-rw-r--r--configuration.nix102
-rw-r--r--vpsadminos.nix54
2 files changed, 156 insertions, 0 deletions
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..09039d3
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,102 @@
+{ config, pkgs, ... }:
+{
+  environment = {
+    enableAllTerminfo = true;
+    systemPackages = with pkgs; [ git vim ];
+  };
+
+  imports = [ ./vpsadminos.nix ];
+
+  networking = {
+    domain = "loang.net";
+
+    firewall = {
+      allowedTCPPorts = [
+        80 # HTTP
+        443 # TLS
+        2211 # SSH
+        4001 # IPFS
+      ];
+      allowedUDPPorts = [
+        4001 # IPFS
+      ];
+    };
+
+    hostName = "brno";
+  };
+
+  security = {
+    acme = {
+      acceptTerms = true;
+      defaults.email = "mcsinyx@disroot.org";
+    };
+
+    sudo = {
+      enable = true;
+      execWheelOnly = true;
+      wheelNeedsPassword = false;
+    };
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+      virtualHosts."loang.net" = {
+        enableACME = true;
+        forceSSL = true;
+        root = "/var/www/loang.net";
+      };
+    };
+
+    ipfs = {
+      enable = true;
+      enableGC = true;
+    };
+
+    openssh = {
+      enable = true;
+      passwordAuthentication = false;
+      ports = [ 2211 ];
+    };
+  };
+
+  system.stateVersion = "22.05";
+
+  systemd.extraConfig = ''
+    DefaultTimeoutStartSec=900s
+  '';
+
+  time.timeZone = "UTC";
+
+  users = {
+    groups.git = {};
+
+    users = {
+      ckie = {
+        isNormalUser = true;
+        openssh.authorizedKeys.keyFiles = [ "/etc/ssh/ckie.pub" ];
+      };
+
+      cnx = {
+        extraGroups = [ "wheel" ];
+        isNormalUser = true;
+        openssh.authorizedKeys.keyFiles = [ "/etc/ssh/cnx.pub" ];
+        packages = with pkgs; [ stow ];
+      };
+
+      git = {
+        createHome = true;
+        home = "/var/lib/git";
+        group = "git";
+        isSystemUser = true;
+        openssh.authorizedKeys.keyFiles = [ "/etc/ssh/cnx.pub" ];
+        shell = "${pkgs.git}/bin/git-shell";
+      };
+
+      xarvos = {
+        isNormalUser = true;
+        openssh.authorizedKeys.keyFiles = [ "/etc/ssh/xarvos.pub" ];
+      };
+    };
+  };
+}
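Review bot: `wheelNeedsPassword = false;` under `security.sudo` means the `cnx` account (the only `wheel` member, and the only interactive user with sudo via `execWheelOnly`) gets root with no check beyond its SSH key, so the key behind `/etc/ssh/cnx.pub` is effectively the root credential for the host and should be treated that way. If that is the intended model for an unattended box, a comment on the line such as `# passwordless sudo: cnx has no password; root is gated on the SSH key only` would make the decision visible to the next reader; otherwise dropping the line restores the default password prompt. Note that `passwordAuthentication = false;` in `services.openssh` does not by itself turn off keyboard-interactive logins, which with PAM can still accept a password if one is ever set for a user; adding `kbdInteractiveAuthentication = false;` alongside it closes that path, assuming the 22.05 option name applies here.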
diff --git a/vpsadminos.nix b/vpsadminos.nix
new file mode 100644
index 0000000..e804746
--- /dev/null
+++ b/vpsadminos.nix
@@ -0,0 +1,54 @@
+# This file provides compatibility for NixOS to run in a container on vpsAdminOS
+# hosts.
+#
+# If you're experiencing issues, try updating this file to the latest version
+# from vpsAdminOS repository:
+#
+#   https://github.com/vpsfreecz/vpsadminos/blob/staging/os/lib/nixos-container/vpsadminos.nix
+
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  nameservers = [
+    "9.9.9.9"
+    "2620:fe::fe"
+  ];
+in {
+  networking.nameservers = mkDefault nameservers;
+  services.resolved = mkDefault { fallbackDns = nameservers; };
+  networking.dhcpcd.extraConfig = "noipv4ll";
+
+  systemd.services.systemd-sysctl.enable = false;
+  systemd.sockets."systemd-journald-audit".enable = false;
+  systemd.mounts = [ {where = "/sys/kernel/debug"; enable = false;} ];
+  systemd.services.systemd-udev-trigger.enable = false;
+  systemd.services.rpc-gssd.enable = false;
+
+  boot.isContainer = true;
+  boot.enableContainers = mkDefault true;
+  boot.loader.initScript.enable = true;
+  boot.specialFileSystems."/run/keys".fsType = mkForce "tmpfs";
+  boot.systemdExecutable = mkDefault "/run/current-system/systemd/lib/systemd/systemd systemd.unified_cgroup_hierarchy=0";
+
+  # Overrides for <nixpkgs/nixos/modules/virtualisation/container-config.nix>
+  documentation.enable = mkOverride 500 true;
+  documentation.nixos.enable = mkOverride 500 true;
+  networking.useHostResolvConf = mkOverride 500 false;
+  services.openssh.startWhenNeeded = mkOverride 500 false;
+
+  # Bring up the network, /ifcfg.{add,del} are supplied by the vpsAdminOS host
+  systemd.services.networking-setup = {
+    description = "Load network configuration provided by the vpsAdminOS host";
+    before = [ "network.target" ];
+    wantedBy = [ "network.target" ];
+    after = [ "network-pre.target" ];
+    path = [ pkgs.iproute ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.bash}/bin/bash /ifcfg.add";
+      ExecStop = "${pkgs.bash}/bin/bash /ifcfg.del";
+    };
+    unitConfig.ConditionPathExists = "/ifcfg.add";
+  };
+}