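# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).
#
# Host: srv01-home. Secrets live under /etc/dotfiles-nixos/secrets (outside
# the Nix store). Nothing in this file may hold a credential inline: every
# string literal in a NixOS configuration is copied into /nix/store, which is
# world-readable.

{ inputs, lib, config, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    inputs.hardware.nixosModules.common-cpu-amd
    ../../modules/docker.nix
    ../../roles/server.nix
  ];

  # Reverse proxy in front of the garage listeners (garage itself is disabled
  # below). The frontend binds every interface, so port 88 is reachable from
  # the LAN and from wg0 clients once the firewall lets it through.
  services.haproxy = {
    enable = true;
    config = ''
      global
        daemon
        maxconn 256

      defaults
        mode http
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms

      frontend http-in
        bind *:88
        default_backend garage-web

      # NOTE(review): no use_backend rule sends traffic to garage-s3, and with
      # services.garage commented out neither backend has a listener behind it,
      # so haproxy currently answers 503 on port 88.
      backend garage-s3
        server server1 127.0.0.1:3900 maxconn 32

      backend garage-web
        server server1 127.0.0.1:3902 maxconn 32
    '';
  };

  virtualisation.libvirtd.enable = true;

  # Gitea Actions runner. The registration token is read from an environment
  # file (TOKEN=...) kept outside the store via `tokenFile`; check the NixOS
  # module docs for the exact file format. Do not put the token back inline:
  # an inline `token` ends up in /nix/store and is readable by every local user.
  # NOTE(review): a runner token was previously committed in this file; revoke
  # it in Gitea and re-register the runner with a freshly generated one.
  services.gitea-actions-runner.instances.nixos = {
    enable = true;
    name = "NixOs";
    url = "https://git.mzsl.nl";
    tokenFile = "/etc/dotfiles-nixos/secrets/gitea-runner-token.env";
    # Job containers; every "ubuntu-*" label maps to a node:16 image.
    labels = [
      "ubuntu-latest:docker://node:16-bullseye"
      "ubuntu-22.04:docker://node:16-bullseye"
      "ubuntu-20.04:docker://node:16-bullseye"
      "ubuntu-18.04:docker://node:16-buster"
    ];
  };

  # Node exporter on 9002, opened in the firewall below: its metrics (systemd
  # unit list, mounts, network counters) are readable by anyone on the LAN or
  # wg0. Restrict the port to the scraping host if that is not intended.
  services.prometheus.exporters.node = {
    enable = true;
    enabledCollectors = [ "systemd" ];
    port = 9002;
  };

  # Garage object store, currently disabled. Kept for when it is re-enabled.
  # services.garage = {
  #   enable = true;
  #   package = pkgs.garage_0_8;
  #   settings = {
  #     metadata_dir = "/var/lib/garage/meta";
  #     data_dir = "/var/lib/garage/data";
  #     db_engine = "lmdb";
  #     compression_level = 2;
  #     replication_mode = "none";
  #     rpc_bind_addr = "[::]:3901";
  #     rpc_public_addr = "0.0.0.0:3901";
  #     # NOTE(review): the rpc_secret literal that used to be here was
  #     # committed to this file; treat it as compromised and generate a new one
  #     # before re-enabling garage. Keep the new value out of the store (the
  #     # garage module's environmentFile option should carry it — confirm
  #     # against the module for this NixOS release).
  #     rpc_secret = "<generate a fresh secret; do not commit it>";
  #
  #     s3_api = {
  #       s3_region = "garage";
  #       api_bind_addr = "127.0.0.1:3900";
  #       root_domain = ".s3.mzsl.nl";
  #     };
  #
  #     s3_web = {
  #       bind_addr = "127.0.0.1:3902";
  #       root_domain = ".site.mzsl.nl";
  #       index = "index.html";
  #     };
  #   };
  # };

  # GRUB on EFI with a mirrored fallback ESP; systemd-boot stays disabled.
  # boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.supportedFilesystems = [ "zfs" ];
  boot.loader.grub = {
    enable = true;
    efiSupport = true;
    device = "nodev";
    mirroredBoots = [
      { devices = [ "/dev/disk/by-uuid/D527-57A9" ]; path = "/boot-fallback"; }
    ];
  };

  networking = {
    hostName = "srv01-home"; # Define your hostname.
    hostId = "3bf26306"; # stable host id (needed for the ZFS pool)
    interfaces.enp2s0.ipv4.addresses = [
      { address = "192.168.2.11"; prefixLength = 24; }
    ];
    defaultGateway = "192.168.2.254";
    nameservers = [ "1.1.1.1" "8.8.8.8" ];
  };

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.adminmz = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    packages = with pkgs; [ curl ];
    openssh.authorizedKeys.keys = [
      "ssh-rsa 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 mzies@DESKTOP-AKMBK3I"
    ];
  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    wget
    git
  ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  # Open ports in the firewall (TCP): 22 ssh, 88 haproxy, 9002 node exporter;
  # 80/443 and 2022 are not bound by anything in this file — presumably
  # roles/server.nix — verify before keeping them open.
  networking.firewall.allowedTCPPorts = [ 22 80 88 443 9002 2022 ];
  # UDP: only WireGuard. The previous list mirrored every TCP port on UDP
  # (22 80 88 443 9002 2022); none of the services configured here speak UDP,
  # so those entries were dropped. Re-add a port only if a module in
  # roles/server.nix actually listens on UDP there.
  networking.firewall.allowedUDPPorts = [ 51820 ];
  networking.firewall.enable = true;

  # Route wg0 clients to the internet through enp2s0.
  networking.nat = {
    enable = true;
    externalInterface = "enp2s0";
    internalInterfaces = [ "wg0" ];
  };

  networking.wireguard.interfaces.wg0 = {
    # Server end of the tunnel.
    ips = [ "10.100.0.1/24" ];
    # Must be reachable by clients; opened on UDP in the firewall above.
    listenPort = 51820;
    # Masquerade tunnel traffic leaving via enp2s0 so the host acts as a VPN
    # exit; clients need a DNS server of their own (router or other).
    # NOTE(review): networking.nat above already masquerades wg0 traffic out
    # of enp2s0, so these rules are probably redundant; kept to preserve
    # behaviour.
    postSetup = ''
      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp2s0 -j MASQUERADE
    '';
    # Undo the rule added in postSetup.
    postShutdown = ''
      ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp2s0 -j MASQUERADE
    '';
    # The private key stays on disk outside the store; the inline privateKey
    # option would make it world-readable in /nix/store.
    privateKeyFile = "/etc/wireguard/private";
    peers = [
      {
        # PC werk
        publicKey = "0PWQA3zf48RFFJXMxPE/i6FWzbH9FzKliRugtDVmPlY=";
        # Tunnel address of this peer; also used for routing.
        allowedIPs = [ "10.100.0.2/32" ];
      }
    ];
  };

  # Backup service account. NOTE(review): a system user (isSystemUser) would
  # do here — it needs no home directory or login shell.
  users.users.restic = { isNormalUser = true; };

  # Wrapper that lets only the restic user (u=rwx, nothing for group/other)
  # run restic with CAP_DAC_READ_SEARCH, i.e. read every file under /srv
  # regardless of ownership. Do not widen the permissions: the capability
  # bypasses DAC read checks for anyone who can execute this binary.
  security.wrappers.restic = {
    source = "${pkgs.restic.out}/bin/restic";
    owner = "restic";
    group = "users";
    permissions = "u=rwx,g=,o=";
    capabilities = "cap_dac_read_search=+ep";
  };

  # Nightly backup of /srv as the restic user.
  # NOTE(review): this block does not set `package`, so the unit may invoke
  # pkgs.restic directly rather than /run/wrappers/bin/restic; confirm the
  # capability wrapper above is what the timer actually runs.
  services.restic.backups.srv01-home = {
    user = "restic";
    paths = [ "/srv" ];
    exclude = [ ];
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 12"
      "--keep-yearly 75"
    ];
    # Repository URL and password are read from files outside the store.
    repositoryFile = "/etc/dotfiles-nixos/secrets/restic-repository-srv01-home";
    passwordFile = "/etc/dotfiles-nixos/secrets/restic-password-srv01-home";
    initialize = true;
    timerConfig = {
      OnCalendar = "02:00";
      Persistent = true;
    };
  };

  # B2 credentials (B2_ACCOUNT_ID / B2_ACCOUNT_KEY) come from an environment
  # file rather than an inline `environment` attribute, which would land in
  # the store.
  systemd.services.restic-backups-srv01-home.serviceConfig.EnvironmentFile =
    "/etc/dotfiles-nixos/secrets/b2.env";

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
}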