142 lines
3.1 KiB
Nix
142 lines
3.1 KiB
Nix
{ hostName, config, lib, ... }:
|
|
|
|
{
|
|
imports = [
|
|
./hardware-configuration.nix
|
|
|
|
../../common/ssh/server.nix
|
|
../../common/boot.nix
|
|
../../common/locales.nix
|
|
../../common/nix.nix
|
|
../../common/users.nix
|
|
|
|
../../modules/nixos/bash.nix
|
|
../../modules/nixos/tailscale.nix
|
|
];
|
|
|
|
fileSystems = {
|
|
"/".options = [ "compress=zstd" ];
|
|
"/home".options = [ "compress=zstd" ];
|
|
"/nix".options = [ "compress=zstd" "noatime" ];
|
|
"/swap".options = [ "noatime" ];
|
|
};
|
|
|
|
swapDevices = [{
|
|
device = "/swap/swapfile";
|
|
size = 8192;
|
|
}];
|
|
|
|
networking = {
|
|
hostName = "${hostName}";
|
|
firewall = lib.mkForce {
|
|
allowedTCPPorts = [];
|
|
allowedTCPPortRanges = [];
|
|
allowedUDPPorts = [];
|
|
allowedUDPPortRanges = [];
|
|
};
|
|
};
|
|
|
|
environment.defaultPackages = lib.mkForce [];
|
|
|
|
programs.git = {
|
|
enable = true;
|
|
config = {
|
|
user = {
|
|
name = "wo2wz";
|
|
email = "189177184+wo2wz@users.noreply.github.com";
|
|
};
|
|
safe.directory = "/etc/nixos";
|
|
};
|
|
};
|
|
|
|
services = {
|
|
scx.scheduler = lib.mkForce "scx_rusty";
|
|
|
|
cloudflared = {
|
|
enable = true;
|
|
tunnels."8af2892d-d534-4e32-b867-5b79308a99d5" = {
|
|
credentialsFile = "/etc/cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json";
|
|
default = "http_status:418";
|
|
};
|
|
};
|
|
|
|
caddy = {
|
|
enable = true;
|
|
virtualHosts = {
|
|
"drone.taild5f7e6.ts.net".extraConfig = ''
|
|
encode
|
|
|
|
# most of this doesnt matter but why not
|
|
header {
|
|
Strict-Transport-Security "max-age=31536000;"
|
|
X-Frame-Options "SAMEORIGIN"
|
|
X-Content-Type-Options "nosniff"
|
|
-Server
|
|
-X-Powered-By
|
|
}
|
|
|
|
# block connections to admin login
|
|
respond /admin/* 403
|
|
|
|
reverse_proxy localhost:8000
|
|
'';
|
|
|
|
"zipline.wo2wz.fyi".extraConfig = ''
|
|
encode
|
|
|
|
# most are configured by cloudflare already
|
|
header {
|
|
# Strict-Transport-Security "max-age=31536000;"
|
|
# X-Frame-Options "DENY"
|
|
# X-Content-Type-Options "nosniff"
|
|
# # nobody is gonna find this site through a search engine anyway
|
|
X-Robots-Tag "noindex, nofollow"
|
|
-Server
|
|
# -X-Powered-By
|
|
}
|
|
|
|
# use cloudflare origin certs for https
|
|
tls /var/secrets/caddy/wo2wz.fyi.crt /var/secrets/caddy/wo2wz.fyi.key
|
|
|
|
reverse_proxy localhost:3000
|
|
'';
|
|
|
|
"wo2wz.fyi".extraConfig = ''
|
|
encode
|
|
|
|
header {
|
|
X-Robots-Tag "noindex, nofollow"
|
|
-Server
|
|
}
|
|
|
|
respond "not much to see here"
|
|
'';
|
|
};
|
|
};
|
|
|
|
tailscale.permitCertUid = "caddy"; # allow caddy to manage tailscale ssl certs
|
|
|
|
vaultwarden = {
|
|
enable = true;
|
|
backupDir = "/var/backups/vaultwarden";
|
|
config = {
|
|
DOMAIN = "https://drone.taild5f7e6.ts.net";
|
|
|
|
SIGNUPS_ALLOWED = false;
|
|
};
|
|
environmentFile = "/var/secrets/vaultwarden/secrets.env";
|
|
};
|
|
|
|
zipline = {
|
|
enable = true;
|
|
settings = {
|
|
FEATURES_VERSION_CHECKING = "false";
|
|
FEATURES_THUMBNAILS_NUM_THREADS = 2;
|
|
};
|
|
environmentFiles = [ "/var/secrets/zipline/secrets.env" ];
|
|
};
|
|
};
|
|
|
|
system.stateVersion = "25.05";
|
|
}
|
|
|