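# Host "fugitive": a public-facing node running gitea, headscale and the
# observatory stack behind nginx, reachable over SSH/mosh and a WireGuard
# link to the host "labyrinth". `agenix` is accepted but not referenced in
# this file; the `age.secrets` options come from the agenix module imported
# elsewhere in the flake.
{ config, pkgs, agenix, ... }:

let
  # Listening ports used by this host. Only `ssh` and `wg0` are referenced
  # below; `gitea` and `headscale` are not read anywhere in this file and
  # are kept only as documentation (their ports are presumably set inside
  # ../../modules/gitea and ../../modules/headscale — verify there).
  ports = {
    ssh = [ 2322 2323 2324 ];
    gitea = 10010;
    headscale = 10020;
    wg0 = 51820;
  };

  # Public keys of the peer host "labyrinth": its WireGuard key (wg0 peer
  # below) and the Nix store signing key we trust for paths it serves.
  pubkeys = {
    labyrinth = {
      wg = "fGP6Iebdk31dDtreRmvrur+9IzRL56v3N/sw1ILGPSk=";
      nix = "labyrinth-1:GCR2h5k9WFvome2mrFRBtiWw7sAn+pYZwXRwAj9W0b0=";
    };
  };
in
{
  imports = [
    ./hardware.nix

    ../../modules/gitea
    ../../modules/headscale
    ../../modules/observatory

    ../../users/christian
  ];

  services = {
    gitea.enable = true;
    headscale.enable = true;
    observatory.enable = true;

    nginx = {
      enable = true;
      recommendedProxySettings = true;
      # This is the public 80/443 listener fronting the ACME certificate
      # below, so use the nixpkgs TLS baseline (TLS 1.2+, modern cipher
      # list, OCSP stapling) instead of nginx's compiled-in defaults.
      recommendedTlsSettings = true;
    };

    openssh = {
      enable = true;
      ports = ports.ssh;
      settings = {
        # Key-only login. users.mutableUsers = false below and no password
        # is declared for christian in this file, so password and
        # keyboard-interactive auth have no legitimate use on this
        # internet-facing daemon and only present a brute-force target.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
    };
  };

  # mosh's module opens its UDP range (60000-61000) in the firewall by
  # default; that is in addition to the explicit firewall list below.
  programs.mosh.enable = true;

  # Declarative accounts only: users and their credentials come from this
  # configuration, not from passwd/shadow edits on the running host.
  users.mutableUsers = false;
  users.users = {
    christian = {
      isNormalUser = true;
      # wheel membership grants passwordless sudo and Nix trusted-user
      # status (both configured further down) — effectively root.
      extraGroups = [ "wheel" ];
    };
  };

  networking.hostName = "fugitive";

  # Only HTTP(S) and the WireGuard endpoint are opened here. The SSH ports
  # in `ports.ssh` and mosh's UDP range are opened by those modules'
  # openFirewall options, which default to true.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
    allowedUDPPorts = [ ports.wg0 ];
  };

  networking.wireguard.enable = true;
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.11.12.1/24" ];
      listenPort = ports.wg0;
      # The private key is generated by the module on first activation and
      # stays on the host filesystem; it is never written to the Nix store.
      privateKeyFile = "/srv/wireguard/wg0.private";
      generatePrivateKeyFile = true;

      peers = [{
        publicKey = pubkeys.labyrinth.wg;
        # Single peer; only its /32 is accepted as a source on the tunnel.
        allowedIPs = [ "10.11.12.2/32" ];
      }];
    };
  };

  # Secrets are decrypted at activation time. Only the grafana secret is
  # made readable by its service user; namecheap keeps agenix's default
  # owner (root) and read-only mode.
  age.secrets = {
    namecheap.file = ../../../secrets/namecheap.age;
    grafana = {
      file = ../../../secrets/grafana.age;
      owner = "grafana";
    };
  };

  security = {
    sudo = {
      # NOTE(review): wheel gets root without a password. Acceptable only
      # while SSH stays key-only (enforced above) and wheel membership is
      # limited to the declared admin; revisit if either changes.
      wheelNeedsPassword = false;
      extraConfig = ''
        Defaults lecture = never
      '';
    };

    acme = {
      acceptTerms = true;
      defaults.email = "monitor@ctsk.dev";

      # Wildcard certificate obtained via DNS-01. The Namecheap API
      # credentials come from the agenix secret above and are handed to
      # lego as an environment file; the issued cert is readable by nginx.
      certs."enclave.ctsk.dev" = {
        dnsProvider = "namecheap";
        environmentFile = config.age.secrets.namecheap.path;
        group = "nginx";
        extraDomainNames = [ "*.enclave.ctsk.dev" ];
      };
    };
  };

  nix.settings = {
    # Trusted users may set substituters and other privileged daemon
    # options, which is root-equivalent; consistent with passwordless sudo
    # for the same group.
    trusted-users = [ "@wheel" ];
    # Store paths signed by labyrinth's key are accepted without rebuild.
    trusted-public-keys = [ pubkeys.labyrinth.nix ];
  };

  environment.systemPackages = with pkgs; [
    config-archive
  ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  system.stateVersion = "23.05";
}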