starting light work on serer infra
This commit is contained in:
parent
16b6623f7f
commit
bde2cb101d
6 changed files with 212 additions and 1 deletions
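--- a/flake.nix
+++ b/flake.nix
@@ -98,6 +98,22 @@
 }) # end home-manager
 ]; # end modules
 }; # end tesla-nixos
+blogbox = nixpkgs.lib.nixosSystem {
+inherit system;
+inherit pkgs;
+specialArgs = sharedSpecialArgs // {};
+modules = sharedModules ++ [
+./hosts/common/server.nix
+./hosts/blogbox/configuration.nix
+home-manager.nixosModules.home-manager
+({ config, ...}: {
+home-manager.users.alisceon.imports = [
+./home/alisceon/base.nix
+./home/alisceon/server.nix
+];
+}) # end home-manager
+]; # end modules
+}; # end tesla-nixos
 }; # end nixos conf
 }; # end "in"
 } # end file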
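Review bot: The closing comment of the new system block reads `}; # end tesla-nixos` but it closes `blogbox`, a copy-paste leftover that will mislead the next person editing this file; change it to `}; # end blogbox`. `specialArgs = sharedSpecialArgs // {};` merges an empty set and can be just `specialArgs = sharedSpecialArgs;`. Note that `blogbox` imports `./home/alisceon/base.nix`, so anything desktop-only that lands in that module (autostart entries, GUI packages) is pulled onto the headless server as well; the intent of splitting `server.nix` out is presumably to keep those apart.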
@ -24,6 +24,16 @@
# nixpkgs config
# nixpkgs config
xdg.configFile."nixpkgs/config.nix".source = ../conf/config.nix;
xdg.configFile."nixpkgs/config.nix".source = ../conf/config.nix;
xdg.autostart = {
enable = true;
entries = [
"${pkgs.firefox}/share/applications/firefox.desktop"
"${pkgs.discord}/share/applications/discord.desktop"
"${pkgs.signal-desktop}/share/applications/signal.desktop"
"${pkgs.obsidian}/share/applications/obsidian.desktop"
];
}; # end xdg.autostart
home.packages = with pkgs; [
home.packages = with pkgs; [
signal-desktop
signal-desktop
discord
discord
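Review bot: The new `xdg.autostart` block launches Firefox, Discord, Signal and Obsidian at login for whichever home-manager module this hunk belongs to (the file header is not shown on this page); if it is `home/alisceon/base.nix`, which the same commit imports for the headless `blogbox` host, the server would inherit desktop autostart entries. Keep autostart in a desktop-only module, or gate it with an option the server module sets to false. The entry `"${pkgs.signal-desktop}/share/applications/signal.desktop"` names a file that differs from the package name — verify the `.desktop` file actually shipped by `signal-desktop` before relying on it, since a wrong path simply produces a dangling autostart entry.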
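--- a/hosts/alisceon-core/configuration.nix
+++ b/hosts/alisceon-core/configuration.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+imports =
+[ ./hardware-configuration.nix ];
+networking.hostName = "alisceon-core";
+boot.initrd.enable = true;
+boot.loader = {
+systemd-boot = {
+enable = true;
+}; # end loader.systemd-boot
+}; # end boot
+} # end file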
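--- a/hosts/blogbox/configuration.nix
+++ b/hosts/blogbox/configuration.nix
@@ -0,0 +1,165 @@
+{ config, pkgs, ... }:
+
+{
+imports =
+[ ./hardware-configuration.nix ];
+networking.hostName = "blogbox";
+boot.initrd.enable = true;
+boot.loader = {
+systemd-boot = {
+enable = true;
+}; # end loader.systemd-boot
+}; # end boot
+networking.firewall = {
+enable = true;
+allowedTCPPorts = [ 22 80 443 ];
+allowedUDPPorts = [ 443 ];
+};
+systemd = {
+services = {
+"pull-blog" = {
+script = ''
+
+'';
+serviceConfig = {
+type = "oneshot";
+user = "root"
+};
+};
+};
+timers = {
+"pull-blog" = {
+wantedBy = [ "timers.target" ];
+timerConfig = {
+OnCalendar = "*:0/5";
+Persistent = true;
+};
+};
+};
+};
+
+environment = {
+etc = {
+"blogbox/blogbox.env" = {
+text = "";
+mode = "644";
+};
+"blogbox/acme.json" = {
+text = "";
+mode = "600";
+};
+}; # end etc
+};
+
+virtualisation = {
+podman.dockerSocket.enable = true;
+oci-containers = {
+backend = "podman";
+containers = {
+traefik = {
+image = "docker.io/library/traefik:beaufort";
+autoStart = true;
+autoRemoveOnStop = true;
+privileged = true;
+networks = [ "Containet" ];
+ports = [ "80:80" "443:443" "443:443/udp" ];
+volumes = [
+"${pkgs.podman}/run/podman/podman.sock:/var/run/docker.sock:ro"
+"/etc/traefik/acme.json:/acme.json"
+];
+environmentFiles = [ "/etc/traefik/blogbox.env" ];
+labels = {
+"traefik.enable" = "true";
+"traefik.http.routers.http-catchall.rule" = "hostregexp(`{host:.+}`)";
+"traefik.http.routers.http-catchall.entrypoints" = "web";
+};
+cmd = ''
+--accesslog \
+--accesslog.format=json \
+--accesslog.fields.headers.names.User-Agent=keep \
+--log.level=INFO \
+--providers.docker=true \
+--providers.docker.network=Containet \
+--providers.docker.exposedbydefault=false \
+--entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
+--entryPoints.web.proxyProtocol.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
+--entryPoints.web.forwardedHeaders.insecure=false \
+--entryPoints.web.proxyProtocol.insecure=false \
+--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
+--entryPoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
+--entryPoints.websecure.forwardedHeaders.insecure=false \
+--entryPoints.websecure.proxyProtocol.insecure=false \
+--entrypoints.web.address=:80 \
+--entrypoints.websecure.address=:443 \
+--entryPoints.metrics.address=:8082 \
+--entrypoints.web.http.redirections.entryPoint.to=websecure \
+--entrypoints.web.http.redirections.entryPoint.scheme=https \
+--entrypoints.web.http.redirections.entrypoint.permanent=true \
+--entrypoints.websecure.http3 \
+--entrypoints.name.http3.advertisedport=443 \
+--entrypoints.websecure.http.tls.certResolver=leresolver \
+--entrypoints.websecure.http.tls.domains[0].main=$DOMAIN \
+--entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAIN \
+--certificatesresolvers.leresolver.acme.dnschallenge=true \
+--certificatesresolvers.leresolver.acme.dnschallenge.provider=namecheap \
+--certificatesresolvers.leresolver.acme.storage=./acme.json \
+--certificatesresolvers.leresolver.acme.dnschallenge.resolvers=dns1.registrar-servers.com:53,dns2.registrar-servers.com:53 \
+--metrics.prometheus=true \
+--metrics.prometheus.addrouterslabels=true \
+--metrics.prometheus.entryPoint=metrics
+''
+}; # end traefik
+hugo = {
+labels = {
+"traefik.enable" = true;
+"traefik.http.routers.hugo-router.rule" = "Host(`alisceon.com`)";
+"traefik.http.routers.hugo-router.entrypoints" = "websecure";
+"traefik.http.services.hugo-router.loadbalancer.server.port" = "8080";
+"traefik.http.routers.hugo-router.service" = "hugo-router";
+"traefik.http.middlewares.compression.compress" = "true";
+"traefik.http.middlewares.retry.retry.attempts" = "8";
+"traefik.http.middlewares.retry.retry.initialInterval" = "2";
+"traefik.http.routers.hugo-router.middlewares" = "/home/alisceon/Projects/cloud/stacks/alisceondotcom/compose.yml";
+"traefik.http.middlewares.hugo-headers.headers.customresponseheaders.server" = "";
+"traefik.http.middlewares.hugo-headers.headers.isdevelopment" = "false";
+"traefik.http.middlewares.hugo-headers.headers.stsincludesubdomains" = "true";
+"traefik.http.middlewares.hugo-headers.headers.stspreload" = "true";
+"traefik.http.middlewares.hugo-headers.headers.stsseconds" = "31536000";
+"traefik.http.middlewares.hugo-headers.headers.forcestsheader" = "true";
+"traefik.http.middlewares.hugo-headers.headers.contentSecurityPolicy" = "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self';";
+"traefik.http.middlewares.hugo-headers.headers.framedeny" = "true";
+"traefik.http.middlewares.hugo-headers.headers.contenttypenosniff" = "true";
+"traefik.http.middlewares.hugo-headers.headers.referrerpolicy" = "same-origin";
+};
+}; # end hugo
+cats = {
+labels = {
+"traefik.http.routers.cats-router.priority"="1";
+"traefik.http.middlewares.cats.errors.status"="400-599";
+"traefik.http.middlewares.cats.errors.service"="cats-router";
+"traefik.http.middlewares.cats.errors.query"="/{status}.html";
+"traefik.enable" = true;
+"traefik.http.routers.hugo-router.rule" = "Host(`alisceon.com`)";
+"traefik.http.routers.hugo-router.entrypoints" = "websecure";
+"traefik.http.services.hugo-router.loadbalancer.server.port" = "8080";
+"traefik.http.routers.hugo-router.service" = "hugo-router";
+"traefik.http.middlewares.compression.compress" = "true";
+"traefik.http.middlewares.retry.retry.attempts" = "8";
+"traefik.http.middlewares.retry.retry.initialInterval" = "2";
+"traefik.http.routers.hugo-router.middlewares" = "/home/alisceon/Projects/cloud/stacks/alisceondotcom/compose.yml";
+"traefik.http.middlewares.hugo-headers.headers.customresponseheaders.server" = "";
+"traefik.http.middlewares.hugo-headers.headers.isdevelopment" = "false";
+"traefik.http.middlewares.hugo-headers.headers.stsincludesubdomains" = "true";
+"traefik.http.middlewares.hugo-headers.headers.stspreload" = "true";
+"traefik.http.middlewares.hugo-headers.headers.stsseconds" = "31536000";
+"traefik.http.middlewares.hugo-headers.headers.forcestsheader" = "true";
+"traefik.http.middlewares.hugo-headers.headers.contentSecurityPolicy" = "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self';";
+"traefik.http.middlewares.hugo-headers.headers.framedeny" = "true";
+"traefik.http.middlewares.hugo-headers.headers.contenttypenosniff" = "true";
+"traefik.http.middlewares.hugo-headers.headers.referrerpolicy" = "same-origin";
+};
+}; # end cats
+}; # end containers
+}; # end oci-containers
+}; # end virtualisation
+} # end file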
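Review bot: The internet-facing `traefik` container runs with `privileged = true;` and additionally bind-mounts the podman socket, so any compromise of the proxy is a root compromise of the host; drop `privileged = true;` (publishing 80/443 from a rootful podman container does not need it) and treat the socket as the one remaining privilege to minimise — the `:ro` flag on a socket mount restricts nothing, every API call still goes through — while also fixing the source path, since `${pkgs.podman}/run/podman/podman.sock` expands to a non-existent path under /nix/store rather than the host socket `/run/podman/podman.sock`. The credentials the `namecheap` DNS challenge needs would go into `blogbox.env`, which is declared world-readable (`mode = "644"`) via `environment.etc` — whose `text` contents are written to the world-readable Nix store regardless of `mode` — and under `/etc/blogbox/`, while the container reads `/etc/traefik/blogbox.env` and `/etc/traefik/acme.json`; provision both files outside the store (a secrets tool such as sops-nix or agenix, and a writable directory for `acme.json`, which traefik must be able to update) and point the volume and `environmentFiles` paths at the same location. `"traefik.http.routers.hugo-router.middlewares"` holds a compose-file path instead of middleware names like `hugo-headers,compression,retry`, so the HSTS/CSP/frame-deny headers defined right below it are never attached to the router. Several lines will also not evaluate: `"traefik.enable" = true` must be the string `"true"` (labels are `attrsOf str`), `cmd` must be a list of strings rather than a `''` block (and nothing expands `$DOMAIN` inside it), and in `serviceConfig` the keys are `Type`/`User` with a semicolon after `"root"`. Finally, `traefik:beaufort` is a floating codename tag; pin a version (or better, a digest) so the proxy image cannot change underneath a rebuild.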
@ -115,6 +115,9 @@
isNormalUser = true;
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "podman" ];
extraGroups = [ "wheel" "networkmanager" "podman" ];
shell = pkgs.nushell;
shell = pkgs.nushell;
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPN1Cd2UlHo03Jqgi5Yb4io/3gh/X4wCb8LcmKlpAovQa271CKDBtYOUKn+Fts03g6dBMfaWMty6VGPMGDMONmc= alisceon@electra"
];
}; # end users
}; # end users
programs.command-not-found.enable = true;
programs.command-not-found.enable = true;
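Review bot: The new `openssh.authorizedKeys.keys` entry is the login credential for a user the surrounding context lines place in `wheel` and `podman`; with `virtualisation.podman.dockerSocket.enable` turned on elsewhere in this commit, membership in `podman` on a rootful socket is root-equivalent, so this key should be protected like a root key on `electra` (passphrase or hardware token) and rotated if that machine is lost. The key itself is public material, so committing it is fine. For new keys prefer `ssh-ed25519` over `ecdsa-sha2-nistp256`: it is the current `ssh-keygen` default and does not depend on per-signature randomness the way ECDSA does. Whether this users module is imported by the server host is not visible in this hunk.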
@ -2,7 +2,11 @@
{
{
services = {
|
services = {
openssh.enable = true;
openssh = {
enable = true;
permitRootLogin = "no";
passwordAuthentication = false;
}; # end openssh
}; # end services
|
}; # end services
services.fwupd.enable = true;
services.fwupd.enable = true;
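Review bot: `passwordAuthentication = false;` on its own does not stop password logins: NixOS leaves `KbdInteractiveAuthentication` enabled by default, and sshd accepts the same password through PAM keyboard-interactive, so add `KbdInteractiveAuthentication = false` alongside it. On current NixOS these settings live under `services.openssh.settings` — `settings.PermitRootLogin = "no"; settings.PasswordAuthentication = false; settings.KbdInteractiveAuthentication = false;` — and the top-level `permitRootLogin`/`passwordAuthentication` names are renamed aliases that emit a warning on evaluation and may disappear in a release this flake later updates to (the pinned nixpkgs is not visible here). Whether this module is shared by the server and desktop hosts cannot be told from this hunk, but the hardening is appropriate for both.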