drop obsolete config from cube
This commit is contained in:
parent
645e223aab
commit
718db6f8c3
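--- a/PATH_PLACEHOLDER (deleted module; contents match ./acme.nix in the imports list)
+++ /dev/null
@@ -1,8 +0,0 @@
-{ pkgs, config, ... }:
-
-{
-security.acme = {
-acceptTerms = true;
-defaults.email = "hensoko@gssws.de";
-};
-}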
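--- a/PATH_PLACEHOLDER (deleted module; contents match ./backup.nix in the imports list)
+++ /dev/null
@@ -1,39 +0,0 @@
-{
-config,
-lib,
-self,
-...
-}: {
-age.secrets.restic_repository_password.file = "${self}/secrets/cube_restic_repository_password.age";
-age.secrets.restic_nextcloud_password.file = "${self}/secrets/cube_restic_nextcloud_password.age";
-
-programs.ssh.extraConfig = ''
-Host backup
-HostName 10.0.1.12
-Port 32222
-User backup
-IdentityFile /run/agenix/restic_ssh_private_key
-'';
-
-services.postgresqlBackup = {
-enable = true;
-backupAll = true;
-compression = "zstd";
-};
-
-services.restic.backups = {
-cox = {
-passwordFile = "/run/agenix/restic_repository_password";
-paths = [
-"/mnt/internal/nextcloud"
-"/var/backup/postgresql"
-];
-repositoryFile = "/run/agenix/restic_nextcloud_password";
-#repository = "rest:http://nextcloud:md1TYoRcOqdr7sBRH9ZH0iGos0yv2pLhrnZc3Xhk@10.0.1.12";
-#repository = "sftp:backup:/data/hdd/restic";
-timerConfig = {
-OnCalendar = "02:00";
-};
-};
-};
-}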
@ -1,21 +1,14 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./acme.nix
|
||||
./backup.nix
|
||||
./drone.nix
|
||||
./home-assistant.nix
|
||||
./nextcloud.nix
|
||||
./wireguard.nix
|
||||
|
||||
./invoiceplane.nix
|
||||
#./tang.nix
|
||||
#./whiteboard.nix
|
||||
];
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./wireguard.nix
|
||||
];
|
||||
|
||||
# Use the GRUB 2 boot loader.
|
||||
boot.loader.grub.enable = true;
|
||||
|
@ -26,26 +19,14 @@
|
|||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
networking = {
|
||||
useDHCP = false;
|
||||
|
||||
interfaces.eno1.ipv4.addresses = [{
|
||||
address = "80.244.242.2";
|
||||
prefixLength = 29;
|
||||
}];
|
||||
|
||||
defaultGateway = "80.244.242.1";
|
||||
nameservers = [ "95.129.51.51" "80.244.244.244" ];
|
||||
};
|
||||
|
||||
services.openssh.ports = [ 2222 ];
|
||||
networking.interfaces.eno1.useDHCP = true;
|
||||
|
||||
networking.nat.enable = true;
|
||||
networking.nat.internalIPs = [ "10.10.42.0/24" ];
|
||||
networking.nat.internalIPs = ["10.10.42.0/24"];
|
||||
networking.nat.externalInterface = "eno1";
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 2222 ];
|
||||
networking.firewall.allowedUDPPorts = [ 51899 ];
|
||||
networking.firewall.allowedTCPPorts = [80 443 22];
|
||||
networking.firewall.allowedUDPPorts = [51899];
|
||||
|
||||
networking.firewall.enable = lib.mkForce true;
|
||||
|
||||
|
|
|
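Review bot: `networking.firewall.allowedTCPPorts = [80 443 22];` and the three `networking.nat.*` lines on the new side keep 80/443 open and still NAT `10.10.42.0/24` out of `eno1`, yet every module on this page that served HTTP(S) (acme, nextcloud, home-assistant, invoiceplane) or lived on a 10.10.42.x address (the invoiceplane and tang containers) is deleted by this same commit. Unless a module not shown here still terminates TLS or depends on the NAT, the line should shrink to `networking.firewall.allowedTCPPorts = [22];` and the `networking.nat.enable`, `networking.nat.internalIPs` and `networking.nat.externalInterface` lines should go, so the host does not keep exposure for services that no longer exist. Moving from 2222 to 22 is consistent with dropping `services.openssh.ports`, so that part is fine. The file continues past the end of this hunk.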
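--- a/PATH_PLACEHOLDER (deleted module; contents match ./drone.nix in the imports list)
+++ /dev/null
@@ -1,21 +0,0 @@
-{ self, config, pkgs, ... }:
-
-{
-age.secrets.drone_exec_runner_config = {
-file = "${self}/secrets/cube_drone_exec_runner_config.age";
-owner = "999";
-};
-
-pub-solar.docker-ci-runner = {
-enable = true;
-enableKvm = true;
-nixCacheLocation = "/mnt/internal/ci-cache-nix-store/nix";
-
-runnerEnvironment = {
-DRONE_RUNNER_CAPACITY = "1";
-DRONE_RUNNER_LABELS = "hosttype:baremetal";
-};
-
-runnerVarsFile = "/run/agenix/drone_exec_runner_config";
-};
-}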
@ -1,40 +1,55 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.extraModprobeConfig = "options kvm_intel nested=1";
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
version = 2;
|
||||
device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
|
||||
};
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages_6_1;
|
||||
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "megaraid_sas" "usb_storage" "usbhid" "sd_mod"];
|
||||
boot.initrd.kernelModules = ["dm-snapshot"];
|
||||
boot.kernelModules = ["kvm-intel"];
|
||||
boot.extraModulePackages = [];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/715ef65c-6cb3-4455-99ed-fe7408935d00";
|
||||
fsType = "ext4";
|
||||
};
|
||||
boot.initrd.luks.devices."cryptroot" = {
|
||||
device = "/dev/disk/by-uuid/24ddd650-e9fc-4407-ba4c-cc237de4c484";
|
||||
bypassWorkqueues = true;
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/e76a2e82-bf17-4287-967c-bd0f16d16875";
|
||||
fsType = "ext2";
|
||||
};
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/c47cdc43-d77c-4a01-87b3-a289fa97ef14";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/mnt/internal" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
|
||||
fsType = "ext4";
|
||||
};
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/3ee236cc-c4a6-423b-ba77-7a15ba642123";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[{ device = "/dev/disk/by-uuid/4b0b445b-ae72-439a-8aeb-cbd6a3ed73b9"; }];
|
||||
swapDevices = [
|
||||
{device = "/dev/disk/by-uuid/0ddcb856-f39e-45d6-bde3-4fbf9c81fe6c";}
|
||||
];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.eno2.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
||||
|
|
|
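Review bot: The new side of this hunk appears to no longer set `boot.loader.grub.device`: the `boot.loader.grub = { enable = true; version = 2; device = "/dev/disk/by-id/usb-HP_iLO_..."; }` block and `boot.extraModprobeConfig = "options kvm_intel nested=1";` occur only in the old-style region (spaced brackets such as `[ "ehci_pci" ... ]`), while the reformatted region (`["ehci_pci" ... "megaraid_sas" ...]`, `["dm-snapshot"]`) carries `boot.kernelPackages`, the new UUIDs and the `cryptroot` LUKS entry but no GRUB device. With `boot.loader.grub.enable = true;` still present in configuration.nix, NixOS should fail its "you must set boot.loader.grub.devices" assertion unless a module not on this page sets it; the side assignment here is inferred from formatting, so please confirm. Since this file is headed "Do not modify this file!" and was evidently regenerated (every UUID changed), the hand-maintained settings — `boot.kernelPackages = pkgs.linuxPackages_6_1;`, `bypassWorkqueues = true;` and the GRUB device — belong in configuration.nix, where the next `nixos-generate-config` run cannot silently drop them again.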
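--- a/PATH_PLACEHOLDER (deleted module; contents match ./home-assistant.nix in the imports list)
+++ /dev/null
@@ -1,19 +0,0 @@
-{ self, pkgs, config, ... }:
-
-{
-# HTTP
-services.nginx = {
-virtualHosts."ha.gssws.de" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://10.0.1.254:8123";
-proxyWebsockets = true;
-extraConfig =
-"proxy_ssl_server_name on;" +
-"proxy_pass_header Authorization;"
-;
-};
-};
-};
-}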
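--- a/PATH_PLACEHOLDER (deleted module; contents match ./invoiceplane.nix in the imports list)
+++ /dev/null
@@ -1,53 +0,0 @@
-{ self, config, pkgs, ... }:
-
-let
-hostAddress = "10.10.42.1";
-serviceAddress = "10.10.42.11";
-
-domain = "inv.gssws.de";
-hostStateDir = "/mnt/internal/invoiceplane";
-containerStateDir = "/var/lib/invoiceplane";
-in
-{
-# nginx
-services.nginx.virtualHosts."${domain}" = {
-forceSSL = true;
-enableACME = true;
-locations = {
-"/" = {
-proxyPass = "http://${serviceAddress}:80";
-};
-};
-};
-
-# invoiceplane
-containers."invoiceplane" = {
-privateNetwork = true;
-hostAddress = "10.10.42.1";
-localAddress = serviceAddress;
-
-bindMounts."${containerStateDir}" = {
-hostPath = hostStateDir;
-isReadOnly = false;
-};
-
-config = { config, pkgs, ... }: {
-networking.firewall.allowedTCPPorts = [ 80 ];
-
-services.phpfpm.pools."invoiceplane-${domain}".phpOptions = ''
-date.timezone = Europe/Berlin
-'';
-services.caddy.virtualHosts."http://${domain}".listenAddresses = [ "0.0.0.0" ];
-
-services.invoiceplane.sites."${domain}" = {
-enable = true;
-stateDir = containerStateDir;
-
-database = {
-user = "invoiceplane";
-name = "invoiceplane";
-};
-};
-};
-};
-}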
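--- a/PATH_PLACEHOLDER (deleted module; contents match ./nextcloud-apps.nix imported by the nextcloud module)
+++ /dev/null
@@ -1,84 +0,0 @@
-{ self, pkgs, config, lib, ... }:
-
-let
-notify_push = pkgs.fetchzip {
-sha256 = "7q1I4V2xUkRUK8qfEwxPNW/srkrGPPXiS1Y1Ew22zls=";
-url = "https://github.com/nextcloud-releases/notify_push/releases/download/v0.5.2/notify_push-v0.5.2.tar.gz";
-};
-in
-{
-systemd.services.nextcloud-notify-push = {
-enable = true;
-wantedBy = [ "multi-user.target" ];
-serviceConfig = {
-Environment = [
-"PORT=7867"
-"NEXTCLOUD_URL=https://data.gssws.de"
-];
-ExecStart = "${notify_push}/bin/x86_64/notify_push /mnt/internal/nextcloud/config/config.php";
-User = "nextcloud";
-};
-};
-
-services.nextcloud.extraApps = with pkgs.nextcloud25Packages.apps; {
-inherit bookmarks calendar contacts deck keeweb news tasks;
-inherit notify_push;
-
-"bruteforcesettings" = pkgs.fetchzip {
-sha256 = "8Sev4B7AOzLGPX6a4in0BEXJ5oL6m2EYGuBExSCnfok=";
-url = "https://github.com/nextcloud-releases/bruteforcesettings/releases/download/v2.4.0/bruteforcesettings-v2.4.0.tar.gz";
-};
-"cookbook" = pkgs.fetchzip {
-sha256 = "j7nAprAIY4NMPD6kXfmXVW+PgpRiyx5SRPSe6IEB/vY=";
-url = "https://github.com/nextcloud/cookbook/releases/download/v0.10.1/Cookbook-0.10.1.tar.gz";
-};
-"cospend" = pkgs.fetchzip {
-sha256 = "vGjK9Sy+q4ycS5MWeTTrwDGPTOp6t4leH+rF/Y54d0c=";
-url = "https://github.com/eneiluj/cospend-nc/releases/download/v1.5.5/cospend-1.5.5.tar.gz";
-};
-"files_accesscontrol" = pkgs.fetchzip {
-sha256 = "34goKXWLUym5p7alby3WEyFzr346psHUeJ/+OZtfGmc=";
-url = "https://github.com/nextcloud-releases/files_accesscontrol/releases/download/v1.15.1/files_accesscontrol-v1.15.1.tar.gz";
-};
-"files_automatedtagging" = pkgs.fetchzip {
-sha256 = "PmcqHojtfww3wNIFoLM+hVXAjoo4zqzK6sUMeveHYa0=";
-url = "https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.15.0/files_automatedtagging-v1.15.0.tar.gz";
-};
-"files_fulltextsearch" = pkgs.fetchzip {
-sha256 = "DEl/CbCvwiWvkNQOuKtHWzifq3AMrhL5wLHmSMuL4TU=";
-url = "https://github.com/nextcloud-releases/files_fulltextsearch/releases/download/25.0.0/files_fulltextsearch-25.0.0.tar.gz";
-};
-"files_mindmap" = pkgs.fetchzip {
-sha256 = "/u1H2QvyKfdGjelFAkLc3rRGQlm3T+OajAbpUF0+cdY=";
-url = "https://github.com/ACTom/files_mindmap/releases/download/v0.0.27/files_mindmap-0.0.27.tar.gz";
-};
-"fulltextsearch" = pkgs.fetchzip {
-sha256 = "1LVo5Cv6Gf4M/laVlHfm5wAQ8I8EsdLIThVm/jUj6uA=";
-url = "https://github.com/nextcloud-releases/fulltextsearch/releases/download/25.0.0/fulltextsearch-25.0.0.tar.gz";
-};
-"groupfolders" = pkgs.fetchzip {
-sha256 = "CGGt5QEzdJqOJywZQTQYeKIy/2JhHYGACHrfAmH9LD0=";
-url = "https://github.com/nextcloud-releases/groupfolders/releases/download/v13.1.0/groupfolders-v13.1.0.tar.gz";
-};
-"maps" = pkgs.fetchzip {
-sha256 = "8HNew2sIlMd+wt2a6jXa1tZpub56AnB5gfBs/cYlkcI=";
-url = "https://github.com/nextcloud/maps/releases/download/v0.2.4/maps-0.2.4.tar.gz";
-};
-#"notify_push" = pkgs.fetchzip {
-# sha256 = "7q1I4V2xUkRUK8qfEwxPNW/srkrGPPXiS1Y1Ew22zls=";
-# url = "https://github.com/nextcloud-releases/notify_push/releases/download/v0.5.2/notify_push-v0.5.2.tar.gz";
-#};
-"quota_warning" = pkgs.fetchzip {
-sha256 = "If4tW4yJbJ1xgfOyN0wxcgHLxXUrtKPdphRhbQOM6b4=";
-url = "https://github.com/nextcloud-releases/quota_warning/releases/download/v1.15.0/quota_warning-v1.15.0.tar.gz";
-};
-"richdocuments" = pkgs.fetchzip {
-sha256 = "I6Y3lyZADiUCpmnkRS7Muc54uOOvKpWdlQ189EKzesA=";
-url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v7.0.2/richdocuments-v7.0.2.tar.gz";
-};
-#"twofactor_totp" = pkgs.fetchzip {
-# sha256 = "p3Ft3sQ/2HPXCFE03dm8pBL39b7bWCi2iAxHkbOK2V4=";
-# url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.1/twofactor_totp-v6.4.1.tar.gz";
-#};
-};
-}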
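--- a/PATH_PLACEHOLDER (deleted module; contents match ./nextcloud.nix in the imports list)
+++ /dev/null
@@ -1,163 +0,0 @@
-{ self, pkgs, config, lib, ... }:
-
-let
-notifyPushPort = 7867;
-in
-{
-imports = [
-./nextcloud-apps.nix
-];
-
-age.secrets.nextcloud_db_pass = {
-owner = "nextcloud";
-group = "nextcloud";
-file = "${self}/secrets/cube_nextcloud_db_pass.age";
-};
-
-age.secrets.nextcloud_admin_pass = {
-owner = "nextcloud";
-group = "nextcloud";
-file = "${self}/secrets/cube_nextcloud_admin_pass.age";
-};
-
-# HTTP
-services.nginx = {
-enable = true;
-recommendedGzipSettings = true;
-recommendedOptimisation = true;
-recommendedProxySettings = true;
-recommendedTlsSettings = true;
-sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
-virtualHosts."data.gssws.de" = {
-enableACME = true;
-forceSSL = true;
-
-locations."^~ /push/" = {
-proxyPass = "http://127.0.0.1:${toString notifyPushPort}";
-proxyWebsockets = true;
-};
-};
-};
-
-# DATABASES
-services.postgresql = {
-enable = true;
-package = pkgs.postgresql_11;
-
-settings = {
-max_connections = "200";
-};
-
-ensureDatabases = [ "nextcloud" ];
-ensureUsers = [
-{
-name = "nextcloud";
-ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
-}
-];
-};
-
-# REDIS
-services.redis.servers = {
-"nextcloud".enable = true;
-};
-
-users.groups."redis-nextcloud".members = [ "nextcloud" ];
-
-# Collabora Code server
-virtualisation.oci-containers.containers."nextcloud-collabora-code" = {
-image = "collabora/code";
-autoStart = true;
-ports = [ "127.0.0.1:9980:9980" ];
-environment.domain = "data\\.gssws\\.de";
-extraOptions = [ "--cap-add" "MKNOD" ];
-};
-
-services.nginx.virtualHosts."office.gssws.de" =
-let
-proxyPass = "https://127.0.0.1:9980";
-extraConfig = "proxy_ssl_verify off;";
-in
-{
-enableACME = true;
-forceSSL = true;
-
-locations."^~ /browser" = {
-inherit proxyPass extraConfig;
-};
-locations."^~ /hosting/discovery" = {
-inherit proxyPass extraConfig;
-};
-locations."^~ /hosting/capabilities" = {
-inherit proxyPass extraConfig;
-};
-locations."~ ^/cool/(.*)/ws''$" = {
-inherit proxyPass extraConfig;
-proxyWebsockets = true;
-};
-locations."~ ^/(c|l)ool" = {
-inherit proxyPass extraConfig;
-};
-locations."^~ /cool/adminws" = {
-inherit proxyPass extraConfig;
-proxyWebsockets = true;
-};
-};
-
-# NEXTCLOUD
-systemd.services."nextcloud-setup" = {
-requires = [ "postgresql.service" ];
-after = [ "postgresql.service" ];
-};
-services.nextcloud = {
-enable = true;
-package = pkgs.nextcloud25;
-hostName = "data.gssws.de";
-https = true;
-datadir = "/mnt/internal/nextcloud";
-
-caching.apcu = true;
-caching.redis = true;
-
-phpPackage = lib.mkForce pkgs.php81;
-
-poolSettings = {
-"pm" = "dynamic";
-"pm.max_children" = "128";
-"pm.start_servers" = "64";
-"pm.min_spare_servers" = "32";
-"pm.max_spare_servers" = "76";
-"pm.max_requests" = "500";
-};
-
-phpOptions = {
-short_open_tag = "Off";
-expose_php = "Off";
-error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
-display_errors = "stderr";
-"opcache.enable_cli" = "1";
-"opcache.interned_strings_buffer" = "32";
-"opcache.max_accelerated_files" = "100000";
-"opcache.memory_consumption" = "256";
-"opcache.revalidate_freq" = "1";
-"opcache.fast_shutdown" = "1";
-"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
-catch_workers_output = "yes";
-};
-
-config = {
-overwriteProtocol = "https";
-
-dbtype = "pgsql";
-dbuser = "nextcloud";
-dbhost = "/run/postgresql";
-dbname = "nextcloud";
-dbpassFile = "/run/agenix/nextcloud_db_pass";
-adminpassFile = "/run/agenix/nextcloud_admin_pass";
-adminuser = "admin";
-
-trustedProxies = [ "80.244.242.2" ];
-defaultPhoneRegion = "DE";
-};
-};
-}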
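--- a/PATH_PLACEHOLDER (deleted tang container module; ./tang.nix or ./whiteboard.nix in the commented imports, not determinable)
+++ /dev/null
@@ -1,64 +0,0 @@
-{ pkgs, config, ... }:
-
-let
-containerStateDir = "/data";
-hostStateDir = "/opt/tangd";
-domain = "";
-serviceAddress = "10.10.42.12";
-in
-{
-services.nginx.virtualHosts."${domain}" = {
-forceSSL = true;
-enableACME = true;
-locations."/" = {
-proxyPass = "http://${serviceAddress}:${toString servicePort}";
-};
-};
-
-containers."tang" = {
-autoStart = true;
-ephemeral = true;
-bindMounts."${containerStateDir}" = {
-hostPath = hostStateDir;
-isReadOnly = false;
-};
-
-config = { config, pkgs, ... }: {
-networking.firewall.enable = false;
-
-users.groups."_tang" = {} ;
-
-users.users."_tang" = {
-group = "_tang";
-isSystemUser = true;
-};
-
-environment.systemPackages = [ "${pkgs.jose}" ];
-
-systemd.services."tangd@" = {
-enable = true;
-serviceConfig = {
-ExecStartPre = "${pkgs.bash}/bin/bash -c \"mkdir -p ${containerStateDir}/tang-db\"";
-ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db";
-StandardInput = "socket";
-StandardOutput = "socket";
-StandardError = "journal";
-User = "_tang";
-Group = "_tang";
-};
-};
-
-systemd.sockets."tangd" = {
-enable = true;
-listenStreams = [ "${toString servicePort}" ];
-wantedBy = [ "sockets.target" ];
-socketConfig = {
-Accept = true;
-};
-};
-
-system.stateVersion = "22.11";
-};
-
-};
-}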
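--- a/PATH_PLACEHOLDER (deleted tang OCI module; ./tang.nix or ./whiteboard.nix in the commented imports, not determinable)
+++ /dev/null
@@ -1,23 +0,0 @@
-{ self, config, pkgs, ... }:
-
-let
-domain = "t.gssws.de";
-servicePort = 63080;
-in
-{
-services.nginx.virtualHosts."${domain}" = {
-forceSSL = true;
-enableACME = true;
-locations."/" = {
-proxyPass = "http://127.0.0.1:${builtins.toString(servicePort)}";
-};
-};
-
-virtualisation.oci-containers.containers."tang" = {
-image = "cloggo/tangd";
-ports = [ "127.0.0.1:${builtins.toString(servicePort)}:8080" ];
-environment = {
-IP_WHITELIST = "172.17.0.1";
-};
-};
-}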
@ -1,21 +1,14 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 hPyiJw H9fC9B01yBIuK4kuLCR+T+PNPXr9GHyft8mZCnPDkTY
|
||||
814T5tV6Y2fK2dgr66nCive8TFykciQfNmWAPEq7AjA
|
||||
-> ssh-ed25519 YFSOsg JtumpQSIC4q9Os3pu5E8yKygzPveW7a28Ec0mnoTQw4
|
||||
Sidzfymq9mkA/vbwHFbfz7vprlTjOQGywQULyz4FJiE
|
||||
-> ssh-rsa 42S2Dw
|
||||
uhfQ06sREfsIph1DPBlwV0x5uVq8+qsaZMGwoJgx5y5JEPOkW4OVHqJeVRLswvLP
|
||||
JAqNypMaJ99ZQAlTWWVZPP3fLT7xqT71MpwyMWerQ9aHs0TdmDT4Uflv8MXj70j0
|
||||
0m8HySMzBuWOIZJT2nTipcfrpsZSJJ852ATtPMWSxkd86FHwwKRfAobrWxgq7y3S
|
||||
y4Mg+hHbLpyiHwJkgKFDj9zqbxxMxEuizE9e3xeAGCkOuUI15SdT6clzeEk79KjN
|
||||
LA0AAukjogRX11OduAP/F/xUlYK+R3qPV6RC4DjdWv8jkyul3/VvHVUXTKQXh6dH
|
||||
s2GVRWrewkvkVx1FGr9kFg
|
||||
-> ssh-ed25519 iHV63A jJ0elkHdU2Si46g6NvwlQT2HSv5X04ETvppVS0KXg04
|
||||
uf701nEPCV+h3R5tZKJVUPoSnZ0Q9G9YvbRbT1JaC58
|
||||
-> ssh-ed25519 uTVbSg gZsQ/qVZfcBh2TjfjYr5x2derahCkp10NbcYEOu/lA8
|
||||
TKx+3ZZuYOI9x2WeYxlkc1eg4NB/t096Yfn/L6y+v/8
|
||||
-> u36Zx2-grease EcPV lR? 5*n
|
||||
jweUnWSlMzAJ9zos5dI4rA5EVzJe3haX0JtORFEQnbG088O8iRZG/s/V8G8KZmO1
|
||||
5LJnnPjvNA
|
||||
--- lt548aI1VX+cDd5wQYt8PPpSDSlpKhWyiPjsMlAiyeU
|
||||
÷nQåžès…¶1Ž¦¼8ç<%Þ<>Hw½·ýÄå‰Ò´Êùc}FÇ<46>
Ÿ¥—<C2A5>È&;\F*ªl¿–EëüÖKC«ÿ(/éqx'\ƒ£ÑÙ‡º
|
||||
-> ssh-ed25519 hPyiJw PDAYOfRC3WR52UPJyxRM0j/40vIaYXWHP9Qc5C1XeyM
|
||||
YEFXLCYFtK7ejU+i/RrxhV8RjhuXpnB3T7J9H2WU6I0
|
||||
-> ssh-ed25519 YFSOsg wfTSTKasks8qxITzeG+w+Zb7Cduo7Poo28YopUm0hD8
|
||||
0HXEs1/Nb3irJPgEkI6yjDfQuqWSWr79m8VUZEJt/YQ
|
||||
-> ssh-ed25519 iHV63A lvTyKq0jrMPiqAJNvvtiSv4hFDPpUxvCLmFC5QgAGCU
|
||||
ZX7BuooTCRdZf6oFgOyAz5kXaKF5ZaaRr44sAz1KY8E
|
||||
-> ssh-ed25519 M1hJoQ PCVjpMFR7eX088akl5gCGc2GG6WB4nqaCSsBeGFyzWw
|
||||
YrhsfUVqL64p27AVDYu/sB26Jy82xpEZepa2oK8i9ZU
|
||||
-> y-grease :)oCj;
|
||||
ulVy3Ql0uRerTUPnktK8wLzzKx2cfoB8Ijlg26SguS1sH5UZnsOAoSkCG8d2h4MF
|
||||
M/x29vX9jUUXlff0ljOvrzlEgLWGZA
|
||||
--- GSVGY1hfaf8qxtY+WYnALG/8mK0xErR+4Zw2iYNNLoU
|
||||
<EFBFBD><EFBFBD>+XqXZテe゙ォ臑ィ{ト厲奧アカ&dW\#Aマ<41><EFBE8F>'ワfソキM髴xクq。ァ<10>掖qネ、 朝盧<1B>汰ヌ<>\`Cュマ
|
|
@ -9,7 +9,7 @@ let
|
|||
system_cox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMINORCNhrxSdo2z70GkKrV8vcge2elgNPYzdRve+hI5 root@nixos";
|
||||
system_companion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4u9Q36B8acRdBJi2RYU5pYpIMeCh+HKmtInR+IKQs root@nixos";
|
||||
|
||||
system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos";
|
||||
system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSUke0r8PV35PWJ3BsGwFPtc2kWk2xbupbbdnJDc50x root@nixos";
|
||||
system_chonk = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICt8I4z42DXGL3d6eju3WzSEnJMeaWPn3y+f/82oYBzy root@nixos";
|
||||
system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos";
|
||||
|
||||
|
|
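Review bot: Replacing `system_cube` with the new host key is only half of the re-key: the `.age` hunk above is re-encrypted for `hPyiJw`, `YFSOsg`, `iHV63A` and the new `M1hJoQ` stanza, so besides the old cube stanza (`uTVbSg`) the `ssh-rsa 42S2Dw` recipient is dropped as well — confirm that recipient is meant to lose access. The modules deleted in this commit referenced `cube_nextcloud_db_pass.age`, `cube_nextcloud_admin_pass.age`, `cube_restic_repository_password.age`, `cube_restic_nextcloud_password.age` and `cube_drone_exec_runner_config.age`; those files and their entries in the attribute set this `let` feeds (outside the hunk) should be removed or re-keyed too, otherwise they remain encrypted to the retired key. The removed backup module also carried a commented-out `#repository = "rest:http://…"` line with an embedded password; deleting the file does not remove it from history, so that credential should be treated as exposed and rotated if it is still valid anywhere.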