a
This commit is contained in:
parent
f4cec47f66
commit
db321b4944
28
flake.lock
28
flake.lock
@ -46,13 +46,17 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"narHash": "sha256-s54wF24xA0vSjoEJ5/duD5XGr55JUtH4R71WiWgPyBk=",
|
"lastModified": 1660175414,
|
||||||
"type": "tarball",
|
"narHash": "sha256-x/Biv9kkFq4qHaxi9hU0Nl7E/3IlEVBJnxIge/ltgvA=",
|
||||||
"url": "https://git.gaze.systems/dusk/website/archive/master.zip"
|
"ref": "refs/heads/master",
|
||||||
|
"rev": "dc1b24e7521b1329f8f5ac93703e18649716cc70",
|
||||||
|
"revCount": 58,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.gaze.systems/dusk/website.git"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "tarball",
|
"type": "git",
|
||||||
"url": "https://git.gaze.systems/dusk/website/archive/master.zip"
|
"url": "https://git.gaze.systems/dusk/website.git"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"crane": {
|
"crane": {
|
||||||
@ -761,13 +765,17 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"narHash": "sha256-3PHw4aioOmhAPAL7PGbf/At0E+1rrENtRbLVkjLctxA=",
|
"lastModified": 1659251276,
|
||||||
"type": "tarball",
|
"narHash": "sha256-rHhaPtyH1hBcZxd6nXxyg59wL6ilqJqsfuHh8Ebd+rA=",
|
||||||
"url": "https://git.gaze.systems/dusk/html.nix/archive/master.zip"
|
"ref": "refs/heads/master",
|
||||||
|
"rev": "d30b07841100278a1d7901001ecec038c5448be2",
|
||||||
|
"revCount": 50,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.gaze.systems/dusk/html.nix.git"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "tarball",
|
"type": "git",
|
||||||
"url": "https://git.gaze.systems/dusk/html.nix/archive/master.zip"
|
"url": "https://git.gaze.systems/dusk/html.nix.git"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"hyprland": {
|
"hyprland": {
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
hyprland.url = "github:hyprwm/Hyprland";
|
hyprland.url = "github:hyprwm/Hyprland";
|
||||||
hyprland.inputs.nixpkgs.follows = "nixpkgs";
|
hyprland.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
fufexan.url = "github:fufexan/dotfiles";
|
fufexan.url = "github:fufexan/dotfiles";
|
||||||
blog.url = "https://git.gaze.systems/dusk/website/archive/master.zip";
|
blog.url = "git+https://git.gaze.systems/dusk/website.git";
|
||||||
blog.inputs.nixpkgs.follows = "nixpkgs";
|
blog.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
bernbot.url = "github:yusdacra/bernbot";
|
bernbot.url = "github:yusdacra/bernbot";
|
||||||
bernbot.inputs.nixpkgs.follows = "nixpkgs";
|
bernbot.inputs.nixpkgs.follows = "nixpkgs";
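Review bot: The `blog` input now points at `git.gaze.systems`, which this same configuration hosts (the Gitea service and the `git.gaze.systems` virtual host in `hosts/wolumonde/gitea.nix`), so a rebuild of the host depends on a service running on that host. The lock's `rev`/`narHash` pin keeps the build reproducible, but after a cache miss the input can only be fetched while the forge is up, and with `buildOn = "local"` that means the deploying machine must reach it; if the box is down for the reason you are redeploying, the source has to come from a local store copy or a mirror. That is worth stating next to the input, e.g. `# self-hosted forge: fetching this input needs git.gaze.systems reachable (or a cached store path)`. The `inputs` attribute set starts and ends outside this hunk.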
|
||||||
|
14
hosts/wolumonde/blog.nix
Normal file
14
hosts/wolumonde/blog.nix
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
{
|
||||||
|
pkgs,
|
||||||
|
inputs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
services.nginx.virtualHosts."gaze.systems" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
root = "${inputs.blog.packages.${pkgs.system}.website}";
|
||||||
|
locations."/".extraConfig = ''
|
||||||
|
add_header cache-control max-age=1800;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
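Review bot: `forceSSL = true` only produces the HTTP→HTTPS redirect; nothing in this file, nor in the nginx settings elsewhere in the commit, emits `Strict-Transport-Security`, so every visit still begins with a plaintext request that can be intercepted. Because nginx's `add_header` at `location` level replaces all headers inherited from the `server`/`http` level, adding HSTS higher up later would be silently dropped for `/` by the existing `add_header cache-control` line, so it belongs in the same `extraConfig`: `add_header Strict-Transport-Security "max-age=31536000" always;`. Whether `includeSubDomains` is appropriate depends on `git.gaze.systems`, which is served from the same host and would then be covered too; decide that before enabling it.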
|
@ -4,89 +4,34 @@
|
|||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
...
|
...
|
||||||
}: let
|
}: {
|
||||||
personal = import "${inputs.self}/personal.nix";
|
imports = let
|
||||||
email = personal.emails.short;
|
files =
|
||||||
in {
|
lib.filterAttrs
|
||||||
imports = [
|
(name: type: type == "regular" && name != "default.nix")
|
||||||
./hardware-configuration.nix
|
(builtins.readDir (toString ./.));
|
||||||
./bernbot.nix
|
filesToImport =
|
||||||
];
|
builtins.map
|
||||||
|
(
|
||||||
|
name:
|
||||||
|
builtins.path {
|
||||||
|
inherit name;
|
||||||
|
path = "${toString ./.}/${name}";
|
||||||
|
}
|
||||||
|
)
|
||||||
|
(builtins.attrNames files);
|
||||||
|
in
|
||||||
|
filesToImport;
|
||||||
|
|
||||||
boot.cleanTmpDir = true;
|
boot.cleanTmpDir = true;
|
||||||
zramSwap.enable = true;
|
zramSwap.enable = true;
|
||||||
|
|
||||||
# ssh config
|
|
||||||
services.fail2ban.enable = true;
|
|
||||||
services.openssh = {
|
|
||||||
enable = true;
|
|
||||||
passwordAuthentication = false;
|
|
||||||
};
|
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
|
||||||
(builtins.readFile "${inputs.self}/secrets/ssh-key.pub")
|
|
||||||
];
|
|
||||||
|
|
||||||
# nginx
|
|
||||||
services.nginx = {
|
|
||||||
enable = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
virtualHosts."gaze.systems" = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
root = "${inputs.blog.packages.${pkgs.system}.website}";
|
|
||||||
locations."/".extraConfig = ''
|
|
||||||
add_header cache-control max-age=1800;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
virtualHosts."git.gaze.systems" = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/".proxyPass = "http://localhost:3001";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
security.acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
certs = {
|
|
||||||
"gaze.systems".email = email;
|
|
||||||
"git.gaze.systems".email = email;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# gitea
|
|
||||||
services.gitea = {
|
|
||||||
enable = true;
|
|
||||||
cookieSecure = true;
|
|
||||||
disableRegistration = true;
|
|
||||||
domain = "git.gaze.systems";
|
|
||||||
rootUrl = "https://git.gaze.systems/";
|
|
||||||
httpPort = 3001;
|
|
||||||
};
|
|
||||||
|
|
||||||
# firewall stuffs
|
# firewall stuffs
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
allowedTCPPorts = lib.flatten [
|
allowedTCPPorts = [22 80 443];
|
||||||
[22 80 443]
|
|
||||||
(
|
|
||||||
lib.optional
|
|
||||||
config.services.gitea.enable
|
|
||||||
config.services.gitea.httpPort
|
|
||||||
)
|
|
||||||
];
|
|
||||||
allowedUDPPortRanges = [];
|
allowedUDPPortRanges = [];
|
||||||
};
|
};
|
||||||
|
|
||||||
# nixinate for deployment
|
|
||||||
_module.args.nixinate = {
|
|
||||||
host = "gaze.systems";
|
|
||||||
sshUser = "root";
|
|
||||||
buildOn = "local"; # valid args are "local" or "remote"
|
|
||||||
substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s"
|
|
||||||
hermetic = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
system.stateVersion = "22.05";
|
system.stateVersion = "22.05";
|
||||||
}
|
}
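Review bot: The new `imports` expression takes every regular file in the directory except `default.nix`, not just Nix modules, so a stray file (an editor backup such as `blog.nix~`, a README, or a dotfile — `builtins.readDir` lists those as well) would be handed to the module system and either break evaluation or be imported without anyone noticing. Restricting the filter to the extension keeps the intent explicit: `(name: type: type == "regular" && name != "default.nix" && lib.hasSuffix ".nix" name)`. A short comment above `files`, e.g. `# every sibling .nix file in this directory is a module of this host`, would also help, since `hardware-configuration.nix` and the per-service files are no longer listed anywhere. The module's argument list begins above this hunk.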
|
||||||
|
20
hosts/wolumonde/gitea.nix
Normal file
20
hosts/wolumonde/gitea.nix
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
{config, ...}: {
|
||||||
|
services.gitea = {
|
||||||
|
enable = true;
|
||||||
|
cookieSecure = true;
|
||||||
|
disableRegistration = true;
|
||||||
|
domain = "git.gaze.systems";
|
||||||
|
rootUrl = "https://git.gaze.systems/";
|
||||||
|
httpPort = 3001;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."git.gaze.systems" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
locations."/".proxyPass = "http://localhost:3001";
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
config.services.gitea.httpPort
|
||||||
|
];
|
||||||
|
}
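Review bot: The `networking.firewall.allowedTCPPorts` entry at the bottom opens Gitea's `httpPort` (3001) to the network even though the only intended path in is the nginx virtual host, which proxies to `localhost:3001`. `httpAddress` is not set here, and as far as I recall the NixOS module's default binds to all interfaces, so Gitea would answer plain HTTP on :3001 directly, bypassing `forceSSL`, making `cookieSecure = true` moot on that path and serving links built from `rootUrl` that do not match the origin. Drop the firewall line and bind the daemon to loopback: `httpAddress = "127.0.0.1";`. The old `default.nix` opened the same port conditionally, so this is carried over rather than introduced, but the split into a per-service file is the right moment to fix it.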
|
13
hosts/wolumonde/nginx.nix
Normal file
13
hosts/wolumonde/nginx.nix
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
{inputs, ...}: {
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
};
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults.email = (import "${inputs.self}/personal.nix").emails.primary;
|
||||||
|
};
|
||||||
|
}
|
9
hosts/wolumonde/nixinate.nix
Normal file
9
hosts/wolumonde/nixinate.nix
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
{...}: {
|
||||||
|
_module.args.nixinate = {
|
||||||
|
host = "gaze.systems";
|
||||||
|
sshUser = "root";
|
||||||
|
buildOn = "local"; # valid args are "local" or "remote"
|
||||||
|
substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s"
|
||||||
|
hermetic = true;
|
||||||
|
};
|
||||||
|
}
|
10
hosts/wolumonde/ssh.nix
Normal file
10
hosts/wolumonde/ssh.nix
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
{inputs, ...}: {
|
||||||
|
services.fail2ban.enable = true;
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
passwordAuthentication = false;
|
||||||
|
};
|
||||||
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
|
(builtins.readFile "${inputs.self}/secrets/ssh-key.pub")
|
||||||
|
];
|
||||||
|
}
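Review bot: `passwordAuthentication = false` does not switch off keyboard-interactive authentication, and NixOS leaves `KbdInteractiveAuthentication` enabled by default, so sshd can still accept a password through PAM's keyboard-interactive prompt; with root logging in over SSH (`sshUser = "root"` in `nixinate.nix`) and no `permitRootLogin` set here, the key-only intent is not actually enforced. Add `kbdInteractiveAuthentication = false;` (the option was called `challengeResponseAuthentication` on releases before 22.05) and make the root policy explicit with `permitRootLogin = "prohibit-password";` instead of relying on the module default. fail2ban slows brute force but is not a substitute for closing the password path.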
|