
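{ config, lib, pkgs, ... }:

let
  # Single source of truth for the uplink interface name. It is referenced by
  # the initrd network setup, both default gateways and the address block
  # below, which previously repeated the literal "ens3" in each place.
  iface = "ens3";
in

{

  # this enables the following services: dns
  deployment.tags          = [ "dnsServer" ];

  imports = [
    ./hardware-configuration.nix

    # monitoring
    ./prometheus.nix
    ./grafana

    # cal- and card-dav server
    ./radicale.nix

    # git server (gitolite+stagit)
    ./git.nix

    # vaultwarden password-store
    ./vaultwarden.nix

    # communication
    ./fedi
    ./matrix
    ./mail

    ./websites
    ./grocy.nix
    ./travelynx2fedi.nix
  ];

  # Publish this host's own A/AAAA records under the ctu.cx zone.
  dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP;

  # age-encrypted secrets consumed by the restic server configuration.
  age.secrets = {
    restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age;
    restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age;
  };

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    # Bring the network up inside the initrd so the disk can be unlocked over
    # SSH (see the cryptsetup-askpass hook at the end of postCommands).
    initrd.network = {
      enable = true;
      ssh    = {
        enable         = true;
        port           = 22;
        # NOTE(review): this reuses the system's regular sshd host key. With
        # systemd-boot the initrd, and anything appended to it, lives on the
        # unencrypted ESP, so the main host identity becomes readable by anyone
        # with access to /boot. A key dedicated to the initrd would bound that
        # exposure; not changed here because generating and deploying such a
        # key is an out-of-band step.
        hostKeys       = [ /etc/ssh/ssh_host_rsa_key ];
        # Every authorized key of every user in "wheel" may log in as root in
        # the initrd (and therefore enter the disk passphrase).
        authorizedKeys = lib.concatLists (lib.mapAttrsToList
          (_: user: lib.optionals (lib.elem "wheel" user.extraGroups) user.openssh.authorizedKeys.keys)
          config.users.users);
      };

      # Static addressing in the initrd, mirroring the `networking` block
      # below. The v6 address is added as a /128 here (the running system uses
      # /64) and the gateway is reached via `onlink`, so no prefix route is
      # required for it.
      postCommands = ''
        ip link set dev ${iface} up
        ip addr add ${config.networking.primaryIP}/128 dev ${iface}
        ip route add default via ${config.networking.defaultGateway6.address} dev ${iface} onlink

        ip addr add ${config.networking.primaryIP4}/22 dev ${iface}
        ip route add default via ${config.networking.defaultGateway.address} dev ${iface} onlink
        echo 'cryptsetup-askpass' >> /root/.profile
      '';
    };
  };

  networking = {
    primaryIP    = "2a03:4000:50:e8::1";
    primaryIP4   = "94.16.104.148";

    # NOTE(review): upstream lookups go to public resolvers; nothing in this
    # file configures transport encryption for them. The host is tagged
    # "dnsServer" above, so check whether it should use its own resolver.
    resolvconf.enable = false;
    nameservers       = [ "8.8.8.8" "1.1.1.1" ];

    defaultGateway  = {
      interface = iface;
      address   = "94.16.104.1";
    };
    defaultGateway6 = {
      interface = iface;
      address   = "fe80::1";
    };

    interfaces.${iface} = {
      ipv4.addresses = [{
        address      = config.networking.primaryIP4;
        prefixLength = 22;
      }];
      ipv6.addresses = [{
        address      = config.networking.primaryIP;
        prefixLength = 64;
      }];
    };

    # Use the nftables firewall backend.
    nftables.enable = true;
  };

  services.email-notify.enable = true;

  system.stateVersion = "23.11";
  home-manager.users.leah.home.stateVersion = "23.11";

}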