# Host "mccd": gitolite + cgit (git.mccd.space), FreshRSS (rss.mccd.space) and
# the "ann" app running in a NAT'd nixos-container behind nginx (ann.sh).
{ pkgs, inputs, ... }:
let
  # Stylesheet served by nginx at /cgit2.css; cgit's `css` setting points there.
  cgitCss = pkgs.writeText "cgit.css" (builtins.readFile ./cgit.css);
in
{
  imports = [
    ./hardware-configuration.nix
    ./networking.nix # generated at runtime by nixos-infect
  ];

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  system.stateVersion = "24.05";

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  networking = {
    hostName = "mccd";
    domain = "ann";

    # Masquerade container veth traffic out through eth0.
    nat = {
      enable = true;
      internalInterfaces = [ "ve-*" ];
      externalInterface = "eth0";
    };

    # NOTE(review): 8080 is opened on the host, yet the only 8080 listener in
    # this file is the ann service inside the container, which nginx reaches via
    # proxyPass; nothing here binds 8080 on the host itself. Confirm whether it
    # can be dropped from this list.
    firewall.allowedTCPPorts = [ 80 443 8080 ];
  };

  # ---------------------------------------------------------------------------
  # "ann" container
  # ---------------------------------------------------------------------------
  containers.ann = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.100.2";
    localAddress = "192.168.100.11";
    # `-U` is passed through to systemd-nspawn (user namespacing); the original
    # comment described it as dropping privileges.
    extraFlags = [ "-U" ];

    config = { config, pkgs, ... }: {
      systemd.services.ann = {
        enable = true;
        description = "Ann";
        # Apply migrations, then exec the app. Postgres is reached on the
        # loopback with `trust` auth (see services.postgresql below), hence no
        # password and sslmode=disable.
        script = ''
          export POSTGRESQL_URL="postgres://postgres@localhost:5432/ann?sslmode=disable"
          export ANN_INTERFACE="0.0.0.0"
          ${inputs.ann.apps.${pkgs.system}."migrate-up".program}
          exec ${inputs.ann.apps.${pkgs.system}.ann.default.program}
        '';
        serviceConfig = {
          Restart = "on-failure";
          RestartSec = 1;
        };
        wantedBy = [ "multi-user.target" ];
      };

      networking.firewall.allowedTCPPorts = [ 80 443 8080 ];

      services.postgresql = {
        enable = true;
        ensureDatabases = [ "ann" ];
        # Binds every container interface, but the pg_hba rules below only
        # admit unix-socket and IPv6-loopback clients, all with `trust` (no
        # password): any process inside the container can connect as any role.
        # NOTE(review): there is no IPv4 loopback rule, so the app's
        # `localhost` URL above only matches if it resolves to ::1 — confirm.
        settings.listen_addresses = pkgs.lib.mkForce "*";
        authentication = pkgs.lib.mkOverride 10 ''
          #type database DBuser auth-method
          local all all trust
          host all all ::1/128 trust
        '';
      };

      system.stateVersion = "24.05";
    };
  };

  # ---------------------------------------------------------------------------
  # Services on the host
  # ---------------------------------------------------------------------------
  services = {
    cgit.mccd = {
      enable = true;
      scanPath = "/srv/git/repositories";
      nginx.virtualHost = "git.mccd.space";
      settings = {
        css = "/cgit2.css";
        logo = "";
        favicon = "";
        enable-index-owner = "0";
        enable-index-links = "0";
        snapshots = "tar.gz tar.bz2 zip";
        about-filter = "${pkgs.cgit}/lib/cgit/filters/about-formatting.sh";
        source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
        clone-url = "https://git.mccd.space/$CGIT_REPO_URL ssh://git@git.mccd.space:$CGIT_REPO_URL";
        readme = ":README.md";
        remove-suffix = "1";
        # NOTE(review): serving repository blobs as text/html and image/svg+xml
        # means pushed content is rendered as active content under the
        # git.mccd.space origin; this is only safe while every account that can
        # push is fully trusted.
        "mimetype.gif" = "image/gif";
        "mimetype.html" = "text/html";
        "mimetype.jpg" = "image/jpeg";
        "mimetype.jpeg" = "image/jpeg";
        "mimetype.pdf" = "application/pdf";
        "mimetype.png" = "image/png";
        "mimetype.svg" = "image/svg+xml";
        "repo.owner" = "Marc";
        enable-log-filecount = 1;
        enable-follow-links = 1;
        enable-log-linecount = 1;
        # Lets per-repository git config feed cgit (gitolite limits which keys
        # gitolite.conf may set; see GIT_CONFIG_KEYS below).
        enable-git-config = 1;
        enable-commit-graph = 1;
        project-list = "/srv/git/projects.list";
        root-title = "git.mccd ߸";
        root-desc = "";
      };
    };

    freshrss = {
      enable = true;
      defaultUser = "freshrss";
      passwordFile = "/run/secrets/freshrss";
      dataDir = "/srv/freshrss/data";
      virtualHost = "rss.mccd.space";
      baseUrl = "https://rss.mccd.space";
    };

    # Hourly feed refresh.
    # NOTE(review): this runs as www-data and logs to a fixed path in the shared
    # /tmp; verify that www-data can reach dataDir and whether the freshrss
    # module's own updater already makes this job redundant.
    cron = {
      enable = true;
      systemCronJobs = [
        "10 * * * * www-data ${pkgs.php}/bin/php -f ${pkgs.freshrss}/app/actualize_script.php > /tmp/FreshRSS.log 2>&1"
      ];
    };

    nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      virtualHosts = {
        "git.mccd.space" = {
          forceSSL = true;
          enableACME = true;
          locations."= /cgit2.css".alias = "${cgitCss}";
        };
        "rss.mccd.space" = {
          forceSSL = true;
          enableACME = true;
        };
        "ann.sh" = {
          enableACME = true;
          addSSL = true;
          # NOTE(review): `~` is nginx's regex modifier and appears here without
          # a pattern; `/` was probably intended — check the rendered nginx.conf.
          locations."~" = {
            proxyPass = "http://192.168.100.11:8080";
            proxyWebsockets = true; # needed if you need to use WebSocket
          };
        };
      };
    };

    sshguard.enable = true;

    # NOTE(review): root logs in by key below; if ./networking.nix does not
    # already do so, consider `services.openssh.settings.PasswordAuthentication = false;`.
    openssh.enable = true;

    gitolite = {
      enable = true;
      user = "git";
      group = "git";
      dataDir = "/srv/git";
      adminPubkey = "ssh-rsa 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 marcc@mccd";
      # Repositories are created private to the git user (umask 0077) and
      # gitolite.conf may only set the two gitweb keys cgit reads.
      # NOTE(review): confirm cgit's fcgiwrap user can still read repositories
      # created with this umask.
      extraGitoliteRc = ''
        $RC{UMASK} = 0077;
        $RC{GIT_CONFIG_KEYS} = 'gitweb.owner gitweb.description';
      '';
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "marcc@mccd.space";
  };

  environment.systemPackages = [
    pkgs.git
    pkgs.vim
    pkgs.fd
    pkgs.php
    pkgs.python311Packages.markdown
  ];
  programs.git.enable = true;

  # ---------------------------------------------------------------------------
  # Accounts
  # ---------------------------------------------------------------------------
  users = {
    groups.git = { };

    users.git = {
      isSystemUser = true;
      home = "/srv/git";
      group = "git";
      # NOTE(review): the gitolite service account is a member of `wheel`,
      # which grants sudo under NixOS defaults; gitolite does not need this, and
      # with the direct login key below a compromise of `git` is a compromise of
      # root. Consider removing it.
      extraGroups = [ "wheel" ];
      # NOTE(review): keys listed here are plain SSH logins as `git`, not routed
      # through gitolite's forced command the way keys in gitolite-admin are.
      openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcVScuh69V2OoYvMvPPgg0V2rNOaaEBBKpfsflnb97u1XltWeO9GnjkSfnfkY73M67eWuMwf9VwSjcYuDAguUEtCBlFEiZydmqgA5efqHwTIoxAegXL4Imb/pWnvryFQ7bbpcbY6gCNIskGMsUOv67AVXL5zPcFPmh/gQEOQH+Zp7AaJ264HWkwBuM63OYxuQ4vB/6jxWGW8j6UF9dvqemtRyFytpXW8R7y3B7sbI+tO+vuB2+O5NNguv3KStT00ktfLxoZJ2koAIb0HBOoKlbeoFVR/K3S8NeWbsZQMHY1W519rQm3TN6rDBLjdRDYQS1Y5ECNAfgbdrz5Ed8R1P1AqqzBAfEp0ooFeitN8BDrwbntiMF+qpPWzNIzJkWOgpfU7YBr/JCsSdtnVAMJo4lKC3mu5PKGROUE/rfd0/rn03HD/rgyhPvREtwUrfQTc4VzQP2Ntdw3tsZRpaNk7FZPtXApKu9Wt6TwS74n6ma4Q33opfqyDV0UzpsUCYncx8= marcc@mccd"
      ];
    };

    users.root.openssh.authorizedKeys.keys = [
      ''ssh-rsa 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''
    ];
  };
}