hosts: add phantom
This commit is contained in:
parent
c60e22b26a
commit
7ab7a3459a
|
@ -161,6 +161,10 @@
|
||||||
inherit system specialArgs;
|
inherit system specialArgs;
|
||||||
modules = [ ./hosts/ghost ];
|
modules = [ ./hosts/ghost ];
|
||||||
};
|
};
|
||||||
|
phantom = lib.nixosSystem {
|
||||||
|
inherit system specialArgs;
|
||||||
|
modules = [ ./hosts/phantom ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
homeConfigurations.lelgenio = inputs.home-manager.lib.homeManagerConfiguration {
|
homeConfigurations.lelgenio = inputs.home-manager.lib.homeManagerConfiguration {
|
||||||
|
|
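--- /dev/null
+++ b/hosts/phantom/default.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, inputs, ... }: {
+imports = [
+./vpsadminos.nix
+inputs.agenix.nixosModules.default
+../../system/nix.nix
+./hardware-config.nix
+./mastodon.nix
+./nextcloud.nix
+./nginx.nix
+./syncthing.nix
+./users.nix
+./writefreely.nix
+./renawiki.nix
+./email.nix
+];
+
+# # Enable networking
+# networking.networkmanager.enable = true;
+# Set your time zone.
+time.timeZone = "America/Sao_Paulo";
+# Select internationalisation properties.
+i18n.defaultLocale = "pt_BR.utf8";
+
+boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576;
+
+age = {
+identityPaths = [ "/root/.ssh/id_rsa" ];
+};
+
+system.autoUpgrade = {
+enable = true;
+dates = "04:40";
+allowReboot = true;
+operation = "switch";
+flags = [ "--update-input" "nixpkgs" "--no-write-lock-file" "-L" ];
+flake = "github:lelgenio/nixos-config#phantom";
+};
+
+system.stateVersion = "23.05"; # Never change this
+}
+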
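Review bot: The `system.autoUpgrade` block carries no comment explaining that the host now trusts an unpinned remote: `flake = "github:lelgenio/nixos-config#phantom"` with `--update-input nixpkgs --no-write-lock-file` and `allowReboot = true` means that every night at 04:40 the host switches to whatever the repository's default branch and the newest nixpkgs commit contain, and nothing on disk records which revisions were applied. That is a deliberate supply-chain trade-off worth stating next to the block, e.g. `# Unattended: follows the repo default branch and floats nixpkgs; rollback is via NixOS generations only`, and if a pinned nixpkgs is preferred, dropping `"--update-input" "nixpkgs"` from `flags` keeps the locked input. The `# # Enable networking` / `# networking.networkmanager.enable = true;` lines are commented-out leftovers and can be removed.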
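--- /dev/null
+++ b/hosts/phantom/email.nix
@@ -0,0 +1,35 @@
+{ pkgs, inputs, ... }: {
+# It's important to let Digital Ocean set the hostname so we get rDNS to work
+networking.hostName = "";
+
+imports = [
+inputs.nixos-mailserver.nixosModules.mailserver
+];
+
+mailserver = {
+enable = true;
+fqdn = "mail.lelgenio.xyz";
+domains = [ "lelgenio.xyz" ];
+certificateScheme = "acme-nginx";
+loginAccounts = {
+"lelgenio@lelgenio.xyz" = {
+hashedPassword = "$2y$05$z5s7QCXcs5uTFsfyYpwNJeWzb3RmzgWxNgcPCr0zjSytkLFF/qZmS";
+aliases = [ "postmaster@lelgenio.xyz" ];
+};
+};
+};
+
+# Webmail
+services.roundcube = rec {
+enable = true;
+package = pkgs.roundcube.withPlugins (p: [ p.carddav ]);
+hostName = "mail.lelgenio.xyz";
+extraConfig = ''
+$config['smtp_host'] = "tls://${hostName}:587";
+$config['smtp_user'] = "%u";
+$config['smtp_pass'] = "%p";
+$config['plugins'] = [ "carddav" ];
+'';
+};
+
+}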
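Review bot: The `hashedPassword` for `lelgenio@lelgenio.xyz` is a bcrypt hash with work factor `05` committed straight into the configuration, while every other service in this commit reads its credential through `config.age.secrets.*`; the hash is therefore in the same repository that `system.autoUpgrade` fetches from GitHub, and cost 5 is far below current bcrypt defaults, so an offline guess against it is cheap. Keep it consistent with the rest of the host by regenerating the hash at a higher cost, storing it as an age secret and referencing it with the mailserver module's `hashedPasswordFile` option instead of `hashedPassword`. The comment `# It's important to let Digital Ocean set the hostname so we get rDNS to work` does not match this host, which imports `./vpsadminos.nix`; if vpsAdminOS does not set the hostname the way Digital Ocean did, `networking.hostName = ""` will leave the host without a name that lines up with `mailserver.fqdn`, so the comment should name the actual provider and the behaviour it relies on.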
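--- /dev/null
+++ b/hosts/phantom/hardware-config.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, inputs, ... }: {
+swapDevices = [{
+device = "/swap/swapfile";
+size = (1024 * 2); # 2 GB
+}];
+}
+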
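--- /dev/null
+++ b/hosts/phantom/mastodon.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, inputs, ... }: {
+services.mastodon = {
+enable = true;
+configureNginx = true;
+localDomain = "social.lelgenio.xyz";
+smtp.fromAddress = "lelgenio@disroot.org";
+streamingProcesses = 2;
+extraConfig.SINGLE_USER_MODE = "true";
+};
+}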
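Review bot: `smtp.fromAddress = "lelgenio@disroot.org"` makes Mastodon send mail as a disroot.org sender, but no `smtp.host` or credentials are configured here and the only mail setup in this commit is the `lelgenio.xyz` mailserver in email.nix; unless the disroot.org SPF/DKIM policy authorizes this host (not visible from the change), receiving servers are likely to reject or junk notification mail sent under that domain. If the intent is to relay through this host, `smtp.fromAddress = "mastodon@lelgenio.xyz";` (or an alias declared in `mailserver.loginAccounts`) matches the domain the mailserver actually handles. A one-line comment on how outgoing Mastodon mail is expected to leave the host would make the choice reviewable.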
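--- /dev/null
+++ b/hosts/phantom/nextcloud.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, inputs, ... }: {
+services.nextcloud = {
+enable = true;
+package = pkgs.nextcloud27;
+hostName = "cloud.lelgenio.xyz";
+https = true;
+config = {
+adminpassFile = config.age.secrets.ghost-nextcloud.path;
+};
+};
+
+age = {
+secrets.ghost-nextcloud = {
+file = ../../secrets/ghost-nextcloud.age;
+mode = "400";
+owner = "nextcloud";
+group = "nextcloud";
+};
+};
+
+}
+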
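Review bot: `services.nextcloud.https = true` only makes Nextcloud generate https URLs; unlike renawiki.nix and syncthing.nix, nothing here sets `enableACME`/`forceSSL` on the nginx vhost the module creates for `cloud.lelgenio.xyz`, so that vhost presumably answers on plain HTTP and the admin credentials would travel in the clear on first login. Add `services.nginx.virtualHosts."cloud.lelgenio.xyz" = { enableACME = true; forceSSL = true; };` next to the `services.nextcloud` block. Separately, this file, renawiki.nix and writefreely.nix all read secrets named and stored after the `ghost` host (`../../secrets/ghost-nextcloud.age`, `ghost-renawiki.age`, `ghost-writefreely.age`); if phantom is meant to have its own admin credentials, those files need a `phantom-` name and phantom's age recipient so the two hosts do not share passwords, and if the sharing is intentional a comment should say so.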
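--- /dev/null
+++ b/hosts/phantom/nginx.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, inputs, ... }: {
+services.nginx = {
+enable = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+};
+
+security.acme = {
+acceptTerms = true;
+defaults.email = "lelgenio@disroot.org";
+};
+
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
+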
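--- /dev/null
+++ b/hosts/phantom/renawiki.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, inputs, ... }: {
+services.mediawiki = {
+enable = true;
+name = "Rena Wiki";
+
+webserver = "nginx";
+nginx.hostName = "renawiki.lelgenio.xyz";
+passwordFile = config.age.secrets.ghost-renawiki.path;
+
+extensions.VisualEditor = null;
+};
+services.nginx.virtualHosts."renawiki.lelgenio.xyz" = {
+enableACME = true;
+forceSSL = true;
+};
+
+age.secrets.ghost-renawiki = {
+file = ../../secrets/ghost-renawiki.age;
+mode = "400";
+owner = "mediawiki";
+};
+}
+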
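--- /dev/null
+++ b/hosts/phantom/syncthing.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, inputs, ... }: {
+
+services.syncthing = {
+enable = true;
+dataDir = "/var/lib/syncthing-data";
+guiAddress = "0.0.0.0:8384";
+openDefaultPorts = true;
+};
+
+services.nginx.virtualHosts."syncthing.lelgenio.xyz" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:8384";
+extraConfig =
+# required when the target is also TLS server with multiple hosts
+"proxy_ssl_server_name on;" +
+# required when the server wants to use HTTP Authentication
+"proxy_pass_header Authorization;"
+;
+};
+};
+}
+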
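Review bot: `guiAddress = "0.0.0.0:8384"` binds the Syncthing GUI and REST API on every interface even though the nginx vhost proxies to `http://127.0.0.1:8384`, so the host firewall is the only thing keeping the unauthenticated API off the network (`openDefaultPorts = true` does not open 8384, but any later firewall change would expose it directly, bypassing the TLS vhost). Bind it locally, `guiAddress = "127.0.0.1:8384";`, so the ACME-terminated vhost is the only path in. Nothing in this file configures a GUI user/password or auth in front of the vhost; the `proxy_pass_header Authorization;` line suggests HTTP auth is expected somewhere, but it is not set up in this commit, so a comment stating where the GUI's authentication comes from (or the missing `services.nginx.virtualHosts.*.basicAuth`) would close that gap.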
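--- /dev/null
+++ b/hosts/phantom/users.nix
@@ -0,0 +1,38 @@
+{ pkgs, ... }: {
+security.rtkit.enable = true;
+services.openssh = {
+enable = true;
+ports = [ 9022 ];
+settings = {
+PasswordAuthentication = false;
+KbdInteractiveAuthentication = false;
+};
+};
+
+# Define a user account. Don't forget to set a password with ‘passwd’.
+users.mutableUsers = false;
+users.users.lelgenio = {
+isNormalUser = true;
+description = "Leonardo Eugênio";
+hashedPassword = "$y$j9T$0e/rczjOVCy7PuwC3pG0V/$gTHZhfO4wQSlFvbDyfghbCnGI2uDI0a52zSrQ/yOA5A";
+extraGroups = [ "networkmanager" "wheel" "docker" "adbusers" "bluetooth" "corectrl" "vboxusers" ];
+shell = pkgs.fish;
+openssh.authorizedKeys.keys = [
+"ssh-rsa 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 lelgenio@i15"
+];
+};
+users.users.root = {
+shell = pkgs.fish;
+openssh.authorizedKeys.keys = [
+"ssh-rsa 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 lelgenio@i15"
+];
+initialHashedPassword = "$y$j9T$E3aBBSSq0Gma8hZD9L7ov0$iCGDW4fqrXWfHO0qodBYYgMFA9CpIraoklHcPbJJrM3";
+};
+security.sudo.wheelNeedsPassword = false;
+
+programs.fish.enable = true;
+
+environment.systemPackages = with pkgs; [
+git
+];
+}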
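Review bot: `security.sudo.wheelNeedsPassword = false` gives `lelgenio` passwordless root, so any compromise of that account's SSH key is immediately root with no further check; since `hashedPassword` is set and `users.mutableUsers = false`, setting it to `true` works as-is and keeps the password prompt as a second check. The `extraGroups` list (`networkmanager`, `docker`, `adbusers`, `bluetooth`, `corectrl`, `vboxusers`) reads as copied from a desktop host: none of those services are enabled in this commit, and `docker` membership in particular is root-equivalent the moment Docker is turned on, so trim it to `extraGroups = [ "wheel" ];`. The same `ssh-rsa` key is authorized for both `lelgenio` and `root`, which makes the sudo setting moot for that key but still worth a comment if direct root login is intended. The comment `# Define a user account. Don't forget to set a password with ‘passwd’.` is stale under `mutableUsers = false`, where `passwd` changes do not persist.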
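--- /dev/null
+++ b/hosts/phantom/vpsadminos.nix
@@ -0,0 +1,67 @@
+# This file provides compatibility for NixOS to run in a container on vpsAdminOS
+# hosts.
+#
+# If you're experiencing issues, try updating this file to the latest version
+# from vpsAdminOS repository:
+#
+# https://github.com/vpsfreecz/vpsadminos/blob/staging/os/lib/nixos-container/vpsadminos.nix
+
+{ config, pkgs, lib, ... }:
+with lib;
+let
+nameservers = [
+"1.1.1.1"
+"2606:4700:4700::1111"
+];
+in {
+networking.nameservers = mkDefault nameservers;
+services.resolved = mkDefault { fallbackDns = nameservers; };
+networking.dhcpcd.extraConfig = "noipv4ll";
+
+systemd.services.systemd-sysctl.enable = false;
+systemd.services.systemd-oomd.enable = false;
+systemd.sockets."systemd-journald-audit".enable = false;
+systemd.mounts = [ {where = "/sys/kernel/debug"; enable = false;} ];
+systemd.services.rpc-gssd.enable = false;
+
+# Due to our restrictions in /sys, the default systemd-udev-trigger fails
+# on accessing PCI devices, etc. Override it to match only network devices.
+# In addition, boot.isContainer prevents systemd-udev-trigger.service from
+# being enabled at all, so add it explicitly.
+systemd.additionalUpstreamSystemUnits = [
+"systemd-udev-trigger.service"
+];
+systemd.services.systemd-udev-trigger.serviceConfig.ExecStart = [
+""
+"-udevadm trigger --subsystem-match=net --action=add"
+];
+
+boot.isContainer = true;
+boot.enableContainers = mkDefault true;
+boot.loader.initScript.enable = true;
+boot.specialFileSystems."/run/keys".fsType = mkForce "tmpfs";
+boot.systemdExecutable = mkDefault "/run/current-system/systemd/lib/systemd/systemd systemd.unified_cgroup_hierarchy=0";
+
+# Overrides for <nixpkgs/nixos/modules/virtualisation/container-config.nix>
+documentation.enable = mkOverride 500 true;
+documentation.nixos.enable = mkOverride 500 true;
+networking.useHostResolvConf = mkOverride 500 false;
+services.openssh.startWhenNeeded = mkOverride 500 false;
+
+# Bring up the network, /ifcfg.{add,del} are supplied by the vpsAdminOS host
+systemd.services.networking-setup = {
+description = "Load network configuration provided by the vpsAdminOS host";
+before = [ "network.target" ];
+wantedBy = [ "network.target" ];
+after = [ "network-pre.target" ];
+path = [ pkgs.iproute2 ];
+serviceConfig = {
+Type = "oneshot";
+RemainAfterExit = true;
+ExecStart = "${pkgs.bash}/bin/bash /ifcfg.add";
+ExecStop = "${pkgs.bash}/bin/bash /ifcfg.del";
+};
+unitConfig.ConditionPathExists = "/ifcfg.add";
+restartIfChanged = false;
+};
+}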
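--- /dev/null
+++ b/hosts/phantom/writefreely.nix
@@ -0,0 +1,25 @@
+{ config, pkgs, inputs, ... }: {
+services.writefreely = {
+enable = true;
+acme.enable = true;
+nginx.enable = true;
+nginx.forceSSL = true;
+host = "blog.lelgenio.xyz";
+admin.name = "lelgenio";
+admin.initialPasswordFile = config.age.secrets.ghost-writefreely.path;
+settings.app = {
+site_name = "Leo's blog";
+single_user = true;
+};
+};
+
+age = {
+secrets.ghost-writefreely = {
+file = ../../secrets/ghost-writefreely.age;
+mode = "400";
+owner = "writefreely";
+group = "writefreely";
+};
+};
+}
+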