127 lines
2.7 KiB
Nix
127 lines
2.7 KiB
Nix
state-version: { pkgs, ... }:
|
|
let services = with builtins;
|
|
let services_no_ip =
|
|
map (s: import (./services + "/${s}") { inherit pkgs; })
|
|
(filter (s: ! isNull (match ".*\.nix" s))
|
|
(attrNames (readDir ./services)));
|
|
in genList (i: elemAt services_no_ip i // { ip = "10.10.0.${toString (i+2)}"; }) (length services_no_ip);
|
|
|
|
lib = import ./lib.nix;
|
|
secrets = import ./secrets/secrets.nix;
|
|
|
|
hostIp = "10.10.0.1";
|
|
in
|
|
|
|
{
|
|
containers =
|
|
lib.foldMap ({ name, config, ip, ports, ... }:
|
|
{
|
|
${name} = {
|
|
autoStart = true;
|
|
ephemeral = true;
|
|
privateNetwork = true;
|
|
hostAddress = hostIp;
|
|
localAddress = ip;
|
|
config = config // {
|
|
boot.isContainer = true;
|
|
|
|
networking = {
|
|
hostName = "${name}";
|
|
|
|
hosts = lib.foldMap ({ name, ip, ...}:
|
|
{ "${ip}" = [ "${name}.containers" "${name}" ]; }
|
|
) services;
|
|
|
|
firewall.enable = true;
|
|
firewall.allowedTCPPorts = ports.tcp;
|
|
firewall.allowedUDPPorts = ports.udp;
|
|
};
|
|
|
|
system.stateVersion = state-version;
|
|
};
|
|
};
|
|
}
|
|
) services;
|
|
}
|
|
|
|
//
|
|
|
|
{
|
|
# [NGINX]
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedProxySettings = true;
|
|
virtualHosts =
|
|
lib.foldMap ({ ports, hosts, ip, ... }:
|
|
lib.foldMap (host:
|
|
if (builtins.isNull ports.http)
|
|
then {}
|
|
else {
|
|
"${host}" = {
|
|
locations."/".proxyPass =
|
|
"http://${ip}:${builtins.toString ports.http}";
|
|
};
|
|
}
|
|
) hosts
|
|
) services;
|
|
};
|
|
|
|
# [SSHD]
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
PermitRootLogin = "no";
|
|
PasswordAuthentication = false;
|
|
};
|
|
};
|
|
|
|
# [NETWORK]
|
|
networking = {
|
|
hostName = "cafe";
|
|
|
|
firewall.allowedTCPPorts = [ 22 80 443 ];
|
|
firewall.allowedUDPPorts = [ ];
|
|
|
|
nat = {
|
|
enable = true;
|
|
internalInterfaces = ["ve-+"];
|
|
externalInterface = "lo";
|
|
};
|
|
};
|
|
|
|
# [USER]
|
|
users.users.admin = {
|
|
isNormalUser = true;
|
|
group = "admin";
|
|
extraGroups = [ "wheel" ];
|
|
hashedPassword = pkgs.lib.removeSuffix "\n"
|
|
(builtins.readFile ./secrets/admin_password);
|
|
openssh.authorizedKeys.keyFiles = [ ./secrets/id_ed25519.pub ];
|
|
};
|
|
users.groups.admin = {};
|
|
|
|
# [SOFTWARE]
|
|
programs.bash.interactiveShellInit = ''
|
|
set -o vi
|
|
'';
|
|
|
|
# [NIX]
|
|
nix = {
|
|
settings = {
|
|
experimental-features = [ "nix-command" "flakes" ];
|
|
auto-optimise-store = true;
|
|
};
|
|
gc = {
|
|
automatic = true;
|
|
dates = "monthly";
|
|
options = "--delete-older-than 30d";
|
|
};
|
|
};
|
|
|
|
security.sudo.enable = false;
|
|
security.doas.enable = true;
|
|
|
|
system.stateVersion = state-version;
|
|
|
|
}
|