Diffstat (limited to 'nix/machines/vm-hetzner')
-rw-r--r-- | nix/machines/vm-hetzner/default.nix | 202 | ||||
-rw-r--r-- | nix/machines/vm-hetzner/hardware.nix | 24 |
2 files changed, 226 insertions, 0 deletions
diff --git a/nix/machines/vm-hetzner/default.nix b/nix/machines/vm-hetzner/default.nix
new file mode 100644
index 0000000..a268779
--- /dev/null
+++ b/nix/machines/vm-hetzner/default.nix
@@ -0,0 +1,202 @@
+{ pkgs, lib, ... }: {
+ imports = [ ./hardware/vm-hetzner.nix ./vm-shared.nix ];
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+
+ networking.hostName = "vm-hetzner";
+ networking.domain = "net";
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ ];
+
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
+ networking = {
+ nameservers =
+ [ "2a01:4ff:ff00::add:2" "2a01:4ff:ff00::add:1" "185.12.64.1" ];
+ defaultGateway = "172.31.1.1";
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "eth0";
+ };
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce false;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [{
+ address = "5.78.87.68";
+ prefixLength = 32;
+ }];
+ ipv6.addresses = [
+ {
+ address = "2a01:4ff:1f0:d1a3::1";
+ prefixLength = 64;
+ }
+ {
+ address = "fe80::9400:3ff:fe98:d6dc";
+ prefixLength = 64;
+ }
+ ];
+ ipv4.routes = [{
+ address = "172.31.1.1";
+ prefixLength = 32;
+ }];
+ ipv6.routes = [{
+ address = "fe80::1";
+ prefixLength = 128;
+ }];
+ };
+
+ };
+ firewall.allowedTCPPorts = [
+ 22 # ssh
+ 80 # nginx
+ 443 # nginx
+ ];
+ };
+ services.udev.extraRules = ''
+ ATTR{address}=="96:00:03:98:d6:dc", NAME="eth0"
+
+ '';
+
+ security.acme = {
+ defaults.email = "acme@fcuny.net";
+ acceptTerms = true;
+ };
+
+ # FIXME: I also ran the following as the git user:
+ # git config --global init.defaultBranch main
+ # to ensure that new repositories are created with the default
+ # branch set to `main'.
+ # TODO(fcuny): I could create the configuration file to set the default branch
+ services.gitolite = {
+ enable = true;
+ adminPubkey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
+ user = "git";
+ group = "git";
+ extraGitoliteRc = ''
+ # Make dirs/files group readable, needed for webserver/cgit. (Default
+ # setting is 0077.)
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
+ $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
+ push( @{$RC{ENABLE}}, 'symbolic-ref' );
+ '';
+ };
+
+ services.cgit.main = {
+ enable = true;
+ package = pkgs.cgit-pink;
+ user = "git";
+ group = "git";
+ nginx.virtualHost = "git.fcuny.net";
+ scanPath = "/var/lib/gitolite/repositories";
+ settings = {
+ css = "/cgit.css";
+ logo = "/cgit.png";
+ favicon = "/favicon.ico";
+ robots = "noindex, nofollow";
+ readme = ":README.md";
+ project-list = "/var/lib/gitolite/projects.list";
+ about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh";
+ source-filter =
+ "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py";
+ clone-url =
+ (lib.concatStringsSep " " [ "https://git.fcuny.net/$CGIT_REPO_URL" ]);
+ enable-log-filecount = 1;
+ enable-log-linecount = 1;
+ enable-git-config = 1;
+ enable-blame = 1;
+ enable-commit-graph = 1;
+ enable-follow-links = 1;
+ enable-index-links = 1;
+ enable-remote-branches = 1;
+ enable-subject-links = 1;
+ enable-tree-linenumbers = 1;
+ max-atom-items = 108;
+ max-commit-count = 250;
+ max-repo-count = 500;
+ repository-sort = "age";
+ snapshots = "tar.gz";
+ root-title = "¯\\_(ツ)_/¯";
+ root-desc = "source code of my various projects";
+ };
+ };
+
+ virtualisation.oci-containers.containers.excalidraw = {
+ autoStart = true;
+ image = "excalidraw/excalidraw:latest";
+ environment = { TZ = "America/Los_Angeles"; };
+ ports = [ "127.0.0.1:3030:80" ];
+ extraOptions = [ "--pull=always" ];
+ };
+
+ services.nginx = {
+ enable = true;
+
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = {
+ "fcuny.net" = {
+ # make it the default site: if a request goes through nginx
+ # without a host header, this will be the default site we serve
+ # for that request.
+ default = true;
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = { root = "/srv/www/fcuny.net"; };
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/acme-challenges";
+ };
+ };
+ };
+ "git.fcuny.net" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/acme-challenges";
+ };
+ };
+ };
+ "draw.fcuny.net" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".proxyPass = "http://127.0.0.1:3030";
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/acme-challenges";
+ };
+ };
+ };
+ };
+ };
+
+ services.restic.backups.git = {
+ user = "fcuny";
+ passwordFile = "/etc/restic.pw";
+ repository = "/srv/backups/git";
+ initialize = true;
+ paths = [ "/var/lib/gitolite" ];
+ exclude = [
+ "/var/lib/gitolite/.bash_history"
+ "/var/lib/gitolite/.ssh"
+ "/var/lib/gitolite/.viminfo"
+ ];
+ extraBackupArgs = [ "--exclude-caches" "--compression=max" ];
+ timerConfig = { OnCalendar = "*:0/30"; };
+ pruneOpts = [
+ "--keep-hourly 36"
+ "--keep-daily 7"
+ "--keep-weekly 4"
+ "--keep-monthly 3"
+ ];
+ };
+}
diff --git a/nix/machines/vm-hetzner/hardware.nix b/nix/machines/vm-hetzner/hardware.nix
new file mode 100644
index 0000000..89a92a9
--- /dev/null
+++ b/nix/machines/vm-hetzner/hardware.nix
@@ -0,0 +1,24 @@
+{ modulesPath, ... }: {
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot.initrd.availableKernelModules =
+ [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ boot.initrd.kernelModules = [ "nvme" ];
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+ "/srv" = {
+ device = "/dev/disk/by-id/scsi-0HC_Volume_101115314";
+ fsType = "ext4";
+ };
+ };
+} |
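Review bot: `image = "excalidraw/excalidraw:latest"` combined with `extraOptions = [ "--pull=always" ]` re-pulls an unpinned mutable tag on every container start, so whatever the registry serves at that moment is what ends up exposed on draw.fcuny.net with no review step; pin the image by digest (`image = "excalidraw/excalidraw@sha256:<digest>";`) or at least a fixed version tag, and drop `--pull=always` so updates happen through a config change. The restic job runs as `user = "fcuny"` over `/var/lib/gitolite`, a tree that gitolite writes as git:git with `$RC{UMASK} = 0027`; unless fcuny is a member of the git group (not visible in this hunk, possibly set in vm-shared.nix) the backup will fail on unreadable paths, and `/etc/restic.pw` must be readable only by that user since it is the key to the whole repository. `/srv/backups/git` is also on the same VM as the data it protects, so it gives no protection against compromise or loss of this host; an off-host restic target would be worth adding. The explicit `"/.well-known/acme-challenge"` locations look redundant: with `enableACME = true` the NixOS nginx module already emits its own challenge location rooted at `acmeRoot`, and the `acme-challenges` directory named here does not appear to match that module's default, so these blocks are likely dead and could be removed.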