diff --git a/configs/common-server.nix b/configs/common-server.nix index ff52f8f..a74cf33 100755 --- a/configs/common-server.nix +++ b/configs/common-server.nix @@ -1,9 +1,4 @@ { config, lib, pkgs, ... }: -let - secrets = import ../configs/secrets.nix; - be = import ../configs/borg-exclude.nix; - unstable = import { config.allowUnfree = true; }; -in { imports = [ ../configs/common.nix ../configs/docker.nix ../configs/user.nix ]; diff --git a/configs/common.nix b/configs/common.nix index a019557..d956505 100755 --- a/configs/common.nix +++ b/configs/common.nix @@ -1,6 +1,5 @@ { config, pkgs, lib, ... }: -let secrets = import ./secrets.nix; -in { +{ environment.shells = with pkgs; [ bashInteractive zsh ]; programs = { diff --git a/machine/vps-arm.nix b/machine/vps-arm.nix new file mode 100755 index 0000000..13467c0 --- /dev/null +++ b/machine/vps-arm.nix @@ -0,0 +1,161 @@ +{ config, lib, pkgs, ... }: +let + be = import ../configs/borg-exclude.nix; + unstable = import { config.allowUnfree = true; }; +in +{ + imports = + [ + /etc/nixos/hardware-configuration.nix + ../configs/common.nix + ../configs/docker.nix + ../configs/user.nix + ]; + + boot.loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + + time.timeZone = "Europe/Berlin"; + + networking = { + hostName = "vps-arm"; # Define your hostname. + nftables.enable = true; + useDHCP = false; + defaultGateway6 = { + address = "fe80::1"; + interface = "enp7s0"; + }; + interfaces.enp7s0 = { + useDHCP = true; + ipv6.addresses = [{ + address = "2a0a:4cc0:1:124c::"; + prefixLength = 64; + }]; + }; + firewall = { + allowPing = true; + allowedTCPPorts = [ + 80 # web + 222 # SSH for gitea + 443 # web + 9898 # i2p + 9899 + 18080 + 21114 #Rustdesk + 21115 #Rustdesk + 21116 #Rustdesk + 21117 #Rustdesk + 21118 #Rustdesk + 21119 #Rustdesk + 22000 # syncthing + ]; + allowedUDPPorts = [ + 80 # web + 443 # web + 3478 # headscale + 9898 # i2p + 21116 # Rustdesk + 51820 # wireguard + ]; + }; + }; + + environment.systemPackages = with pkgs; [ + goaccess + xd + nyx + mkp224o + progress + headscale + ]; + + programs = { + mtr.enable = true; + fuse.userAllowOther = true; + }; + + security.acme = { + defaults.email = "webmaster@szczepan.ski"; + acceptTerms = true; + }; + + services = { + nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + clientMaxBodySize = "0"; + + commonHttpConfig = '' + log_format main '$host $remote_addr - $remote_user [$time_local] $upstream_cache_status "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio" ' + '$request_time $upstream_response_time $pipe'; + access_log /var/log/nginx/access.log main; + ''; + + virtualHosts = { + "git.v220240679185274666.nicesrv.de" = { + forceSSL = true; + enableACME = true; + locations = { "/" = { proxyPass = "http://127.0.0.1:3001/"; }; }; + }; + }; + }; + + postgresql = { + enable = true; + ensureDatabases = [ config.services.gitea.user ]; + ensureUsers = [{ + name = config.services.gitea.database.user; + ensureDBOwnership = true; + # ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES"; + }]; + }; + + gitea = { + enable = true; + appName = "My awesome Gitea server"; # Give the site a name + database = { + type = "postgres"; + password = "REMOVED_OLD_PASSWORD_FROM_HISTORY"; + }; + settings = { + server = { + DOMAIN = "git.v220240679185274666.nicesrv.de"; + ROOT_URL = "https://git.v220240679185274666.nicesrv.de/"; + HTTP_PORT = 3001; + }; + service.DISABLE_REGISTRATION = true; + }; + }; + + tailscale = { + enable = true; + useRoutingFeatures = "both"; + }; + + fail2ban = { + enable = true; + bantime = "7d"; + + jails = { + sshd = { + settings = { + filter = "sshd"; + maxretry = 4; + action = ''iptables[name=ssh, port=ssh, protocol=tcp]''; + enabled = true; + }; + }; + }; + }; + }; + + system.stateVersion = "24.05"; +}