haccfiles/hosts/parsons/configuration.nix
stuebinm 98c3c807c4
shortcut domains for services
as per Zauberberg's idea in mattermost last night [1], this adds an
extra domain, which just exists to make links to the various services
shorter, using nix to keep the whole thing easily changeable.

In particular, the "shortdomain" binding should be set to some domain we
actually own before anyone deploys this (I've set it to "i4f.de" as a
dummy value for now).

Potential caveats:
 - this uses ACME to get a certificate for each of the redirect domains,
   which may run into rate limits if we have too many of them.
 - there's nothing on the shortdomain itself. I suggest we could either
   use it as a general linkshortener, or generate a list of available
   domain shortcuts into html from nix

[1] https://mattermost.infra4future.de/hacc/pl/xks5naezcbn8myh79bq3dehmso
2021-10-07 17:50:50 +02:00


{ config, lib, pkgs, sources, modules, ... }:

{
  # Host configuration for "parsons". The individual services live under
  # ../../services and are only imported here; this file wires up boot,
  # networking, the catch-all web server and the system backup.
  imports = [
    ../../common
    ./hardware.nix
    modules.encboot
    modules.network.nftables
    modules.nftnat
    ((import sources.nix-hexchen) { }).profiles.nopersist
    ../../services/nextcloud
    ../../services/mattermost.nix
    ../../services/thelounge.nix
    ../../services/murmur.nix
    ../../services/hedgedoc-hacc.nix
    ../../services/hedgedoc-i4f.nix
    ../../services/mail.nix
    ../../services/syncthing.nix
    ../../services/gitlab.nix
    ../../services/nginx-pages.nix
    ../../services/gitlab-runner.nix
    ../../services/unifi.nix
    ../../services/lantifa.nix
    ../../services/vaultwarden.nix
    ../../services/shortdomains.nix
    ./lxc.nix
  ];

  hexchen = {
    # Remote unlock of the encrypted disks during early boot (modules.encboot).
    # NOTE(review): the meaning of dataset = "-a" is defined by that module —
    # check there before changing it.
    encboot = {
      enable = true;
      dataset = "-a";
      networkDrivers = [ "igb" ];
    };
    # NAT rules are generated by modules.nftnat on top of nftables.
    nftables.nat.enable = true;
  };

  boot = {
    loader.grub = {
      enable = true;
      version = 2;
      # Both NVMe devices get a bootloader so the machine still boots if one fails.
      devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
    };
    supportedFilesystems = [ "zfs" ];
    # Connection-tracking helper for active FTP through the NAT.
    kernelModules = [ "nf_nat_ftp" ];
    # Forwarding is required for NAT towards the containers; priority 90
    # wins over the module default without resorting to mkForce.
    kernel.sysctl = {
      "net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
      "net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
    };
  };

  networking = {
    hostId = "b2867696";
    useDHCP = true;
    nftables.enable = true;
    # Containers ("ve-*" interfaces) are NATed out through the uplink.
    nat = {
      internalInterfaces = [ "ve-+" ];
      externalInterface = "enp35s0";
    };
    interfaces.enp35s0.ipv6.addresses = [
      { address = "2a01:4f9:3a:2ddb::1"; prefixLength = 64; }
    ];
    defaultGateway6 = {
      address = "fe80::1";
      interface = "enp35s0";
    };
    # This file only opens HTTP and HTTPS on the host; anything else has to
    # be opened explicitly by the module that needs it.
    firewall.allowedTCPPorts = [ 80 443 ];
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      # Catch-all for requests whose Host header matches no other vhost.
      # It sets no TLS options and answers everything with a plain 404, so an
      # unknown name never gets proxied to one of the real services.
      "parsons.hacc.space" = {
        default = true;
        locations."/".return = "404";
      };
      # Bare domain only redirects to the public website.
      "hacc.space" = {
        enableACME = true;
        forceSSL = true;
        locations."/".return = "302 https://hacc.earth";
      };
    };
  };

  # Off-site backup of the persisted state. The repository password and the
  # object-storage credentials are read from files on the persisted dataset
  # at runtime, which keeps them out of the world-readable nix store.
  services.restic.backups.tardis = {
    passwordFile = "/persist/restic/system";
    s3CredentialsFile = "/persist/restic/system.s3creds";
    repository = "b2:tardis-parsons:system";
    paths = [
      "/home"
      "/persist"
    ];
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 3"
    ];
  };

  system.stateVersion = "21.05";
}