Diffstat (limited to 'system/linde.nix')
-rw-r--r-- | system/linde.nix | 172 |
1 files changed, 161 insertions, 11 deletions
diff --git a/system/linde.nix b/system/linde.nix
index f255bc30..c0af9144 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -13,13 +13,22 @@ let
 net-gw = "172.31.1.1";
 net-ip6 = "2a01:4f8:c012:23a4::1";
 net-rdnsip = "2a01:4f8:c012:23a4::53";
+ net-acmeip = "2a01:4f8:c012:23a4::715";
 net-mask6 = "64";
 net-gw6 = "fe80::1";
+ domain = "alanpearce.eu";
 ts-domain = "hydra-pinecone.ts.net";
+ golink = (builtins.getFlake (toString <golink>)).nixosModules.default;
 in {
 imports = [
+ <personal/modules/nixos/laminar.nix>
+ <personal/modules/nixos/goatcounter.nix>
+ <home-manager/nixos>
+ <agenix/modules/age.nix>
+ <searchix/nix/modules>
+ golink
 # Include the results of the hardware scan.
 ./linde-hardware.nix
@@ -67,7 +76,6 @@ in
 environment.systemPackages = with pkgs; [
 htop
 lsof
- gitMinimal
 powerdns
 sqlite-interactive
 knot-dns
@@ -150,6 +158,7 @@ in
 networking = {
 hostName = hostname;
+ inherit domain;
 useDHCP = false;
 dhcpcd.enable = false;
 nameservers = [
@@ -162,6 +171,7 @@ in
 ${net-ip4} = [ "${hostname}.alanpearce.eu" hostname ];
 ${net-ip6} = [ "${hostname}.alanpearce.eu" hostname ];
 ${net-rdnsip} = [ "dns" ];
+ ${net-acmeip} = [ "acme" ];
 };
 firewall = {
 enable = true;
@@ -219,6 +229,7 @@ in
 address = [
 "${net-ip6}/${net-mask6}"
 "${net-rdnsip}/${net-mask6}"
+ "${net-acmeip}/${net-mask6}"
 ];
 addresses = [{
 Address = "${net-ip4}/${net-mask4}";
@@ -304,7 +315,7 @@ in
 users.users.root.shell = "${pkgs.fish}/bin/fish";
 users.users.alan = {
 shell = "${pkgs.fish}/bin/fish";
- extraGroups = [ "wheel" "caddy" "docker" ];
+ extraGroups = [ "wheel" "caddy" "docker" "laminar" ];
 isNormalUser = true;
 home = "/home/alan";
 createHome = true;
@@ -313,6 +324,9 @@ in
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8VIII+598QOBxi/52O1Kb19RdUdX0aZmS1/dNoyqc5 alan@hetzner.strongbox"
 ];
 };
+ home-manager = {
+ users.alan = import ../user/server.nix;
+ };
 users.users.nixremote = {
 shell = "/bin/sh";
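Review bot: The `golink` binding in the first hunk resolves its module through NIX_PATH with `builtins.getFlake (toString <golink>)`, so, like the `<personal/...>` imports next to it, nothing in this file records which golink revision ends up on the host; evaluation silently follows whatever the deploying machine has checked out. A one-line comment above the binding would make that visible to the next reader, e.g. `# Unpinned: resolved from NIX_PATH at evaluation time, so the deployed golink revision follows the deploying checkout.` The `let` block this line belongs to begins before the hunk.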
@@ -336,11 +350,24 @@ in
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
 system.stateVersion = "23.05"; # Did you read the comment?
+ services.goatcounter = {
+ enable = true;
+ listenAddress = "localhost";
+ port = 8082;
+ package = (import <personal> { inherit pkgs; }).goatcounter;
+ settings = {
+ tls = "proxy";
+ websocket = true;
+ automigrate = true;
+ smtp = "smtp://localhost:25";
+ };
+ };
+
 services.powerdns = let
 inherit (lib.lists) flatten;
 inherit (lib.strings) concatStringsSep;
- he = rec {
+ he = {
 notify = "216.218.130.2";
 axfr = [
 "216.218.133.2"
@@ -437,6 +464,24 @@ in
 };
 };
+ services.postfix =
+ let
+ localUser = "alan";
+ forwardingAddress = "alan@alanpearce.eu";
+ in
+ {
+ enable = true;
+ destination = [ ];
+ domain = config.networking.domain;
+ virtual = ''
+ @${config.networking.hostName}.${config.networking.domain} ${localUser}
+ ${localUser} ${forwardingAddress}
+ '';
+ config = {
+ inet_interfaces = "loopback-only";
+ };
+ };
+
 services.kresd = {
 enable = true;
 # package = pkgs.knot-resolver.override { extraFeatures = true; };
@@ -572,11 +617,37 @@ in
 };
 };
+ services.acme-dns = {
+ enable = true;
+ settings =
+ let
+ me = "acme.${domain}";
+ in
+ {
+ general = {
+ listen = "[${net-acmeip}]:53";
+ protocol = "both6";
+ domain = me;
+ nsname = me;
+ nsadmin = builtins.replaceStrings [ "@" ] [ "." ] config.security.acme.defaults.email;
+ records = [
+ "${me}. AAAA ${net-acmeip}"
+ "${me}. NS ${me}."
+ ];
+ };
+ api = {
+ ip = "[${net-acmeip}]";
+ tls = "letsencrypt";
+ port = 443;
+ notification-email = config.security.acme.defaults.email;
+ };
+ };
+ };
+
 security.acme = {
 defaults = {
 email = "alan@alanpearce.eu";
- dnsProvider = "pdns";
- dnsResolver = "1.1.1.1:53";
+ dnsProvider = "acme-dns";
 credentialsFile = config.age.secrets.acme.path;
 reloadServices = [ "caddy" ];
 validMinDays = 32;
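Review bot: The `api` block of `services.acme-dns.settings` in the `@@ -572` hunk publishes acme-dns's registration endpoint on the public `[${net-acmeip}]:443` listener without `disable_registration`, so arbitrary clients can register and serve TXT records under `acme.${domain}`; once the ACME client on this host has registered, add `disable_registration = true;` next to `notification-email`. `credentialsFile` in the `security.acme` part of the same hunk still points at the secret that carried the pdns provider's settings, and the acme-dns provider reads different variables (`ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`), so confirm that secret has been regenerated — the diff cannot show it. The firewall block touched earlier in this diff is not shown opening 53 or 443 on the new address, and Caddy's `:443` listener may already bind that port on every address, so both are worth checking before relying on `tls = "letsencrypt"` for the acme-dns API.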
@@ -589,6 +660,9 @@ in
 reloadServices = map (x: "kresd@${toString x}") (range 1 config.services.kresd.instances);
 group = "knot-resolver";
 };
+ certs."stats.alanpearce.eu" = {
+ extraDomainNames = [ "*.stats.alanpearce.eu" ];
+ };
 };
 users.groups.acme.members = [
 "caddy"
@@ -676,7 +750,10 @@ in
 extraConfig = ''
 encode zstd gzip
 ${security-headers {}}
- reverse_proxy localhost${config.services.ntfy-sh.settings.listen-http}
+ reverse_proxy localhost${config.services.ntfy-sh.settings.listen-http} {
+ health_uri /v1/health
+ health_body `"healthy":true`
+ }
 '';
 };
 "searchix.alanpearce.eu" = {
@@ -705,10 +782,41 @@ in
 ns = config.services.nix-serve;
 in {
+ useACMEHost = "alanpearce.eu";
 extraConfig = ''
 reverse_proxy ${ns.bindAddress}:${toString ns.port}
 '';
 };
+ "ci.alanpearce.eu" =
+ let
+ srv = config.services.laminar;
+ in
+ {
+ useACMEHost = "alanpearce.eu";
+ extraConfig = ''
+ reverse_proxy ${srv.settings.bindHTTP}
+ '';
+ };
+ "stats.alanpearce.eu" =
+ let
+ srv = config.services.goatcounter;
+ in
+ {
+ useACMEHost = "stats.alanpearce.eu";
+ serverAliases = [ "*.stats.alanpearce.eu" ];
+ extraConfig = ''
+ reverse_proxy ${srv.listenAddress}:${toString srv.port}
+ '';
+ };
+ "go.alanpearce.eu" = {
+ useACMEHost = "alanpearce.eu";
+ extraConfig = ''
+ encode zstd gzip
+ ${security-headers {}}
+ root * /srv/http/go
+ file_server
+ '';
+ };
 };
 };
 systemd.services.caddy.serviceConfig = {
@@ -906,17 +1014,17 @@ in
 {
 script-src = [
 (baseURL + "/static/")
- "https://gc.zgo.at"
+ "https://searchix.stats.alanpearce.eu"
 "https://js-de.sentry-cdn.com"
 "https://browser.sentry-cdn.com"
 ];
 img-src = [
 self
- "https://gc.zgo.at"
+ "https://searchix.stats.alanpearce.eu"
 ];
 connect-src = [
 self
- "https://searchix.goatcounter.com/count"
+ "https://searchix.stats.alanpearce.eu/count"
 "*.sentry.io"
 ];
 worker-src = [
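Review bot: The new `ci.alanpearce.eu` vhost in the `@@ -705` hunk puts laminar's HTTP interface on the public internet with nothing in front of it, while the neighbouring vhosts in this file wrap their upstream in `encode zstd gzip` and `${security-headers {}}`; the `stats.alanpearce.eu` block below it has the same gap. Laminar's web interface is, as far as I recall, read-only (jobs are queued through its local socket), so what becomes reachable is build logs and artifacts — confirm those carry no secrets from the jobs, or place an authentication directive before the `reverse_proxy ${srv.settings.bindHTTP}` line. The enclosing `virtualHosts` set starts before this hunk.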
@@ -927,8 +1035,8 @@ in
 <script async src="https://js-de.sentry-cdn.com/d735e99613a86e1625fb85d0e8e762de.min.js" crossorigin="anonymous"></script>
- <script data-goatcounter="https://searchix.goatcounter.com/count"
- async src="//gc.zgo.at/count.v4.js"
+ <script data-goatcounter="https://searchix.stats.alanpearce.eu/count"
+ async src="//searchix.stats.alanpearce.eu/count.v4.js"
 crossorigin="anonymous" integrity="sha384-nRw6qfbWyJha9LhsOtSb2YJDyZdKvvCFh0fJYlkquSFjUxp9FVNugbfy8q1jdxI+"></script>
 '';
@@ -958,4 +1066,46 @@ in
 };
 };
 };
+
+ programs.git = {
+ enable = true;
+ package = pkgs.gitMinimal;
+ config = {
+ advice = {
+ detachedHead = false;
+ mergeConflict = false;
+ };
+ };
+ };
+
+ systemd.services.laminar.environment = {
+ NIX_PATH = "nixpkgs=${<nixpkgs>}";
+ };
+ services.laminar = {
+ enable = true;
+ path = with pkgs; [
+ bash
+ coreutils
+ git
+ cached-nix-shell
+ nix
+ config.programs.ssh.package
+ flock
+ just
+ ];
+ settings = {
+ bindHTTP = "[::1]:8002";
+ keepRundirs = 1;
+ };
+ };
+ users.users.laminar = {
+ homeMode = "770";
+ };
+
+ virtualisation.containers = {
+ enable = true;
+ policy = {
+ default = [{ type = "insecureAcceptAnything"; }];
+ };
+ };
 }
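Review bot: The `integrity="sha384-…"` context line in the `@@ -927` hunk keeps the hash that was computed for the CDN's `count.v4.js`, while the added `src` line now points at the self-hosted `searchix.stats.alanpearce.eu`; if the file this goatcounter package serves differs from the CDN copy by a single byte, the browser refuses to execute it and page views silently stop being counted, with nothing but a console error to show for it. Either recompute the hash from the file actually served by the goatcounter build referenced in this diff, or drop `integrity` now that the script comes from an origin this configuration controls. The surrounding `''` string starts outside the hunk.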
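Review bot: `default = [{ type = "insecureAcceptAnything"; }]` in the `@@ -958` hunk disables image signature verification for every registry, and nothing in the block says whether that is deliberate or merely restates what the containers module appears to ship by default; a comment such as `# No signature verification for pulled images — TODO state why this is acceptable` would make the decision reviewable. `homeMode = "770"` on the laminar user deserves the same treatment, since together with the `"laminar"` group added to `alan` in an earlier hunk it makes the CI home directory group-writable, e.g. `# group-writable so members of the laminar group can manage job definitions`. Both observations come from this diff alone; the laminar module imported as `<personal/modules/nixos/laminar.nix>` is not visible here.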