nixos-config/modules/sv1/legacy.nix


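# NixOS module for host "sv1".
#
# Layout: a single GPT disk holding a BIOS-boot partition and one LUKS1
# container with btrfs subvolumes. The root subvolume is rolled back to a
# pristine "blank" snapshot on every boot (impermanence); anything that must
# survive a reboot lives under /persist. Gitea and Jellyfin are published
# through nginx with ACME certificates, and a Hetzner Storage Box is mounted
# on demand over CIFS with sops-managed credentials.
{
  lib,
  config,
  pkgs,
  ...
}: let
  # Mount options shared by every btrfs subvolume except the swap one.
  btrfsMountOptions = [
    "compress=zstd"
    "noatime"
  ];
in {
  imports = with lib.nixosModules; [
    disko
    impermanence
    sops
  ];

  disko.devices.disk.NixOS = {
    device = "/dev/sda";
    type = "disk";
    content = {
      type = "gpt";
      partitions = {
        # BIOS boot partition for GRUB's core image on a GPT disk (the
        # bootloader below is GRUB, not systemd-boot, hence no ESP).
        BSP = {
          type = "EF02";
          size = "1M";
        };
        Crypt = {
          size = "100%";
          content = {
            type = "luks";
            name = "crypt";
            # LUKS1 is forced because GRUB's cryptodisk support (used to
            # unlock /boot, which lives inside this container) has
            # historically required it. NOTE(review): LUKS1 derives the
            # passphrase slot with PBKDF2 rather than argon2, so the
            # passphrase strength matters more than with LUKS2.
            extraFormatArgs = ["--type luks1"];
            content = {
              type = "btrfs";
              # Runs once at format time, after the subvolumes below exist:
              #  1. take a read-only snapshot ("blank") of the empty root
              #     subvolume; the initrd restores it on every boot;
              #  2. generate a random 4 KiB key file on the /boot subvolume
              #     and enrol it as an extra LUKS key slot, so the initrd can
              #     unlock the container without a second passphrase prompt.
              postCreateHook = ''
                btrfs="$(mktemp -d)"
                mount -o subvol=/ /dev/mapper/crypt "$btrfs"
                btrfs subvolume snapshot -r "$btrfs/root" "$btrfs/blank"
                umount "$btrfs"
                rm -rf "$btrfs"

                boot="$(mktemp -d)"
                mount -o subvol=/boot /dev/mapper/crypt "$boot"
                # The key file unlocks the whole disk; create it root-only
                # (0600 via umask) instead of inheriting a world-readable
                # mode from the installer's default umask.
                (umask 077; dd if=/dev/urandom "of=$boot/luks.bin" bs=1024 count=4)
                cryptsetup luksAddKey \
                  /dev/disk/by-partlabel/disk-NixOS-Crypt \
                  "$boot/luks.bin"
                umount "$boot"
                rm -rf "$boot"
              '';
              subvolumes = {
                "/root" = {
                  mountpoint = "/";
                  mountOptions = btrfsMountOptions;
                };
                "/boot" = {
                  mountpoint = "/boot";
                  mountOptions = btrfsMountOptions;
                };
                "/home" = {
                  mountpoint = "/home";
                  mountOptions = btrfsMountOptions;
                };
                "/nix" = {
                  mountpoint = "/nix";
                  mountOptions = btrfsMountOptions;
                };
                "/persist" = {
                  mountpoint = "/persist";
                  mountOptions = btrfsMountOptions;
                };
                "/log" = {
                  mountpoint = "/var/log";
                  mountOptions = btrfsMountOptions;
                };
                "/swap" = {
                  mountpoint = "/.swap";
                  swap.swapfile.size = "4G";
                };
              };
            };
          };
        };
      };
    };
  };

  fileSystems = {
    # Both are needed before stage 2: /persist holds the sops age key read
    # at activation, /var/log keeps the journal across the root rollback.
    "/persist".neededForBoot = true;
    "/var/log".neededForBoot = true;
    # Hetzner Storage Box, mounted lazily by a systemd automount and
    # released after 60 s idle.
    # NOTE(review): no SMB dialect or `seal` option is pinned here — confirm
    # what the provider negotiates before relying on transport encryption.
    "/mnt/sb1" = {
      device = "//u424050.your-storagebox.de/backup";
      fsType = "cifs";
      options = [
        "x-systemd.automount"
        "noauto"
        "x-systemd.idle-timeout=60"
        "x-systemd.device-timeout=5s"
        "x-systemd.mount-timeout=5s"
        # Rendered at activation from the sops secrets below, so the
        # username/password never land in the world-readable Nix store.
        "credentials=${config.sops.templates.sb1-credentials.path}"
      ];
    };
  };

  sops = {
    # Decrypt with a dedicated age key kept on the persisted subvolume
    # rather than deriving one from the (non-persisted) SSH host keys.
    gnupg.sshKeyPaths = [];
    age = {
      sshKeyPaths = [];
      keyFile = "/persist/sops.age";
    };
    secrets = {
      sb1-username.sopsFile = lib.secrets.sb1;
      sb1-password.sopsFile = lib.secrets.sb1;
    };
    # mount.cifs credentials file format: one `key=value` per line.
    templates.sb1-credentials.content = ''
      username=${config.sops.placeholder.sb1-username}
      password=${config.sops.placeholder.sb1-password}
    '';
  };

  boot = {
    loader = {
      grub = {
        enable = true;
        # GRUB must unlock the LUKS container itself to reach /boot.
        enableCryptodisk = true;
      };
    };
    initrd = {
      # VM-oriented module set (virtio/9p) plus generic AHCI/USB/SCSI.
      availableKernelModules = [
        "virtio_net"
        "virtio_pci"
        "virtio_mmio"
        "virtio_blk"
        "virtio_scsi"
        "9p"
        "9pnet_virtio"
        "ahci"
        "xhci_pci"
        "sd_mod"
        "sr_mod"
      ];
      kernelModules = [
        "virtio_balloon"
        "virtio_console"
        "virtio_rng"
        "virtio_gpu"
      ];
      # The key file generated at install time is embedded into the initrd
      # (which itself sits on the encrypted /boot), so the second unlock in
      # stage 1 needs no passphrase.
      secrets."/luks.bin" = "/boot/luks.bin";
      luks.devices.crypt = {
        device = "/dev/disk/by-partlabel/disk-NixOS-Crypt";
        keyFile = "/luks.bin";
      };
      # Root rollback, run before any other postDeviceCommands: delete every
      # subvolume nested under root (btrfs refuses to delete a subvolume that
      # still has children), then root itself, and restore the install-time
      # "blank" snapshot. `cut -f9` picks the path column of
      # `btrfs subvolume list`. The scratch mount is released explicitly at
      # the end rather than through an EXIT trap, which stage 1 may never run.
      postDeviceCommands = lib.mkBefore ''
        btrfs="$(mktemp -d)"
        mount -o subvol=/ /dev/mapper/crypt "$btrfs"
        btrfs subvolume list -o "$btrfs/root" \
          | cut -f9 -d' ' \
          | while read subvolume; do
              btrfs subvolume delete "$btrfs/$subvolume"
            done \
          && btrfs subvolume delete "$btrfs/root"
        btrfs subvolume snapshot "$btrfs/blank" "$btrfs/root"
        umount "$btrfs"
        rm -rf "$btrfs"
      '';
    };
  };

  networking = {
    hostName = "sv1";
    networkmanager.enable = true;
    # HTTP/HTTPS for nginx; sshd opens its own port through the openssh module.
    firewall.allowedTCPPorts = [
      80
      443
    ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme.evict519@simplelogin.com";
    # One certificate covering the apex and both service subdomains; the
    # subdomain vhosts reuse it via useACMEHost.
    certs."dylanblades.com".extraDomainNames = [
      "gitea.dylanblades.com"
      "jellyfin.dylanblades.com"
    ];
  };

  time.timeZone = "Europe/London";
  i18n.defaultLocale = "en_GB.UTF-8";
  console.keyMap = "uk";

  users = {
    # All accounts are declared here; no passwords or users can be changed
    # at runtime (and they would not survive the root rollback anyway).
    mutableUsers = false;
    users = {
      root = {
        isSystemUser = true;
        openssh.authorizedKeys.keys = with lib.sshKeys; [
          lp1.user
          lp2.user
        ];
      };
      user = {
        isNormalUser = true;
        extraGroups = ["wheel"];
        openssh.authorizedKeys.keys = with lib.sshKeys; [
          lp1.user
          lp2.user
        ];
      };
    };
  };

  services = {
    openssh = {
      enable = true;
      # Key-only root login ("without-password" is sshd's older spelling of
      # "prohibit-password").
      settings.PermitRootLogin = "without-password";
    };
    gitea = {
      enable = true;
      # NOTE(review): useWizard leaves Gitea's web install wizard reachable
      # until setup is completed; on a public vhost, finish it promptly (or
      # switch this off once installed) so nobody else can complete it first.
      useWizard = true;
      appName = "Gitea";
      settings = {
        service.DISABLE_REGISTRATION = true;
        server = {
          DOMAIN = "gitea.dylanblades.com";
          ROOT_URL = "https://gitea.dylanblades.com/";
        };
        ui.DEFAULT_THEME = "gitea-dark";
      };
    };
    jellyfin.enable = true;
    nginx = {
      enable = true;
      virtualHosts = {
        "dylanblades.com" = {
          forceSSL = true;
          enableACME = true;
          root = pkgs.my-site;
        };
        # Gitea listens on 3000; Upgrade/Connection headers are forwarded so
        # websocket-based features keep working behind the proxy.
        "gitea.dylanblades.com" = {
          forceSSL = true;
          useACMEHost = "dylanblades.com";
          locations."/" = {
            proxyPass = "http://localhost:3000";
            extraConfig = ''
              client_max_body_size 512M;
              proxy_set_header Connection $http_connection;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
          };
        };
        # Jellyfin listens on 8096; /socket gets an explicit HTTP/1.1
        # websocket upgrade, the rest is plain proxying with buffering off
        # for streaming.
        "jellyfin.dylanblades.com" = {
          forceSSL = true;
          useACMEHost = "dylanblades.com";
          locations = {
            "/" = {
              proxyPass = "http://localhost:8096";
              extraConfig = ''
                client_max_body_size 20M;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host $http_host;
                proxy_buffering off;
              '';
            };
            "/socket" = {
              proxyPass = "http://localhost:8096";
              extraConfig = ''
                client_max_body_size 20M;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host $http_host;
              '';
            };
          };
        };
      };
    };
  };

  nixpkgs.overlays = [lib.overlays.pkgs];

  environment = {
    # State that must outlive the per-boot root rollback. Everything not
    # listed here (and not under /persist, /home, /nix or /var/log) is gone
    # after a reboot.
    # NOTE(review): neither /var/lib/acme nor the sshd host keys under
    # /etc/ssh are listed, so unless a shared module persists them, ACME
    # certificates are re-requested and host keys regenerated on every boot
    # — confirm against the imported impermanence module.
    persistence."/persist" = {
      hideMounts = true;
      directories = [
        {
          directory = "/var/lib/nixos";
          user = "root";
          group = "root";
          mode = "u=rwx,g=rx,o=rx";
        }
        {
          directory = "/var/lib/gitea";
          user = "gitea";
          group = "gitea";
          mode = "u=rwx,g=rx,o=";
        }
        {
          directory = "/var/lib/jellyfin";
          user = "jellyfin";
          group = "jellyfin";
          mode = "u=rwx,g=rx,o=";
        }
      ];
    };
    systemPackages = with pkgs; [
      cifs-utils
      git
      my-vim
    ];
  };

  nix.settings = {
    trusted-users = ["root"];
    experimental-features = [
      "nix-command"
      "flakes"
    ];
  };

  system.stateVersion = "24.11";
}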