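{ config, lib, pkgs, sources, modules, ... }:

# Host configuration for "parsons": ZFS root with an encrypted boot that is
# unlocked over the network (hexchen.encboot), nftables NAT for the container
# interfaces, nginx as the shared HTTP/TLS front for the imported service
# modules, and restic backups of the persistent state to Backblaze B2.
{
  imports = [
    ../../common
    ./hardware.nix

    modules.encboot
    modules.network.nftables
    modules.nftnat
    ((import sources.nix-hexchen) {}).profiles.nopersist

    ../../services/nextcloud
    ../../services/mattermost.nix
    ../../services/thelounge.nix
    ../../services/murmur.nix
    ../../services/hedgedoc-hacc.nix
    ../../services/hedgedoc-i4f.nix
    ../../services/mail.nix
    ../../services/syncthing.nix
    ../../services/gitlab.nix
    ../../services/nginx-pages.nix
    ../../services/gitlab-runner.nix
    ../../services/unifi.nix
    ../../services/lantifa.nix
    # NOTE(review): the commit that added this module describes it as a
    # quick-and-dirty packaging: the backend is started with plain python
    # instead of a production WSGI server, and the keytracker keys and their
    # tokens were baked into the Nix store, which is world-readable on the
    # host. Confirm in keytracker.nix that those secrets have since been moved
    # out of the store (e.g. under /persist like the restic secrets below).
    ../../services/keytracker.nix

    ./lxc.nix
  ];

  # Encrypted boot: the initrd loads the igb NIC driver so the ZFS datasets
  # ("-a" = all of them) can be unlocked remotely before the root is mounted.
  hexchen.encboot = {
    enable = true;
    dataset = "-a";
    networkDrivers = [ "igb" ];
  };

  boot.loader.grub.enable = true;
  # Only GRUB 2 is supported; newer NixOS releases dropped this option, so it
  # can go away when stateVersion moves on.
  boot.loader.grub.version = 2;
  # GRUB is installed on both NVMe drives so the host still boots if one fails.
  boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
  boot.supportedFilesystems = [ "zfs" ];

  # hostId is required by ZFS for pool ownership; keep it stable across
  # rebuilds or the pool will refuse to import without -f.
  networking.hostId = "b2867696";
  networking.useDHCP = true;

  # nftables-based NAT: container interfaces (ve-*) are masqueraded out of
  # the uplink enp35s0.
  networking.nftables.enable = true;
  hexchen.nftables.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "enp35s0";

  networking.interfaces.enp35s0.ipv6.addresses = [{
    address = "2a01:4f9:3a:2ddb::1";
    prefixLength = 64;
  }];
  networking.defaultGateway6 = {
    address = "fe80::1";
    interface = "enp35s0";
  };

  boot = {
    # FTP NAT helper for the containers. Conntrack helpers parse untrusted
    # payloads in the kernel and can be abused to open return ports (ALG
    # abuse / NAT slipstreaming). Keep automatic helper assignment off
    # (net.netfilter.nf_conntrack_helper = 0, the kernel default) and attach
    # the helper only via explicit ct helper rules — confirm this in the
    # nftables ruleset provided by the imported modules.
    kernelModules = [ "nf_nat_ftp" ];
    kernel.sysctl = {
      # Priority 90 wins over plain assignments (priority 100) made elsewhere,
      # so forwarding for the containers cannot be switched off by accident.
      "net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
      "net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    # Hardened TLS defaults (TLS 1.2/1.3 only, modern cipher list, session
    # cache, OCSP stapling) for every ACME/SSL vhost defined here and in the
    # imported service modules; previously each vhost fell back to nginx's
    # own defaults.
    recommendedTlsSettings = true;
    virtualHosts = {
      # Catch-all for unknown Host headers. Without addSSL/forceSSL this
      # server block only listens on :80; on :443 nginx presumably falls back
      # to the first SSL server block it finds, so unknown names on HTTPS are
      # answered with some other site's certificate and config. Consider
      # giving this vhost its own certificate so it is the default on :443 too.
      "parsons.hacc.space" = {
        default = true;
        locations."/".return = "404";
      };
      "hacc.space" = {
        enableACME = true;
        forceSSL = true;
        locations."/".return = "302 https://hacc.earth";
      };
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Scheduled restic backup (module default timer) of the persistent state to
  # Backblaze B2. The repository password and S3 credentials live under
  # /persist, outside the world-readable Nix store — keep it that way.
  services.restic.backups.tardis = {
    passwordFile = "/persist/restic/system";
    s3CredentialsFile = "/persist/restic/system.s3creds";
    paths = [
      "/home"
      "/persist"
    ];
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 3"
    ];
    repository = "b2:tardis-parsons:system";
  };

  system.stateVersion = "21.05";
}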