above opens are reachable from
    # outside, but a key holder can publish a forwarded service on any
    # of those that is free.
    gatewayPorts = "yes";
  };

  services.nginx = {
    enable = true;
    domain = "tlater.net";
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    # Very large request bodies pass through the proxy (presumably for
    # nextcloud uploads); applies to every vhost below.
    clientMaxBodySize = "10G";

    virtualHosts = {
      "${baseDomain}" = proxyTo 3002 {serverAliases = ["www.${baseDomain}"];};
      "gitea.${baseDomain}" = proxyTo 3000 {};
      "nextcloud.${baseDomain}" = proxyTo 3001 {};
    };
  };

  # Contact address for Let's Encrypt; terms must be accepted explicitly.
  security.acme.email = "tm@tlater.net";
  security.acme.acceptTerms = true;

  # Containers run rootless-capable podman rather than docker.
  virtualisation.oci-containers.backend = "podman";

  system.stateVersion = "20.09";
}