bonfire/nixosConfigurations/catarina/default.nix
L-Nafaryus 1dc04e92b2
All checks were successful
nix / check (push) Successful in 4m46s
catarina: metrics
2024-10-10 12:43:33 +05:00

316 lines
6.4 KiB
Nix

{
config,
pkgs,
lib,
bonPkgs,
...
}: {
system.stateVersion = "23.11";
imports = [
./hardware.nix
./users.nix
# ./services/papermc.nix # disabled
./services/gitea.nix
./services/radio.nix
./services/matrix.nix
./services/metrics.nix
];
# Nix settings
nix = {
settings = {
experimental-features = ["nix-command" "flakes"];
trusted-users = ["l-nafaryus"];
allowed-users = ["l-nafaryus" "hydra" "hydra-www"];
substituters = [
"https://cache.elnafo.ru"
"https://bonfire.cachix.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"cache.elnafo.ru:j3VD+Hn+is2Qk3lPXDSdPwHJQSatizk7V82iJ2RP1yo="
"bonfire.cachix.org-1:mzAGBy/Crdf8NhKail5ciK7ZrGRbPJJobW6TwFb7WYM="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
auto-optimise-store = true;
allowed-uris = [
"github:"
"git+https://github.com/"
"git+ssh://github.com/"
"git+https://vcs.elnafo.ru/"
"git+ssh://vcs.elnafo.ru/"
];
};
gc = {
automatic = lib.mkDefault true;
dates = lib.mkDefault "weekly";
options = lib.mkDefault "--delete-older-than 28d";
};
};
# Nix packages
nixpkgs = {
hostPlatform = lib.mkDefault "x86_64-linux";
config.allowUnfree = true;
config.cudaSupport = false;
};
# Services
services.printing.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
services.openssh = {
enable = true;
startWhenNeeded = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
};
services.blueman.enable = true;
services.fail2ban = {
enable = true;
maxretry = 12;
ignoreIP = [
"192.168.0.0/16"
];
bantime = "3h";
bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64";
maxtime = "168h";
overalljails = true;
};
};
bonfire.withSecrets = true;
sops = config.bonfire.secrets.catarina.sops;
security.acme = {
acceptTerms = true;
defaults.email = "l.nafaryus@elnafo.ru";
defaults.group = "nginx";
certs = {
"elnafo.ru" = {
extraDomainNames = ["*.elnafo.ru"];
dnsProvider = "webnames";
credentialsFile = config.sops.secrets."dns".path;
webroot = null;
};
};
};
services.nginx = {
enable = true;
package = pkgs.nginx.override {withMail = true;};
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "5G";
virtualHosts = {
"elnafo.ru" = {
forceSSL = true;
enableACME = true;
root = "/var/www";
};
"*.elnafo.ru" = {
forceSSL = true;
useACMEHost = "elnafo.ru";
globalRedirect = "elnafo.ru";
};
"www.elnafo.ru" = {
forceSSL = true;
useACMEHost = "elnafo.ru";
globalRedirect = "elnafo.ru";
};
"bonfire.elnafo.ru" = {
forceSSL = true;
useACMEHost = "elnafo.ru";
locations."/".root = "${bonPkgs.bonfire-docs}";
};
"hydra.elnafo.ru" = {
forceSSL = true;
useACMEHost = "elnafo.ru";
locations."/".proxyPass = "http://127.0.0.1:3000";
};
"cache.elnafo.ru" = {
forceSSL = true;
useACMEHost = "elnafo.ru";
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
};
};
mailserver = {
enable = true;
fqdn = "elnafo.ru";
domains = ["elnafo.ru"];
certificateScheme = "acme-nginx";
enableImapSsl = true;
openFirewall = true;
localDnsResolver = true;
loginAccounts = config.bonfire.secrets.catarina.mailAccounts;
};
services.spoofdpi.enable = true;
services.btrfs.autoScrub = {
enable = true;
interval = "monthly";
fileSystems = ["/"];
};
services.btrbk = {
instances."catarina" = {
onCalendar = "daily";
settings = {
snapshot_preserve_min = "2d";
snapshot_preserve = "14d";
snapshot_dir = "/media/btrbk-snapshots";
target_preserve_min = "no";
target_preserve = "14d 8w *m";
volume."/" = {
target = "/media/btrbk-backups";
subvolume = {
"var/lib/gitea" = {};
"var/lib/postgresql" = {};
"var/lib/postfix" = {};
"var/vmail" = {};
};
};
};
};
};
services.transmission = {
enable = true;
openRPCPort = true;
settings = {
rpc-bind-address = "0.0.0.0";
rpc-whitelist = "127.0.0.1,192.168.156.101";
download-dir = "/media/storage/downloads";
incomplete-dir = "/media/storage/downloads/incomplete";
};
};
services.oscuro = {
enable = true;
discordTokenFile = config.sops.secrets.discordToken.path;
};
virtualisation = {
containers.enable = true;
podman = {
enable = true;
dockerCompat = true;
defaultNetwork.settings.dns_enabled = true;
};
};
services.hydra = {
enable = true;
listenHost = "127.0.0.1";
port = 3000;
hydraURL = "http://127.0.0.1:3000";
smtpHost = "elnafo.ru";
useSubstitutes = true;
notificationSender = "hydra@elnafo.ru";
buildMachinesFiles = [];
};
services.nix-serve = {
enable = true;
secretKeyFile = config.sops.secrets."nix-store/cache-key".path;
};
users.users."nix-serve" = {
description = "Nix-Serve Service";
createHome = false;
group = "nix-serve";
isSystemUser = true;
};
users.groups."nix-serve" = {};
# Packages
environment.systemPackages = with pkgs; [
wget
ntfs3g
sshfs
exfat
btrfs-progs
btrbk
lm_sensors
git
ripgrep
fd
lazygit
unzip
gnumake
fishPlugins.fzf-fish
fishPlugins.tide
fishPlugins.grc
fishPlugins.hydro
nnn
fzf
grc
cachix
gnupg
nnn
htop
];
programs = {
fish.enable = true;
neovim = {
enable = true;
defaultEditor = true;
};
};
programs.ssh.extraConfig = ''
Host astora
HostName 192.168.156.101
Port 22
User l-nafaryus
Host catarina
HostName 192.168.156.102
Port 22
User l-nafaryus
'';
programs.direnv.enable = true;
}