os/hosts/flora-6/flora-6.nix

245 lines
6.7 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ config
, forkModulesPath
, latestModulesPath
, lib
, inputs
, pkgs
, profiles
, self
, ...
}:
let
psCfg = config.pub-solar;
in
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./triton-vmtools.nix
profiles.base-user
profiles.users.root # make sure to configure ssh keys
profiles.users.barkeeper
"${latestModulesPath}/services/web-apps/keycloak.nix"
"${forkModulesPath}/services/misc/gitea.nix"
];
disabledModules = [
"services/web-apps/keycloak.nix"
"services/misc/gitea.nix"
];
config = {
# # #
# # # pub.solar options
# # #
pub-solar.core = {
disk-encryption-active = false;
iso-options.enable = true;
lite = true;
};
age.secrets.keycloak-database-password = {
file = "${self}/secrets/keycloak-database-password.age";
mode = "700";
#owner = "keycloak";
};
age.secrets.gitea-database-password = {
file = "${self}/secrets/gitea-database-password.age";
mode = "700";
owner = "gitea";
};
age.secrets.gitea-mailer-password = {
file = "${self}/secrets/gitea-mailer-password.age";
mode = "700";
owner = "gitea";
};
# # #
# # # Host packages and configuration
# # #
# caddy
services.caddy = {
enable = lib.mkForce true;
email = "admins@pub.solar";
globalConfig = lib.mkForce "";
virtualHosts = {
"auth.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy :8080
'';
};
"git.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy :3000
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
# keycloak
services.keycloak = {
enable = true;
database.passwordFile = config.age.secrets.keycloak-database-password.path;
settings = {
hostname = "auth.pub.solar";
http-host = "127.0.0.1";
http-port = 8080;
proxy = "edge";
};
themes = {
"pub.solar" = inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
};
};
# gitea
services.gitea = {
enable = true;
appName = "pub.solar git server";
database = {
type = "postgres";
passwordFile = config.age.secrets.gitea-database-password.path;
};
domain = "git.pub.solar";
httpAddress = "127.0.0.1";
httpPort = 3000;
lfs.enable = true;
mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
rootUrl = "https://git.pub.solar";
settings = {
mailer = {
ENABLED = true;
MAILER_TYPE = "smtp";
HOST = "mail.greenbaum.cloud:465";
FROM = ''"pub.solar git server" <gitea@pub.solar>'';
USER = "admins@pub.solar";
};
"repository.signing" = {
SIGNING_KEY = "default";
MERGES = "always";
};
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true;
};
# uncomment after initial deployment, first user is admin user
# required to setup SSO (oauth openid-connect, keycloak auth provider)
service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
session.COOKIE_SECURE = lib.mkForce true;
};
};
# Required for gitea server side gpg signatures
# configured / setup manually in
# /var/lib/gitea/data/home/.gitconfig and
# /var/lib/gitea/data/home/.gnupg/
programs.gnupg.agent = {
enable = true;
pinentryFlavor = "curses";
};
# Required to make gpg work without a graphical environment?
# otherwise generating a new gpg key fails with this error:
# gpg: agent_genkey failed: No pinentry
# see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
environment.variables = {
GPG_TTY = "$(tty)";
};
# netbird
# Allow sudo without a password for the barkeeper user
security.sudo.extraRules = [
{
users = [ "${psCfg.user.name}" ];
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
}
];
}
];
# # #
# # # Triton host specific options
# # # DO NOT ALTER below this line, changes might render system unbootable
# # #
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Force getting the hostname from cloud-init
networking.hostName = lib.mkDefault "";
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
git
vim
wget
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
services.cloud-init.enable = true;
services.cloud-init.ext4.enable = true;
services.cloud-init.network.enable = true;
# use the default NixOS cloud-init config, but add some SmartOS customization to it
environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
datasource_list: [ SmartOS ]
# Do not create the centos/ubuntu/debian user
users: [ ]
# mount second disk with label ephemeral0, gets formated by cloud-init
# this will fail to get added to /etc/fstab as it's read-only, but should
# mount at boot anyway
mounts:
- [ vdb, /data, auto, "defaults,nofail" ]
'';
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
passwordAuthentication = false;
permitRootLogin = "no";
};
# We manage the firewall with nix, too
# altough triton can also manage firewall rules via the triton fwrule subcommand
networking.firewall.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
};
}