
Merge pull request 'feat: caddy' (#11) from feat/caddy into main

Reviewed-on: pub-solar/infra-new#11
Reviewed-by: teutat3s <teutates@mailbox.org>
This commit is contained in:
b12f 2023-10-28 14:00:40 +02:00
commit 44f301c772
Signed by: pub.solar gitea
GPG key ID: F0332B04B7054873
5 changed files with 150 additions and 38 deletions


@ -0,0 +1,57 @@
{
config,
lib,
pkgs,
self,
...
}: let
maintenanceMode = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
@notFound `{err.status_code} == 404`
@websitePages {
path /
path /about
path /hakken
path /privacy
path /os
}
error @websitePages "Scheduled Maintenance" 503
handle {
root * /srv/www/pub.solar
try_files {path}.html {path}
file_server
}
handle_errors @notFound {
error * "Scheduled Maintenance" 503
}
handle_errors {
root * /srv/www/pub.solar
rewrite * /maintenance/index.html
file_server
}
'';
};
in {
systemd.tmpfiles.rules = [
"d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -"
];
services.caddy = {
enable = lib.mkForce true;
group = "hakkonaut";
email = "admins@pub.solar";
enableReload = true;
globalConfig = lib.mkForce ''
grace_period 60s
'';
};
networking.firewall.allowedTCPPorts = [80 443];
}
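Review bot: `maintenanceMode` is bound in the `let` but never referenced in the attribute set after `in`, so the maintenance handler and its `output discard` log override are dead configuration, and with no `services.caddy.virtualHosts` entry defined at all Caddy starts with only the `grace_period` global block. Either attach it to a host (constructed example: `services.caddy.virtualHosts."pub.solar" = maintenanceMode;`) or drop it until it is needed, and add a one-line comment above the `let` saying when it is meant to be swapped in. The `lib.mkForce` on `enable` and `globalConfig` implies a conflicting definition in another module, presumably the upstream infra this repository is forked from; a comment naming what is being overridden would save the next reader a search. The tmpfiles rule creates `/data/srv/www/os/download/` while the maintenance block serves `/srv/www/pub.solar`; if these are meant to be the same tree, say so in a comment.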


@ -1,5 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
# Use GRUB2 as the boot loader. # Use GRUB2 as the boot loader.
# We don't use systemd-boot because Hetzner uses BIOS legacy boot. # We don't use systemd-boot because Hetzner uses BIOS legacy boot.
@ -32,18 +31,6 @@
boot.initrd.availableKernelModules = [ "igb" ]; boot.initrd.availableKernelModules = [ "igb" ];
networking.hostName = "nachtigall";
networking.domain = "pub.solar";
networking.hostId = "00000001";
# enable flakes by default
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
# Set your time zone. # Set your time zone.
time.timeZone = "Etc/UTC"; time.timeZone = "Etc/UTC";
@ -52,33 +39,20 @@
systemPackages = with pkgs; [ vim ]; systemPackages = with pkgs; [ vim ];
}; };
# Network (Hetzner uses static IP assignments, and we don't use DHCP here) users.users.hakkonaut = {
networking.useDHCP = false; description = "CI and automation user";
networking.interfaces."enp35s0".ipv4.addresses = [ home = "/var/nix/iso-cache";
{ useDefaultShell = true;
address = "138.201.80.102"; uid = 998;
prefixLength = 26; group = "hakkonaut";
} isSystemUser = true;
]; openssh.authorizedKeys.keys = [
networking.interfaces."enp35s0".ipv6.addresses = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
{ ];
address = "2a01:4f8:172:1c25::1";
prefixLength = 64;
}
];
networking.defaultGateway = "138.201.80.65";
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
services.resolved = {
enable = true;
extraConfig = ''
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net 193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu
FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
Domains=~.
DNSOverTLS=yes
'';
}; };
users.groups.hakkonaut = {};
users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32"; users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
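Review bot: The new `hakkonaut` account is described as a CI and automation user but its SSH key is unrestricted and the account gets a login shell via `useDefaultShell = true`; if it only needs to drop files into the web root, consider prefixing the key with authorized_keys options such as `restrict,command="..."` (command value to be filled in) or at least document which jobs log in with it. `home = "/var/nix/iso-cache"` is set but nothing in this hunk creates that directory (`createHome` is not set, and the tmpfiles rule in caddy.nix creates a different path), so confirm it exists or add `createHome = true;`. `users.groups.hakkonaut = {}` leaves the gid dynamic while the uid is pinned to 998; pinning both keeps ownership of `/data/srv/www/os/download/` stable across rebuilds. The enclosing attribute set starts and ends outside the hunk.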


@ -5,5 +5,9 @@
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./configuration.nix ./configuration.nix
./networking.nix
./nix.nix
./apps/caddy.nix
]; ];
} }


@ -0,0 +1,34 @@
{ config, pkgs, ... }:
{
networking.hostName = "nachtigall";
networking.domain = "pub.solar";
networking.hostId = "00000001";
# Network (Hetzner uses static IP assignments, and we don't use DHCP here)
networking.useDHCP = false;
networking.interfaces."enp35s0".ipv4.addresses = [
{
address = "138.201.80.102";
prefixLength = 26;
}
];
networking.interfaces."enp35s0".ipv6.addresses = [
{
address = "2a01:4f8:172:1c25::1";
prefixLength = 64;
}
];
networking.defaultGateway = "138.201.80.65";
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
services.resolved = {
enable = true;
extraConfig = ''
DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
Domains=~.
DNSOverTLS=yes
'';
};
}
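Review bot: The `DNS=` line reorders the resolvers relative to the block removed from configuration.nix (dns0.eu now precedes quad9), a behaviour change that the commit title "feat: caddy" does not mention; either restore the previous order or add a comment such as `# dns0.eu first, quad9 as secondary` so the preference is recorded as deliberate. The module takes `{ config, pkgs, ... }:` but uses neither argument; `{ ... }:` would be the honest signature. `DNSOverTLS=yes` together with `Domains=~.` routes all lookups through the listed TLS resolvers, which is presumably the intent; a one-line comment stating that would help.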

43
hosts/nachtigall/nix.nix Normal file

@ -0,0 +1,43 @@
{
config,
pkgs,
lib,
flake,
...
}: {
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
];
nix = {
# Use default version alias for nix package
package = pkgs.nix;
gc.automatic = true;
optimise.automatic = true;
settings = {
# Improve nix store disk usage
auto-optimise-store = true;
# Prevents impurities in builds
sandbox = true;
# Give root and @wheel special privileges with nix
trusted-users = ["root" "@wheel"];
# Allow only group wheel to connect to the nix daemon
allowed-users = ["@wheel"];
};
# Generally useful nix option defaults
extraOptions = lib.mkForce ''
experimental-features = flakes nix-command
min-free = 536870912
keep-outputs = true
keep-derivations = true
fallback = true
'';
nixPath = [
"nixpkgs=${flake.inputs.nixpkgs}"
"nixos-config=${../../lib/compat/nixos}"
"home-manager=${flake.inputs.home-manager}"
];
};
}
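Review bot: `trusted-users = ["root" "@wheel"]` lets every wheel member override daemon settings such as substituters, which is effectively root-equivalent; that is usually acceptable when wheel already has sudo, but the comment should say so, e.g. `# trusted-users is root-equivalent; keep in sync with who has sudo`. `allowed-users = ["@wheel"]` excludes the new `hakkonaut` CI user added in configuration.nix from the daemon entirely — confirm that is intended. `min-free = 536870912` deserves `# 512 MiB` next to it, and `allowUnfreePredicate` with an empty list is always false, so a comment noting it is a placeholder for future unfree packages would clarify. `nixPath` points at `../../lib/compat/nixos`, which cannot be verified from this diff.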