mans/dotfiles-nixos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
main
dotfiles-nixos/nixos/machines/srv01-home/configuration.nix

249 lines
7.6 KiB
Nix
Raw Permalink Normal View History

server setup
2023-06-18 15:03:56 +00:00
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).
asdf
2023-06-28 20:14:05 +00:00
{ inputs, lib, config, pkgs, ... }: {
server setup
2023-06-18 15:03:56 +00:00
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
asdf
2023-06-28 20:14:05 +00:00
inputs.hardware.nixosModules.common-cpu-amd
server setup
2023-06-18 15:03:56 +00:00
../../modules/docker.nix
../../roles/server.nix
];
asdf
2023-06-28 20:14:05 +00:00
services.haproxy = {
enable = true;
config = ''
global
daemon
maxconn 256
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend http-in
bind *:88
default_backend garage-web
backend garage-s3
server server1 127.0.0.1:3900 maxconn 32
backend garage-web
server server1 127.0.0.1:3902 maxconn 32
'';
};
virtualisation.libvirtd.enable = true;
services.gitea-actions-runner.instances.nixos = {
actions
2023-06-18 16:33:03 +00:00
enable = true;
name = "NixOs";
url = "https://git.mzsl.nl";
asdf
2023-06-28 20:14:05 +00:00
token = "vKx7ZkXHrQES3cAgNTr0KhT0LQZK3gKj7KY2Jdk3";
actions
2023-06-18 16:33:03 +00:00
labels = [
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
"ubuntu-18.04:docker://node:16-buster"
];
};
server setup
2023-06-18 15:03:56 +00:00
asdf
2023-06-28 20:14:05 +00:00
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
};
# services.garage = {
# enable = true;
# package = pkgs.garage_0_8;
# settings = {
# metadata_dir = "/var/lib/garage/meta";
# data_dir = "/var/lib/garage/data";
# db_engine = "lmdb";
# compression_level = 2;
# replication_mode = "none";
# rpc_bind_addr = "[::]:3901";
# rpc_public_addr = "0.0.0.0:3901";
# rpc_secret = "aa6d8a7fc7a53d3c89b28838920eb75934ee8cb814b322c2c9f96af687a6f053";
#
# s3_api = {
# s3_region = "garage";
# api_bind_addr = "127.0.0.1:3900";
# root_domain = ".s3.mzsl.nl";
# };
#
# s3_web = {
# bind_addr = "127.0.0.1:3902";
# root_domain = ".site.mzsl.nl";
# index = "index.html";
# };
# };
# };
server setup
2023-06-18 15:03:56 +00:00
# Use the systemd-boot EFI boot loader.
# boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.supportedFilesystems = [ "zfs" ];
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "nodev";
boot.loader.grub.mirroredBoots = [
{ devices = [ "/dev/disk/by-uuid/D527-57A9" ];
path = "/boot-fallback"; }
];
networking = {
hostName = "srv01-home"; # Define your hostname.
hostId = "3bf26306";
interfaces.enp2s0.ipv4.addresses = [
{
address = "192.168.2.11";
prefixLength = 24;
}
];
defaultGateway = "192.168.2.254";
nameservers = ["1.1.1.1" "8.8.8.8"];
};
# Define a user account. Don't forget to set a password with passwd.
users.users.adminmz = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
packages = with pkgs; [
curl
];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDub2v/G51kGDqhQ4o7LN5ncq1oS0e14cjlibsPSfuPsGQBSFMojAUN8sYf43PrlzJs1nZsA3teF9SLmuWcyzcNXGKclhbj0AhN470l/G2SoEcIKDTgVJwNeQ7A/qzFSxmXIV7rmiPPADAyq0ykQA9MAD3f/+4KPiv3DgcU+9ZkSD1nbh4TGld44OLr70ozWBEdqlaUETIXKleEq/RbMcNi3YD89opafeeKpt6tMQydxcIFLUMimq3PiYVjJk4bypjB2r/jMAgnrE6nm96L8R8EZFMWsKpaL2s52NX90VIB69VMyQTdKdHEtxRWIwFR68E3YkYfyGZ5gyNIOaG4l0FyBVux21KxpR1kjhgm2JNw2moG0qwkpFI+Lu+3hqvUu0OM8otTpqGMWjTVs0yYsmIqwnEzEqAifdWxcLus6QLmz+61ajyQBlPBkJ6qFr9MhFvQOnuaUB461SkN/Rah3PU2wUSO9VvCcan2+l3M5zP2QJfPGfdS/mUHPuqCVzzXjNc= mzies@DESKTOP-AKMBK3I"
];
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
wget
git
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# Open ports in the firewall.
asdf
2023-06-28 20:14:05 +00:00
networking.firewall.allowedTCPPorts = [ 22 80 88 443 9002 2022 ];
networking.firewall.allowedUDPPorts = [ 22 80 88 443 9002 2022 51820];
server setup
2023-06-18 15:03:56 +00:00
# Or disable the firewall altogether.
asdf
2023-06-28 20:14:05 +00:00
networking.firewall.enable = true;
networking.nat.enable = true;
networking.nat.externalInterface = "enp2s0";
networking.nat.internalInterfaces = [ "wg0" ];
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/24" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51820;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp2s0 -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp2s0 -j MASQUERADE
'';
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/etc/wireguard/private";
peers = [
# List of allowed peers.
{ # PC werk
publicKey = "0PWQA3zf48RFFJXMxPE/i6FWzbH9FzKliRugtDVmPlY=";
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.2/32" ];
}
];
};
};
restic setup
2023-07-02 10:52:06 +00:00
users.users.restic = {
isNormalUser = true;
};
security.wrappers.restic = {
source = "${pkgs.restic.out}/bin/restic";
owner = "restic";
group = "users";
permissions = "u=rwx,g=,o=";
capabilities = "cap_dac_read_search=+ep";
};
services.restic.backups.srv01-home = {
user = "restic";
paths = [ "/srv" ];
exclude = [];
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 75"
];
repositoryFile = "/etc/dotfiles-nixos/secrets/restic-repository-srv01-home";
initialize = true;
timerConfig = {
OnCalendar = "02:00";
Persistent = true;
};
passwordFile = "/etc/dotfiles-nixos/secrets/restic-password-srv01-home";
};
systemd.services.restic-backups-srv01-home = {
serviceConfig = {
EnvironmentFile = "/etc/dotfiles-nixos/secrets/b2.env";
};
};
# environment = {
# B2_ACCOUNT_ID = "my_account_id_abc123";
# B2_ACCOUNT_KEY = "my_account_key_def456";
# };
server setup
2023-06-18 15:03:56 +00:00
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}
Reference in New Issue Copy Permalink