mirror of
https://github.com/foo-dogsquared/nixos-config.git
synced 2025-01-31 16:57:55 +00:00
83 lines
2.0 KiB
Nix
83 lines
2.0 KiB
Nix
{ config, lib, pkgs, modulesPath, ... }:
|
|
|
|
{
|
|
imports = [
|
|
# Since this will be rarely configured, make sure to import the appropriate
|
|
# hardware modules depending on the hosting provider (and even just the
|
|
# server).
|
|
./modules/hardware/hetzner-cloud-cx21.nix
|
|
|
|
# The users for this host.
|
|
(lib.getUser "nixos" "admin")
|
|
(lib.getUser "nixos" "plover")
|
|
|
|
# Hardened profile from nixpkgs.
|
|
"${modulesPath}/profiles/hardened.nix"
|
|
|
|
./modules
|
|
];
|
|
|
|
# Host-specific modules structuring.
|
|
hosts.plover.services = {
|
|
# The essential services.
|
|
backup.enable = true;
|
|
database.enable = true;
|
|
firewall.enable = true;
|
|
dns-server.enable = true;
|
|
idm.enable = true;
|
|
monitoring.enable = true;
|
|
reverse-proxy.enable = true;
|
|
fail2ban.enable = true;
|
|
|
|
# The self-hosted services.
|
|
atuin.enable = true;
|
|
gitea.enable = true;
|
|
grafana.enable = true;
|
|
vaultwarden.enable = true;
|
|
wireguard.enable = true;
|
|
};
|
|
|
|
# Automatic format and partitioning.
|
|
disko.devices = import ./disko.nix {
|
|
disks = [ "/dev/sda" ];
|
|
};
|
|
|
|
# Offline SSH!?!
|
|
programs.mosh.enable = true;
|
|
|
|
sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
|
|
"ssh-key" = { };
|
|
"lego/env" = { };
|
|
};
|
|
|
|
# All of the keys required to deploy the secrets.
|
|
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
|
|
profiles.server = {
|
|
enable = true;
|
|
headless.enable = true;
|
|
hardened-config.enable = true;
|
|
cleanup.enable = true;
|
|
};
|
|
|
|
# DNS-related settings. We're settling by configuring the ACME setup with a
|
|
# self-hosted DNS server.
|
|
security.acme.defaults = {
|
|
email = "admin+acme@foodogsquared.one";
|
|
dnsProvider = "rfc2136";
|
|
dnsResolver = "1.1.1.1";
|
|
credentialsFile = config.sops.secrets."lego/env".path;
|
|
};
|
|
|
|
# Enable generating new DH params.
|
|
security.dhparams.enable = true;
|
|
|
|
# !!! The keys should be rotated at an interval here.
|
|
services.openssh.hostKeys = [{
|
|
path = config.sops.secrets."ssh-key".path;
|
|
type = "ed25519";
|
|
}];
|
|
|
|
system.stateVersion = "23.11";
|
|
}
|