From c3a5ade1e80934f13b4760ebaddfbe7c0ca356e5 Mon Sep 17 00:00:00 2001
From: System administrator
Date: Sat, 20 Jan 2024 21:18:57 +0000
Subject: Add initial nix config
---
 configuration.nix | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 configuration.nix
(limited to 'configuration.nix')
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..0da4b09
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,93 @@
+{ pkgs, inputs, ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ./networking.nix # generated at runtime by nixos-infect
+ ];
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ systemd.services.ann = {
+ enable = true;
+ description = "Ann";
+ script = ''
+ export POSTGRESQL_URL="postgres://postgres@localhost:5432/ann?sslmode=disable"
+ ${inputs.ann.apps.${pkgs.system}."migrate-up".program}
+ exec ${inputs.ann.apps.${pkgs.system}.ann.default.program}
+ '';
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ services.freshrss = {
+ enable = true;
+ defaultUser = "freshrss";
+ passwordFile = "/run/secrets/freshrss";
+ dataDir = "/srv/freshrss/data";
+ virtualHost = "rssf.mccd.space";
+ baseUrl = "https://rssf.mccd.space";
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "ann" ];
+ settings = {
+ listen_addresses = pkgs.lib.mkForce "*";
+ };
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser auth-method
+ local all all trust
+ host all all ::1/128 trust
+ '';
+ };
+
+ services.nginx = {
+ enable = true;
+
+ gitweb = {
+ enable = false;
+ };
+
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts."rssf.mccd.space" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+
+ virtualHosts."ann.sh" = {
+ enableACME = true;
+ addSSL = true;
+
+ locations."~" = {
+ proxyPass = "http://localhost:8080";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig =
+ # required when the target is also TLS server with multiple hosts
+ "proxy_ssl_server_name on;" +
+ # required when the server wants to use HTTP Authentication
+ "proxy_pass_header Authorization;"
+ ;
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443];
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "marcc@mccd.space";
+ };
+
+ environment.systemPackages = with pkgs; [ git vim ];
+
+ users.users.git = {
+ isNormalUser = true;
+ home = "/home/git";
+ description = "Git User";
+ extraGroups = [ "wheel" "networkmanager" "git" ];
+ openssh.authorizedKeys.keys = [ "ssh-rsa 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 marcc@mccd" ];
+ };
+
+ boot.cleanTmpDir = true;
+ zramSwap.enable = true;
+ networking.hostName = "nix";
+ networking.domain = "webgit.mccd.space";
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [''ssh-rsa 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'' ];
+}
-- cgit v1.2.3
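Review bot: `services.postgresql` grants far more than its one local client needs: `authentication` is overridden to `trust` for `local all all` and `host all all ::1/128`, so any process on the host (the freshrss PHP pool, nginx, a login on the `git` account) can open a connection as the `postgres` superuser with no credentials, and `listen_addresses` is forced to `"*"` although the only consumer is the `ann` unit on the same machine. `networking.firewall.allowedTCPPorts` lists only 80 and 443, so 5432 is presumably not reachable from outside today, but the wildcard listen address buys nothing and turns any later firewall change into a remote exposure. The `ann` unit also has no `after`/`requires` on `postgresql.service`, so the `migrate-up` step can race the database at boot, and with no `serviceConfig.User` it appears to run as root and migrate as the superuser; a dedicated `ann` role via `ensureUsers` with `ensureDBOwnership`, peer auth over the Unix socket and a system user for the service (sketched below) let the module's default listen address and hba rules stand. Separately, `users.users.git` carries `wheel` and `networkmanager`, which is more than a push-only account on a headless server should hold; `extraGroups = [ "git" ];` is enough unless that account is also meant to administer the box.

```nix
  systemd.services.ann = {
    enable = true;
    description = "Ann";
    # start only once the database is up; the migration step needs it
    after = [ "postgresql.service" ];
    requires = [ "postgresql.service" ];
    # run as an unprivileged system user whose name matches the DB role (peer auth)
    serviceConfig.User = "ann";
    script = ''
      export POSTGRESQL_URL="postgres:///ann?host=/run/postgresql&sslmode=disable"
      # … unchanged: migrate-up and exec lines …
    '';
    wantedBy = [ "multi-user.target" ];
  };

  users.users.ann = { isSystemUser = true; group = "ann"; };
  users.groups.ann = { };

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "ann" ];
    # app-owned role instead of the postgres superuser; no listen_addresses / authentication override
    ensureUsers = [ { name = "ann"; ensureDBOwnership = true; } ];
  };
```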