Merge pull request 'feat: caddy' (#11) from feat/caddy into main
Reviewed-on: pub-solar/infra-new#11 Reviewed-by: teutat3s <teutates@mailbox.org>
44f301c772
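--- /dev/null
+++ b/hosts/nachtigall/apps/caddy.nix
@@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  pkgs,
+  self,
+  ...
+}: let
+  maintenanceMode = {
+    logFormat = lib.mkForce ''
+      output discard
+    '';
+    extraConfig = ''
+      @notFound `{err.status_code} == 404`
+
+      @websitePages {
+        path /
+        path /about
+        path /hakken
+        path /privacy
+        path /os
+      }
+
+      error @websitePages "Scheduled Maintenance" 503
+
+      handle {
+        root * /srv/www/pub.solar
+        try_files {path}.html {path}
+        file_server
+      }
+
+      handle_errors @notFound {
+        error * "Scheduled Maintenance" 503
+      }
+
+      handle_errors {
+        root * /srv/www/pub.solar
+        rewrite * /maintenance/index.html
+        file_server
+      }
+    '';
+  };
+in {
+  systemd.tmpfiles.rules = [
+    "d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -"
+  ];
+
+  services.caddy = {
+    enable = lib.mkForce true;
+    group = "hakkonaut";
+    email = "admins@pub.solar";
+    enableReload = true;
+    globalConfig = lib.mkForce ''
+      grace_period 60s
+    '';
+  };
+  networking.firewall.allowedTCPPorts = [80 443];
+}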
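Review bot: `maintenanceMode` is bound in the `let` block but never referenced in the attribute set returned after `in`, so the whole maintenance Caddyfile (the `@websitePages` matcher, the 503 responses and the `/maintenance/index.html` fallback) is dead configuration that Nix evaluates without complaint and Caddy never loads. Either attach it where it is meant to live, e.g. `services.caddy.virtualHosts."<site-host>" = maintenanceMode;` with the real host name, or drop it until it is wired in; as written a reader will assume the site is behind a maintenance page when it is not. The function header also binds `config`, `pkgs` and `self` without using them, and since `...` is present they can simply be removed. With `services.caddy.group = "hakkonaut"` and the tmpfiles rule creating `/data/srv/www/os/download/` as `0750 hakkonaut hakkonaut`, Caddy's access to that directory presumably rests on group membership alone; a one-line comment above the rule, such as `# 0750: group hakkonaut is what caddy runs as, keep them in sync`, would stop a later permission tweak from silently breaking it.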
@ -1,5 +1,4 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
# Use GRUB2 as the boot loader.
|
# Use GRUB2 as the boot loader.
|
||||||
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
|
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
|
||||||
|
@ -32,18 +31,6 @@
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "igb" ];
|
boot.initrd.availableKernelModules = [ "igb" ];
|
||||||
|
|
||||||
networking.hostName = "nachtigall";
|
|
||||||
networking.domain = "pub.solar";
|
|
||||||
networking.hostId = "00000001";
|
|
||||||
|
|
||||||
# enable flakes by default
|
|
||||||
nix = {
|
|
||||||
package = pkgs.nixFlakes;
|
|
||||||
extraOptions = ''
|
|
||||||
experimental-features = nix-command flakes
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
# Set your time zone.
|
# Set your time zone.
|
||||||
time.timeZone = "Etc/UTC";
|
time.timeZone = "Etc/UTC";
|
||||||
|
|
||||||
|
@ -52,33 +39,20 @@
|
||||||
systemPackages = with pkgs; [ vim ];
|
systemPackages = with pkgs; [ vim ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Network (Hetzner uses static IP assignments, and we don't use DHCP here)
|
users.users.hakkonaut = {
|
||||||
networking.useDHCP = false;
|
description = "CI and automation user";
|
||||||
networking.interfaces."enp35s0".ipv4.addresses = [
|
home = "/var/nix/iso-cache";
|
||||||
{
|
useDefaultShell = true;
|
||||||
address = "138.201.80.102";
|
uid = 998;
|
||||||
prefixLength = 26;
|
group = "hakkonaut";
|
||||||
}
|
isSystemUser = true;
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
|
||||||
];
|
];
|
||||||
networking.interfaces."enp35s0".ipv6.addresses = [
|
|
||||||
{
|
|
||||||
address = "2a01:4f8:172:1c25::1";
|
|
||||||
prefixLength = 64;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
networking.defaultGateway = "138.201.80.65";
|
|
||||||
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
|
|
||||||
|
|
||||||
services.resolved = {
|
|
||||||
enable = true;
|
|
||||||
extraConfig = ''
|
|
||||||
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net 193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu
|
|
||||||
FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
|
|
||||||
Domains=~.
|
|
||||||
DNSOverTLS=yes
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.groups.hakkonaut = {};
|
||||||
|
|
||||||
users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
|
users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
|
|
|
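Review bot: The new `users.users.hakkonaut` block in the third hunk gives a system account (`isSystemUser = true`, fixed `uid = 998`) an SSH-reachable interactive login via `useDefaultShell = true` plus `openssh.authorizedKeys.keys`, yet the only documentation is `description = "CI and automation user"`. A comment stating what this account is expected to do over SSH and why it needs a real shell rather than a restricted one would make the intent reviewable, e.g. `# CI deploy user: logs in over SSH from flora-6; needs a shell for <purpose>`. The choice of `home = "/var/nix/iso-cache"` as the home directory is also unexplained and looks like it was picked for one job; a comment on that line, or a dedicated home under `/var/lib`, would avoid confusion. Note that this section's file header is not shown on the page, so the file name is inferred from `default.nix` importing `./configuration.nix`.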
@ -5,5 +5,9 @@
|
||||||
[ # Include the results of the hardware scan.
|
[ # Include the results of the hardware scan.
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./configuration.nix
|
./configuration.nix
|
||||||
|
|
||||||
|
./networking.nix
|
||||||
|
./nix.nix
|
||||||
|
./apps/caddy.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
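--- /dev/null
+++ b/hosts/nachtigall/networking.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+{
+
+  networking.hostName = "nachtigall";
+  networking.domain = "pub.solar";
+  networking.hostId = "00000001";
+
+  # Network (Hetzner uses static IP assignments, and we don't use DHCP here)
+  networking.useDHCP = false;
+  networking.interfaces."enp35s0".ipv4.addresses = [
+    {
+      address = "138.201.80.102";
+      prefixLength = 26;
+    }
+  ];
+  networking.interfaces."enp35s0".ipv6.addresses = [
+    {
+      address = "2a01:4f8:172:1c25::1";
+      prefixLength = 64;
+    }
+  ];
+  networking.defaultGateway = "138.201.80.65";
+  networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
+
+  services.resolved = {
+    enable = true;
+    extraConfig = ''
+      DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+      FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
+      Domains=~.
+      DNSOverTLS=yes
+    '';
+  };
+}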
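--- /dev/null
+++ b/hosts/nachtigall/nix.nix
@@ -0,0 +1,43 @@
+{
+  config,
+  pkgs,
+  lib,
+  flake,
+  ...
+}: {
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+  ];
+
+  nix = {
+    # Use default version alias for nix package
+    package = pkgs.nix;
+    gc.automatic = true;
+    optimise.automatic = true;
+
+    settings = {
+      # Improve nix store disk usage
+      auto-optimise-store = true;
+      # Prevents impurities in builds
+      sandbox = true;
+      # Give root and @wheel special privileges with nix
+      trusted-users = ["root" "@wheel"];
+      # Allow only group wheel to connect to the nix daemon
+      allowed-users = ["@wheel"];
+    };
+
+    # Generally useful nix option defaults
+    extraOptions = lib.mkForce ''
+      experimental-features = flakes nix-command
+      min-free = 536870912
+      keep-outputs = true
+      keep-derivations = true
+      fallback = true
+    '';
+
+    nixPath = [
+      "nixpkgs=${flake.inputs.nixpkgs}"
+      "nixos-config=${../../lib/compat/nixos}"
+      "home-manager=${flake.inputs.home-manager}"
+    ];
+  };
+}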
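Review bot: The comment above `trusted-users = ["root" "@wheel"];` says "special privileges", which understates what the setting grants: the Nix manual documents that trusted users can override most daemon settings, including `sandbox` and `substituters`, and are therefore root-equivalent on the host, so the `sandbox = true` two lines above is only a default for everyone in `@wheel`. A sharper comment keeps the next reader from treating it as a convenience flag, e.g. `# trusted-users can disable the sandbox and add arbitrary substituters; this is root-equivalent, keep @wheel small`. The `allowUnfreePredicate` with an empty list is equivalent to the default and reads as a placeholder; a short comment naming it as the place to list permitted unfree packages would explain why it exists. `config` and `pkgs` are bound in the header but `pkgs` is the only one used; `config` can be dropped.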