-rw-r--r--configuration.nix81
1 files changed, 47 insertions, 34 deletions
diff --git a/configuration.nix b/configuration.nix
index dc3e7e6..f782e9c 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -4,19 +4,49 @@
./networking.nix # generated at runtime by nixos-infect
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
- systemd.services.ann = {
- enable = true;
- description = "Ann";
- script = ''
- export POSTGRESQL_URL="postgres://postgres@localhost:5432/ann?sslmode=disable"
- ${inputs.ann.apps.${pkgs.system}."migrate-up".program}
- exec ${inputs.ann.apps.${pkgs.system}.ann.default.program}
- '';
- serviceConfig = {
- Restart = "on-failure";
- RestartSec = 1;
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = [ "ve-*" ];
+ networking.nat.externalInterface = "eth0";
+
+ containers.ann = {
+ # Drop privileges
+ extraFlags = [ "-U" ];
+ autoStart = true;
+ hostAddress = "192.168.100.2";
+ localAddress = "192.168.100.11";
+ privateNetwork = true;
+
+ config = { config, pkgs, ... }: {
+ systemd.services.ann = {
+ enable = true;
+ description = "Ann";
+ script = ''
+ export POSTGRESQL_URL="postgres://postgres@localhost:5432/ann?sslmode=disable"
+ export ANN_INTERFACE="0.0.0.0"
+ ${inputs.ann.apps.${pkgs.system}."migrate-up".program}
+ exec ${inputs.ann.apps.${pkgs.system}.ann.default.program}
+ '';
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = 1;
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 8080];
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "ann" ];
+ settings = {
+ listen_addresses = pkgs.lib.mkForce "*";
+ };
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser auth-method
+ local all all trust
+ host all all ::1/128 trust
+ '';
};
- wantedBy = [ "multi-user.target" ];
+ system.stateVersion = "24.05";
+ };
};
services.freshrss = {
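Review bot: The container's `networking.firewall.allowedTCPPorts = [ 80 443 8080];` opens 80 and 443 inside the container although nothing in the container config listens on them (nginx and the TLS termination stay on the host), so `networking.firewall.allowedTCPPorts = [ 8080 ];` is all the host proxy needs. The last hunk adds the same 8080 to the host's own firewall even though the host only reaches the app through the proxyPass to 192.168.100.11, so that addition can be dropped as well and the plaintext listener stays reachable only behind the TLS proxy. In the same container config `listen_addresses = pkgs.lib.mkForce "*";` makes PostgreSQL bind on the container's 192.168.100.11 address too, while the pg_hba rules only admit the unix socket and ::1 and the app dials localhost:5432, so `listen_addresses = "localhost";` (or no override at all) suffices. The `trust` entries let any process in the container connect as the postgres superuser without a password; that is narrower than it was on the host, but deserves a comment such as `# trust is acceptable only while the container runs nothing but ann`. Whether the 192.168.100.0/24 addresses are reachable from outside the host depends on the NAT and forwarding rules, which this hunk does not show.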
@@ -34,20 +64,6 @@
"10 * * * * www-data ${pkgs.php}/bin/php -f ${pkgs.freshrss}/app/actualize_script.php > /tmp/FreshRSS.log 2>&1"
];
};
-
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "ann" ];
- settings = {
- listen_addresses = pkgs.lib.mkForce "*";
- };
- authentication = pkgs.lib.mkOverride 10 ''
- #type database DBuser auth-method
- local all all trust
- host all all ::1/128 trust
- '';
- };
-
services.nginx = {
enable = true;
@@ -68,18 +84,15 @@
addSSL = true;
locations."~" = {
- proxyPass = "http://localhost:8080";
+ proxyPass = "http://192.168.100.11:8080";
proxyWebsockets = true; # needed if you need to use WebSocket
- extraConfig =
- # required when the target is also TLS server with multiple hosts
- "proxy_ssl_server_name on;" +
- # required when the server wants to use HTTP Authentication
- "proxy_pass_header Authorization;"
- ;
};
};
};
- networking.firewall.allowedTCPPorts = [ 80 443];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 8080];
+ system.stateVersion = "24.05";
+
security.acme = {
acceptTerms = true;
defaults.email = "marcc@mccd.space";