about summary refs log tree commit diff
path: root/nix/machines/vm-hetzner
diff options
context:
space:
mode:
Diffstat (limited to 'nix/machines/vm-hetzner')
-rw-r--r--nix/machines/vm-hetzner/default.nix202
-rw-r--r--nix/machines/vm-hetzner/hardware.nix24
2 files changed, 226 insertions, 0 deletions
diff --git a/nix/machines/vm-hetzner/default.nix b/nix/machines/vm-hetzner/default.nix
new file mode 100644
index 0000000..a268779
--- /dev/null
+++ b/nix/machines/vm-hetzner/default.nix
@@ -0,0 +1,202 @@
+{ pkgs, lib, ... }: {
+  imports = [ ./hardware/vm-hetzner.nix ./vm-shared.nix ];
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+
+  networking.hostName = "vm-hetzner";
+  networking.domain = "net";
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+  ];
+
+  # This file was populated at runtime with the networking
+  # details gathered from the active system.
+  networking = {
+    nameservers =
+      [ "2a01:4ff:ff00::add:2" "2a01:4ff:ff00::add:1" "185.12.64.1" ];
+    defaultGateway = "172.31.1.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "eth0";
+    };
+    dhcpcd.enable = false;
+    usePredictableInterfaceNames = lib.mkForce false;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [{
+          address = "5.78.87.68";
+          prefixLength = 32;
+        }];
+        ipv6.addresses = [
+          {
+            address = "2a01:4ff:1f0:d1a3::1";
+            prefixLength = 64;
+          }
+          {
+            address = "fe80::9400:3ff:fe98:d6dc";
+            prefixLength = 64;
+          }
+        ];
+        ipv4.routes = [{
+          address = "172.31.1.1";
+          prefixLength = 32;
+        }];
+        ipv6.routes = [{
+          address = "fe80::1";
+          prefixLength = 128;
+        }];
+      };
+
+    };
+    firewall.allowedTCPPorts = [
+      22 # ssh
+      80 # nginx
+      443 # nginx
+    ];
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="96:00:03:98:d6:dc", NAME="eth0"
+
+  '';
+
+  security.acme = {
+    defaults.email = "acme@fcuny.net";
+    acceptTerms = true;
+  };
+
+  # FIXME: I also ran the following as the git user:
+  # git config --global init.defaultBranch main
+  # to ensure that new repositories are created with the default
+  # branch set to `main'.
+  # TODO(fcuny): I could create the configuration file to set the default branch
+  services.gitolite = {
+    enable = true;
+    adminPubkey =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
+    user = "git";
+    group = "git";
+    extraGitoliteRc = ''
+      # Make dirs/files group readable, needed for webserver/cgit. (Default
+      # setting is 0077.)
+      $RC{UMASK} = 0027;
+      $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
+      $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
+      push( @{$RC{ENABLE}}, 'symbolic-ref' );
+    '';
+  };
+
+  services.cgit.main = {
+    enable = true;
+    package = pkgs.cgit-pink;
+    user = "git";
+    group = "git";
+    nginx.virtualHost = "git.fcuny.net";
+    scanPath = "/var/lib/gitolite/repositories";
+    settings = {
+      css = "/cgit.css";
+      logo = "/cgit.png";
+      favicon = "/favicon.ico";
+      robots = "noindex, nofollow";
+      readme = ":README.md";
+      project-list = "/var/lib/gitolite/projects.list";
+      about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh";
+      source-filter =
+        "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py";
+      clone-url =
+        (lib.concatStringsSep " " [ "https://git.fcuny.net/$CGIT_REPO_URL" ]);
+      enable-log-filecount = 1;
+      enable-log-linecount = 1;
+      enable-git-config = 1;
+      enable-blame = 1;
+      enable-commit-graph = 1;
+      enable-follow-links = 1;
+      enable-index-links = 1;
+      enable-remote-branches = 1;
+      enable-subject-links = 1;
+      enable-tree-linenumbers = 1;
+      max-atom-items = 108;
+      max-commit-count = 250;
+      max-repo-count = 500;
+      repository-sort = "age";
+      snapshots = "tar.gz";
+      root-title = "¯\\_(ツ)_/¯";
+      root-desc = "source code of my various projects";
+    };
+  };
+
+  virtualisation.oci-containers.containers.excalidraw = {
+    autoStart = true;
+    image = "excalidraw/excalidraw:latest";
+    environment = { TZ = "America/Los_Angeles"; };
+    ports = [ "127.0.0.1:3030:80" ];
+    extraOptions = [ "--pull=always" ];
+  };
+
+  services.nginx = {
+    enable = true;
+
+    recommendedProxySettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      "fcuny.net" = {
+        # make it the default site: if a request goes through nginx
+        # without a host header, this will be the default site we serve
+        # for that request.
+        default = true;
+        forceSSL = true;
+        enableACME = true;
+        locations = {
+          "/" = { root = "/srv/www/fcuny.net"; };
+          "/.well-known/acme-challenge" = {
+            root = "/var/lib/acme/acme-challenges";
+          };
+        };
+      };
+      "git.fcuny.net" = {
+        forceSSL = true;
+        enableACME = true;
+        locations = {
+          "/.well-known/acme-challenge" = {
+            root = "/var/lib/acme/acme-challenges";
+          };
+        };
+      };
+      "draw.fcuny.net" = {
+        forceSSL = true;
+        enableACME = true;
+        locations = {
+          "/".proxyPass = "http://127.0.0.1:3030";
+          "/.well-known/acme-challenge" = {
+            root = "/var/lib/acme/acme-challenges";
+          };
+        };
+      };
+    };
+  };
+
+  services.restic.backups.git = {
+    user = "fcuny";
+    passwordFile = "/etc/restic.pw";
+    repository = "/srv/backups/git";
+    initialize = true;
+    paths = [ "/var/lib/gitolite" ];
+    exclude = [
+      "/var/lib/gitolite/.bash_history"
+      "/var/lib/gitolite/.ssh"
+      "/var/lib/gitolite/.viminfo"
+    ];
+    extraBackupArgs = [ "--exclude-caches" "--compression=max" ];
+    timerConfig = { OnCalendar = "*:0/30"; };
+    pruneOpts = [
+      "--keep-hourly 36"
+      "--keep-daily 7"
+      "--keep-weekly 4"
+      "--keep-monthly 3"
+    ];
+  };
+}
diff --git a/nix/machines/vm-hetzner/hardware.nix b/nix/machines/vm-hetzner/hardware.nix
new file mode 100644
index 0000000..89a92a9
--- /dev/null
+++ b/nix/machines/vm-hetzner/hardware.nix
@@ -0,0 +1,24 @@
+{ modulesPath, ... }: {
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.initrd.availableKernelModules =
+    [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+  };
+
+  boot.initrd.kernelModules = [ "nvme" ];
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/sda1";
+      fsType = "ext4";
+    };
+    "/srv" = {
+      device = "/dev/disk/by-id/scsi-0HC_Volume_101115314";
+      fsType = "ext4";
+    };
+  };
+}