ghost: split config

Leonardo Eugênio 2023-10-26 11:27:09 -03:00
parent b8081cf4c6
commit 884d02f003
10 changed files with 183 additions and 155 deletions


@ -146,7 +146,7 @@
}; };
ghost = lib.nixosSystem { ghost = lib.nixosSystem {
inherit system specialArgs; inherit system specialArgs;
modules = [ ./hosts/ghost.nix ]; modules = [ ./hosts/ghost ];
}; };
}; };


@ -1,154 +0,0 @@
{ config, pkgs, inputs, ... }: {
imports = [
"${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix"
inputs.agenix.nixosModules.default
../system/nix.nix
];
# Use more aggressive compression then the default.
virtualisation.digitalOceanImage.compressionMethod = "bzip2";
# Enable networking
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "America/Sao_Paulo";
# Select internationalisation properties.
i18n.defaultLocale = "pt_BR.utf8";
security.rtkit.enable = true;
services.openssh = {
enable = true;
ports = [ 9022 ];
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
# Define a user account. Don't forget to set a password with passwd.
users.mutableUsers = false;
users.users.lelgenio = {
isNormalUser = true;
description = "Leonardo Eugênio";
hashedPassword = "$y$j9T$0e/rczjOVCy7PuwC3pG0V/$gTHZhfO4wQSlFvbDyfghbCnGI2uDI0a52zSrQ/yOA5A";
extraGroups = [ "networkmanager" "wheel" "docker" "adbusers" "bluetooth" "corectrl" "vboxusers" ];
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-rsa 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 lelgenio@i15"
];
};
users.users.root = {
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-rsa 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 lelgenio@i15"
];
initialHashedPassword = "$y$j9T$E3aBBSSq0Gma8hZD9L7ov0$iCGDW4fqrXWfHO0qodBYYgMFA9CpIraoklHcPbJJrM3";
};
security.sudo.wheelNeedsPassword = false;
programs.fish.enable = true;
environment.systemPackages = with pkgs; [
git
];
services.nextcloud = {
enable = true;
package = pkgs.nextcloud27;
hostName = "cloud.lelgenio.xyz";
https = true;
config = {
adminpassFile = config.age.secrets.ghost-nextcloud.path;
};
};
services.mastodon = {
enable = true;
localDomain = "social.lelgenio.xyz";
configureNginx = true;
smtp.fromAddress = "lelgenio@disroot.org";
extraConfig.SINGLE_USER_MODE = "true";
};
services.writefreely = {
enable = true;
acme.enable = true;
nginx.enable = true;
nginx.forceSSL = true;
host = "blog.lelgenio.xyz";
admin.name = "lelgenio";
admin.initialPasswordFile = config.age.secrets.ghost-writefreely.path;
settings.app = {
site_name = "Leo's blog";
single_user = true;
};
};
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
};
security.acme = {
acceptTerms = true;
defaults.email = "lelgenio@disroot.org";
};
services.syncthing = {
enable = true;
dataDir = "/var/lib/syncthing-data";
guiAddress = "0.0.0.0:8384";
openDefaultPorts = true;
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
services.nginx.virtualHosts."syncthing.lelgenio.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
extraConfig =
# required when the target is also TLS server with multiple hosts
"proxy_ssl_server_name on;" +
# required when the server wants to use HTTP Authentication
"proxy_pass_header Authorization;"
;
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
swapDevices = [{
device = "/swap/swapfile";
size = (1024 * 2); # 2 GB
}];
age = {
identityPaths = [ "/root/.ssh/id_rsa" ];
secrets.ghost-nextcloud = {
file = ../secrets/ghost-nextcloud.age;
mode = "400";
owner = "nextcloud";
group = "nextcloud";
};
secrets.ghost-writefreely = {
file = ../secrets/ghost-writefreely.age;
mode = "400";
owner = "writefreely";
group = "writefreely";
};
};
fileSystems."/var" = {
device = "/dev/disk/by-uuid/b19e7272-8fd1-4999-93eb-abc6d5c0a1cc";
fsType = "btrfs";
options = [ "subvol=@var" ];
};
system.stateVersion = "23.05"; # Never change this
}

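--- a/hosts/ghost/default.nix
+++ b/hosts/ghost/default.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, inputs, ... }: {
+imports = [
+"${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix"
+inputs.agenix.nixosModules.default
+../../system/nix.nix
+./hardware-config.nix
+./mastodon.nix
+./nextcloud.nix
+./nginx.nix
+./syncthing.nix
+./users.nix
+./writefreely.nix
+];
+# Use more aggressive compression then the default.
+virtualisation.digitalOceanImage.compressionMethod = "bzip2";
+# Enable networking
+networking.networkmanager.enable = true;
+# Set your time zone.
+time.timeZone = "America/Sao_Paulo";
+# Select internationalisation properties.
+i18n.defaultLocale = "pt_BR.utf8";
+age = {
+identityPaths = [ "/root/.ssh/id_rsa" ];
+};
+system.stateVersion = "23.05"; # Never change this
+}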
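Review bot: `age.identityPaths = [ "/root/.ssh/id_rsa" ];` makes every agenix secret on this host depend on a long-lived root RSA key that nothing in this configuration provisions, so an image built from `digital-ocean-image.nix` boots with `ghost-nextcloud` and `ghost-writefreely` undecryptable (and Nextcloud/WriteFreely unable to read their admin-password files) until someone copies that key in by hand. Unless the key is needed for something else, drop the override and let agenix fall back to its default identities, which as far as I recall are the sshd host keys under `/etc/ssh` that the system generates on first boot, re-keying the `.age` files to the host's public key. If the override is intentional, document the bootstrap step next to it, e.g. `# /root/.ssh/id_rsa is provisioned out of band; secrets stay undecryptable until it exists`. Note also that a key used only for decryption should not be one that also grants SSH access anywhere, which this path does not make clear.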


@ -0,0 +1,13 @@
{ config, pkgs, inputs, ... }: {
swapDevices = [{
device = "/swap/swapfile";
size = (1024 * 2); # 2 GB
}];
fileSystems."/var" = {
device = "/dev/disk/by-uuid/b19e7272-8fd1-4999-93eb-abc6d5c0a1cc";
fsType = "btrfs";
options = [ "subvol=@var" ];
};
}

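--- a/hosts/ghost/mastodon.nix
+++ b/hosts/ghost/mastodon.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, inputs, ... }: {
+services.mastodon = {
+enable = true;
+localDomain = "social.lelgenio.xyz";
+configureNginx = true;
+smtp.fromAddress = "lelgenio@disroot.org";
+extraConfig.SINGLE_USER_MODE = "true";
+};
+services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+forceSSL = true;
+enableACME = true;
+};
+}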
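Review bot: The `services.nginx.virtualHosts.${config.services.nextcloud.hostName}` block at the end of this file is Nextcloud configuration that landed in the Mastodon module during the split: it is the only place that puts `forceSSL`/`enableACME` on the Nextcloud vhost, so `nextcloud.nix` now silently depends on `mastodon.nix` being imported to serve over TLS, and this file in turn cannot evaluate unless `services.nextcloud.hostName` is set somewhere. Move those four lines into `hosts/ghost/nextcloud.nix` next to `services.nextcloud` so each module stands on its own. Mastodon's own vhost for `social.lelgenio.xyz` comes from `configureNginx = true`, so nothing in this file is lost by the move.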

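--- a/hosts/ghost/nextcloud.nix
+++ b/hosts/ghost/nextcloud.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, inputs, ... }: {
+services.nextcloud = {
+enable = true;
+package = pkgs.nextcloud27;
+hostName = "cloud.lelgenio.xyz";
+https = true;
+config = {
+adminpassFile = config.age.secrets.ghost-nextcloud.path;
+};
+};
+age = {
+secrets.ghost-nextcloud = {
+file = ../../secrets/ghost-nextcloud.age;
+mode = "400";
+owner = "nextcloud";
+group = "nextcloud";
+};
+};
+}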

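--- a/hosts/ghost/nginx.nix
+++ b/hosts/ghost/nginx.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, inputs, ... }: {
+services.nginx = {
+enable = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+};
+security.acme = {
+acceptTerms = true;
+defaults.email = "lelgenio@disroot.org";
+};
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+}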

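--- a/hosts/ghost/syncthing.nix
+++ b/hosts/ghost/syncthing.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, inputs, ... }: {
+services.syncthing = {
+enable = true;
+dataDir = "/var/lib/syncthing-data";
+guiAddress = "0.0.0.0:8384";
+openDefaultPorts = true;
+};
+services.nginx.virtualHosts."syncthing.lelgenio.xyz" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:8384";
+extraConfig =
+# required when the target is also TLS server with multiple hosts
+"proxy_ssl_server_name on;" +
+# required when the server wants to use HTTP Authentication
+"proxy_pass_header Authorization;"
+;
+};
+};
+}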
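Review bot: `guiAddress = "0.0.0.0:8384"` binds the Syncthing GUI and REST API on every interface although the only intended client is the nginx vhost on the same host, which proxies to `127.0.0.1:8384`; bind it to loopback, `guiAddress = "127.0.0.1:8384";`, so the exposure no longer hinges on the firewall (8384 is not in `allowedTCPPorts` and `openDefaultPorts` only opens the sync/discovery ports, so today the NixOS firewall is the only thing keeping the API off the Internet). The public vhost `syncthing.lelgenio.xyz` then fronts the GUI with TLS but no authentication of its own, so this setup relies on a GUI user and password being set in Syncthing's own config, which this module does not manage — presumably done through the UI; confirm that, or put `basicAuthFile` on the location as a second layer. The `proxy_ssl_server_name on;` directive and its comment are no-ops here because `proxyPass` is plain `http://`; drop them rather than suggest the backend speaks TLS.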

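--- a/hosts/ghost/users.nix
+++ b/hosts/ghost/users.nix
@@ -0,0 +1,38 @@
+{ pkgs, ... }: {
+security.rtkit.enable = true;
+services.openssh = {
+enable = true;
+ports = [ 9022 ];
+settings = {
+PasswordAuthentication = false;
+KbdInteractiveAuthentication = false;
+};
+};
+# Define a user account. Don't forget to set a password with passwd.
+users.mutableUsers = false;
+users.users.lelgenio = {
+isNormalUser = true;
+description = "Leonardo Eugênio";
+hashedPassword = "$y$j9T$0e/rczjOVCy7PuwC3pG0V/$gTHZhfO4wQSlFvbDyfghbCnGI2uDI0a52zSrQ/yOA5A";
+extraGroups = [ "networkmanager" "wheel" "docker" "adbusers" "bluetooth" "corectrl" "vboxusers" ];
+shell = pkgs.fish;
+openssh.authorizedKeys.keys = [
+"ssh-rsa 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 lelgenio@i15"
+];
+};
+users.users.root = {
+shell = pkgs.fish;
+openssh.authorizedKeys.keys = [
+"ssh-rsa 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 lelgenio@i15"
+];
+initialHashedPassword = "$y$j9T$E3aBBSSq0Gma8hZD9L7ov0$iCGDW4fqrXWfHO0qodBYYgMFA9CpIraoklHcPbJJrM3";
+};
+security.sudo.wheelNeedsPassword = false;
+programs.fish.enable = true;
+environment.systemPackages = with pkgs; [
+git
+];
+}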
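Review bot: Root stays directly reachable over SSH — the `users.users.root` block carries the same authorized key as `lelgenio`, and `PermitRootLogin` is left at the sshd module default, which as far as I recall is `prohibit-password`, i.e. key login allowed — while `lelgenio` is already in `wheel` with `security.sudo.wheelNeedsPassword = false`, so the root login path adds no capability, only a second privileged account to defend and audit; set `PermitRootLogin = "no";` under `services.openssh.settings` and drop `openssh.authorizedKeys.keys` from the root block. The comment `# Define a user account. Don't forget to set a password with passwd.` is stale now that `users.mutableUsers = false` follows it, since a `passwd` change does not survive the next rebuild; reword it to `# mutableUsers = false: passwords come only from the hashedPassword values below`. The `extraGroups` list (`docker`, `adbusers`, `bluetooth`, `corectrl`, `vboxusers`) reads like a workstation profile copied onto a droplet, and `docker` membership in particular is root-equivalent; trim it to the groups this host actually needs, which depends on services not visible in this hunk.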


@ -0,0 +1,25 @@
{ config, pkgs, inputs, ... }: {
services.writefreely = {
enable = true;
acme.enable = true;
nginx.enable = true;
nginx.forceSSL = true;
host = "blog.lelgenio.xyz";
admin.name = "lelgenio";
admin.initialPasswordFile = config.age.secrets.ghost-writefreely.path;
settings.app = {
site_name = "Leo's blog";
single_user = true;
};
};
age = {
secrets.ghost-writefreely = {
file = ../../secrets/ghost-writefreely.age;
mode = "400";
owner = "writefreely";
group = "writefreely";
};
};
}