
commit cfc5215e0173e1203a9628f5398aa63983579e81
parent defdafde1dce202cb68d11c75e63ce163eba4ad8
Author: Leah (ctucx) <leah@ctu.cx>
Date: Fri, 21 Jan 2022 14:21:35 +0100

add host: desastro
4 files changed, 170 insertions(+), 0 deletions(-)
A
machines/desastro/configuration.nix
|
89
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
machines/desastro/hardware-configuration.nix
|
27
+++++++++++++++++++++++++++
A
machines/desastro/restic-server.nix
|
28
++++++++++++++++++++++++++++
A
machines/desastro/syncthing.nix
|
26
++++++++++++++++++++++++++
diff --git a/machines/desastro/configuration.nix b/machines/desastro/configuration.nix
@@ -0,0 +1,89 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../configurations/common.nix
+    ./restic-server.nix
+    ./syncthing.nix
+  ];
+
+  boot = {
+    kernel.sysctl."net.ipv4.ip_forward"          = true;
+    kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
+
+    loader = {
+      grub.enable                = true;
+      grub.version               = 2;
+      grub.efiSupport            = true;
+      grub.efiInstallAsRemovable = true;
+      grub.device                = "nodev";
+    };
+
+    initrd.network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 22222;
+        hostKeys = [ /var/src/secrets/initrd-ecdsa-hostkey ];
+        authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+      };
+
+      postCommands = ''
+        echo 'cryptsetup-askpass' >> /root/.profile
+      '';
+    };
+  };
+
+
+
+  networking = {
+    hostName                         = "desastro";
+    domain                           = "wolfsburg.petabyte.dev";
+    useDHCP                          = false;
+	resolvconf.useLocalResolver      = lib.mkForce false;
+
+    interfaces.enp1s0.useDHCP        = true;
+
+    wireguard = {
+      enable = true;
+
+      interfaces.wg0 = {
+        listenPort             = 51820;
+        privateKeyFile         = "/root/wg0-privkey";
+        generatePrivateKeyFile = true;
+        postSetup              = "ip link set dev wg0 mtu 1500";
+
+        peers          = [
+          {
+	        allowedIPs = [ "195.39.246.32/28" "2a0f:4ac0:acab::1/62" ];
+	        publicKey  = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY=";
+          }
+#          {
+#          	allowedIPs = [ "195.39.247.51/32" "2a0f:4ac0:acab:1234::51/128" ];
+#          	publicKey  = "g8u4m8Lvj8tVOWWCnH4pWFJsAG53yLZP84bQ/hFbGXs=";
+#          }
+        ];
+      };
+    };
+
+    firewall = {
+      allowedUDPPorts = [ 51820 ];
+    };
+  };
+
+  services = {
+    vnstat.enable = true;
+    deluge = {
+      enable       = false;
+      openFirewall = true;
+      user         = "leah";
+      web = {
+        enable = true;
+      };
+    };
+  };
+
+  system.stateVersion = "20.09"; # Did you read the comment?
+  home-manager.users.leah.home.stateVersion = "20.09";
+}
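Review bot: `hostKeys = [ /var/src/secrets/initrd-ecdsa-hostkey ];` uses a Nix path literal, and a path literal that gets coerced to a string during evaluation is copied into the world-readable Nix store, which would expose the initrd SSH host key to every local user; unless the option is known to consume paths without string coercion, the string form `hostKeys = [ "/var/src/secrets/initrd-ecdsa-hostkey" ];` is the safer spelling and matches how `/var/src/secrets/restic-auth` is referenced elsewhere in this commit. The `authorizedKeys` expression in the same block grants initrd SSH access to every key of every `wheel` user, an intent worth a one-line comment such as `# initrd SSH is for remote LUKS unlock; every wheel user's keys are accepted`. `system.stateVersion = "20.09"` together with the template's `# Did you read the comment?` remark on a host added in January 2022 looks like a leftover; for a fresh install it should be the release the host was installed with. The `resolvconf.useLocalResolver` line and the commented-out peer lines are indented with tabs while the rest of the file uses spaces.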
diff --git a/machines/desastro/hardware-configuration.nix b/machines/desastro/hardware-configuration.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/39a948ca-fa39-436d-b9df-d07e71106200";
+      fsType = "xfs";
+    };
+
+  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/0c98d781-09e4-4ed9-9916-4579e178394b";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/8758-6FD1";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+}
diff --git a/machines/desastro/restic-server.nix b/machines/desastro/restic-server.nix
@@ -0,0 +1,28 @@
+{config, lib, pkgs, ...}:
+
+{
+  services.restic.server = {
+    enable     = true;
+    appendOnly = true;
+    extraFlags = [ "--no-auth" ];
+    dataDir    = "/var/lib/restic";
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."restic.desastro.ctu.cx" = {
+      enableACME = true;
+      forceSSL   = true;
+      locations."/" = {
+        proxyPass   = "http://127.0.0.1:8000/";
+        extraConfig = ''
+          client_max_body_size 10G;
+          auth_basic           Auth;
+          auth_basic_user_file /var/src/secrets/restic-auth;
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts  = [ 80 443 ];
+}
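Review bot: `extraFlags = [ "--no-auth" ]` disables rest-server's own authentication, leaving the nginx `auth_basic` block as the only gate, yet nothing pins the backend to loopback; if the module's default `listenAddress` binds all interfaces (as I believe it does), the unauthenticated backend on port 8000 is reachable from any interface the firewall does not cover, for example once another port is opened or the firewall is disabled. Add `listenAddress = "127.0.0.1:8000";` next to `dataDir` so the backend only answers on the `proxyPass` address. `appendOnly = true` is the right pairing with a single shared basic-auth credential, since a leaked password then cannot delete existing snapshots; a short comment stating that reasoning would help the next reader.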
diff --git a/machines/desastro/syncthing.nix b/machines/desastro/syncthing.nix
@@ -0,0 +1,26 @@
+{config, lib, pkgs, ...}:
+
+{
+  imports = [
+    ../../configurations/programs/syncthing.nix
+  ];
+
+  services = {
+    syncthing = {
+      guiAddress = "0.0.0.0:8384";
+    };
+
+    nginx = {
+      enable = true;
+      virtualHosts."syncthing.desastro.ctu.cx" = {
+        enableACME = true;
+        forceSSL   = true;
+        locations."/" = {
+          proxyPass   = "http://127.0.0.1:8384/";
+        };
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts  = [ 80 443 ];
+}
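Review bot: `guiAddress = "0.0.0.0:8384"` binds the Syncthing GUI/API to every interface even though nginx only proxies to `127.0.0.1:8384`, so the GUI is reachable on every address the firewall does not block and depends solely on whatever GUI authentication `../../configurations/programs/syncthing.nix` (outside this diff) configures. If the wide bind is there to get past Syncthing's host-header check on proxied requests, the usual fix is to keep the loopback bind and have nginx rewrite the header: `guiAddress = "127.0.0.1:8384";` plus `extraConfig = "proxy_set_header Host localhost;";` inside `locations."/"`. Either way the chosen bind address deserves a comment, since the two settings disagree at a glance.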