vps-arm-2024-06-20-17-58-05

machine/vps-arm.nix

@@ -0,0 +1,161 @@
+{ config, lib, pkgs, ... }:
+let
+  be = import ../configs/borg-exclude.nix;
+  unstable = import <nixos-unstable> { config.allowUnfree = true; };
+in
+{
+  imports =
+    [
+      /etc/nixos/hardware-configuration.nix
+      ../configs/common.nix
+      ../configs/docker.nix
+      ../configs/user.nix
+    ];
+
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
+
+  time.timeZone = "Europe/Berlin";
+
+  networking = {
+    hostName = "vps-arm"; # Define your hostname.
+    nftables.enable = true;
+    useDHCP = false;
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "enp7s0";
+    };
+    interfaces.enp7s0 = {
+      useDHCP = true;
+      ipv6.addresses = [{
+        address = "2a0a:4cc0:1:124c::";
+        prefixLength = 64;
+      }];
+    };
+    firewall = {
+      allowPing = true;
+      allowedTCPPorts = [
+        80 # web
+        222 # SSH for gitea
+        443 # web
+        9898 # i2p
+        9899
+        18080
+        21114 #Rustdesk
+        21115 #Rustdesk
+        21116 #Rustdesk
+        21117 #Rustdesk
+        21118 #Rustdesk
+        21119 #Rustdesk
+        22000 # syncthing
+      ];
+      allowedUDPPorts = [
+        80 # web
+        443 # web
+        3478 # headscale
+        9898 # i2p
+        21116 # Rustdesk
+        51820 # wireguard
+      ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    goaccess
+    xd
+    nyx
+    mkp224o
+    progress
+    headscale
+  ];
+
+  programs = {
+    mtr.enable = true;
+    fuse.userAllowOther = true;
+  };
+
+  security.acme = {
+    defaults.email = "webmaster@szczepan.ski";
+    acceptTerms = true;
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      clientMaxBodySize = "0";
+
+      commonHttpConfig = ''
+        log_format  main  '$host $remote_addr - $remote_user [$time_local] $upstream_cache_status "$request" '
+                          '$status $body_bytes_sent "$http_referer" '
+                          '"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio" '
+                          '$request_time $upstream_response_time $pipe';
+        access_log  /var/log/nginx/access.log main;
+      '';
+
+      virtualHosts = {
+        "git.v220240679185274666.nicesrv.de" = {
+          forceSSL = true;
+          enableACME = true;
+          locations = { "/" = { proxyPass = "http://127.0.0.1:3001/"; }; };
+        };
+      };
+    };
+
+    postgresql = {
+      enable = true;
+      ensureDatabases = [ config.services.gitea.user ];
+      ensureUsers = [{
+        name = config.services.gitea.database.user;
+        ensureDBOwnership = true;
+        # ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
+      }];
+    };
+
+    gitea = {
+      enable = true;
+      appName = "My awesome Gitea server"; # Give the site a name
+      database = {
+        type = "postgres";
+        password = "REMOVED_OLD_PASSWORD_FROM_HISTORY";
+      };
+      settings = {
+        server = {
+          DOMAIN = "git.v220240679185274666.nicesrv.de";
+          ROOT_URL = "https://git.v220240679185274666.nicesrv.de/";
+          HTTP_PORT = 3001;
+        };
+        service.DISABLE_REGISTRATION = true;
+      };
+    };
+
+    tailscale = {
+      enable = true;
+      useRoutingFeatures = "both";
+    };
+
+    fail2ban = {
+      enable = true;
+      bantime = "7d";
+
+      jails = {
+        sshd = {
+          settings = {
+            filter = "sshd";
+            maxretry = 4;
+            action = ''iptables[name=ssh, port=ssh, protocol=tcp]'';
+            enabled = true;
+          };
+        };
+      };
+    };
+  };
+
+  system.stateVersion = "24.05";
+}