Compare commits
28 Commits
f59662b6c8
...
7fc6f60b11
Author | SHA1 | Date |
---|---|---|
Benjamin Bädorf | 7fc6f60b11 | |
Benjamin Bädorf | d9c92dc9d5 | |
Hendrik Sokolowski | 1fde142895 | |
Hendrik Sokolowski | 710b81c94c | |
b12f | f0eb3fd4f4 | |
teutat3s | 3690b3cf9d | |
b12f | 14c647e8f7 | |
teutat3s | a5b32302c1 | |
teutat3s | 3c9f9c9fc7 | |
Akshay Mankar | 49890bc53d | |
Akshay Mankar | fcc2115c0b | |
Akshay Mankar | c42fadab6d | |
Akshay Mankar | bdc5033bf4 | |
b12f | 44f301c772 | |
Benjamin Bädorf | 8aee160fd1 | |
Benjamin Bädorf | b921201645 | |
Akshay Mankar | 41d6c334bc | |
teutat3s | b6f75c2c27 | |
teutat3s | e7febf5403 | |
Akshay Mankar | c23bc00f19 | |
Akshay Mankar | 5a7d81d787 | |
Akshay Mankar | c9beea7f82 | |
teutat3s | 3ceec80aab | |
Akshay Mankar | b788a9f383 | |
b12f | 02e570c85a | |
Akshay Mankar | e0c6530d97 | |
b12f | 41b85714a6 | |
Akshay Mankar | d8e0bbb43b |
|
@ -1,2 +1,3 @@
|
|||
*.tf.json
|
||||
/tags.*
|
||||
.direnv
|
136
flake.lock
136
flake.lock
|
@ -1,5 +1,31 @@
|
|||
{
|
||||
"nodes": {
|
||||
"agenix": {
|
||||
"inputs": {
|
||||
"darwin": [
|
||||
"nix-darwin"
|
||||
],
|
||||
"home-manager": [
|
||||
"home-manager"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1696775529,
|
||||
"narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"bats-assert": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
|
@ -35,7 +61,9 @@
|
|||
"deploy-rs": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"utils": "utils"
|
||||
},
|
||||
"locked": {
|
||||
|
@ -73,11 +101,11 @@
|
|||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1688466019,
|
||||
"narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=",
|
||||
"lastModified": 1696343447,
|
||||
"narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec",
|
||||
"rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -108,15 +136,16 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1690652600,
|
||||
"narHash": "sha256-Dy09g7mezToVwtFPyY25fAx1hzqNXv73/QmY5/qyR44=",
|
||||
"lastModified": 1695108154,
|
||||
"narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "f58889c07efa8e1328fdf93dc1796ec2a5c47f38",
|
||||
"rev": "07682fff75d41f18327a871088d20af2710d4744",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"ref": "release-23.05",
|
||||
"repo": "home-manager",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -128,11 +157,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1690431538,
|
||||
"narHash": "sha256-Uml8ivMMOFPB9fNSDcw72imGHRdJpaK12sRm2DTLLe8=",
|
||||
"lastModified": 1698429334,
|
||||
"narHash": "sha256-Gq3+QabboczSu7RMpcy79RSLMSqnySO3wsnHQk4DfbE=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "16c07487ac9bc59f58b121d13160c67befa3342e",
|
||||
"rev": "afe83cbc2e673b1f08d32dd0f70df599678ff1e7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -144,11 +173,11 @@
|
|||
},
|
||||
"nixos-flake": {
|
||||
"locked": {
|
||||
"lastModified": 1690424850,
|
||||
"narHash": "sha256-pPELqUXbNdZ7nMLPL8A+BSyUsxjxMO3q2Wb7plW/Wf8=",
|
||||
"lastModified": 1692742948,
|
||||
"narHash": "sha256-19LQQFGshuQNrrXZYVt+mWY0O3NbhEXeMy3MZwzYZGo=",
|
||||
"owner": "srid",
|
||||
"repo": "nixos-flake",
|
||||
"rev": "df6fe273ff64dc29de2c93805045b5348d70bc26",
|
||||
"rev": "2c25190ceacdaaae7e8afbecfa87096bb499a431",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -159,16 +188,16 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1671417167,
|
||||
"narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
|
||||
"owner": "NixOS",
|
||||
"lastModified": 1698288402,
|
||||
"narHash": "sha256-jIIjApPdm+4yt8PglX8pUOexAdEiAax/DXW3S/Mb21E=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7",
|
||||
"rev": "60b9db998f71ea49e1a9c41824d09aa274be1344",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-23.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -176,11 +205,11 @@
|
|||
"nixpkgs-lib": {
|
||||
"locked": {
|
||||
"dir": "lib",
|
||||
"lastModified": 1688049487,
|
||||
"narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
|
||||
"lastModified": 1696019113,
|
||||
"narHash": "sha256-X3+DKYWJm93DRSdC5M6K5hLqzSya9BjibtBsuARoPco=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
|
||||
"rev": "f5892ddac112a1e9b3612c39af1b72987ee5783a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -191,46 +220,17 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1690548937,
|
||||
"narHash": "sha256-x3ZOPGLvtC0/+iFAg9Kvqm/8hTAIkGjc634SqtgaXTA=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2a9d660ff0f7ffde9d73be328ee6e6f10ef66b28",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1636823747,
|
||||
"narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "f6a2ed2082d9a51668c86ba27d0b5496f7a2ea93",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"deploy-rs": "deploy-rs",
|
||||
"flake-parts": "flake-parts",
|
||||
"home-manager": "home-manager",
|
||||
"nix-darwin": "nix-darwin",
|
||||
"nixos-flake": "nixos-flake",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"terranix": "terranix"
|
||||
"nixpkgs": "nixpkgs",
|
||||
"terranix": "terranix",
|
||||
"unstable": "unstable"
|
||||
}
|
||||
},
|
||||
"terranix": {
|
||||
|
@ -238,15 +238,17 @@
|
|||
"bats-assert": "bats-assert",
|
||||
"bats-support": "bats-support",
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"terranix-examples": "terranix-examples"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1684906298,
|
||||
"narHash": "sha256-pNuJxmVMGbBHw7pa+Bx0HY0orXIXoyyAXOKuQ1zpfus=",
|
||||
"lastModified": 1695406838,
|
||||
"narHash": "sha256-xiUfVD6rtsVWFotVtUW3Q1nQh4obKzgvpN1wqZuGXvM=",
|
||||
"owner": "terranix",
|
||||
"repo": "terranix",
|
||||
"rev": "c0dd15076856c6cb425795b8c7d5d37d3a1e922a",
|
||||
"rev": "fc9077ca02ab5681935dbf0ecd725c4d889b9275",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -270,6 +272,22 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1698318101,
|
||||
"narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"utils": {
|
||||
"locked": {
|
||||
"lastModified": 1667395993,
|
||||
|
|
54
flake.nix
54
flake.nix
|
@ -1,23 +1,33 @@
|
|||
{
|
||||
inputs = {
|
||||
# Principle inputs (updated by `nix run .#update`)
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
# Track channels with commits tested and built by hydra
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
|
||||
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
|
||||
nix-darwin.url = "github:lnl7/nix-darwin/master";
|
||||
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
|
||||
home-manager.url = "github:nix-community/home-manager";
|
||||
|
||||
home-manager.url = "github:nix-community/home-manager/release-23.05";
|
||||
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
flake-parts.url = "github:hercules-ci/flake-parts";
|
||||
nixos-flake.url = "github:srid/nixos-flake";
|
||||
|
||||
terranix.url = "github:terranix/terranix";
|
||||
terranix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
deploy-rs.url = "github:serokell/deploy-rs";
|
||||
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
agenix.url = "github:ryantm/agenix";
|
||||
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
agenix.inputs.darwin.follows = "nix-darwin";
|
||||
agenix.inputs.home-manager.follows = "home-manager";
|
||||
};
|
||||
|
||||
outputs = inputs@{ self, terranix, ... }:
|
||||
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
|
||||
systems = [ "x86_64-linux" "aarch64-darwin" "x86_64-darwin" ];
|
||||
systems = [ "x86_64-linux" "aarch64-linux" ];
|
||||
|
||||
imports = [
|
||||
inputs.nixos-flake.flakeModule
|
||||
|
@ -26,7 +36,35 @@
|
|||
./lib
|
||||
];
|
||||
|
||||
perSystem = { config, ... }: { };
|
||||
perSystem = { system, pkgs, config, ... }: {
|
||||
_module.args = {
|
||||
inherit inputs;
|
||||
pkgs = import inputs.nixpkgs {
|
||||
inherit system;
|
||||
overlays = [
|
||||
inputs.agenix.overlays.default
|
||||
];
|
||||
};
|
||||
unstable = import inputs.unstable { inherit system; };
|
||||
master = import inputs.master { inherit system; };
|
||||
};
|
||||
devShells.default = pkgs.mkShell {
|
||||
buildInputs = with pkgs; [
|
||||
deploy-rs
|
||||
nixpkgs-fmt
|
||||
agenix
|
||||
cachix
|
||||
editorconfig-checker
|
||||
nix
|
||||
nodePackages.prettier
|
||||
nvfetcher
|
||||
shellcheck
|
||||
shfmt
|
||||
treefmt
|
||||
nixos-generators
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
flake =
|
||||
let
|
||||
|
@ -34,13 +72,14 @@
|
|||
system = "x86_64-linux";
|
||||
in {
|
||||
nixosConfigurations = {
|
||||
nachtigall = self.nixos-flake.lib.mkLinuxSystem system {
|
||||
nachtigall = self.nixos-flake.lib.mkLinuxSystem {
|
||||
imports = [
|
||||
self.nixosModules.common
|
||||
./hosts/nachtigall
|
||||
self.pub-solar.lib.linux.unlockZFSOnBoot
|
||||
self.nixosModules.home-manager
|
||||
self.nixosModules.linux
|
||||
inputs.agenix.nixosModules.default
|
||||
{
|
||||
home-manager.users.${username} = {
|
||||
imports = [
|
||||
|
@ -53,12 +92,15 @@
|
|||
};
|
||||
};
|
||||
|
||||
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
|
||||
|
||||
nixosModules = {
|
||||
# Common nixos/nix-darwin configuration shared between Linux and macOS.
|
||||
common = { pkgs, ... }: {
|
||||
virtualisation.docker.enable = true;
|
||||
services.openssh.enable = true;
|
||||
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
||||
services.openssh.settings.PasswordAuthentication = false;
|
||||
};
|
||||
|
||||
# NixOS specific configuration
|
||||
|
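Review bot: `master = import inputs.master { inherit system; };` in the new perSystem block references an input that the `inputs` attrset in the first hunk never declares (it lists nixpkgs, unstable, nix-darwin, home-manager, flake-parts, nixos-flake, terranix, deploy-rs and agenix), and the flake.lock `root.inputs` in this same compare only gains `unstable`. Because it sits inside `_module.args` it is evaluated lazily, so the error only surfaces once a module takes a `master` argument, which makes it a latent failure rather than an immediate one. Either add `master.url = "github:nixos/nixpkgs/master";` to `inputs` or drop the line; if it is kept, a comment such as `# master: nixpkgs master for packages not yet in unstable` would explain why three nixpkgs instances are wired up.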
|
|
@ -0,0 +1,81 @@
|
|||
{ config, pkgs, ... }:
|
||||
{
|
||||
services.nextcloud = {
|
||||
hostName = "cloud.pub.solar";
|
||||
home = "/var/lib/nextcloud";
|
||||
|
||||
enable = true;
|
||||
https = true;
|
||||
secretFile = ""; # secret
|
||||
|
||||
configureRedis = true;
|
||||
|
||||
notify_push = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
config = {
|
||||
adminuser = "admin";
|
||||
dbuser = "nextcloud";
|
||||
dbtype = "pgsql";
|
||||
dbname = "nextcloud";
|
||||
dbtableprefix = "oc_";
|
||||
overwriteProtocol = "https";
|
||||
};
|
||||
|
||||
extraOptions = {
|
||||
overwrite.cli.url = "http://cloud.pub.solar";
|
||||
|
||||
installed = true;
|
||||
default_phone_region = "+49";
|
||||
mail_sendmailmode = "smtp";
|
||||
mail_from_address = "nextcloud";
|
||||
mail_smtpmode = "smtp";
|
||||
mail_smtpauthtype = "PLAIN";
|
||||
mail_domain = "pub.solar";
|
||||
mail_smtpname = "admins@pub.solar";
|
||||
mail_smtpsecure = "tls";
|
||||
mail_smtpauth = 1;
|
||||
mail_smtphost = "mx2.greenbaum.cloud";
|
||||
mail_smtpport = "587";
|
||||
|
||||
enable_previews = true;
|
||||
enabledPreviewProviders = [
|
||||
"OC\\Preview\\PNG"
|
||||
"OC\\Preview\\JPEG"
|
||||
"OC\\Preview\\GIF"
|
||||
"OC\\Preview\\BMP"
|
||||
"OC\\Preview\\XBitmap"
|
||||
"OC\\Preview\\Movie"
|
||||
"OC\\Preview\\PDF"
|
||||
"OC\\Preview\\MP3"
|
||||
"OC\\Preview\\TXT"
|
||||
"OC\\Preview\\MarkDown"
|
||||
];
|
||||
preview_max_x = "1024";
|
||||
preview_max_y = "768";
|
||||
preview_max_scale_factor = "1";
|
||||
|
||||
auth.bruteforce.protection.enabled = true;
|
||||
trashbin_retention_obligation = "auto,7";
|
||||
skeletondirectory = "";
|
||||
defaultapp = "file";
|
||||
activity_expire_days = "14";
|
||||
integrity.check.disabled = false;
|
||||
updater.release.channel = "stable";
|
||||
loglevel = 0;
|
||||
maintenance = false;
|
||||
app_install_overwrite = [
|
||||
"pdfdraw"
|
||||
"integration_whiteboard"
|
||||
];
|
||||
htaccess.RewriteBase = "/";
|
||||
theme = "";
|
||||
simpleSignUpLink.shown = false;
|
||||
};
|
||||
|
||||
caching.redis = true;
|
||||
autoUpdateApps.enable = true;
|
||||
database.createLocally = true;
|
||||
};
|
||||
}
|
|
@ -0,0 +1,23 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
self,
|
||||
...
|
||||
}: let
|
||||
acmeEmailAddress = "admins@pub.solar";
|
||||
webserverGroup = "hakkonaut";
|
||||
in {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
group = webserverGroup;
|
||||
enableReload = true;
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
email = acmeEmailAddress;
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [80 443];
|
||||
}
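Review bot: Nothing in this compare sets `enableACME`/`forceSSL` on the nginx virtual host the nextcloud module creates for `cloud.pub.solar`, so although 443 is opened here and ACME terms are accepted, no certificate is requested and the site is served over plain HTTP even though nextcloud.nix declares `https = true`. Unless a module outside this compare does it, add `services.nginx.virtualHosts."cloud.pub.solar" = { enableACME = true; forceSSL = true; };` beside the `services.nginx` block, and consider `recommendedTlsSettings = true;` in it. `group = webserverGroup` runs nginx workers in `hakkonaut`, the group of the CI/automation user declared in configuration.nix; that may be intended for serving that user's artifacts, but it lets nginx read everything group-readable by that account, so a one-line comment stating the reason next to `webserverGroup = "hakkonaut";` would help the next reader.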
|
|
@ -0,0 +1,66 @@
|
|||
{ config, pkgs, ... }:
|
||||
{
|
||||
# Use GRUB2 as the boot loader.
|
||||
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
|
||||
boot.loader.systemd-boot.enable = false;
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
efiSupport = false;
|
||||
mirroredBoots = [
|
||||
{
|
||||
devices = [
|
||||
"/dev/disk/by-id/nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NF0R517371"
|
||||
];
|
||||
path = "/boot1";
|
||||
}
|
||||
{
|
||||
devices = [
|
||||
"/dev/disk/by-id/nvme-KXG60ZNV1T02_TOSHIBA_Z9NF704ZF9ZL"
|
||||
];
|
||||
path = "/boot2";
|
||||
}
|
||||
];
|
||||
copyKernels = true;
|
||||
};
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
boot.kernelParams = [
|
||||
"boot.shell_on_fail=1"
|
||||
"ip=138.201.80.102::138.201.80.65:255.255.255.192:nachtigall::off"
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "igb" ];
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Etc/UTC";
|
||||
|
||||
environment = {
|
||||
# just a couple of packages to make our lives easier
|
||||
systemPackages = with pkgs; [ vim ];
|
||||
};
|
||||
|
||||
users.users.hakkonaut = {
|
||||
description = "CI and automation user";
|
||||
home = "/var/nix/iso-cache";
|
||||
useDefaultShell = true;
|
||||
uid = 998;
|
||||
group = "hakkonaut";
|
||||
isSystemUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
|
||||
];
|
||||
};
|
||||
|
||||
# https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets
|
||||
systemd.services.zfs-mount.enable = false;
|
||||
|
||||
users.groups.hakkonaut = {};
|
||||
|
||||
users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "23.05"; # Did you read the comment?
|
||||
}
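Review bot: `users.users.hakkonaut` is declared with `isSystemUser = true` yet also gets `useDefaultShell = true` and an SSH authorized key, which turns it into an interactively reachable account rather than a service account; if it only needs to drop ISO artifacts into `/var/nix/iso-cache`, a `restrict`/`command=` prefix on that key or a fixed `shell` narrows it, and the `description` could say what the key is used for. `users.groups.hakkonaut = {};` is separated from the user definition by the ZFS comment and `systemd.services.zfs-mount.enable = false;`; moving it directly under `users.users.hakkonaut` keeps the two together. The root `initialHashedPassword` is carried over from the old default.nix, so the hash stays in the repository; with agenix already in flake.nix, `users.users.root.passwordFile` pointing at a secret would keep it out.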
|
|
@ -1,95 +1,14 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./nextcloud.nix
|
||||
./configuration.nix
|
||||
|
||||
./networking.nix
|
||||
./nix.nix
|
||||
./apps/nginx.nix
|
||||
./apps/nextcloud.nix
|
||||
];
|
||||
|
||||
# Use GRUB2 as the boot loader.
|
||||
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
|
||||
boot.loader.systemd-boot.enable = false;
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
efiSupport = false;
|
||||
mirroredBoots = [
|
||||
{
|
||||
devices = [
|
||||
"/dev/disk/by-id/nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NF0R517371"
|
||||
];
|
||||
path = "/boot1";
|
||||
}
|
||||
{
|
||||
devices = [
|
||||
"/dev/disk/by-id/nvme-KXG60ZNV1T02_TOSHIBA_Z9NF704ZF9ZL"
|
||||
];
|
||||
path = "/boot2";
|
||||
}
|
||||
];
|
||||
copyKernels = true;
|
||||
};
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
boot.kernelParams = [
|
||||
"boot.shell_on_fail=1"
|
||||
"ip=138.201.80.102::138.201.80.65:255.255.255.192:nachtigall::off"
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "igb" ];
|
||||
|
||||
networking.hostName = "nachtigall";
|
||||
networking.domain = "pub.solar";
|
||||
networking.hostId = "00000001";
|
||||
|
||||
# enable flakes by default
|
||||
nix = {
|
||||
package = pkgs.nixFlakes;
|
||||
extraOptions = ''
|
||||
experimental-features = nix-command flakes
|
||||
'';
|
||||
};
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Etc/UTC";
|
||||
|
||||
environment = {
|
||||
# just a couple of packages to make our lives easier
|
||||
systemPackages = with pkgs; [ vim ];
|
||||
};
|
||||
|
||||
# Network (Hetzner uses static IP assignments, and we don't use DHCP here)
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces."enp35s0".ipv4.addresses = [
|
||||
{
|
||||
address = "138.201.80.102";
|
||||
prefixLength = 26;
|
||||
}
|
||||
];
|
||||
networking.interfaces."enp35s0".ipv6.addresses = [
|
||||
{
|
||||
address = "2a01:4f8:172:1c25::1";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
networking.defaultGateway = "138.201.80.65";
|
||||
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
|
||||
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net 193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu
|
||||
FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
|
||||
Domains=~.
|
||||
DNSOverTLS=yes
|
||||
'';
|
||||
};
|
||||
|
||||
users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "23.05"; # Did you read the comment?
|
||||
}
|
||||
|
|
|
@ -18,6 +18,11 @@
|
|||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib" =
|
||||
{ device = "root_pool/data";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/postgresql" =
|
||||
{ device = "root_pool/data/postgresql";
|
||||
fsType = "zfs";
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
{ config, pkgs, ... }:
|
||||
{
|
||||
|
||||
networking.hostName = "nachtigall";
|
||||
networking.domain = "pub.solar";
|
||||
networking.hostId = "00000001";
|
||||
|
||||
# Network (Hetzner uses static IP assignments, and we don't use DHCP here)
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces."enp35s0".ipv4.addresses = [
|
||||
{
|
||||
address = "138.201.80.102";
|
||||
prefixLength = 26;
|
||||
}
|
||||
];
|
||||
networking.interfaces."enp35s0".ipv6.addresses = [
|
||||
{
|
||||
address = "2a01:4f8:172:1c25::1";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
networking.defaultGateway = "138.201.80.65";
|
||||
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
|
||||
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
|
||||
FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
|
||||
Domains=~.
|
||||
DNSOverTLS=yes
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -1,37 +0,0 @@
|
|||
{ config, pkgs, ... }:
|
||||
{
|
||||
services.caddy.virtualHosts."cloud.pub.solar" = {
|
||||
# logFormat = lib.mkForce ''
|
||||
# output discard
|
||||
# '';
|
||||
extraConfig = ''
|
||||
reverse_proxy :8080
|
||||
'';
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."localhost".listen = [ { addr = "127.0.0.1"; port = 8080; } ];
|
||||
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
https = true;
|
||||
secretFile = ""; # secret
|
||||
|
||||
notify_push = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
config = {
|
||||
adminuser = "admin";
|
||||
dbuser = "nextcloud";
|
||||
dbtype = "pgsql";
|
||||
dbname = "nextcloud";
|
||||
dbtableprefix = "oc_";
|
||||
trustedProxies = [
|
||||
"cloud.pub.solar"
|
||||
];
|
||||
};
|
||||
|
||||
autoUpdateApps.enable = true;
|
||||
database.createLocally = true;
|
||||
};
|
||||
}
|
|
@ -0,0 +1,43 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
flake,
|
||||
...
|
||||
}: {
|
||||
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
|
||||
];
|
||||
|
||||
nix = {
|
||||
# Use default version alias for nix package
|
||||
package = pkgs.nix;
|
||||
gc.automatic = true;
|
||||
optimise.automatic = true;
|
||||
|
||||
settings = {
|
||||
# Improve nix store disk usage
|
||||
auto-optimise-store = true;
|
||||
# Prevents impurities in builds
|
||||
sandbox = true;
|
||||
# Give root and @wheel special privileges with nix
|
||||
trusted-users = ["root" "@wheel"];
|
||||
# Allow only group wheel to connect to the nix daemon
|
||||
allowed-users = ["@wheel"];
|
||||
};
|
||||
|
||||
# Generally useful nix option defaults
|
||||
extraOptions = lib.mkForce ''
|
||||
experimental-features = flakes nix-command
|
||||
min-free = 536870912
|
||||
keep-outputs = true
|
||||
keep-derivations = true
|
||||
fallback = true
|
||||
'';
|
||||
|
||||
nixPath = [
|
||||
"nixpkgs=${flake.inputs.nixpkgs}"
|
||||
"nixos-config=${../../lib/compat/nixos}"
|
||||
"home-manager=${flake.inputs.home-manager}"
|
||||
];
|
||||
};
|
||||
}
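Review bot: `extraOptions = lib.mkForce ''...''` discards any `nix.extraOptions` contributed by another module, and the comment above it calls these "defaults", which `mkForce` is the opposite of; since the block already uses `nix.settings`, move them there without the override, e.g. `settings.experimental-features = ["flakes" "nix-command"]; settings.keep-outputs = true; settings.keep-derivations = true;` plus `min-free` and `fallback`, and drop the `mkForce`. `trusted-users = ["root" "@wheel"]` gives every wheel member root-equivalent control of the daemon (arbitrary substituters and unsigned store paths); the comment says "special privileges", and wording it as `# trusted-users are root-equivalent towards the daemon` makes the trade-off explicit. The `flake` module argument consumed in `nixPath` is not supplied by anything visible in this compare; presumably nixos-flake's `mkLinuxSystem` injects it, which is worth confirming before relying on `${flake.inputs.nixpkgs}`.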
|
|
@ -6,6 +6,16 @@
|
|||
*/
|
||||
|
||||
{ lib, inputs }: let
|
||||
# https://github.com/serokell/deploy-rs#overall-usage
|
||||
system = "x86_64-linux";
|
||||
pkgs = import inputs.nixpkgs { inherit system; };
|
||||
deployPkgs = import inputs.nixpkgs {
|
||||
inherit system;
|
||||
overlays = [
|
||||
inputs.deploy-rs.overlay
|
||||
(self: super: { deploy-rs = { inherit (pkgs) deploy-rs; lib = super.deploy-rs.lib; }; })
|
||||
];
|
||||
};
|
||||
getFqdn = c: let
|
||||
net = c.config.networking;
|
||||
fqdn =
|
||||
|
@ -53,7 +63,7 @@ in {
|
|||
hostname = getFqdn c;
|
||||
profiles.system = {
|
||||
user = "root";
|
||||
path = inputs.deploy-rs.lib.${c.pkgs.stdenv.hostPlatform.system}.activate.nixos c;
|
||||
path = deployPkgs.deploy-rs.lib.activate.nixos c;
|
||||
};
|
||||
}
|
||||
)
|
||||
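Review bot: `path = deployPkgs.deploy-rs.lib.activate.nixos c;` now takes the activation lib from `deployPkgs`, which the first hunk pins to `system = "x86_64-linux"`, whereas the replaced line selected the lib for `c.pkgs.stdenv.hostPlatform.system`; flake.nix in this same compare adds `aarch64-linux` to `systems`, so an aarch64 host would receive an x86_64 activation wrapper. Either derive `deployPkgs` from `c.pkgs.stdenv.hostPlatform.system` inside the per-configuration function, or state next to `system = "x86_64-linux";` that every deploy target is assumed to be x86_64-linux. The overlay that takes the `deploy-rs` package from nixpkgs while keeping the flake's `lib` is non-obvious; a line such as `# package from nixpkgs (binary-cached), lib from the flake so activate.* matches` beside it would save the next reader a trip to the linked README. The enclosing function starts and ends outside both hunks.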
|
|