From db321b49448867823a172a827820a2b16223eaac Mon Sep 17 00:00:00 2001
From: Yusuf Bera Ertan
Date: Thu, 11 Aug 2022 02:57:40 +0300
Subject: [PATCH] a
---
 flake.lock | 28 +++++++----
 flake.nix | 2 +-
 hosts/wolumonde/blog.nix | 14 ++++++
 hosts/wolumonde/default.nix | 93 ++++++++----------------------
 hosts/wolumonde/gitea.nix | 20 ++++++++
 hosts/wolumonde/nginx.nix | 13 +++++
 hosts/wolumonde/nixinate.nix | 9 ++++
 hosts/wolumonde/ssh.nix | 10 ++++
 8 files changed, 104 insertions(+), 85 deletions(-)
 create mode 100644 hosts/wolumonde/blog.nix
 create mode 100644 hosts/wolumonde/gitea.nix
 create mode 100644 hosts/wolumonde/nginx.nix
 create mode 100644 hosts/wolumonde/nixinate.nix
 create mode 100644 hosts/wolumonde/ssh.nix
diff --git a/flake.lock b/flake.lock
index f3bfff6..2560c30 100644
--- a/flake.lock
+++ b/flake.lock
@@ -46,13 +46,17 @@
 ]
 },
 "locked": {
- "narHash": "sha256-s54wF24xA0vSjoEJ5/duD5XGr55JUtH4R71WiWgPyBk=",
- "type": "tarball",
- "url": "https://git.gaze.systems/dusk/website/archive/master.zip"
+ "lastModified": 1660175414,
+ "narHash": "sha256-x/Biv9kkFq4qHaxi9hU0Nl7E/3IlEVBJnxIge/ltgvA=",
+ "ref": "refs/heads/master",
+ "rev": "dc1b24e7521b1329f8f5ac93703e18649716cc70",
+ "revCount": 58,
+ "type": "git",
+ "url": "https://git.gaze.systems/dusk/website.git"
 },
 "original": {
- "type": "tarball",
- "url": "https://git.gaze.systems/dusk/website/archive/master.zip"
+ "type": "git",
+ "url": "https://git.gaze.systems/dusk/website.git"
 }
 },
 "crane": {
@@ -761,13 +765,17 @@
 ]
 },
 "locked": {
- "narHash": "sha256-3PHw4aioOmhAPAL7PGbf/At0E+1rrENtRbLVkjLctxA=",
- "type": "tarball",
- "url": "https://git.gaze.systems/dusk/html.nix/archive/master.zip"
+ "lastModified": 1659251276,
+ "narHash": "sha256-rHhaPtyH1hBcZxd6nXxyg59wL6ilqJqsfuHh8Ebd+rA=",
+ "ref": "refs/heads/master",
+ "rev": "d30b07841100278a1d7901001ecec038c5448be2",
+ "revCount": 50,
+ "type": "git",
+ "url": "https://git.gaze.systems/dusk/html.nix.git"
 },
 "original": {
- "type": "tarball",
- "url": "https://git.gaze.systems/dusk/html.nix/archive/master.zip"
+ "type": "git",
+ "url": "https://git.gaze.systems/dusk/html.nix.git"
 }
 },
 "hyprland": {
diff --git a/flake.nix b/flake.nix
index 7ae6c1d..fce1095 100644
--- a/flake.nix
+++ b/flake.nix
@@ -19,7 +19,7 @@
 hyprland.url = "github:hyprwm/Hyprland";
 hyprland.inputs.nixpkgs.follows = "nixpkgs";
 fufexan.url = "github:fufexan/dotfiles";
- blog.url = "https://git.gaze.systems/dusk/website/archive/master.zip";
+ blog.url = "git+https://git.gaze.systems/dusk/website.git";
 blog.inputs.nixpkgs.follows = "nixpkgs";
 bernbot.url = "github:yusdacra/bernbot";
 bernbot.inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/wolumonde/blog.nix b/hosts/wolumonde/blog.nix
new file mode 100644
index 0000000..3d3b90a
--- /dev/null
+++ b/hosts/wolumonde/blog.nix
@@ -0,0 +1,14 @@
+{
+ pkgs,
+ inputs,
+ ...
+}: {
+ services.nginx.virtualHosts."gaze.systems" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "${inputs.blog.packages.${pkgs.system}.website}";
+ locations."/".extraConfig = ''
+ add_header cache-control max-age=1800;
+ '';
+ };
+}
diff --git a/hosts/wolumonde/default.nix b/hosts/wolumonde/default.nix
index 355fbcb..bd732e5 100644
--- a/hosts/wolumonde/default.nix
+++ b/hosts/wolumonde/default.nix
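Review bot: The `add_header cache-control max-age=1800;` placed in `locations."/".extraConfig` of the new blog.nix replaces, rather than extends, any add_header directives inherited from the server or http level, because nginx only inherits add_header when the current level defines none of its own. If headers are ever set at those levels for this host (security headers such as HSTS, for example), they would silently vanish on the `/` location of gaze.systems; the same directive existed in the old default.nix, so this is carried over rather than introduced here. A one-line comment above it, `# NOTE: add_header in a location suppresses inherited add_header directives; restate any server-level headers here if they are added`, would record the caveat for whoever adds headers later.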
@@ -4,89 +4,34 @@
 config,
 lib,
 ...
-}: let
- personal = import "${inputs.self}/personal.nix";
- email = personal.emails.short;
-in {
- imports = [
- ./hardware-configuration.nix
- ./bernbot.nix
- ];
+}: {
+ imports = let
+ files =
+ lib.filterAttrs
+ (name: type: type == "regular" && name != "default.nix")
+ (builtins.readDir (toString ./.));
+ filesToImport =
+ builtins.map
+ (
+ name:
+ builtins.path {
+ inherit name;
+ path = "${toString ./.}/${name}";
+ }
+ )
+ (builtins.attrNames files);
+ in
+ filesToImport;
 boot.cleanTmpDir = true;
 zramSwap.enable = true;
- # ssh config
- services.fail2ban.enable = true;
- services.openssh = {
- enable = true;
- passwordAuthentication = false;
- };
- users.users.root.openssh.authorizedKeys.keys = [
- (builtins.readFile "${inputs.self}/secrets/ssh-key.pub")
- ];
-
- # nginx
- services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
- virtualHosts."gaze.systems" = {
- enableACME = true;
- forceSSL = true;
- root = "${inputs.blog.packages.${pkgs.system}.website}";
- locations."/".extraConfig = ''
- add_header cache-control max-age=1800;
- '';
- };
- virtualHosts."git.gaze.systems" = {
- enableACME = true;
- forceSSL = true;
- locations."/".proxyPass = "http://localhost:3001";
- };
- };
- security.acme = {
- acceptTerms = true;
- certs = {
- "gaze.systems".email = email;
- "git.gaze.systems".email = email;
- };
- };
-
- # gitea
- services.gitea = {
- enable = true;
- cookieSecure = true;
- disableRegistration = true;
- domain = "git.gaze.systems";
- rootUrl = "https://git.gaze.systems/";
- httpPort = 3001;
- };
-
 # firewall stuffs
 networking.firewall = {
 enable = true;
- allowedTCPPorts = lib.flatten [
- [22 80 443]
- (
- lib.optional
- config.services.gitea.enable
- config.services.gitea.httpPort
- )
- ];
+ allowedTCPPorts = [22 80 443];
 allowedUDPPortRanges = [];
 };
- # nixinate for deployment
- _module.args.nixinate = {
- host = "gaze.systems";
- sshUser = "root";
- buildOn = "local"; # valid args are "local" or "remote"
- substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s"
- hermetic = true;
- };
-
 system.stateVersion = "22.05";
 }
diff --git a/hosts/wolumonde/gitea.nix b/hosts/wolumonde/gitea.nix
new file mode 100644
index 0000000..a728ced
--- /dev/null
+++ b/hosts/wolumonde/gitea.nix
@@ -0,0 +1,20 @@
+{config, ...}: {
+ services.gitea = {
+ enable = true;
+ cookieSecure = true;
+ disableRegistration = true;
+ domain = "git.gaze.systems";
+ rootUrl = "https://git.gaze.systems/";
+ httpPort = 3001;
+ };
+
+ services.nginx.virtualHosts."git.gaze.systems" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:3001";
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ config.services.gitea.httpPort
+ ];
+}
diff --git a/hosts/wolumonde/nginx.nix b/hosts/wolumonde/nginx.nix
new file mode 100644
index 0000000..cf5af7e
--- /dev/null
+++ b/hosts/wolumonde/nginx.nix
@@ -0,0 +1,13 @@
+{inputs, ...}: {
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = (import "${inputs.self}/personal.nix").emails.primary;
+ };
+}
diff --git a/hosts/wolumonde/nixinate.nix b/hosts/wolumonde/nixinate.nix
new file mode 100644
index 0000000..d6fb18c
--- /dev/null
+++ b/hosts/wolumonde/nixinate.nix
@@ -0,0 +1,9 @@
+{...}: {
+ _module.args.nixinate = {
+ host = "gaze.systems";
+ sshUser = "root";
+ buildOn = "local"; # valid args are "local" or "remote"
+ substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s"
+ hermetic = true;
+ };
+}
diff --git a/hosts/wolumonde/ssh.nix b/hosts/wolumonde/ssh.nix
new file mode 100644
index 0000000..6900163
--- /dev/null
+++ b/hosts/wolumonde/ssh.nix
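Review bot: The `lib.filterAttrs` predicate in the new `imports` block of default.nix admits every regular file in the directory except default.nix, with no check that it is a Nix file, so a stray editor backup, README or lock file dropped into hosts/wolumonde/ would be handed to `import` and break evaluation of the whole host (or, for a file that happens to parse, silently extend its configuration). Restricting the auto-import to `.nix` files keeps it honest: `(name: type: type == "regular" && name != "default.nix" && lib.hasSuffix ".nix" name)`. A short comment on `imports` is also worth adding, since the previous explicit list (hardware-configuration.nix, bernbot.nix) is gone and a reader now has to know that every sibling file in this directory is a module. The enclosing function's argument set begins above the hunk, so whether `inputs` and `pkgs` are still declared there after this change is not visible here.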
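Review bot: In the new gitea.nix, `networking.firewall.allowedTCPPorts = [ config.services.gitea.httpPort ]` opens port 3001 to the network even though the only consumer is the nginx proxy on the same host (`proxyPass = "http://localhost:3001"`), so Gitea remains reachable over plain HTTP next to the forceSSL vhost and `cookieSecure = true` offers nothing on that path; unless `httpAddress` is set elsewhere, the NixOS module's default appears to bind all interfaces. The behaviour matches the old `lib.optional` branch in default.nix (the lists are merged across modules), but it is worth closing here: drop the firewall entry and bind Gitea to loopback with `httpAddress = "127.0.0.1";` inside `services.gitea`. If the port must stay open for some other client, a one-line comment saying why would spare the next reader the same question.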
@@ -0,0 +1,10 @@
+{inputs, ...}: {
+ services.fail2ban.enable = true;
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ };
+ users.users.root.openssh.authorizedKeys.keys = [
+ (builtins.readFile "${inputs.self}/secrets/ssh-key.pub")
+ ];
+}
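Review bot: `passwordAuthentication = false` on its own does not rule out password logins on this host, because sshd's keyboard-interactive method runs through PAM and is left at its default, so a password can still be offered that way; the account that matters is root, which nixinate.nix uses as `sshUser`. Setting the companion option, `kbdInteractiveAuthentication = false;` (named `challengeResponseAuthentication` in older nixpkgs revisions), and stating `permitRootLogin = "prohibit-password";` explicitly instead of relying on the module default would make the intended key-only policy visible in the file. Since ssh.nix is only picked up by the directory auto-import in default.nix, a one-line header comment such as `# sshd: key-only access for root, password auth off` would also help a reader find where the policy lives.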