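# NixOS configuration for the host "mccd".
#
# What this module sets up, as visible below:
#   * a NixOS container "ann" on a private veth network, running RabbitMQ and
#     the "ann" service taken from the `inputs.ann` flake input;
#   * cgit + gitolite for git hosting on git.mccd.space;
#   * FreshRSS on rss.mccd.space;
#   * nginx as the TLS front end (ACME certificates) for all three sites;
#   * sshd with key-based logins for root and git, plus sshguard.
#
# Arguments:
#   pkgs   - the nixpkgs package set.
#   inputs - flake inputs; only `inputs.ann` is used here.
{ pkgs, inputs, ... }:
let
  # Copy the stylesheet into the Nix store so nginx can serve it by store path.
  cgitCss = pkgs.writeText "cgit.css" (builtins.readFile ./cgit.css);
in
{
  imports = [
    ./hardware-configuration.nix
    ./networking.nix # generated at runtime by nixos-infect
  ];

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # NAT so the container's private network can reach the outside via eth0.
  # NOTE(review): the NixOS container documentation uses "ve-+" (the iptables
  # wildcard) here; confirm "ve-*" matches with the firewall backend in use.
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-*" ];
  networking.nat.externalInterface = "eth0";

  # /mnt holds the container's persistent data; readable by root only.
  systemd.tmpfiles.rules = [ "d /mnt/ 700 root root -" ];

  containers.ann = {
    autoStart = true;
    # Host and container ends of the private veth pair.
    hostAddress = "192.168.100.2";
    localAddress = "192.168.100.11";
    privateNetwork = true;
    # The container root is recreated on each start; only the bind mount
    # below persists.
    ephemeral = true;
    bindMounts = {
      "/srv/ann" = {
        hostPath = "/mnt/ann/";
        isReadOnly = false;
      };
    };

    config = { config, pkgs, ... }: {
      systemd.tmpfiles.rules = [ "d /srv/ann 700 ann ann -" ];

      users.users.ann = {
        isSystemUser = true;
        home = "/srv/ann";
        group = "ann";
        # NOTE(review): "wheel" is the administrative group. Nothing visible
        # in this file needs the service account to be in it; drop it unless
        # something outside this file depends on it.
        extraGroups = [ "wheel" ];
      };
      users.groups.ann = {};

      services.rabbitmq = {
        enable = true;
        managementPlugin.enable = true;
      };

      systemd.services.ann = {
        enable = true;
        description = "Ann";
        environment = {
          ANN_DB_URL = "sqlite3:/srv/ann/ann.db";
          # Listens on every container interface; the host's nginx reaches it
          # over the veth link at 192.168.100.11:8080.
          ANN_INTERFACE = "0.0.0.0";
        };
        # Apply database migrations first, then replace the shell with the
        # server process.
        script = ''
          echo "Running migrations"
          ${inputs.ann.apps.${pkgs.system}."migrate-up".program}
          echo "Migrations complete, starting server"
          exec ${inputs.ann.apps.${pkgs.system}.ann.default.program}
        '';
        serviceConfig = {
          Restart = "on-failure";
          RestartSec = 1;
          User = "ann";
          # systemd directive names are case-sensitive: the previous
          # lowercase `group` was an unknown key and was ignored.
          Group = "ann";
        };
        wantedBy = [ "multi-user.target" ];
      };

      # NOTE(review): only 8080 is proxied to by the host's nginx in this
      # file; confirm something in the container listens on 80/443 before
      # keeping them open.
      networking.firewall.allowedTCPPorts = [ 80 443 8080 ];

      system.stateVersion = "24.05";
    };
  };

  # cgit web front end over the gitolite repositories.
  services.cgit.mccd = {
    scanPath = "/srv/git/repositories";
    enable = true;
    nginx.virtualHost = "git.mccd.space";
    settings = {
      # Served by the nginx `= /cgit2.css` location defined further down.
      css = "/cgit2.css";
      logo = "";
      favicon = "";
      enable-index-owner = "0";
      enable-index-links = "0";
      snapshots = "tar.gz tar.bz2 zip";
      about-filter = "${pkgs.cgit}/lib/cgit/filters/about-formatting.sh";
      source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
      clone-url = (pkgs.lib.concatStringsSep " " [
        "https://git.mccd.space/$CGIT_REPO_URL"
        "ssh://git@git.mccd.space:$CGIT_REPO_URL"
      ]);
      footer = "";
      readme = ":README.md";
      remove-suffix = "1";
      "mimetype.gif" = "image/gif";
      "mimetype.html" = "text/html";
      "mimetype.jpg" = "image/jpeg";
      "mimetype.jpeg" = "image/jpeg";
      "mimetype.pdf" = "application/pdf";
      "mimetype.png" = "image/png";
      "mimetype.svg" = "image/svg+xml";
      "repo.owner" = "Marc";
      enable-log-filecount = 1;
      enable-follow-links = 1;
      enable-log-linecount = 1;
      # cgit reads per-repository settings from git config; gitolite below
      # limits which keys users may set (GIT_CONFIG_KEYS).
      enable-git-config = 1;
      enable-commit-graph = 1;
      project-list = "/srv/git/projects.list";
      root-title = "git.mccd ߸";
      root-desc = "";
    };
  };

  services.freshrss = {
    enable = true;
    defaultUser = "freshrss";
    # Secret is read from a runtime path, so it stays out of the Nix store.
    passwordFile = "/run/secrets/freshrss";
    dataDir = "/srv/freshrss/data";
    virtualHost = "rss.mccd.space";
    baseUrl = "https://rss.mccd.space";
  };

  # Feed refresh at minute 10 of every hour.
  # NOTE(review): no `www-data` user is declared in this file; confirm the
  # account exists and can read the FreshRSS data directory. The log goes to
  # a fixed name in the shared /tmp directory; a directory owned by the job's
  # user (or the journal) would be a safer destination.
  services.cron = {
    enable = true;
    systemCronJobs = [
      "10 * * * * www-data ${pkgs.php}/bin/php -f ${pkgs.freshrss}/app/actualize_script.php > /tmp/FreshRSS.log 2>&1"
    ];
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."git.mccd.space" = {
      forceSSL = true;
      enableACME = true;
      # Exact-match location that serves the store copy of the stylesheet.
      locations."= /cgit2.css" = {
        alias = "${cgitCss}";
      };
    };

    virtualHosts."rss.mccd.space" = {
      forceSSL = true;
      enableACME = true;
    };

    virtualHosts."ann.sh" = {
      enableACME = true;
      # NOTE(review): `addSSL` keeps serving plain HTTP next to HTTPS, unlike
      # the two hosts above, which use `forceSSL`. Use `forceSSL = true`
      # instead unless cleartext access is intended.
      addSSL = true;
      # Regex location with an empty pattern: every request is proxied to the
      # ann service inside the container.
      locations."~" = {
        proxyPass = "http://192.168.100.11:8080";
        proxyWebsockets = true; # needed if you need to use WebSocket
      };
    };
  };

  # NOTE(review): nginx reaches the ann service over the container link, and
  # nothing visible in this file listens on host port 8080; confirm it needs
  # to be reachable from outside before keeping it open.
  networking.firewall.allowedTCPPorts = [ 80 443 8080 ];

  system.stateVersion = "24.05";

  security.acme = {
    acceptTerms = true;
    defaults.email = "marcc@mccd.space";
  };

  environment.systemPackages = with pkgs; [
    git
    vim
    fd
    php
    python311Packages.markdown
  ];

  programs.git.enable = true;
  users.groups.git = {};

  services.sshguard.enable = true;

  services.gitolite = {
    enable = true;
    user = "git";
    group = "git";
    # UMASK 0077 keeps repositories private to the git user;
    # GIT_CONFIG_KEYS restricts the git config keys settable through gitolite
    # to the two gitweb keys.
    extraGitoliteRc = ''
      $RC{UMASK} = 0077;
      $RC{GIT_CONFIG_KEYS} = 'gitweb.owner gitweb.description';
    '';
    dataDir = "/srv/git";
    adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcVScuh69V2OoYvMvPPgg0V2rNOaaEBBKpfsflnb97u1XltWeO9GnjkSfnfkY73M67eWuMwf9VwSjcYuDAguUEtCBlFEiZydmqgA5efqHwTIoxAegXL4Imb/pWnvryFQ7bbpcbY6gCNIskGMsUOv67AVXL5zPcFPmh/gQEOQH+Zp7AaJ264HWkwBuM63OYxuQ4vB/6jxWGW8j6UF9dvqemtRyFytpXW8R7y3B7sbI+tO+vuB2+O5NNguv3KStT00ktfLxoZJ2koAIb0HBOoKlbeoFVR/K3S8NeWbsZQMHY1W519rQm3TN6rDBLjdRDYQS1Y5ECNAfgbdrz5Ed8R1P1AqqzBAfEp0ooFeitN8BDrwbntiMF+qpPWzNIzJkWOgpfU7YBr/JCsSdtnVAMJo4lKC3mu5PKGROUE/rfd0/rn03HD/rgyhPvREtwUrfQTc4VzQP2Ntdw3tsZRpaNk7FZPtXApKu9Wt6TwS74n6ma4Q33opfqyDV0UzpsUCYncx8= marcc@mccd";
  };

  users.users.git = {
    isSystemUser = true;
    home = "/srv/git";
    group = "git";
    # NOTE(review): this account is the SSH entry point for every gitolite
    # user. Membership in "wheel" (the administrative group) is not needed by
    # anything visible in this file; drop it unless something else depends on
    # it.
    extraGroups = [ "wheel" ];
    # NOTE(review): a key listed here is installed separately from the
    # entries gitolite manages for the same account; confirm it is meant to
    # exist alongside them.
    openssh.authorizedKeys.keys = [
      "ssh-rsa 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 marcc@mccd"
    ];
  };

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  networking.hostName = "mccd";
  networking.domain = "ann";

  # NOTE(review): every account configured in this file logs in with a key,
  # and nothing here turns password logins off; consider
  # `services.openssh.settings.PasswordAuthentication = false;`.
  services.openssh.enable = true;
  users.users.root.openssh.authorizedKeys.keys = [
    ''ssh-rsa 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''
  ];
}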