path: root/configuration.nix
blob: 941939e299bb9b94b75d2e6cb2dd199e208ae469 (plain)
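# NixOS system configuration: runs the "ann" application behind nginx,
# a FreshRSS instance, and a local PostgreSQL server.
{ pkgs, inputs, ... }: {
  imports = [
    ./hardware-configuration.nix
    ./networking.nix # generated at runtime by nixos-infect
  ];
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # "ann" application unit: applies the schema migration, then execs the app.
  # NOTE(review): no `serviceConfig.User` / `DynamicUser` is set, so the unit
  # runs as root; confining it is worth doing once its file/port needs are known.
  systemd.services.ann = {
    enable = true;
    description = "Ann";
    # migrate-up connects to PostgreSQL on localhost, so this unit must be
    # ordered after postgresql.service; without these two lines both units
    # are started in parallel by multi-user.target and the migration can run
    # before the database accepts connections.
    after = [ "postgresql.service" ];
    requires = [ "postgresql.service" ];
    # The connection string uses the `postgres` superuser over plain TCP
    # (sslmode=disable); pg_hba below only admits that from loopback.
    # A dedicated role via services.postgresql.ensureUsers would be tighter,
    # but may require the migrations to be re-owned -- left as is.
    script = ''
      export POSTGRESQL_URL="postgres://postgres@localhost:5432/ann?sslmode=disable"
      ${inputs.ann.apps.${pkgs.system}."migrate-up".program}
      exec ${inputs.ann.apps.${pkgs.system}.ann.default.program}
    '';
    wantedBy = [ "multi-user.target" ];
  };

  services.freshrss = {
    enable = true;
    defaultUser = "freshrss";
    passwordFile = "/run/secrets/freshrss"; # admin password kept out of the store
    dataDir = "/srv/freshrss/data";
    virtualHost = "rssf.mccd.space";
    baseUrl = "https://rssf.mccd.space";
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "ann" ];
    settings = {
      # Binds on every interface. The firewall below opens only 80/443 and the
      # pg_hba rules admit nothing but loopback, so remote clients are refused
      # at authentication -- but the listener is still reachable on all
      # addresses; "localhost" would be the tighter choice if nothing external
      # needs the port.
      listen_addresses = pkgs.lib.mkForce "*";
    };
    # mkOverride 10 replaces the NixOS default pg_hba entirely, so every
    # allowed path must be listed here. `trust` means any local account can
    # connect as any role, including the `postgres` superuser, with no
    # password.
    authentication = pkgs.lib.mkOverride 10 ''
      # TYPE  DATABASE  USER  ADDRESS        METHOD
      local   all       all                  trust
      # The app's URL says `localhost`, which may resolve to 127.0.0.1 first;
      # mirror the ::1 rule so the IPv4 loopback path is not rejected.
      host    all       all   127.0.0.1/32   trust
      host    all       all   ::1/128        trust
    '';
  };

  services.nginx = {
    enable = true;

    gitweb.enable = false;

    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."rssf.mccd.space" = {
      forceSSL = true;
      enableACME = true;
    };

    virtualHosts."ann.sh" = {
      enableACME = true;
      # addSSL serves both plain HTTP and HTTPS; forceSSL (as used for the
      # FreshRSS host above) would redirect HTTP to HTTPS instead.
      addSSL = true;

      # NOTE(review): this renders as `location ~ {`, which nginx appears to
      # treat as a regex location with an empty pattern (matches every
      # request) -- confirm. The conventional catch-all is the prefix
      # location "/".
      locations."~" = {
        proxyPass = "http://localhost:8080";
        proxyWebsockets = true; # needed if you need to use WebSocket
        extraConfig =
          # required when the target is also TLS server with multiple hosts
          # (inert here: the upstream above is plain http://)
          "proxy_ssl_server_name on;" +
          # required when the server wants to use HTTP Authentication
          "proxy_pass_header Authorization;"
          ;
      };
    };
  };

  # Only the web ports are exposed; PostgreSQL (5432) and the app (8080)
  # stay reachable on localhost only.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  security.acme = {
    acceptTerms = true;
    defaults.email = "marcc@mccd.space";
  };

  environment.systemPackages = with pkgs; [ git vim ];

  # Interactive account. `wheel` grants sudo; the same key is also installed
  # for root below, so this account is root-equivalent either way.
  users.users.git = {
    isNormalUser = true;
    home = "/home/git";
    description = "Git User";
    extraGroups = [ "wheel" "networkmanager" "git" ];
    openssh.authorizedKeys.keys = [ "ssh-rsa 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 marcc@mccd" ];
  };

  # NOTE(review): `boot.cleanTmpDir` was renamed to `boot.tmp.cleanOnBoot` in
  # newer NixOS releases; kept as is to match whatever release this targets.
  boot.cleanTmpDir = true;
  zramSwap.enable = true;
  networking.hostName = "nix";
  networking.domain = "ann";
  services.openssh.enable = true;
  # Direct key-based root login: NixOS's sshd default is PermitRootLogin
  # "prohibit-password" (confirm for the target release), so this key
  # can log in as root without going through the `git` account.
  users.users.root.openssh.authorizedKeys.keys = [''ssh-rsa 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'' ];
}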