stuebinm
62917423e3
This does the same as the last commit did for the nftnat module, but for the more general nftables module. Note the weird whitespace again.
{ config, lib, pkgs, sources, modules, ... }:

# Host configuration for "parsons".  Shared policy comes from ../common and
# the service modules listed in `imports`; everything below is host-specific
# wiring: boot, networking, reverse proxy, backups and secret provisioning.
{
  imports = [
    ../common
    ./hardware.nix
    modules.encboot
    modules.nopersist
    ./nftables.nix
    ./nextcloud.nix
    ./mattermost.nix
    ./murmur.nix
    ./hedgedoc-hacc.nix
    ./hedgedoc-i4f.nix
    ./mail.nix
    ./forgejo.nix
    ./nginx-pages.nix
    ./vaultwarden.nix
    ./tracktrain.nix
    ./uffd.nix
    ./lxc.nix
  ];

  hacc = {
    # ACME state is kept on the persistent dataset; presumably so certificates
    # and account keys survive the nopersist root (see modules.nopersist).
    bindToPersist = [ "/var/lib/acme" ];
    encboot = {
      enable = true;
      dataset = "-a";
      networkDrivers = [ "igb" ];
    };
  };

  sops = {
    defaultSopsFile = ../secrets.yaml;
    # Decryption key is the host's ed25519 SSH key, read from /persist since
    # the rest of the root filesystem is not kept across boots.
    age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];
    # Declared secrets are materialised under /run/secrets/<name>; the restic
    # job below reads both of them from there.
    secrets = {
      "restic/system" = {};
      "restic/s3creds.env" = {};
    };
  };

  boot = {
    loader.grub = {
      enable = true;
      # Bootloader installed on both NVMe devices — looks like a mirrored
      # layout; confirm against hardware.nix.
      devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
    };
    supportedFilesystems = [ "zfs" ];
    # FTP connection-tracking/NAT helper, presumably for the NAT rules set up
    # by the nftables module.
    kernelModules = [ "nf_nat_ftp" ];
    # Forwarding is needed for NAT.  Priority 90 beats plain definitions
    # (priority 100) from other modules, so nothing else can silently turn it
    # back off; mkForce (50) would still override it.
    kernel.sysctl = {
      "net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
      "net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
    };
  };

  networking = {
    hostName = "parsons";
    # Required for ZFS pool import; must not change once the pool exists.
    hostId = "b2867696";
    useDHCP = true;
    nftables.enable = true;
    # Only HTTP/HTTPS are opened here; imported service modules may open
    # further ports of their own.
    firewall.allowedTCPPorts = [ 80 443 ];
    # Static IPv6 on the uplink; IPv4 is left to DHCP (useDHCP above).
    interfaces.enp35s0.ipv6.addresses = [{
      address = "2a01:4f9:3a:2ddb::1";
      prefixLength = 64;
    }];
    defaultGateway6 = {
      address = "fe80::1";
      interface = "enp35s0";
    };
  };

  services = {
    nginx = {
      enable = true;
      recommendedProxySettings = true;
      virtualHosts = {
        # Catch-all for requests whose Host header matches no other vhost:
        # answer 404 instead of falling through to some unrelated site.
        "parsons.hacc.space" = {
          default = true;
          locations."/".return = "404";
        };
        "hacc.space" = {
          enableACME = true;
          forceSSL = true;
          locations."/".return = "302 https://hacc.earth";
        };
      };
    };

    restic.backups.tardis = {
      # Both files are provisioned by sops (see sops.secrets above).
      passwordFile = "/run/secrets/restic/system";
      environmentFile = "/run/secrets/restic/s3creds.env";
      paths = [
        "/home"
        "/persist"
      ];
      pruneOpts = [
        "--keep-daily 7"
        "--keep-weekly 5"
        "--keep-monthly 3"
      ];
      repository = "b2:tardis-parsons:system";
    };
  };

  system.stateVersion = "21.05";
}