nixos-config/hosts/ghost.nix

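# NixOS host "ghost": a DigitalOcean droplet running Nextcloud, Mastodon,
# WriteFreely and Syncthing behind nginx with ACME certificates.
# Service secrets come from agenix and are decrypted with root's SSH key.
{ config, pkgs, inputs, ... }: {
  imports = [
    "${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix"
    inputs.agenix.nixosModules.default
    ../system/nix.nix
  ];

  # Use more aggressive compression than the default.
  virtualisation.digitalOceanImage.compressionMethod = "bzip2";

  # Enable networking
  networking.networkmanager.enable = true;

  # Set your time zone.
  time.timeZone = "America/Sao_Paulo";

  # Select internationalisation properties.
  i18n.defaultLocale = "pt_BR.utf8";

  security.rtkit.enable = true;

  # SSH on a non-standard port, public-key authentication only.  The openssh
  # module opens this port in the firewall on its own (openFirewall defaults
  # to true), which is why 9022 does not appear in allowedTCPPorts below.
  services.openssh = {
    enable = true;
    ports = [ 9022 ];
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  # User accounts are fully declarative: with mutableUsers = false nothing
  # changed via passwd/useradd survives a rebuild, so passwords are set here
  # through their hashes.
  users.mutableUsers = false;
  users.users.lelgenio = {
    isNormalUser = true;
    description = "Leonardo Eugênio";
    # This hash is committed with the configuration; anyone who can read the
    # repository can run offline guessing against it, so the password behind
    # it must be strong.  SSH itself never accepts it (password auth is off).
    hashedPassword = "$y$j9T$0e/rczjOVCy7PuwC3pG0V/$gTHZhfO4wQSlFvbDyfghbCnGI2uDI0a52zSrQ/yOA5A";
    extraGroups = [ "networkmanager" "wheel" "docker" "adbusers" "bluetooth" "corectrl" "vboxusers" ];
    shell = pkgs.fish;
    openssh.authorizedKeys.keys = [
      "ssh-rsa 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 lelgenio@i15"
    ];
  };
  # Root accepts the same workstation key directly.  NixOS's default
  # PermitRootLogin is "prohibit-password", so this is key-only; together
  # with the wheel rule below it means that one key is the single factor
  # for full root access on this host.
  users.users.root = {
    shell = pkgs.fish;
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15"
    ];
    initialHashedPassword = "$y$j9T$E3aBBSSq0Gma8hZD9L7ov0$iCGDW4fqrXWfHO0qodBYYgMFA9CpIraoklHcPbJJrM3";
  };

  # Members of wheel (lelgenio above) escalate to root without a password.
  security.sudo.wheelNeedsPassword = false;

  programs.fish.enable = true;

  environment.systemPackages = with pkgs; [
    git
  ];

  # Nextcloud: the admin password is read from an agenix secret at runtime
  # rather than being stored in the Nix store.
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud27;
    hostName = "cloud.lelgenio.xyz";
    https = true;
    config = {
      adminpassFile = config.age.secrets.ghost-nextcloud.path;
    };
  };

  services.mastodon = {
    enable = true;
    localDomain = "social.lelgenio.xyz";
    configureNginx = true;
    smtp.fromAddress = "lelgenio@disroot.org";
    extraConfig.SINGLE_USER_MODE = "true";
  };

  # WriteFreely: initial admin password likewise comes from an agenix secret.
  services.writefreely = {
    enable = true;
    acme.enable = true;
    nginx.enable = true;
    nginx.forceSSL = true;
    host = "blog.lelgenio.xyz";
    admin.name = "lelgenio";
    admin.initialPasswordFile = config.age.secrets.ghost-writefreely.path;
    settings.app = {
      site_name = "Leo's blog";
      single_user = true;
    };
  };

  # TLS termination for Nextcloud; the Nextcloud module provides the vhost,
  # this only turns on ACME and HTTPS redirection for it.
  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
    forceSSL = true;
    enableACME = true;
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "lelgenio@disroot.org";
  };

  services.syncthing = {
    enable = true;
    dataDir = "/var/lib/syncthing-data";
    # The web GUI is only ever reached through the nginx reverse proxy below,
    # which connects to 127.0.0.1:8384.  Binding to loopback instead of
    # 0.0.0.0 removes the direct listener from every other interface, so the
    # GUI stays unreachable even if the firewall rules are loosened later.
    guiAddress = "127.0.0.1:8384";
    # Opens the sync-protocol ports (22000 TCP/UDP, 21027 UDP) in the
    # firewall; the GUI port is not among them.
    openDefaultPorts = true;
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
  };

  # Public HTTPS entry point for the Syncthing GUI.  No authentication is
  # added at the proxy, so access control relies entirely on the GUI
  # credentials configured inside Syncthing.
  services.nginx.virtualHosts."syncthing.lelgenio.xyz" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8384";
      extraConfig =
        # required when the target is also TLS server with multiple hosts
        "proxy_ssl_server_name on;" +
        # required when the server wants to use HTTP Authentication
        "proxy_pass_header Authorization;"
      ;
    };
  };

  # Only HTTP/HTTPS are opened explicitly here; SSH (9022) and the Syncthing
  # sync ports are opened by their respective modules.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  swapDevices = [{
    device = "/swap/swapfile";
    size = (1024 * 2); # 2 GiB (size is given in MiB)
  }];

  # agenix: secrets are decrypted at activation with root's SSH private key,
  # so that key protects every secret listed here.  Each decrypted file is
  # readable only by the service account that consumes it.
  age = {
    identityPaths = [ "/root/.ssh/id_rsa" ];
    secrets.ghost-nextcloud = {
      file = ../secrets/ghost-nextcloud.age;
      mode = "400";
      owner = "nextcloud";
      group = "nextcloud";
    };
    secrets.ghost-writefreely = {
      file = ../secrets/ghost-writefreely.age;
      mode = "400";
      owner = "writefreely";
      group = "writefreely";
    };
  };

  fileSystems."/var" = {
    device = "/dev/disk/by-uuid/b19e7272-8fd1-4999-93eb-abc6d5c0a1cc";
    fsType = "btrfs";
    options = [ "subvol=@var" ];
  };

  system.stateVersion = "23.05"; # Never change this
}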