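{ pkgs, config, lib, ... }: {
  # NixOS configuration for the "nki-personal" cloud host.
  # Secrets are provisioned through sops-nix (see "Secret management" below);
  # services read them via `config.sops.secrets.<name>.path` rather than from
  # literals in this file.
  imports = [
    ./hardware-configuration.nix
    # Set up cloud
    ../modules/cloud/postgresql
    ../modules/cloud/traefik
    ../modules/cloud/bitwarden
    ../modules/cloud/mail
    ../modules/cloud/conduit
    ../modules/cloud/writefreely
  ];

  boot.cleanTmpDir = true;
  networking.hostName = "nki-personal";
  networking.firewall.allowPing = true;

  # SSH is enabled with a single authorized key for root; password and
  # root-login settings are left at the NixOS defaults.
  # NOTE(review): confirm those defaults are what is intended on this host.
  services.openssh.enable = true;
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLr1Q+PJuDYJtBAVMSU0U2kZi4V0Z7dE+dpRxa4aEDupSlcPCwSEtcpNME1up7z0yxjcIHHkBYq0RobIaLqwEmntnZzz37jg/iiHwyZsN93jZljId1X0uykcMem4ljiqgmRg3Fs8RKj2+N1ovpIZVDOWINLJJDVJntNvwW/anSCtx27FATVdroHoiyXCwVknG6p3bHU5Nd3idRMn45kZ7Qf1J50XUhtu3ehIWI2/5nYIbi8WDnzY5vcRZEHROyTk2pv/m9rRkCTaGnUdZsv3wfxeeT3223k0mUfRfCsiPtNDGwXn66HcG2cmhrBIeDoZQe4XNkzspaaJ2+SGQfO8Zf natsukagami@gmail.com"
  ];
  users.users.root.shell = pkgs.fish;

  environment.systemPackages = with pkgs; [
    git
    docker-compose
  ];
  virtualisation.docker.enable = true;

  # DigitalOcean monitoring agent.
  services.do-agent.enable = true;

  # Unattended upgrades from the flake; the host may reboot itself afterwards.
  system.autoUpgrade = {
    enable = true;
    allowReboot = true;
    flake = "github:natsukagami/nix-home#nki-personal-do";
  };

  nix = {
    package = pkgs.nixUnstable;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };

  # Secret management
  sops.defaultSopsFile = ./secrets/secrets.yaml;
  # Secrets are decrypted with the host's own SSH host key.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # tinc
  services.my-tinc.enable = true;
  services.my-tinc.hostName = "cloud";
  sops.secrets."tinc/rsa-private-key" = { };
  sops.secrets."tinc/ed25519-private-key" = { };
  services.my-tinc.rsaPrivateKey = config.sops.secrets."tinc/rsa-private-key".path;
  services.my-tinc.ed25519PrivateKey = config.sops.secrets."tinc/ed25519-private-key".path;

  # Set up traefik
  # Both secrets are consumed by the traefik service, hence owner = "traefik".
  sops.secrets.cloudflare-dns-api-token = { owner = "traefik"; };
  sops.secrets.traefik-dashboard-users = { owner = "traefik"; };
  cloud.traefik.cloudflareKeyFile = config.sops.secrets.cloudflare-dns-api-token.path;
  cloud.traefik.dashboard = {
    enable = true;
    usersFile = config.sops.secrets.traefik-dashboard-users.path;
  };
  # Dump traefik's certificates to disk; the mail server below reads them
  # from `certsDumper.destination`.
  cloud.traefik.certsDumper.enable = true;

  cloud.conduit.enable = true;
  cloud.conduit.package = pkgs.unstable.matrix-conduit;

  # Navidrome back to the PC
  cloud.traefik.hosts.navidrome = {
    host = "navidrome.nkagami.me";
    port = 4533;
    localHost = "11.0.0.2";
  };

  # Mail
  sops.secrets.mail-users = { owner = "maddy"; };
  cloud.mail = {
    enable = true;
    # NOTE(review): debug logging is still enabled; confirm it is wanted, as
    # verbose mail logs tend to include sender/recipient data.
    debug = true;
    # local_ip = (builtins.elemAt config.networking.interfaces.eth0.ipv4.addresses 0).address;
    tls.certFile = "${config.cloud.traefik.certsDumper.destination}/${config.cloud.mail.hostname}/certificate.crt";
    tls.keyFile = "${config.cloud.traefik.certsDumper.destination}/${config.cloud.mail.hostname}/privatekey.key";
    usersFile = config.sops.secrets.mail-users.path;
  };

  # Youmubot
  sops.secrets.youmubot-env = { };
  services.youmubot = {
    enable = true;
    envFile = config.sops.secrets.youmubot-env.path;
  };

  # Writefreely
  cloud.writefreely.enable = true;

  # Authentik (running under docker-compose T_T)
  cloud.traefik.hosts.authentik = { host = "auth.dtth.ch"; port = 9480; };

  # Outline
  # Both secrets are consumed by the outline service (storage.secretKeyFile and
  # oidcAuthentication.clientSecretFile below), so both get the same owner;
  # previously only the OIDC secret did.
  sops.secrets.minio-secret-key = { owner = "outline"; };
  sops.secrets.authentik-oidc-client-secret = { owner = "outline"; };
  services.outline = {
    enable = true;
    # Override the packaged outline with a pinned upstream revision; the yarn
    # cache hash has to be refreshed whenever `rev` changes.
    package = pkgs.outline.overrideAttrs (attrs: rec {
      src = pkgs.fetchFromGitHub {
        owner = "outline";
        repo = "outline";
        rev = "08a471f2306c045ea96b4c838b73ad28d8448875";
        sha256 = "sha256-HF/E9Spr7mJF8wrSFJv2HmV/wkjmNqmylvWshnvxg3w=";
      };

      yarnOfflineCache = pkgs.fetchYarnDeps {
        yarnLock = src + "/yarn.lock";
        sha256 = "sha256-8sWtN9uE5EUI9sybD1A5xAOq8mqBMQOx2AJ9Pw8i+rM=";
      };
    });
    # NOTE(review): the database password is a literal here, so it ends up in
    # the world-readable Nix store; acceptable only while the postgres role is
    # reachable from localhost alone. TLS is disabled for that local connection.
    databaseUrl = "postgres://outline:outline@localhost/outline?sslmode=disable";
    sequelizeArguments = "--env=production-ssl-disabled";
    redisUrl = "local";
    publicUrl = "https://wiki.dtth.ch";
    port = 18729;
    storage = {
      accessKey = "minio";
      secretKeyFile = config.sops.secrets.minio-secret-key.path;
      region = config.services.minio.region;
      uploadBucketUrl = "https://s3.dtth.ch";
      uploadBucketName = "dtth-outline";
      uploadMaxSize = 50 * 1024 * 1000;
    };
    maximumImportSize = 50 * 1024 * 1000;

    oidcAuthentication = {
      clientId = "3a0c10e00cdcb4a1194315577fa208a747c1a5f7";
      clientSecretFile = config.sops.secrets.authentik-oidc-client-secret.path;
      authUrl = "https://auth.dtth.ch/application/o/authorize/";
      tokenUrl = "https://auth.dtth.ch/application/o/token/";
      userinfoUrl = "https://auth.dtth.ch/application/o/userinfo/";
      displayName = "DTTH Account";
    };

    # Presumably TLS is terminated by traefik in front of the service
    # (see cloud.traefik.hosts.outline below) — confirm.
    forceHttps = false;
  };
  systemd.services.outline.environment.PGSSLMODE = "disable";
  cloud.postgresql.databases = [ "outline" ];
  # Reuse the service's own port so the two cannot drift apart.
  cloud.traefik.hosts.outline = { host = "wiki.dtth.ch"; port = config.services.outline.port; };

  # Minio
  sops.secrets.minio-credentials = { };
  services.minio = {
    enable = true;
    listenAddress = ":61929";
    consoleAddress = ":62929";
    rootCredentialsFile = config.sops.secrets.minio-credentials.path;
  };
  cloud.traefik.hosts.minio = { host = "s3.dtth.ch"; port = 61929; };

  system.stateVersion = "21.11";
}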