mirror of
https://github.com/foo-dogsquared/nixos-config.git
synced 2025-01-31 16:57:55 +00:00
223 lines
5.8 KiB
Nix
223 lines
5.8 KiB
Nix
{ config, options, lib, pkgs, ... }:
|
|
|
|
let
|
|
inherit (builtins) toString;
|
|
domain = "foodogsquared.one";
|
|
wikiDomain = "wiki.${domain}";
|
|
passwordManagerDomain = "vault.${domain}";
|
|
codeForgeDomain = "forge.${domain}";
|
|
in
|
|
{
|
|
imports = [
|
|
./hardware-configuration.nix
|
|
(lib.getUser "nixos" "admin")
|
|
|
|
(lib.mapHomeManagerUser "plover" {})
|
|
(lib.getUser "nixos" "plover")
|
|
];
|
|
|
|
sops.secrets =
|
|
let
|
|
getKey = key: {
|
|
inherit key;
|
|
sopsFile = ./secrets/secrets.yaml;
|
|
};
|
|
getSecrets = keys:
|
|
lib.listToAttrs (lib.lists.map
|
|
(secret:
|
|
lib.nameValuePair
|
|
"plover/${secret}"
|
|
(getKey secret))
|
|
keys);
|
|
in
|
|
getSecrets [
|
|
"ssh-key"
|
|
"gitea/db/password"
|
|
];
|
|
|
|
# Be sure to upload this manually. (It's this really a good idea?)
|
|
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
enableReload = true;
|
|
package = pkgs.nginxMainline;
|
|
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
|
|
# Server blocks with no forcing of SSL are static sites so it is pretty
|
|
# much OK.
|
|
virtualHosts = {
|
|
# Personal website.
|
|
"${domain}" = {
|
|
forceSSL = false;
|
|
enableACME = true;
|
|
serverAliases = [ "www.${domain}" ];
|
|
locations."/" = {
|
|
proxyPass = "https://foodogsquared.netlify.app";
|
|
};
|
|
};
|
|
|
|
# My digital notebook.
|
|
"${wikiDomain}" = {
|
|
forceSSL = false;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "https://foodogsquared-wiki.netlify.app";
|
|
};
|
|
};
|
|
|
|
# Vaultwarden instance.
|
|
"${passwordManagerDomain}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations = let
|
|
port = config.services.vaultwarden.config.ROCKET_PORT;
|
|
websocketPort = config.services.vaultwarden.config.WEBSOCKET_PORT;
|
|
in {
|
|
"/" = {
|
|
proxyPass = "http://localhost:${toString port}";
|
|
proxyWebsockets = true;
|
|
};
|
|
|
|
"/notifications/hub" = {
|
|
proxyPass = "http://localhost:${toString websocketPort}";
|
|
proxyWebsockets = true;
|
|
};
|
|
|
|
"/notifications/hub/negotiate" = {
|
|
proxyPass = "http://localhost:${toString port}";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
};
|
|
|
|
# Gitea instance.
|
|
"${codeForgeDomain}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://localhost:${toString config.services.gitea.httpPort}";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
# Time to harden...
|
|
profiles.system.hardened-config.enable = true;
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = "admin@foodogsquared.one";
|
|
};
|
|
|
|
# Some additional dependencies for this system.
|
|
environment.systemPackages = with pkgs; [
|
|
asciidoctor
|
|
];
|
|
|
|
# My code forge.
|
|
services.gitea = {
|
|
inherit domain;
|
|
enable = true;
|
|
appName = "foodogsquared's code forge";
|
|
# TODO: Use postgresql later
|
|
database = {
|
|
passwordFile = config.sops.secrets."plover/gitea/db/password".path;
|
|
#type = "postgres";
|
|
};
|
|
lfs.enable = true;
|
|
#mailerPasswordFile = config.sops.secrets."plover/gitea/smtp/password".path;
|
|
rootUrl = "http://${codeForgeDomain}";
|
|
|
|
settings = {
|
|
"repository.pull_request" = {
|
|
WORK_IN_PROGRESS_PREFIXES = "WIP:,[WIP],DRAFT,[DRAFT]";
|
|
ADD_CO_COMMITTERS_TRAILERS = true;
|
|
};
|
|
|
|
ui = {
|
|
EXPLORE_PAGING_SUM = 15;
|
|
GRAPH_MAX_COMMIT_NUM = 200;
|
|
};
|
|
|
|
"ui.meta" = {
|
|
AUTHOR = "foodogsquared's code forge";
|
|
DESCRIPTION = ''
|
|
foodogsquared's personal Git forge.
|
|
Mainly personal projects and some archived and mirrored codebases.
|
|
'';
|
|
KEYWORDS = "foodogsquared,gitea,self-hosted";
|
|
};
|
|
|
|
# It's a personal instance so nah...
|
|
service.DISABLE_REGISTRATION = true;
|
|
|
|
repository = {
|
|
ENABLE_PUSH_CREATE_USER = true;
|
|
DEFAULT_PRIVATE = "public";
|
|
DEFAULT_PRIVATE_PUSH_CREATE = true;
|
|
};
|
|
|
|
"markup.asciidoc" = {
|
|
ENABLED = true;
|
|
NEED_POSTPROCESS = true;
|
|
FILE_EXTENSIONS = ".adoc,.asciidoc";
|
|
RENDER_COMMANDS = "asciidoc --out-file=- -";
|
|
IS_INPUT_FILE = false;
|
|
};
|
|
|
|
# Well, collaboration between forges is nice...
|
|
federation.ENABLED = true;
|
|
|
|
# Enable mirroring feature...
|
|
mirror.ENABLED = true;
|
|
|
|
other = {
|
|
SHOW_FOOTER_VERSION = true;
|
|
ENABLE_SITEMAP = true;
|
|
ENABLE_FEED = true;
|
|
};
|
|
};
|
|
};
|
|
|
|
# An alternative implementation of Bitwarden written in Rust. The project
|
|
# being written in Rust is a insta-self-hosting material right there.
|
|
services.vaultwarden = {
|
|
enable = true;
|
|
config = {
|
|
DOMAIN = "https://${passwordManagerDomain}";
|
|
|
|
# Configuring the server.
|
|
ROCKET_ADDRESS = "127.0.0.1";
|
|
ROCKET_PORT = 8222;
|
|
ROCKET_LOG = "critical";
|
|
|
|
# Ehh... It's only a few (or even one) users anyways so nah. Since this
|
|
# instance will not configure SMTP server, this pretty much means
|
|
# invitation is only via email at this point.
|
|
SHOW_PASSWORD_HINT = false;
|
|
|
|
# Configuring some parts of account management which is almost
|
|
# nonexistent because this is just intended for me (at least right now).
|
|
SIGNUPS_ALLOWED = false;
|
|
SIGNUPS_VERIFY = true;
|
|
INVITATIONS_ALLOWED = true;
|
|
|
|
# Notifications...
|
|
WEBSOCKET_ENABLED = true;
|
|
WEBSOCKET_PORT = 3012;
|
|
WEBSOCKET_ADDRESS = "0.0.0.0";
|
|
|
|
# Enabling web vault with whatever nixpkgs comes in.
|
|
WEB_VAULT_ENABLED = true;
|
|
WEB_VAULT_FOLDER = "${pkgs.vaultwarden-vault}/share/vaultwarden";
|
|
};
|
|
};
|
|
|
|
system.stateVersion = "22.11";
|
|
}
|