# NixOS host configuration: runs the "ann" service (from the `ann` flake input)
# behind nginx, plus FreshRSS, PostgreSQL, ACME certificates and OpenSSH.
{ pkgs, inputs, ... }: {
imports = [
./hardware-configuration.nix
./networking.nix # generated at runtime by nixos-infect
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# Unit for the ann application. The script runs the flake's migrate-up app and
# then replaces the shell with the ann program.
# NOTE(review): no serviceConfig.User / DynamicUser is set, so the unit runs
# with systemd's default identity (root). Consider a dedicated unprivileged
# user plus sandboxing options for this network-facing service.
# NOTE(review): the URL connects over TCP as the `postgres` role (normally the
# cluster superuser) with no password; that only works because of the `trust`
# rule for ::1 in services.postgresql.authentication below. A dedicated,
# least-privileged role for the `ann` database would limit the impact of a
# compromise of this service.
systemd.services.ann = {
enable = true;
description = "Ann";
script = ''
export POSTGRESQL_URL="postgres://postgres@localhost:5432/ann?sslmode=disable"
${inputs.ann.apps.${pkgs.system}."migrate-up".program}
exec ${inputs.ann.apps.${pkgs.system}.ann.default.program}
'';
wantedBy = [ "multi-user.target" ];
};
# FreshRSS. The password is read from a runtime path given as a string, so the
# secret itself is not copied into the Nix store.
# NOTE(review): nothing in this file creates /run/secrets/freshrss; presumably
# it is provisioned out of band. Confirm its ownership and mode.
services.freshrss = {
enable = true;
defaultUser = "freshrss";
passwordFile = "/run/secrets/freshrss";
dataDir = "/srv/freshrss/data";
virtualHost = "rss.mccd.space";
baseUrl = "https://rss.mccd.space";
};
# PostgreSQL with an `ann` database created on activation.
# NOTE(review): listen_addresses is forced to "*", so the server binds every
# interface, while the pg_hba rules below only admit the Unix socket and ::1.
# Remote clients are kept out only by pg_hba and by the firewall (80/443
# listed below). Binding to "localhost" would remove the unnecessary exposure.
# NOTE(review): `trust` lets any local OS user or process that can reach the
# socket or ::1 connect as any database role, including `postgres`, without a
# password. Prefer `peer` for the socket and `scram-sha-256` for TCP.
# NOTE(review): there is no rule for 127.0.0.1, so the ann unit's `localhost`
# URL is only admitted when it resolves to ::1. Verify on the host.
# mkOverride 10 gives these pg_hba lines priority over normal-priority
# definitions, so they are intended to replace rather than extend other entries.
services.postgresql = {
enable = true;
ensureDatabases = [ "ann" ];
settings = {
listen_addresses = pkgs.lib.mkForce "*";
};
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
host all all ::1/128 trust
'';
};
# nginx terminates TLS (certificates via ACME) for both virtual hosts.
services.nginx = {
enable = true;
gitweb = {
enable = false;
};
recommendedProxySettings = true;
recommendedTlsSettings = true;
# forceSSL: plain-HTTP requests are redirected to HTTPS.
virtualHosts."rss.mccd.space" = {
forceSSL = true;
enableACME = true;
};
# NOTE(review): addSSL serves this host over both HTTP and HTTPS with no
# redirect, so traffic (including any Authorization header) can travel in
# cleartext. Use forceSSL, as on rss.mccd.space, unless plain HTTP is
# intentional.
virtualHosts."ann.sh" = {
enableACME = true;
addSSL = true;
# "~" is a regex location with an empty pattern; presumably it is meant to
# match every request path. Confirm that "/" was not intended.
locations."~" = {
proxyPass = "http://localhost:8080";
proxyWebsockets = true; # needed if you need to use WebSocket
# NOTE(review): the upstream is plain http://, so proxy_ssl_server_name has
# no effect here. proxy_pass_header governs headers passed from the upstream
# response to the client; it is not what forwards the request's Authorization
# header.
extraConfig =
# required when the target is also TLS server with multiple hosts
"proxy_ssl_server_name on;" +
# required when the server wants to use HTTP Authentication
"proxy_pass_header Authorization;"
;
};
};
};
# Only HTTP/HTTPS are listed here. NOTE(review): services.openssh normally
# opens its own port as well; confirm the resulting rule set on the host.
networking.firewall.allowedTCPPorts = [ 80 443];
security.acme = {
acceptTerms = true;
defaults.email = "marcc@mccd.space";
};
environment.systemPackages = with pkgs; [ git vim ];
# Login account used for git access over SSH (key-based).
# NOTE(review): membership in "wheel" conventionally grants administrative
# rights (sudo), which is broader than a repository-hosting account needs.
# Drop "wheel"/"networkmanager" unless this account is also the admin login.
# No users.groups.git is declared in this file; confirm the group exists.
users.users.git = {
isNormalUser = true;
home = "/home/git";
description = "Git User";
extraGroups = [ "wheel" "networkmanager" "git" ];
openssh.authorizedKeys.keys = [ "ssh-rsa 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 marcc@mccd" ];
};
# NOTE(review): newer NixOS releases rename this option to
# boot.tmp.cleanOnBoot; confirm against the pinned nixpkgs.
boot.cleanTmpDir = true;
zramSwap.enable = true;
networking.hostName = "nix";
networking.domain = "ann";
# SSH is enabled with module defaults; no PasswordAuthentication or
# PermitRootLogin setting appears in this file.
# NOTE(review): set both explicitly (key-only authentication, root login
# restricted) so the policy does not depend on nixpkgs defaults. Direct root
# login by key is enabled by the line after it.
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [''ssh-rsa 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'' ];
}