a
This commit is contained in:
parent
f4cec47f66
commit
db321b4944
28
flake.lock
28
flake.lock
@ -46,13 +46,17 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"narHash": "sha256-s54wF24xA0vSjoEJ5/duD5XGr55JUtH4R71WiWgPyBk=",
|
||||
"type": "tarball",
|
||||
"url": "https://git.gaze.systems/dusk/website/archive/master.zip"
|
||||
"lastModified": 1660175414,
|
||||
"narHash": "sha256-x/Biv9kkFq4qHaxi9hU0Nl7E/3IlEVBJnxIge/ltgvA=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "dc1b24e7521b1329f8f5ac93703e18649716cc70",
|
||||
"revCount": 58,
|
||||
"type": "git",
|
||||
"url": "https://git.gaze.systems/dusk/website.git"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
"url": "https://git.gaze.systems/dusk/website/archive/master.zip"
|
||||
"type": "git",
|
||||
"url": "https://git.gaze.systems/dusk/website.git"
|
||||
}
|
||||
},
|
||||
"crane": {
|
||||
@ -761,13 +765,17 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"narHash": "sha256-3PHw4aioOmhAPAL7PGbf/At0E+1rrENtRbLVkjLctxA=",
|
||||
"type": "tarball",
|
||||
"url": "https://git.gaze.systems/dusk/html.nix/archive/master.zip"
|
||||
"lastModified": 1659251276,
|
||||
"narHash": "sha256-rHhaPtyH1hBcZxd6nXxyg59wL6ilqJqsfuHh8Ebd+rA=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "d30b07841100278a1d7901001ecec038c5448be2",
|
||||
"revCount": 50,
|
||||
"type": "git",
|
||||
"url": "https://git.gaze.systems/dusk/html.nix.git"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
"url": "https://git.gaze.systems/dusk/html.nix/archive/master.zip"
|
||||
"type": "git",
|
||||
"url": "https://git.gaze.systems/dusk/html.nix.git"
|
||||
}
|
||||
},
|
||||
"hyprland": {
|
||||
|
@ -19,7 +19,7 @@
|
||||
hyprland.url = "github:hyprwm/Hyprland";
|
||||
hyprland.inputs.nixpkgs.follows = "nixpkgs";
|
||||
fufexan.url = "github:fufexan/dotfiles";
|
||||
blog.url = "https://git.gaze.systems/dusk/website/archive/master.zip";
|
||||
blog.url = "git+https://git.gaze.systems/dusk/website.git";
|
||||
blog.inputs.nixpkgs.follows = "nixpkgs";
|
||||
bernbot.url = "github:yusdacra/bernbot";
|
||||
bernbot.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
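Review bot: The new `blog.url = "git+https://git.gaze.systems/dusk/website.git"` fetches a flake input from the Gitea instance that, judging by hosts/wolumonde/gitea.nix in this same commit, runs on the very host this flake deploys; if that service is down and the locked `narHash` is not already in a local store or binary cache, the host cannot be rebuilt from scratch, which is exactly the situation during an incident. A comment next to the input such as `# hosted on wolumonde itself: keep a mirror or cached copy so the host can be rebuilt when git.gaze.systems is down` would make the dependency loop visible, and mirroring the repository to a second forge would remove it. This is an operational caveat inferred from the two files together rather than a defect in the line itself; the enclosing `inputs` attrset starts outside the hunk.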
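--- a/hosts/wolumonde/blog.nix
+++ b/hosts/wolumonde/blog.nix
@@ -0,0 +1,14 @@
+{
+pkgs,
+inputs,
+...
+}: {
+services.nginx.virtualHosts."gaze.systems" = {
+enableACME = true;
+forceSSL = true;
+root = "${inputs.blog.packages.${pkgs.system}.website}";
+locations."/".extraConfig = ''
+add_header cache-control max-age=1800;
+'';
+};
+}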
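Review bot: `add_header cache-control max-age=1800;` inside `locations."/".extraConfig` replaces, rather than extends, any `add_header` directives set at the server or http level, because nginx only inherits `add_header` into a level that declares none of its own; a Strict-Transport-Security or Content-Security-Policy header added to this vhost later would therefore silently stop applying to `/`. A one-line comment above the directive, `# add_header here replaces any server-level add_header; put security headers in this same block`, would prevent that trap, or the header could be moved to the vhost's `extraConfig` so later additions land in one place.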
@ -4,89 +4,34 @@
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: let
|
||||
personal = import "${inputs.self}/personal.nix";
|
||||
email = personal.emails.short;
|
||||
in {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./bernbot.nix
|
||||
];
|
||||
}: {
|
||||
imports = let
|
||||
files =
|
||||
lib.filterAttrs
|
||||
(name: type: type == "regular" && name != "default.nix")
|
||||
(builtins.readDir (toString ./.));
|
||||
filesToImport =
|
||||
builtins.map
|
||||
(
|
||||
name:
|
||||
builtins.path {
|
||||
inherit name;
|
||||
path = "${toString ./.}/${name}";
|
||||
}
|
||||
)
|
||||
(builtins.attrNames files);
|
||||
in
|
||||
filesToImport;
|
||||
|
||||
boot.cleanTmpDir = true;
|
||||
zramSwap.enable = true;
|
||||
|
||||
# ssh config
|
||||
services.fail2ban.enable = true;
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
passwordAuthentication = false;
|
||||
};
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
(builtins.readFile "${inputs.self}/secrets/ssh-key.pub")
|
||||
];
|
||||
|
||||
# nginx
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
virtualHosts."gaze.systems" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = "${inputs.blog.packages.${pkgs.system}.website}";
|
||||
locations."/".extraConfig = ''
|
||||
add_header cache-control max-age=1800;
|
||||
'';
|
||||
};
|
||||
virtualHosts."git.gaze.systems" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://localhost:3001";
|
||||
};
|
||||
};
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
certs = {
|
||||
"gaze.systems".email = email;
|
||||
"git.gaze.systems".email = email;
|
||||
};
|
||||
};
|
||||
|
||||
# gitea
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
cookieSecure = true;
|
||||
disableRegistration = true;
|
||||
domain = "git.gaze.systems";
|
||||
rootUrl = "https://git.gaze.systems/";
|
||||
httpPort = 3001;
|
||||
};
|
||||
|
||||
# firewall stuffs
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
allowedTCPPorts = lib.flatten [
|
||||
[22 80 443]
|
||||
(
|
||||
lib.optional
|
||||
config.services.gitea.enable
|
||||
config.services.gitea.httpPort
|
||||
)
|
||||
];
|
||||
allowedTCPPorts = [22 80 443];
|
||||
allowedUDPPortRanges = [];
|
||||
};
|
||||
|
||||
# nixinate for deployment
|
||||
_module.args.nixinate = {
|
||||
host = "gaze.systems";
|
||||
sshUser = "root";
|
||||
buildOn = "local"; # valid args are "local" or "remote"
|
||||
substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s"
|
||||
hermetic = true;
|
||||
};
|
||||
|
||||
system.stateVersion = "22.05";
|
||||
}
|
||||
|
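Review bot: The filter `(name: type: type == "regular" && name != "default.nix")` in the new `imports` expression imports every regular file in this directory as Nix, not just `.nix` files, so a stray README, editor backup or swap file dropped into hosts/wolumonde/ would break evaluation of the whole host. Adding a suffix check, `(name: type: type == "regular" && name != "default.nix" && lib.hasSuffix ".nix" name)`, keeps the auto-import convenient without that fragility. The module's argument set (`pkgs`, `inputs`, ...) begins above the hunk at line 1 of the file.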
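--- a/hosts/wolumonde/gitea.nix
+++ b/hosts/wolumonde/gitea.nix
@@ -0,0 +1,20 @@
+{config, ...}: {
+services.gitea = {
+enable = true;
+cookieSecure = true;
+disableRegistration = true;
+domain = "git.gaze.systems";
+rootUrl = "https://git.gaze.systems/";
+httpPort = 3001;
+};
+
+services.nginx.virtualHosts."git.gaze.systems" = {
+enableACME = true;
+forceSSL = true;
+locations."/".proxyPass = "http://localhost:3001";
+};
+
+networking.firewall.allowedTCPPorts = [
+config.services.gitea.httpPort
+];
+}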
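Review bot: The `networking.firewall.allowedTCPPorts = [ config.services.gitea.httpPort ];` block at the end opens port 3001 on every interface, which exposes Gitea's plain-HTTP listener directly and bypasses the `forceSSL` nginx proxy defined just above; `cookieSecure = true` protects the session cookie from being sent over that path, but a login form submitted to the raw port is still sent in clear. Unless something external needs the unproxied port, drop the firewall entry and bind Gitea to loopback with `httpAddress = "127.0.0.1";` so only nginx can reach it (as far as I recall the NixOS module binds to all interfaces by default). The previous default.nix opened this port the same way, so this is inherited rather than introduced here.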
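--- a/hosts/wolumonde/nginx.nix
+++ b/hosts/wolumonde/nginx.nix
@@ -0,0 +1,13 @@
+{inputs, ...}: {
+services.nginx = {
+enable = true;
+recommendedTlsSettings = true;
+recommendedOptimisation = true;
+recommendedGzipSettings = true;
+recommendedProxySettings = true;
+};
+security.acme = {
+acceptTerms = true;
+defaults.email = (import "${inputs.self}/personal.nix").emails.primary;
+};
+}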
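--- a/hosts/wolumonde/nixinate.nix
+++ b/hosts/wolumonde/nixinate.nix
@@ -0,0 +1,9 @@
+{...}: {
+_module.args.nixinate = {
+host = "gaze.systems";
+sshUser = "root";
+buildOn = "local"; # valid args are "local" or "remote"
+substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s"
+hermetic = true;
+};
+}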
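--- a/hosts/wolumonde/ssh.nix
+++ b/hosts/wolumonde/ssh.nix
@@ -0,0 +1,10 @@
+{inputs, ...}: {
+services.fail2ban.enable = true;
+services.openssh = {
+enable = true;
+passwordAuthentication = false;
+};
+users.users.root.openssh.authorizedKeys.keys = [
+(builtins.readFile "${inputs.self}/secrets/ssh-key.pub")
+];
+}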
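Review bot: `passwordAuthentication = false;` on its own does not turn off keyboard-interactive (PAM) authentication, so sshd can still present a password prompt through that method; add `kbdInteractiveAuthentication = false;` beside it (the option should exist for the 22.05 release this host's stateVersion targets, worth confirming). Since root is both the deploy user in nixinate.nix and the only account given a key here, make the root policy explicit as well with `permitRootLogin = "prohibit-password";` rather than relying on the module default. fail2ban then only has to cover the remaining public-key attempts.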