stuebinm
62917423e3
This does the same as the last commit did for the nftnat module, but for the more general nftables module. Note the weird whitespace again.
{ config, lib, pkgs, sources, modules, ... }:

# NixOS host configuration for the machine "parsons".
# Only host-specific settings live here; shared policy comes from ../common
# and each service is defined in the sibling ./*.nix file listed in `imports`.
{
  imports = [
    ../common
    ./hardware.nix
    modules.encboot
    modules.nopersist
    ./nftables.nix
    ./nextcloud.nix
    ./mattermost.nix
    ./murmur.nix
    ./hedgedoc-hacc.nix
    ./hedgedoc-i4f.nix
    ./mail.nix
    ./forgejo.nix
    ./nginx-pages.nix
    ./vaultwarden.nix
    ./tracktrain.nix
    ./uffd.nix
    ./lxc.nix
  ];

  # Options provided by the project's own modules (modules.encboot / modules.nopersist).
  hacc = {
    # Presumably keeps ACME account and certificate state across the
    # non-persistent root -- confirm against modules.nopersist.
    bindToPersist = [ "/var/lib/acme" ];
    encboot = {
      enable = true;
      dataset = "-a";
      networkDrivers = [ "igb" ];
    };
  };

  sops = {
    defaultSopsFile = ../secrets.yaml;
    # The host's persisted ed25519 SSH key is what decrypts secrets.yaml;
    # protecting /persist/ssh therefore protects the whole secret store.
    age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];
    # Exposed under /run/secrets/<name>; consumed by the restic backup below.
    secrets = {
      "restic/system" = {};
      "restic/s3creds.env" = {};
    };
  };

  boot = {
    loader.grub = {
      enable = true;
      devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
    };
    supportedFilesystems = [ "zfs" ];
    kernelModules = [ "nf_nat_ftp" ];
    kernel.sysctl = {
      # Priority 90: wins over a plain (100) or mkDefault definition elsewhere,
      # but still yields to mkForce (50). Forwarding is needed for the NAT
      # rules that presumably live in ./nftables.nix.
      "net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
      "net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
    };
  };

  networking = {
    hostName = "parsons";
    hostId = "b2867696";
    useDHCP = true;
    # nftables backend; the concrete ruleset is in ./nftables.nix.
    nftables.enable = true;
    interfaces.enp35s0.ipv6.addresses = [{
      address = "2a01:4f9:3a:2ddb::1";
      prefixLength = 64;
    }];
    defaultGateway6 = {
      address = "fe80::1";
      interface = "enp35s0";
    };
    # Only HTTP/HTTPS are opened here; other services must open their own ports.
    firewall.allowedTCPPorts = [ 80 443 ];
  };

  services = {
    nginx = {
      enable = true;
      recommendedProxySettings = true;
      virtualHosts = {
        # Catch-all for unmatched Host headers: plain HTTP, always 404.
        "parsons.hacc.space" = {
          default = true;
          locations."/".return = "404";
        };
        "hacc.space" = {
          enableACME = true;
          forceSSL = true;
          locations."/".return = "302 https://hacc.earth";
        };
      };
    };

    # Off-site backup; credentials come from the sops secrets declared above.
    # Note that /persist contains the sops decryption key, so the restic
    # password and repository credentials guard that key as well.
    restic.backups.tardis = {
      passwordFile = "/run/secrets/restic/system";
      environmentFile = "/run/secrets/restic/s3creds.env";
      paths = [
        "/home"
        "/persist"
      ];
      pruneOpts = [
        "--keep-daily 7"
        "--keep-weekly 5"
        "--keep-monthly 3"
      ];
      repository = "b2:tardis-parsons:system";
    };
  };

  system.stateVersion = "21.05";
}