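{ pkgs, inputs, ... }: {
  # Host configuration for a small NixOS box: nginx on the host terminates TLS
  # (ACME) and proxies to the "ann" application, which runs together with its
  # PostgreSQL inside an unprivileged NixOS container on a NAT'd private link.
  # FreshRSS is served directly on the host.
  imports = [
    ./hardware-configuration.nix
    ./networking.nix # generated at runtime by nixos-infect
  ];
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # Masquerade the container's veth (ve-*) out through the public interface so
  # the container has outbound connectivity. No forwardPorts are configured
  # here, so nothing is reachable in the container except via nginx's proxy.
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-*" ];
  networking.nat.externalInterface = "eth0";

  containers.ann = {
    # Drop privileges: start the container with a user namespace (nspawn -U).
    extraFlags = [ "-U" ];
    autoStart = true;
    hostAddress = "192.168.100.2";
    localAddress = "192.168.100.11";
    privateNetwork = true;

    config = { config, pkgs, ... }: {
      systemd.services.ann = {
        enable = true;
        description = "Ann";
        # Apply pending migrations, then exec the server. The DB connection is
        # loopback-only and unauthenticated ("trust" in pg_hba below), which is
        # tolerable only because this container hosts nothing but ann and its
        # database.
        # NOTE(review): no User=/DynamicUser= is set, so the service runs as
        # the container's root. ann is proxied on 8080 (unprivileged), so a
        # dedicated service user is likely enough — confirm the app needs no
        # root-owned paths before adding one.
        script = ''
          export POSTGRESQL_URL="postgres://postgres@localhost:5432/ann?sslmode=disable"
          export ANN_INTERFACE="0.0.0.0"
          ${inputs.ann.apps.${pkgs.system}."migrate-up".program}
          exec ${inputs.ann.apps.${pkgs.system}.ann.default.program}
        '';
        serviceConfig = {
          Restart = "on-failure";
          RestartSec = 1;
        };
        wantedBy = [ "multi-user.target" ];
      };
      # Only ann's 8080 is served from inside the container (the host's nginx
      # proxies to it); nothing here listens on 80/443, and 5432 stays closed
      # on the veth so PostgreSQL is reachable only over loopback.
      networking.firewall.allowedTCPPorts = [ 8080 ];
      services.postgresql = {
        enable = true;
        ensureDatabases = [ "ann" ];
        settings = {
          # NOTE(review): the only client is ann on localhost and pg_hba below
          # admits ::1 alone, so binding every address adds exposure without
          # benefit; "localhost" would be the tighter setting.
          listen_addresses = pkgs.lib.mkForce "*";
        };
        # Priority 10 replaces the module's default pg_hba entries entirely.
        # NOTE(review): only ::1 is admitted over TCP — a client that resolves
        # localhost to 127.0.0.1 is rejected — and "trust" on the local socket
        # lets any OS user inside the container act as any DB role.
        authentication = pkgs.lib.mkOverride 10 ''
          #type database  DBuser                        auth-method
          local all       all     trust
          host    all             all             ::1/128                 trust
        '';
      };
      system.stateVersion = "24.05";
    };
  };

  services.freshrss = {
    enable = true;
    defaultUser = "freshrss";
    passwordFile = "/run/secrets/freshrss";
    dataDir = "/srv/freshrss/data";
    virtualHost = "rss.mccd.space";
    baseUrl = "https://rss.mccd.space";
  };

  # NOTE(review): the freshrss module ships its own freshrss-updater timer for
  # actualize_script.php; this cron entry is likely redundant, runs as
  # www-data rather than the module's service user, and writes to a
  # predictable path in /tmp — confirm it is still needed before keeping it.
  services.cron = {
    enable = true;
    systemCronJobs = [
      "10 * * * * www-data ${pkgs.php}/bin/php -f ${pkgs.freshrss}/app/actualize_script.php > /tmp/FreshRSS.log 2>&1"
    ];
  };

  services.nginx = {
    enable = true;

    gitweb = {
      enable = false;
    };

    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."rss.mccd.space" = {
      forceSSL = true;
      enableACME = true;
    };

    virtualHosts."ann.sh" = {
      enableACME = true;
      # NOTE(review): addSSL keeps serving plaintext HTTP alongside TLS;
      # forceSSL (as used for rss.mccd.space) would redirect it — confirm
      # ann.sh has no reason to stay reachable over plain HTTP.
      addSSL = true;

      # NOTE(review): "~" renders as `location ~ { … }`, a regex location with
      # an empty pattern. If the intent is "every path", "/" is the
      # conventional form; left as-is pending confirmation.
      locations."~" = {
        # Upstream is the container's veth address; proxied traffic stays on
        # the host-internal 192.168.100.0/24 link.
        proxyPass = "http://192.168.100.11:8080";
        proxyWebsockets = true; # needed if you need to use WebSocket
      };
    };
  };

  # nginx is the host's only public listener; ann's 8080 lives inside the
  # container and is reached by nginx over the veth, so the host's INPUT chain
  # only needs HTTP/HTTPS.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  system.stateVersion = "24.05";

  security.acme = {
    acceptTerms = true;
    defaults.email = "marcc@mccd.space";
  };

  environment.systemPackages = with pkgs; [ git vim fd php ];

  users.users.git = {
    isNormalUser = true;
    home = "/home/git";
    description = "Git User";
    # NOTE(review): wheel grants sudo; "networkmanager" has no effect unless
    # NetworkManager is enabled on this host, and "git" only takes effect if
    # such a group exists.
    extraGroups = [ "wheel" "networkmanager" "git" ];
    openssh.authorizedKeys.keys = [ "ssh-rsa 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 marcc@mccd" ];
  };

  # boot.tmp.cleanOnBoot is the current name of the former boot.cleanTmpDir.
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  networking.hostName = "nix";
  networking.domain = "ann";

  services.openssh = {
    enable = true;
    settings = {
      # Both accounts below carry SSH keys and no password is configured in
      # this file; disabling password and keyboard-interactive auth leaves
      # key logins untouched and removes the brute-force surface.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };
  # NOTE(review): direct root login by key is allowed under the default
  # PermitRootLogin = "prohibit-password". The git user already has wheel, so
  # PermitRootLogin = "no" would be the tighter choice if nothing (e.g. a
  # remote nixos-rebuild as root) depends on it.
  users.users.root.openssh.authorizedKeys.keys = [ ''ssh-rsa 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'' ];
}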