diff --git a/hosts/nachtigall/apps/caddy.nix b/hosts/nachtigall/apps/caddy.nix new file mode 100644 index 00000000..9c74f4b4 --- /dev/null +++ b/hosts/nachtigall/apps/caddy.nix @@ -0,0 +1,57 @@ +{ + config, + lib, + pkgs, + self, + ... +}: let + maintenanceMode = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + @notFound `{err.status_code} == 404` + + @websitePages { + path / + path /about + path /hakken + path /privacy + path /os + } + + error @websitePages "Scheduled Maintenance" 503 + + handle { + root * /srv/www/pub.solar + try_files {path}.html {path} + file_server + } + + handle_errors @notFound { + error * "Scheduled Maintenance" 503 + } + + handle_errors { + root * /srv/www/pub.solar + rewrite * /maintenance/index.html + file_server + } + ''; + }; +in { + systemd.tmpfiles.rules = [ + "d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -" + ]; + + services.caddy = { + enable = lib.mkForce true; + group = "hakkonaut"; + email = "admins@pub.solar"; + enableReload = true; + globalConfig = lib.mkForce '' + grace_period 60s + ''; + }; + networking.firewall.allowedTCPPorts = [80 443]; +} diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index 7471fef1..329aa2e1 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix @@ -1,5 +1,4 @@ { config, pkgs, ... }: - { # Use GRUB2 as the boot loader. # We don't use systemd-boot because Hetzner uses BIOS legacy boot. @@ -32,18 +31,6 @@ boot.initrd.availableKernelModules = [ "igb" ]; - networking.hostName = "nachtigall"; - networking.domain = "pub.solar"; - networking.hostId = "00000001"; - - # enable flakes by default - nix = { - package = pkgs.nixFlakes; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; - # Set your time zone. time.timeZone = "Etc/UTC"; 
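Review bot: `maintenanceMode` is bound in the `let` but never referenced, and `services.caddy` declares no `virtualHosts`, so as committed the unit starts with only the `grace_period` global block and serves nothing on the 80/443 ports this file opens via `networking.firewall.allowedTCPPorts`. If the vhost is defined in another module (the `lib.mkForce` on `enable` and `globalConfig` suggests one exists), add a comment saying where; otherwise attach it here, e.g. `virtualHosts."pub.solar" = maintenanceMode;`, which also gives the ACME `email` a host to issue for. Separately, the tmpfiles rule creates `/data/srv/www/os/download/` while the Caddy `root` is `/srv/www/pub.solar`; if `/data/srv/www` is mounted or symlinked to `/srv/www`, say so in a comment next to the rule, and note there that the 0750 mode is only readable by Caddy because `services.caddy.group = "hakkonaut"` runs the service under that group.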
@@ -52,33 +39,20 @@ systemPackages = with pkgs; [ vim ]; }; - # Network (Hetzner uses static IP assignments, and we don't use DHCP here) - networking.useDHCP = false; - networking.interfaces."enp35s0".ipv4.addresses = [ - { - address = "138.201.80.102"; - prefixLength = 26; - } - ]; - networking.interfaces."enp35s0".ipv6.addresses = [ - { - address = "2a01:4f8:172:1c25::1"; - prefixLength = 64; - } - ]; - networking.defaultGateway = "138.201.80.65"; - networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; }; - - services.resolved = { - enable = true; - extraConfig = '' - DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net 193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu - FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net - Domains=~. - DNSOverTLS=yes - ''; + users.users.hakkonaut = { + description = "CI and automation user"; + home = "/var/nix/iso-cache"; + useDefaultShell = true; + uid = 998; + group = "hakkonaut"; + isSystemUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6" + ]; }; + users.groups.hakkonaut = {}; + users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32"; # This value determines the NixOS release with which your system is to be diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 12e52294..67f10731 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -5,5 +5,9 @@ [ # Include the results of the hardware scan. ./hardware-configuration.nix ./configuration.nix + + ./networking.nix + ./nix.nix + ./apps/caddy.nix ]; } diff --git a/hosts/nachtigall/networking.nix b/hosts/nachtigall/networking.nix new file mode 100644 index 00000000..82470b04 --- /dev/null 
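Review bot: `users.users.root.initialHashedPassword` puts a root password hash into version control, which hands an offline-cracking target to anyone with read access to the repository, and because `initialHashedPassword` is only honoured when the account is first created, editing the hash here later will not rotate the password on an existing install. Move the hash out of git with `users.users.root.hashedPasswordFile = "<path provisioned by the secrets tool this flake uses>";` or, if it has to stay, put `# NOTE: applied only on first account creation; rotate with passwd on the host` above it. The `hakkonaut` authorized key carries no options; for a CI account whose job appears to be dropping files into the `hakkonaut`-owned directory caddy.nix creates, prefix the key with `restrict,from="<flora-6 address>"` (plus a `command=` if the transfer is scripted) so a leaked key cannot open an interactive shell. The enclosing attribute set starts before this hunk.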
+++ b/hosts/nachtigall/networking.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+{
+
+ networking.hostName = "nachtigall";
+ networking.domain = "pub.solar";
+ networking.hostId = "00000001";
+
+ # Network (Hetzner uses static IP assignments, and we don't use DHCP here)
+ networking.useDHCP = false;
+ networking.interfaces."enp35s0".ipv4.addresses = [
+ {
+ address = "138.201.80.102";
+ prefixLength = 26;
+ }
+ ];
+ networking.interfaces."enp35s0".ipv6.addresses = [
+ {
+ address = "2a01:4f8:172:1c25::1";
+ prefixLength = 64;
+ }
+ ];
+ networking.defaultGateway = "138.201.80.65";
+ networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
+
+ services.resolved = {
+ enable = true;
+ extraConfig = ''
+ DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+ FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
+ Domains=~.
+ DNSOverTLS=yes
+ '';
+ };
+}
diff --git a/hosts/nachtigall/nix.nix b/hosts/nachtigall/nix.nix
new file mode 100644
index 00000000..ec0040bf
--- /dev/null
+++ b/hosts/nachtigall/nix.nix
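Review bot: `networking.hostId = "00000001"` looks like a placeholder rather than the per-machine value NixOS expects (conventionally derived from `head -c 8 /etc/machine-id`); the hostId is what ZFS, if it is in use on this host, records as pool owner, so a value shared across hosts weakens that protection, and it must stay stable for the life of the install. It is carried over unchanged from the block removed in configuration.nix, so if that is deliberate a comment would stop the next reviewer raising it again: `# hostId is consumed by ZFS for pool ownership; keep it stable for this host`. Note also that the resolver order differs from the removed block (dns0.eu now precedes quad9); if intentional, a one-line comment on `DNS=` makes clear it is not a copy error.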
@@ -0,0 +1,43 @@
+{
+ config,
+ pkgs,
+ lib,
+ flake,
+ ...
+}: {
+ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+ ];
+
+ nix = {
+ # Use default version alias for nix package
+ package = pkgs.nix;
+ gc.automatic = true;
+ optimise.automatic = true;
+
+ settings = {
+ # Improve nix store disk usage
+ auto-optimise-store = true;
+ # Prevents impurities in builds
+ sandbox = true;
+ # Give root and @wheel special privileges with nix
+ trusted-users = ["root" "@wheel"];
+ # Allow only group wheel to connect to the nix daemon
+ allowed-users = ["@wheel"];
+ };
+
+ # Generally useful nix option defaults
+ extraOptions = lib.mkForce ''
+ experimental-features = flakes nix-command
+ min-free = 536870912
+ keep-outputs = true
+ keep-derivations = true
+ fallback = true
+ '';
+
+ nixPath = [
+ "nixpkgs=${flake.inputs.nixpkgs}"
+ "nixos-config=${../../lib/compat/nixos}"
+ "home-manager=${flake.inputs.home-manager}"
+ ];
+ };
+}
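Review bot: `allowed-users = ["@wheel"]` locks the `hakkonaut` account (created in configuration.nix with only group `hakkonaut`, not `wheel`) out of the Nix daemon, so if that "CI and automation user" is meant to run builds — its `home` is `/var/nix/iso-cache` — every `nix build` it issues will fail with "not allowed to connect to the Nix daemon". Either add it, `allowed-users = ["@wheel" "hakkonaut"];`, or state in the comment that the user only receives artifacts and never builds. `trusted-users = ["root" "@wheel"]` is root-equivalent on the daemon (trusted users may add arbitrary substituters and signing keys and turn the sandbox off), so the comment on that line should say so rather than "special privileges": `# trusted-users can add substituters/keys and disable the sandbox: treat as root-equivalent`. This file also takes the flake as `flake` while caddy.nix takes `self`; if both come from the same specialArgs binding, pick one name.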