nixos-config/configs/nixos/plover/default.nix

{ config, lib, pkgs, foodogsquaredLib, foodogsquaredUtils, foodogsquaredModulesPath, ... }:

{
  imports = [
    # Since this will be rarely configured, make sure to import the appropriate
    # hardware modules depending on the hosting provider (and even just the
    # server).
    ./modules/profiles/hetzner-cloud-cx22.nix

    # The users for this host.
    (foodogsquaredUtils.getUser "nixos" "admin")
    (foodogsquaredUtils.getUser "nixos" "plover")

    "${foodogsquaredModulesPath}/profiles/headless.nix"
    "${foodogsquaredModulesPath}/profiles/hardened.nix"

    ./disko.nix

    ./modules
  ];

  # Host-specific modules structuring.
  hosts.plover.services = {
    networking.enable = true;
    backup.enable = true;
    database.enable = true;
    firewall.enable = true;
    dns-server.enable = true;
    idm.enable = true;
    monitoring.enable = true;
    reverse-proxy.enable = true;
    fail2ban.enable = true;
    grafana.enable = true;
  };

  # We're using our own VPN configuration for this one.
  suites.vpn.personal.enable = true;

  state.network = rec {
    ipv4 = "135.181.26.192";
    ipv6 = "2a01:4f9:c011:b61e::1";

    interfaces = {
      lan = {
        ifname = "enp7s0";
        ipv4 = "10.0.0.2";
        ipv6 = "fe80::8400:ff:fef7:864";
        ipv4Gateway = "10.0.0.1";
        ipv6Gateway = "fe80::1";
      };

      wan = {
        ifname = "eth0";
        inherit ipv4 ipv6;
        ipv4Gateway = "172.31.1.1";
        ipv6Gateway = "fe80::1";
      };
    };

    secondaryNameservers = [
      # ns1.first-ns.de
      "213.239.242.238"
      "2a01:4f8:0:a101::a:1"

      # robotns2.second-ns.de
      "213.133.105.6"
      "2a01:4f8:d0a:2004::2"

      # robotns3.second-ns.com
      "193.47.99.3"
      "2001:67c:192c::add:a3"
    ];
  };

  state.paths = {
    dataDir = "/var/lib";
    cacheDir = "/var/cache";
    logDir = "/var/log";
    runtimeDir = "/run";
  };

  # Offline SSH!?!
  programs.mosh.enable = true;

  sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets/secrets.yaml {
    "ssh-key" = { };
    "lego/env" = { };
  };

  # All of the keys required to deploy the secrets.
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  suites.server = {
    enable = true;
    cleanup.enable = true;
  };

  # DNS-related settings. We're settling by configuring the ACME setup with a
  # self-hosted DNS server.
  security.acme.defaults = {
    email = "admin+acme@foodogsquared.one";
    dnsProvider = "rfc2136";
    dnsResolver = "1.1.1.1";
    credentialsFile = config.sops.secrets."lego/env".path or "/var/lib/secrets/acme.env";
  };

  # Enable generating new DH params.
  security.dhparams.enable = true;

  # !!! The keys should be rotated at an interval here.
  services.openssh.hostKeys = [{
    path = config.sops.secrets."ssh-key".path;
    type = "ed25519";
  }];

  system.stateVersion = "24.11";
}
hosts/plover: update code 2024-06-18 13:56:32 +00:00			`{ config, lib, pkgs, foodogsquaredLib, foodogsquaredUtils, foodogsquaredModulesPath, ... }:`
hosts/plover: init 2022-11-23 05:27:01 +00:00
			`{`
			`imports = [`
hosts/plover: move hardware config to be hosting provider-specific 2023-01-14 07:55:30 +00:00			`# Since this will be rarely configured, make sure to import the appropriate`
			`# hardware modules depending on the hosting provider (and even just the`
			`# server).`
hosts/plover/services/networking: modularize networking setup into its own module 2024-09-22 14:03:20 +00:00			`./modules/profiles/hetzner-cloud-cx22.nix`
hosts/plover: update config 2022-11-26 06:13:17 +00:00
users/plover: add home-manager user to config 2022-12-03 05:46:46 +00:00			`# The users for this host.`
hosts/plover: update code 2024-06-18 13:56:32 +00:00			`(foodogsquaredUtils.getUser "nixos" "admin")`
			`(foodogsquaredUtils.getUser "nixos" "plover")`
hosts/plover: add hardened profile from nixpkgs 2022-12-03 03:11:48 +00:00
hosts/ni: make use of the custom "profiles ala-nixpkgs" 2024-01-22 04:23:14 +00:00			`"${foodogsquaredModulesPath}/profiles/headless.nix"`
			`"${foodogsquaredModulesPath}/profiles/hardened.nix"`
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00
hosts/plover: make disko as a dedicated NixOS module 2024-02-22 23:25:44 +00:00			`./disko.nix`

hosts/plover: try out host-specific module structure 2023-12-11 08:30:00 +00:00			`./modules`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`];`

hosts/plover: try out host-specific module structure 2023-12-11 08:30:00 +00:00			`# Host-specific modules structuring.`
			`hosts.plover.services = {`
hosts/plover/services/networking: modularize networking setup into its own module 2024-09-22 14:03:20 +00:00			`networking.enable = true;`
hosts/plover: try out host-specific module structure 2023-12-11 08:30:00 +00:00			`backup.enable = true;`
			`database.enable = true;`
			`firewall.enable = true;`
			`dns-server.enable = true;`
			`idm.enable = true;`
			`monitoring.enable = true;`
			`reverse-proxy.enable = true;`
			`fail2ban.enable = true;`
			`grafana.enable = true;`
hosts/plover: update state variables and services This is just made in advanced for the upcoming config updates of each services. 2024-09-19 13:27:22 +00:00			`};`

hosts/plover: update VPN setup with Tailscale Setting up our own VPN infra with manual Wireguard thingy is a bit of tedious task. 2024-09-20 04:44:54 +00:00			`# We're using our own VPN configuration for this one.`
hosts/plover: fix erroneous config values 2024-09-22 14:07:59 +00:00			`suites.vpn.personal.enable = true;`
hosts/plover: update VPN setup with Tailscale Setting up our own VPN infra with manual Wireguard thingy is a bit of tedious task. 2024-09-20 04:44:54 +00:00
hosts/plover: update network state This is pretty much needed from the networking setup. 2024-09-22 14:07:23 +00:00			`state.network = rec {`
			`ipv4 = "135.181.26.192";`
			`ipv6 = "2a01:4f9:c011:b61e::1";`
hosts/plover: update state variables and services This is just made in advanced for the upcoming config updates of each services. 2024-09-19 13:27:22 +00:00
			`interfaces = {`
			`lan = {`
hosts/plover: update network state This is pretty much needed from the networking setup. 2024-09-22 14:07:23 +00:00			`ifname = "enp7s0";`
hosts/plover: update state variables and services This is just made in advanced for the upcoming config updates of each services. 2024-09-19 13:27:22 +00:00			`ipv4 = "10.0.0.2";`
hosts/plover: update network state This is pretty much needed from the networking setup. 2024-09-22 14:07:23 +00:00			`ipv6 = "fe80::8400:ff:fef7:864";`
			`ipv4Gateway = "10.0.0.1";`
			`ipv6Gateway = "fe80::1";`
			`};`

			`wan = {`
			`ifname = "eth0";`
			`inherit ipv4 ipv6;`
			`ipv4Gateway = "172.31.1.1";`
			`ipv6Gateway = "fe80::1";`
hosts/plover: update state variables and services This is just made in advanced for the upcoming config updates of each services. 2024-09-19 13:27:22 +00:00			`};`
			`};`

			`secondaryNameservers = [`
			`# ns1.first-ns.de`
			`"213.239.242.238"`
			`"2a01:4f8:0:a101::a:1"`

			`# robotns2.second-ns.de`
			`"213.133.105.6"`
			`"2a01:4f8:d0a:2004::2"`

			`# robotns3.second-ns.com`
			`"193.47.99.3"`
			`"2001:67c:192c::add:a3"`
			`];`
			`};`

			`state.paths = {`
			`dataDir = "/var/lib";`
			`cacheDir = "/var/cache";`
			`logDir = "/var/log";`
			`runtimeDir = "/run";`
hosts/plover: try out host-specific module structure 2023-12-11 08:30:00 +00:00			`};`

hosts/plover: add Mosh into the installation 2023-11-06 12:37:08 +00:00			`# Offline SSH!?!`
			`programs.mosh.enable = true;`
hosts/plover: modularize BorgBackup service 2023-11-06 08:59:20 +00:00
flake-parts/setups: set separate namespace for custom library This at least allows us to make custom environment-specific library sets. 2024-02-11 07:16:25 +00:00			`sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets/secrets.yaml {`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`"ssh-key" = { };`
			`"lego/env" = { };`
config: convert to lib.getSecrets 2023-07-05 03:38:58 +00:00			`};`
hosts/plover: init 2022-11-23 05:27:01 +00:00
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# All of the keys required to deploy the secrets.`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`sops.age.keyFile = "/var/lib/sops-nix/key.txt";`

modules: move `profiles` custom namespace to `suites` We now have a "proper" profiles modules ala-nixpkgs so we'll have to move these to make it less confusing. 2024-01-22 06:48:55 +00:00			`suites.server = {`
hosts/plover: update config 2022-12-02 04:33:51 +00:00			`enable = true;`
			`cleanup.enable = true;`
			`};`

hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# DNS-related settings. We're settling by configuring the ACME setup with a`
hosts/plover: change DNS server to Bind9 CoreDNS doesn't have dynamic updates available yet (though there are PRs and discussions for it) so we'll have to go with something that has it. Also, it provides an opportunity for me to use the de-facto software for this. 2023-06-22 09:56:47 +00:00			`# self-hosted DNS server.`
hosts/plover: add LDAP server to reverse proxy 2022-12-29 02:26:15 +00:00			`security.acme.defaults = {`
hosts/plover: update Bind config for dynamic updates 2023-06-27 14:56:18 +00:00			`email = "admin+acme@foodogsquared.one";`
hosts/plover: change DNS server to Bind9 CoreDNS doesn't have dynamic updates available yet (though there are PRs and discussions for it) so we'll have to go with something that has it. Also, it provides an opportunity for me to use the de-facto software for this. 2023-06-22 09:56:47 +00:00			`dnsProvider = "rfc2136";`
hosts/plover: update Bind config for dynamic updates 2023-06-27 14:56:18 +00:00			`dnsResolver = "1.1.1.1";`
hosts/plover: update state variables and services This is just made in advanced for the upcoming config updates of each services. 2024-09-19 13:27:22 +00:00			`credentialsFile = config.sops.secrets."lego/env".path or "/var/lib/secrets/acme.env";`
hosts/plover: add DNS-related config 2022-12-03 00:09:26 +00:00			`};`

hosts/plover: enable DH params generation This is for certain applications as we'll see. 2023-06-30 02:46:43 +00:00			`# Enable generating new DH params.`
			`security.dhparams.enable = true;`

			`# !!! The keys should be rotated at an interval here.`
hosts/plover: update config 2022-12-02 04:33:51 +00:00			`services.openssh.hostKeys = [{`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`path = config.sops.secrets."ssh-key".path;`
hosts/plover: update config 2022-12-02 04:33:51 +00:00			`type = "ed25519";`
			`}];`

hosts/plover: fix erroneous config values 2024-09-22 14:07:59 +00:00			`system.stateVersion = "24.11";`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`}`