author | Nguyễn Gia Phong <mcsinyx@disroot.org> | 2022-05-04 14:52:32 +0000 |
---|---|---|
committer | Nguyễn Gia Phong <mcsinyx@disroot.org> | 2022-05-04 14:52:32 +0000 |
commit | 1399d4a1be1d0c72ef9bc79b32ffc570810273c2 (patch) | |
tree | 5ed6a1a09a822cfc30b30129f971c85f765785a3 | |
download | nixos-conf-1399d4a1be1d0c72ef9bc79b32ffc570810273c2.tar.gz |
Snapshot configuration
-rw-r--r-- | configuration.nix | 102 | ||||
-rw-r--r-- | vpsadminos.nix | 54 |
2 files changed, 156 insertions, 0 deletions
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..09039d3
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,102 @@
+{ config, pkgs, ... }:
+{
+ environment = {
+ enableAllTerminfo = true;
+ systemPackages = with pkgs; [ git vim ];
+ };
+
+ imports = [ ./vpsadminos.nix ];
+
+ networking = {
+ domain = "loang.net";
+
+ firewall = {
+ allowedTCPPorts = [
+ 80 # HTTP
+ 443 # TLS
+ 2211 # SSH
+ 4001 # IPFS
+ ];
+ allowedUDPPorts = [
+ 4001 # IPFS
+ ];
+ };
+
+ hostName = "brno";
+ };
+
+ security = {
+ acme = {
+ acceptTerms = true;
+ defaults.email = "mcsinyx@disroot.org";
+ };
+
+ sudo = {
+ enable = true;
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+ };
+
+ services = {
+ nginx = {
+ enable = true;
+ virtualHosts."loang.net" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/var/www/loang.net";
+ };
+ };
+
+ ipfs = {
+ enable = true;
+ enableGC = true;
+ };
+
+ openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ ports = [ 2211 ];
+ };
+ };
+
+ system.stateVersion = "22.05";
+
+ systemd.extraConfig = ''
+ DefaultTimeoutStartSec=900s
+ '';
+
+ time.timeZone = "UTC";
+
+ users = {
+ groups.git = {};
+
+ users = {
+ ckie = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keyFiles = [ "/etc/ssh/ckie.pub" ];
+ };
+
+ cnx = {
+ extraGroups = [ "wheel" ];
+ isNormalUser = true;
+ openssh.authorizedKeys.keyFiles = [ "/etc/ssh/cnx.pub" ];
+ packages = with pkgs; [ stow ];
+ };
+
+ git = {
+ createHome = true;
+ home = "/var/lib/git";
+ group = "git";
+ isSystemUser = true;
+ openssh.authorizedKeys.keyFiles = [ "/etc/ssh/cnx.pub" ];
+ shell = "${pkgs.git}/bin/git-shell";
+ };
+
+ xarvos = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keyFiles = [ "/etc/ssh/xarvos.pub" ];
+ };
+ };
+ };
+}
diff --git a/vpsadminos.nix b/vpsadminos.nix
new file mode 100644
index 0000000..e804746
--- /dev/null
+++ b/vpsadminos.nix
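Review bot: In the `services.openssh` block, `passwordAuthentication = false` on its own does not close the PAM password path, because NixOS leaves keyboard-interactive authentication enabled by default (22.05 exposes it as `services.openssh.kbdInteractiveAuthentication`, formerly `challengeResponseAuthentication`); add `kbdInteractiveAuthentication = false;` beside it so only the `authorizedKeys.keyFiles` listed under `users.users` can log in on port 2211. The exposure today is limited since no password or `hashedPassword` is set for any user in this hunk, but that is an accident of the user definitions rather than of the sshd configuration. Related: `security.sudo.wheelNeedsPassword = false` is what makes the `cnx` wheel account usable without a password; a comment such as `# wheel users are key-only (no password set), so sudo cannot prompt` would record that this is deliberate and that adding a password later should revisit it. Note also that the `git` user reuses `/etc/ssh/cnx.pub`, so the `cnx` key grants both the git-shell and the sudo-capable account; if that is intended, say so next to the key file.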
@@ -0,0 +1,54 @@
+# This file provides compatibility for NixOS to run in a container on vpsAdminOS
+# hosts.
+#
+# If you're experiencing issues, try updating this file to the latest version
+# from vpsAdminOS repository:
+#
+# https://github.com/vpsfreecz/vpsadminos/blob/staging/os/lib/nixos-container/vpsadminos.nix
+
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ nameservers = [
+ "9.9.9.9"
+ "2620:fe::fe"
+ ];
+in {
+ networking.nameservers = mkDefault nameservers;
+ services.resolved = mkDefault { fallbackDns = nameservers; };
+ networking.dhcpcd.extraConfig = "noipv4ll";
+
+ systemd.services.systemd-sysctl.enable = false;
+ systemd.sockets."systemd-journald-audit".enable = false;
+ systemd.mounts = [ {where = "/sys/kernel/debug"; enable = false;} ];
+ systemd.services.systemd-udev-trigger.enable = false;
+ systemd.services.rpc-gssd.enable = false;
+
+ boot.isContainer = true;
+ boot.enableContainers = mkDefault true;
+ boot.loader.initScript.enable = true;
+ boot.specialFileSystems."/run/keys".fsType = mkForce "tmpfs";
+ boot.systemdExecutable = mkDefault "/run/current-system/systemd/lib/systemd/systemd systemd.unified_cgroup_hierarchy=0";
+
+ # Overrides for <nixpkgs/nixos/modules/virtualisation/container-config.nix>
+ documentation.enable = mkOverride 500 true;
+ documentation.nixos.enable = mkOverride 500 true;
+ networking.useHostResolvConf = mkOverride 500 false;
+ services.openssh.startWhenNeeded = mkOverride 500 false;
+
+ # Bring up the network, /ifcfg.{add,del} are supplied by the vpsAdminOS host
+ systemd.services.networking-setup = {
+ description = "Load network configuration provided by the vpsAdminOS host";
+ before = [ "network.target" ];
+ wantedBy = [ "network.target" ];
+ after = [ "network-pre.target" ];
+ path = [ pkgs.iproute ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = "${pkgs.bash}/bin/bash /ifcfg.add";
+ ExecStop = "${pkgs.bash}/bin/bash /ifcfg.del";
+ };
+ unitConfig.ConditionPathExists = "/ifcfg.add";
+ };
+}
|