diff options
Diffstat (limited to 'system')
-rw-r--r-- | system/linde.nix | 60 | ||||
-rwxr-xr-x | system/nanopi.nix | 44 | ||||
-rw-r--r-- | system/settings/configuration/nix.nix | 4 | ||||
-rw-r--r-- | system/settings/user-interface.nix | 2 |
4 files changed, 54 insertions, 56 deletions
diff --git a/system/linde.nix b/system/linde.nix index e5880491..ba88075d 100644 --- a/system/linde.nix +++ b/system/linde.nix @@ -13,7 +13,7 @@ let net-gw = "172.31.1.1"; net-ip6 = "2a01:4f8:c012:23a4::1"; net-rdnsip = "2a01:4f8:c012:23a4::53"; - net-acmeip = "2a01:4f8:c012:23a4::715"; + net-redisip = "2a01:4f8:c012:23a4::6379"; net-mask6 = "64"; net-gw6 = "fe80::1"; domain = "alanpearce.eu"; @@ -43,6 +43,7 @@ in binarycache.file = ../secrets/binarycache.age; dex.file = ../secrets/dex.age; powerdns.file = ../secrets/powerdns.age; + redis-website.file = ../secrets/redis-website.age; golink = let golink = config.services.golink; in { # hope this doesn't collide... path = "${golink.dataDir}/.config/tsnet-golink/auth.key"; @@ -163,7 +164,7 @@ in ${net-ip4} = [ "${hostname}.alanpearce.eu" hostname ]; ${net-ip6} = [ "${hostname}.alanpearce.eu" hostname ]; ${net-rdnsip} = [ "dns" ]; - ${net-acmeip} = [ "acme" ]; + ${net-redisip} = [ "redis" ]; }; firewall = { enable = true; @@ -176,6 +177,7 @@ in 443 53 853 + 6379 9418 6922 ]; @@ -221,7 +223,7 @@ in address = [ "${net-ip6}/${net-mask6}" "${net-rdnsip}/${net-mask6}" - "${net-acmeip}/${net-mask6}" + "${net-redisip}/${net-mask6}" ]; addresses = [{ Address = "${net-ip4}/${net-mask4}"; @@ -610,37 +612,11 @@ in }; }; - services.acme-dns = { - enable = true; - settings = - let - me = "acme.${domain}"; - in - { - general = { - listen = "[${net-acmeip}]:53"; - protocol = "both6"; - domain = me; - nsname = me; - nsadmin = builtins.replaceStrings [ "@" ] [ "." ] config.security.acme.defaults.email; - records = [ - "${me}. AAAA ${net-acmeip}" - "${me}. NS ${me}." - ]; - }; - api = { - ip = "[${net-acmeip}]"; - tls = "letsencrypt"; - port = 443; - notification-email = config.security.acme.defaults.email; - }; - }; - }; - security.acme = { defaults = { email = "alan@alanpearce.eu"; - dnsProvider = "acme-dns"; + dnsProvider = "pdns"; + dnsResolver = "1.1.1.1:53"; credentialsFile = config.age.secrets.acme.path; reloadServices = [ "caddy" ]; validMinDays = 32; @@ -656,6 +632,9 @@ in certs."stats.alanpearce.eu" = { extraDomainNames = [ "*.stats.alanpearce.eu" ]; }; + certs."redis.alanpearce.eu" = { + group = "redis-website"; + }; }; users.groups.acme.members = [ "caddy" @@ -988,6 +967,25 @@ in Requires = [ "etcd.service" ]; }; + services.redis = { + servers = { + website = { + enable = true; + port = 0; + bind = net-redisip; + databases = 1; + maxclients = 6; + requirePassFile = config.age.secrets.redis-website.path; + settings = { + tls-port = 6379; + tls-cert-file = "/var/lib/acme/redis.alanpearce.eu/cert.pem"; + tls-key-file = "/var/lib/acme/redis.alanpearce.eu/key.pem"; + tls-ca-cert-file = "/etc/ssl/certs/ca-certificates.crt"; + tls-auth-clients = false; + }; + }; + }; + }; services.syncthing = { enable = true; diff --git a/system/nanopi.nix b/system/nanopi.nix index 3a95ebfc..3a0b55e3 100755 --- a/system/nanopi.nix +++ b/system/nanopi.nix @@ -11,9 +11,6 @@ in { imports = [ ./nanopi-hardware.nix - <agenix/modules/age.nix> - <nixos-hardware/friendlyarm/nanopi-r5s> - <home-manager/nixos> ]; age.secrets = { @@ -616,7 +613,6 @@ in "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvcW4Z9VxOQgEJjsRC1uSMwEJ4vru9BwjT+Z50nawp4 lan" ]; }; - home-manager.users.alan = import ../user/nanopi.nix; users.groups = { linde.members = [ ]; @@ -765,34 +761,34 @@ in services.samba = { enable = true; - enableNmbd = false; - extraConfig = '' - log level = 1 + nmbd.enable = false; + settings = { + global = { + "log level" = 1; - interfaces = bridge0 + "interfaces" = "bridge0"; - min protocol = SMB2 - disable netbios = yes - smb ports = 445 + "min protocol" = "SMB2"; + "disable netbios" = true; + "smb ports" = 445; - socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536 - max xmit = 131072 - min receivefile size = 131072 + "socket options" = "IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536"; + "max xmit" = 131072; + "min receivefile size" = 131072; - aio read size = 1 - aio write size = 1 + "aio read size" = 1; + "aio write size" = 1; - load printers = no - disable spoolss = yes + "load printers" = false; + "disable spoolss" = true; - mdns name = mdns + "mdns name" = "mdns"; - follow symlinks = yes + "follow symlinks" = true; - veto files = /Thumbs.db/.DS_Store/._.DS_Store/.apdisk/ - delete veto files = yes - ''; - shares = { + "veto files" = "/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/"; + "delete veto files" = true; + }; public = { path = "/srv/public"; browseable = "yes"; diff --git a/system/settings/configuration/nix.nix b/system/settings/configuration/nix.nix index 105efaae..28da18c0 100644 --- a/system/settings/configuration/nix.nix +++ b/system/settings/configuration/nix.nix @@ -13,11 +13,15 @@ warn-dirty = false; substituters = [ "https://nix-community.cachix.org" + "https://deploy-rs.cachix.org" "https://binarycache.alanpearce.eu" + "https://deploy-rs.cachix.org" ]; trusted-public-keys = [ + "deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI=" "binarycache.alanpearce.eu:ZwqO3XMuajPictjwih8OY2+RXnOKpjZEZFHJjGSxAI4=" ]; }; diff --git a/system/settings/user-interface.nix b/system/settings/user-interface.nix index 27f1d9aa..a1d31c3b 100644 --- a/system/settings/user-interface.nix +++ b/system/settings/user-interface.nix @@ -6,7 +6,7 @@ documentation.info.enable = true; environment.systemPackages = with pkgs; [ - epdfview + qpdfview lxappearance lxrandr |