nixos-config/configs/nixos/plover/default.nix

{ config, lib, pkgs, foodogsquaredLib, foodogsquaredUtils
, foodogsquaredModulesPath, ... }:

{
  imports = [
    # The users for this host.
    (foodogsquaredUtils.getUser "nixos" "admin")
    (foodogsquaredUtils.getUser "nixos" "plover")

    "${foodogsquaredModulesPath}/profiles/hardened.nix"
    "${foodogsquaredModulesPath}/profiles/hetzner-cloud-cx22.nix"

    ./disko.nix

    ./modules
  ];

  boot.supportedFilesystems = [ "btrfs" ];

  # Host-specific modules structuring.
  hosts.plover.services = {
    networking = {
      enable = true;
      macAddress = "96:00:03:c3:99:93";
    };

    backup.enable = true;
    database.enable = true;
    firewall.enable = true;
    idm.enable = true;
    monitoring.enable = true;
    reverse-proxy.enable = true;
    fail2ban.enable = true;
    grafana.enable = true;

    # All of the self-hosted applications belong in here.
    gitea.enable = true;
    vaultwarden.enable = true;
  };

  # Overriding the kernel version for ourselves.
  boot.kernelPackages = lib.mkOverride 500 pkgs.linuxKernel.packages.linux_6_11_hardened;

  # We're using our own VPN configuration for this one.
  suites.vpn.personal.enable = true;
  services.tailscale.useRoutingFeatures = "server";
  services.tailscaleAuth.enable = true;

  # Post installation script to be executed manually by the provisioner.
  system.build.postInstallationScript = pkgs.writeShellApplication {
    name = "post-installation-script";
    runtimeInputs = with pkgs; [ openssh ];
    text = ''
      sopsPrivateKey="''${1:-"key.txt"}"
      sopsKeyfileDir="$(dirname ${lib.escapeShellArg config.sops.age.keyFile})"
      mkdir -p "$sopsKeyfileDir" && mv "$sopsPrivateKey" "$sopsKeyfileDir"
    '';
  };

  state.network = rec {
    ipv4 = "135.181.26.192";
    ipv6 = "2a01:4f9:c010:8db4::1";

    interfaces = {
      lan = {
        ifname = "enp7s0";
        ipv4 = "10.0.0.2";
        ipv6 = "fe80::8400:ff:fef7:864";
        ipv4Gateway = "10.0.0.1";
        ipv6Gateway = "fe80::1";
      };

      wan = {
        ifname = "enp1s0";
        inherit ipv4 ipv6;
        ipv4Gateway = "172.31.1.1";
        ipv6Gateway = "fe80::1";
      };
    };

    secondaryNameservers = [
      # ns1.first-ns.de
      "213.239.242.238"
      "2a01:4f8:0:a101::a:1"

      # robotns2.second-ns.de
      "213.133.100.103"
      "2a01:4f8:0:1::5ddc:2"

      # robotns3.second-ns.com
      "193.47.99.3"
      "2001:67c:192c::add:a3"
    ];
  };

  state.paths = {
    dataDir = "/var/lib";
    cacheDir = "/var/cache";
    logDir = "/var/log";
    runtimeDir = "/run";
  };

  # Offline SSH!?!
  programs.mosh.enable = true;

  sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets/secrets.yaml {
    "ssh-key" = { };
    "lego/env" = { };
  };

  # All of the keys required to deploy the secrets.
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  suites.server = {
    enable = true;
    cleanup.enable = true;
  };

  # DNS-related settings. We're settling by configuring the ACME setup with a
  # self-hosted DNS server.
  security.acme.defaults = {
    email = "admin+acme@foodogsquared.one";
    dnsProvider = "hetzner";
    environmentFile =
      config.sops.secrets."lego/env".path or "/var/lib/secrets/acme.env";
    enableDebugLogs = true;
  };

  # Enable generating new DH params.
  security.dhparams.enable = true;

  # !!! The keys should be rotated at an interval here.
  services.openssh.hostKeys = lib.singleton {
    path = config.sops.secrets."ssh-key".path;
    type = "ed25519";
  };

  system.stateVersion = "24.11";
}
hosts/plover: update base config 2024-12-18 07:24:24 +00:00			`{ config, lib, pkgs, foodogsquaredLib, foodogsquaredUtils`
			`, foodogsquaredModulesPath, ... }:`
hosts/plover: init 2022-11-23 05:27:01 +00:00
			`{`
			`imports = [`
users/plover: add home-manager user to config 2022-12-03 05:46:46 +00:00			`# The users for this host.`
hosts/plover: update code 2024-06-18 13:56:32 +00:00			`(foodogsquaredUtils.getUser "nixos" "admin")`
			`(foodogsquaredUtils.getUser "nixos" "plover")`
hosts/plover: add hardened profile from nixpkgs 2022-12-03 03:11:48 +00:00
hosts/ni: make use of the custom "profiles ala-nixpkgs" 2024-01-22 04:23:14 +00:00			`"${foodogsquaredModulesPath}/profiles/hardened.nix"`
nixos/profiles/hetzner-cloud-cx22: init It's mostly generic at this point and I want to manage more of them. 2024-10-02 05:07:10 +00:00			`"${foodogsquaredModulesPath}/profiles/hetzner-cloud-cx22.nix"`
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00
hosts/plover: make disko as a dedicated NixOS module 2024-02-22 23:25:44 +00:00			`./disko.nix`

hosts/plover: try out host-specific module structure 2023-12-11 08:30:00 +00:00			`./modules`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`];`

hosts/plover: update network state settings 2024-09-29 04:25:38 +00:00			`boot.supportedFilesystems = [ "btrfs" ];`

hosts/plover: try out host-specific module structure 2023-12-11 08:30:00 +00:00			`# Host-specific modules structuring.`
			`hosts.plover.services = {`
hosts/plover/services/networking: init additional options Exclusively focusing on the public network interface for now. 2024-10-10 04:34:13 +00:00			`networking = {`
			`enable = true;`
			`macAddress = "96:00:03:c3:99:93";`
			`};`

hosts/plover: try out host-specific module structure 2023-12-11 08:30:00 +00:00			`backup.enable = true;`
			`database.enable = true;`
			`firewall.enable = true;`
			`idm.enable = true;`
			`monitoring.enable = true;`
			`reverse-proxy.enable = true;`
			`fail2ban.enable = true;`
			`grafana.enable = true;`
hosts/plover: update and re-enable Vaultwarden service 2024-10-02 13:16:15 +00:00
			`# All of the self-hosted applications belong in here.`
hosts/plover: update and re-enable Gitea service 2024-10-02 13:16:39 +00:00			`gitea.enable = true;`
hosts/plover: update and re-enable Vaultwarden service 2024-10-02 13:16:15 +00:00			`vaultwarden.enable = true;`
hosts/plover: update state variables and services This is just made in advanced for the upcoming config updates of each services. 2024-09-19 13:27:22 +00:00			`};`

hosts/plover: update base config 2024-12-18 07:24:24 +00:00			`# Overriding the kernel version for ourselves.`
			`boot.kernelPackages = lib.mkOverride 500 pkgs.linuxKernel.packages.linux_6_11_hardened;`

hosts/plover: update VPN setup with Tailscale Setting up our own VPN infra with manual Wireguard thingy is a bit of tedious task. 2024-09-20 04:44:54 +00:00			`# We're using our own VPN configuration for this one.`
hosts/plover: fix erroneous config values 2024-09-22 14:07:59 +00:00			`suites.vpn.personal.enable = true;`
hosts/plover: update Tailscale config 2024-10-02 13:18:16 +00:00			`services.tailscale.useRoutingFeatures = "server";`
hosts/plover: update base config 2024-12-18 07:24:24 +00:00			`services.tailscaleAuth.enable = true;`
hosts/plover: update VPN setup with Tailscale Setting up our own VPN infra with manual Wireguard thingy is a bit of tedious task. 2024-09-20 04:44:54 +00:00
hosts/plover: update network state settings 2024-09-29 04:25:38 +00:00			`# Post installation script to be executed manually by the provisioner.`
			`system.build.postInstallationScript = pkgs.writeShellApplication {`
			`name = "post-installation-script";`
hosts/plover: update base config 2024-12-18 07:24:24 +00:00			`runtimeInputs = with pkgs; [ openssh ];`
hosts/plover: update network state settings 2024-09-29 04:25:38 +00:00			`text = ''`
			`sopsPrivateKey="''${1:-"key.txt"}"`
			`sopsKeyfileDir="$(dirname ${lib.escapeShellArg config.sops.age.keyFile})"`
			`mkdir -p "$sopsKeyfileDir" && mv "$sopsPrivateKey" "$sopsKeyfileDir"`
			`'';`
			`};`

hosts/plover: update network state This is pretty much needed from the networking setup. 2024-09-22 14:07:23 +00:00			`state.network = rec {`
hosts/plover: update base config 2024-12-18 07:24:24 +00:00			`ipv4 = "135.181.26.192";`
			`ipv6 = "2a01:4f9:c010:8db4::1";`
hosts/plover: update state variables and services This is just made in advanced for the upcoming config updates of each services. 2024-09-19 13:27:22 +00:00
			`interfaces = {`
			`lan = {`
hosts/plover: update network state This is pretty much needed from the networking setup. 2024-09-22 14:07:23 +00:00			`ifname = "enp7s0";`
hosts/plover: update state variables and services This is just made in advanced for the upcoming config updates of each services. 2024-09-19 13:27:22 +00:00			`ipv4 = "10.0.0.2";`
hosts/plover: update network state This is pretty much needed from the networking setup. 2024-09-22 14:07:23 +00:00			`ipv6 = "fe80::8400:ff:fef7:864";`
			`ipv4Gateway = "10.0.0.1";`
			`ipv6Gateway = "fe80::1";`
			`};`

			`wan = {`
hosts/plover: update network state settings 2024-09-29 04:25:38 +00:00			`ifname = "enp1s0";`
hosts/plover: update network state This is pretty much needed from the networking setup. 2024-09-22 14:07:23 +00:00			`inherit ipv4 ipv6;`
			`ipv4Gateway = "172.31.1.1";`
			`ipv6Gateway = "fe80::1";`
hosts/plover: update state variables and services This is just made in advanced for the upcoming config updates of each services. 2024-09-19 13:27:22 +00:00			`};`
			`};`

			`secondaryNameservers = [`
			`# ns1.first-ns.de`
			`"213.239.242.238"`
			`"2a01:4f8:0:a101::a:1"`

			`# robotns2.second-ns.de`
hosts/plover: update network state settings 2024-09-29 04:25:38 +00:00			`"213.133.100.103"`
			`"2a01:4f8:0:1::5ddc:2"`
hosts/plover: update state variables and services This is just made in advanced for the upcoming config updates of each services. 2024-09-19 13:27:22 +00:00
			`# robotns3.second-ns.com`
			`"193.47.99.3"`
			`"2001:67c:192c::add:a3"`
			`];`
			`};`

			`state.paths = {`
			`dataDir = "/var/lib";`
			`cacheDir = "/var/cache";`
			`logDir = "/var/log";`
			`runtimeDir = "/run";`
hosts/plover: try out host-specific module structure 2023-12-11 08:30:00 +00:00			`};`

hosts/plover: add Mosh into the installation 2023-11-06 12:37:08 +00:00			`# Offline SSH!?!`
			`programs.mosh.enable = true;`
hosts/plover: modularize BorgBackup service 2023-11-06 08:59:20 +00:00
flake-parts/setups: set separate namespace for custom library This at least allows us to make custom environment-specific library sets. 2024-02-11 07:16:25 +00:00			`sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets/secrets.yaml {`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`"ssh-key" = { };`
			`"lego/env" = { };`
config: convert to lib.getSecrets 2023-07-05 03:38:58 +00:00			`};`
hosts/plover: init 2022-11-23 05:27:01 +00:00
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# All of the keys required to deploy the secrets.`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`sops.age.keyFile = "/var/lib/sops-nix/key.txt";`

modules: move `profiles` custom namespace to `suites` We now have a "proper" profiles modules ala-nixpkgs so we'll have to move these to make it less confusing. 2024-01-22 06:48:55 +00:00			`suites.server = {`
hosts/plover: update config 2022-12-02 04:33:51 +00:00			`enable = true;`
			`cleanup.enable = true;`
			`};`

hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# DNS-related settings. We're settling by configuring the ACME setup with a`
hosts/plover: change DNS server to Bind9 CoreDNS doesn't have dynamic updates available yet (though there are PRs and discussions for it) so we'll have to go with something that has it. Also, it provides an opportunity for me to use the de-facto software for this. 2023-06-22 09:56:47 +00:00			`# self-hosted DNS server.`
hosts/plover: add LDAP server to reverse proxy 2022-12-29 02:26:15 +00:00			`security.acme.defaults = {`
hosts/plover: update Bind config for dynamic updates 2023-06-27 14:56:18 +00:00			`email = "admin+acme@foodogsquared.one";`
hosts/plover: update DNS setup Which is no setup for now. It's a bit frustrating to deal with especially with the email stuff. On a future note, the DNS server should be on a separate machine. 2024-10-10 04:35:37 +00:00			`dnsProvider = "hetzner";`
hosts/plover: update base config 2024-12-18 07:24:24 +00:00			`environmentFile =`
			`config.sops.secrets."lego/env".path or "/var/lib/secrets/acme.env";`
hosts/plover: update DNS setup Which is no setup for now. It's a bit frustrating to deal with especially with the email stuff. On a future note, the DNS server should be on a separate machine. 2024-10-10 04:35:37 +00:00			`enableDebugLogs = true;`
hosts/plover: add DNS-related config 2022-12-03 00:09:26 +00:00			`};`

hosts/plover: enable DH params generation This is for certain applications as we'll see. 2023-06-30 02:46:43 +00:00			`# Enable generating new DH params.`
			`security.dhparams.enable = true;`

			`# !!! The keys should be rotated at an interval here.`
hosts/plover: update network state settings 2024-09-29 04:25:38 +00:00			`services.openssh.hostKeys = lib.singleton {`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`path = config.sops.secrets."ssh-key".path;`
hosts/plover: update config 2022-12-02 04:33:51 +00:00			`type = "ed25519";`
hosts/plover: update network state settings 2024-09-29 04:25:38 +00:00			`};`
hosts/plover: update config 2022-12-02 04:33:51 +00:00
hosts/plover: fix erroneous config values 2024-09-22 14:07:59 +00:00			`system.stateVersion = "24.11";`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`}`