stuebinm
98c3c807c4
as per Zauberberg's idea in mattermost last night [1], this adds an extra domain, which just exists to make links to the various services shorter, using a nix to keep the whole thing easily changeable. In particular, the "shortdomain" binding should be set to some domain we actually own before anyone deploys this (I've set it to "i4f.de" as a dummy value for now). Potential caveats: - this uses ACME to get a certificate for each of the redirect domains, which may run into rate limits if we have too many of them. - there's nothing on the shortdomain itself. I suggest we could either use it as a general linkshortener, or generate a list of available domain shortcuts into html from nix [1] https://mattermost.infra4future.de/hacc/pl/xks5naezcbn8myh79bq3dehmso
# NixOS host configuration for "parsons" (see the parsons.hacc.space
# default vhost below).  This is a NixOS module: it receives the standard
# module arguments plus `sources` (nix-hexchen pin) and `modules`
# (encboot / nftables / nftnat) from the flake or entry point that
# imports it.
{ config, lib, pkgs, sources, modules, ... }:

{
  imports = [
    # Shared settings for every host and this machine's hardware description.
    ../../common
    ./hardware.nix
    # Encrypted boot, nftables firewall and NAT modules passed in via `modules`.
    modules.encboot
    modules.network.nftables modules.nftnat
    # nix-hexchen "nopersist" profile: state is expected to live under
    # /persist (the restic paths and credential files below rely on that).
    ((import sources.nix-hexchen) {}).profiles.nopersist

    # One module per service hosted on this machine.
    ../../services/nextcloud
    ../../services/mattermost.nix
    ../../services/thelounge.nix
    ../../services/murmur.nix
    ../../services/hedgedoc-hacc.nix
    ../../services/hedgedoc-i4f.nix
    ../../services/mail.nix
    ../../services/syncthing.nix
    ../../services/gitlab.nix
    ../../services/nginx-pages.nix
    ../../services/gitlab-runner.nix
    ../../services/unifi.nix
    ../../services/lantifa.nix
    ../../services/vaultwarden.nix
    # Redirect domains added by this commit.  Per the commit message the
    # "shortdomain" value inside it is still a dummy ("i4f.de") and each
    # redirect domain requests its own ACME certificate, so the number of
    # domains is bounded by the CA's rate limits.
    ../../services/shortdomains.nix

    ./lxc.nix
  ];

  # Options consumed by the modules.encboot module imported above.  The
  # meaning of dataset = "-a" and of the driver list is defined there, not
  # here; this block only passes them through.
  hexchen.encboot = {
    enable = true;
    dataset = "-a";
    networkDrivers = [ "igb" ];
  };

  # GRUB 2 installed on both NVMe devices (mirrored boot), root on ZFS.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
  boot.supportedFilesystems = [ "zfs" ];

  # hostId is required by NixOS once ZFS support is enabled (ZFS ties pool
  # imports to it).  IPv4 comes via DHCP; IPv6 is configured statically below.
  networking.hostId = "b2867696";
  networking.useDHCP = true;
  # nftables replaces iptables; NAT is provided by the hexchen nftables NAT
  # module, masquerading the container veth interfaces (ve-+) out through
  # the uplink enp35s0.
  networking.nftables.enable = true;
  hexchen.nftables.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "enp35s0";

  # Static IPv6 on the uplink with the provider's link-local gateway.
  networking.interfaces.enp35s0.ipv6.addresses = [{
    address = "2a01:4f9:3a:2ddb::1";
    prefixLength = 64;
  }];
  networking.defaultGateway6 = {
    address = "fe80::1";
    interface = "enp35s0";
  };
  boot = {
    # Conntrack helper so active FTP works through the NAT above.
    kernelModules = [ "nf_nat_ftp" ];
    # Forwarding must stay on for the containers to reach the outside.
    # Priority 90 beats the default priority (100) of a plain definition
    # elsewhere, so another module cannot accidentally turn it off.
    kernel.sysctl = {
      "net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
      "net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      # Catch-all vhost: anything that matches no other server name gets a
      # plain 404.  NOTE(review): it has no enableACME/forceSSL, so which
      # certificate nginx presents for unknown Host names on 443 depends on
      # the other vhosts' listen configuration — confirm this is intended.
      "parsons.hacc.space" = {
        default = true;
        locations."/".return = "404";
      };
      # Apex domain: ACME certificate, HTTP upgraded to HTTPS, everything
      # redirected to hacc.earth.
      "hacc.space" = {
        enableACME = true;
        forceSSL = true;
        locations."/".return = "302 https://hacc.earth";
      };
    };
  };
  # Only HTTP/HTTPS are opened here; presumably the individual service
  # modules open whatever additional ports they need.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Restic backup of the persistent data to Backblaze B2.  The repository
  # password and S3 credentials are read from files under /persist rather
  # than being written into the (world-readable) Nix store; the access
  # permissions of those files are not set in this file — verify them on
  # the host.
  services.restic.backups.tardis = {
    passwordFile = "/persist/restic/system";
    s3CredentialsFile = "/persist/restic/system.s3creds";
    paths = [
      "/home"
      "/persist"
    ];
    # Retention: 7 daily, 5 weekly, 3 monthly snapshots.
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 3"
    ];
    repository = "b2:tardis-parsons:system";
  };

  # Do not bump without reading the NixOS release notes for stateful
  # services (databases, mail) on this host.
  system.stateVersion = "21.05";
}