Diffstat (limited to 'system')
-rw-r--r--system/linde.nix60
-rwxr-xr-xsystem/nanopi.nix44
-rw-r--r--system/settings/configuration/nix.nix4
-rw-r--r--system/settings/user-interface.nix2
4 files changed, 54 insertions, 56 deletions
diff --git a/system/linde.nix b/system/linde.nix
index e5880491..ba88075d 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -13,7 +13,7 @@ let
   net-gw = "172.31.1.1";
   net-ip6 = "2a01:4f8:c012:23a4::1";
   net-rdnsip = "2a01:4f8:c012:23a4::53";
-  net-acmeip = "2a01:4f8:c012:23a4::715";
+  net-redisip = "2a01:4f8:c012:23a4::6379";
   net-mask6 = "64";
   net-gw6 = "fe80::1";
   domain = "alanpearce.eu";
@@ -43,6 +43,7 @@ in
     binarycache.file = ../secrets/binarycache.age;
     dex.file = ../secrets/dex.age;
     powerdns.file = ../secrets/powerdns.age;
+    redis-website.file = ../secrets/redis-website.age;
     golink = let golink = config.services.golink; in {
       # hope this doesn't collide...
       path = "${golink.dataDir}/.config/tsnet-golink/auth.key";
@@ -163,7 +164,7 @@ in
       ${net-ip4} = [ "${hostname}.alanpearce.eu" hostname ];
       ${net-ip6} = [ "${hostname}.alanpearce.eu" hostname ];
       ${net-rdnsip} = [ "dns" ];
-      ${net-acmeip} = [ "acme" ];
+      ${net-redisip} = [ "redis" ];
     };
     firewall = {
       enable = true;
@@ -176,6 +177,7 @@ in
         443
         53
         853
+        6379
         9418
         6922
       ];
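Review bot: Adding `6379` to what looks like the host-wide `allowedTCPPorts` list exposes the new Redis TLS listener (the `services.redis` hunk further down, bound to `net-redisip`) to any source address, and that listener is configured with `tls-auth-clients = false`, so the `requirePassFile` secret is the only thing gating access. If only one known client needs it, a source-restricted firewall rule for that peer, or client-certificate authentication with a dedicated CA, would be a smaller attack surface than a global port open. The `allowedTCPPorts` list this hunk edits starts before the hunk, so I cannot confirm it is not scoped to an interface.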
@@ -221,7 +223,7 @@ in
         address = [
           "${net-ip6}/${net-mask6}"
           "${net-rdnsip}/${net-mask6}"
-          "${net-acmeip}/${net-mask6}"
+          "${net-redisip}/${net-mask6}"
         ];
         addresses = [{
           Address = "${net-ip4}/${net-mask4}";
@@ -610,37 +612,11 @@ in
     };
   };
 
-  services.acme-dns = {
-    enable = true;
-    settings =
-      let
-        me = "acme.${domain}";
-      in
-      {
-        general = {
-          listen = "[${net-acmeip}]:53";
-          protocol = "both6";
-          domain = me;
-          nsname = me;
-          nsadmin = builtins.replaceStrings [ "@" ] [ "." ] config.security.acme.defaults.email;
-          records = [
-            "${me}. AAAA ${net-acmeip}"
-            "${me}. NS ${me}."
-          ];
-        };
-        api = {
-          ip = "[${net-acmeip}]";
-          tls = "letsencrypt";
-          port = 443;
-          notification-email = config.security.acme.defaults.email;
-        };
-      };
-  };
-
   security.acme = {
     defaults = {
       email = "alan@alanpearce.eu";
-      dnsProvider = "acme-dns";
+      dnsProvider = "pdns";
+      dnsResolver = "1.1.1.1:53";
       credentialsFile = config.age.secrets.acme.path;
       reloadServices = [ "caddy" ];
       validMinDays = 32;
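Review bot: Switching to `dnsProvider = "pdns"` keeps `credentialsFile = config.age.secrets.acme.path`, but nothing in this diff updates that secret from the acme-dns provider's contents to the variables the pdns provider reads, so renewals will fail if the file still holds the old credentials; presumably it was regenerated out of band, but it is worth confirming. The zone data that the removed `services.acme-dns` block served for `acme.${domain}` is not visible here; if the parent zone still carries an NS record for it pointing at the now-unassigned `net-acmeip`, that is a dangling delegation to clean up at the same time.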
@@ -656,6 +632,9 @@ in
     certs."stats.alanpearce.eu" = {
       extraDomainNames = [ "*.stats.alanpearce.eu" ];
     };
+    certs."redis.alanpearce.eu" = {
+      group = "redis-website";
+    };
   };
   users.groups.acme.members = [
     "caddy"
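Review bot: The new `certs."redis.alanpearce.eu"` entry inherits `reloadServices = [ "caddy" ]` from the defaults in the previous hunk, so when this certificate renews nothing signals the Redis instance, which reads `cert.pem`/`key.pem` at startup and will keep serving the expired chain until it is restarted. Consider overriding it on this cert, e.g. `reloadServices = [ "redis-website.service" ];` (the unit name is inferred from the server name `website` and should be checked against `systemctl`). The enclosing `security.acme` attribute set continues outside this hunk.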
@@ -988,6 +967,25 @@ in
     Requires = [ "etcd.service" ];
   };
 
+  services.redis = {
+    servers = {
+      website = {
+        enable = true;
+        port = 0;
+        bind = net-redisip;
+        databases = 1;
+        maxclients = 6;
+        requirePassFile = config.age.secrets.redis-website.path;
+        settings = {
+          tls-port = 6379;
+          tls-cert-file = "/var/lib/acme/redis.alanpearce.eu/cert.pem";
+          tls-key-file = "/var/lib/acme/redis.alanpearce.eu/key.pem";
+          tls-ca-cert-file = "/etc/ssl/certs/ca-certificates.crt";
+          tls-auth-clients = false;
+        };
+      };
+    };
+  };
 
   services.syncthing = {
     enable = true;
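Review bot: With `tls-auth-clients = false`, the `tls-ca-cert-file` line pointing at the system CA bundle is inert for incoming connections, since Redis only consults it to verify client certificates (and peers when replicating), so either drop it or make the intent explicit with a comment such as `# CA bundle only matters if tls-auth-clients is enabled`. If client authentication is turned on later, the full public bundle is the wrong trust anchor: it would accept any publicly issued certificate as a valid client, so point it at the CA that actually issues client certificates instead. `port = 0` correctly disables the plaintext listener, which is the right choice for a listener reachable on a public address.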
diff --git a/system/nanopi.nix b/system/nanopi.nix
index 3a95ebfc..3a0b55e3 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -11,9 +11,6 @@ in
 {
   imports = [
     ./nanopi-hardware.nix
-    <agenix/modules/age.nix>
-    <nixos-hardware/friendlyarm/nanopi-r5s>
-    <home-manager/nixos>
   ];
 
   age.secrets = {
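Review bot: Dropping the `<agenix/modules/age.nix>` and `<home-manager/nixos>` imports leaves `age.secrets` (next line of context) with no visible provider of the `age` option, so this file presumably now relies on the module being passed in by a flake or the calling configuration; confirm that, since an unevaluated `age.secrets` would fail at build rather than at runtime. A short comment on the `imports` list, e.g. `# agenix and home-manager modules are supplied by the flake`, would save the next reader the same question. The `imports` list is complete within the hunk, but the surrounding attribute set continues outside it.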
@@ -616,7 +613,6 @@ in
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvcW4Z9VxOQgEJjsRC1uSMwEJ4vru9BwjT+Z50nawp4 lan"
     ];
   };
-  home-manager.users.alan = import ../user/nanopi.nix;
 
   users.groups = {
     linde.members = [ ];
@@ -765,34 +761,34 @@ in
 
   services.samba = {
     enable = true;
-    enableNmbd = false;
-    extraConfig = ''
-      log level = 1
+    nmbd.enable = false;
+    settings = {
+      global = {
+        "log level" = 1;
 
-      interfaces = bridge0
+        "interfaces" = "bridge0";
 
-      min protocol = SMB2
-      disable netbios = yes
-      smb ports = 445
+        "min protocol" = "SMB2";
+        "disable netbios" = true;
+        "smb ports" = 445;
 
-      socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536
-      max xmit = 131072
-      min receivefile size = 131072
+        "socket options" = "IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536";
+        "max xmit" = 131072;
+        "min receivefile size" = 131072;
 
-      aio read size = 1
-      aio write size = 1
+        "aio read size" = 1;
+        "aio write size" = 1;
 
-      load printers = no
-      disable spoolss = yes
+        "load printers" = false;
+        "disable spoolss" = true;
 
-      mdns name = mdns
+        "mdns name" = "mdns";
 
-      follow symlinks = yes
+        "follow symlinks" = true;
 
-      veto files = /Thumbs.db/.DS_Store/._.DS_Store/.apdisk/
-      delete veto files = yes
-    '';
-    shares = {
+        "veto files" = "/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/";
+        "delete veto files" = true;
+      };
       public = {
         path = "/srv/public";
         browseable = "yes";
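Review bot: The converted `global` block keeps `"interfaces" = "bridge0"` but, as before the conversion, there is no `"bind interfaces only" = true;` next to it, and Samba only restricts which addresses smbd listens on when that option is set, so the `interfaces` line alone does not keep the service off the other interfaces. This is pre-existing behaviour carried over from `extraConfig`, but the rewrite is the natural place to add it. Style-wise, the share below still uses `browseable = "yes"` while the new global section uses Nix booleans; picking one form across `settings` would read more consistently. The `settings` attribute set continues outside this hunk.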
diff --git a/system/settings/configuration/nix.nix b/system/settings/configuration/nix.nix
index 105efaae..28da18c0 100644
--- a/system/settings/configuration/nix.nix
+++ b/system/settings/configuration/nix.nix
@@ -13,11 +13,15 @@
       warn-dirty = false;
       substituters = [
         "https://nix-community.cachix.org"
+        "https://deploy-rs.cachix.org"
         "https://binarycache.alanpearce.eu"
+        "https://deploy-rs.cachix.org"
       ];
 
       trusted-public-keys = [
+        "deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI="
         "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI="
         "binarycache.alanpearce.eu:ZwqO3XMuajPictjwih8OY2+RXnOKpjZEZFHJjGSxAI4="
       ];
     };
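Review bot: `"https://deploy-rs.cachix.org"` is added twice to `substituters` (once before and once after `binarycache.alanpearce.eu`), and the matching `deploy-rs.cachix.org-1:…` entry is likewise duplicated in `trusted-public-keys`; delete the second occurrence of each so the lists hold one entry per cache. Duplicates are harmless to Nix but make it harder to see at a glance which caches are trusted, which is the security-relevant property of these lists.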
diff --git a/system/settings/user-interface.nix b/system/settings/user-interface.nix
index 27f1d9aa..a1d31c3b 100644
--- a/system/settings/user-interface.nix
+++ b/system/settings/user-interface.nix
@@ -6,7 +6,7 @@
   documentation.info.enable = true;
 
   environment.systemPackages = with pkgs; [
-    epdfview
+    qpdfview
 
     lxappearance
     lxrandr