{ pkgs, lib, ... }:

let
  # One ed25519 key is used both for root logins and as the gitolite admin
  # key: whoever holds it gets root on this VM *and* control of the admin
  # repository (see the LOCAL_CODE note below).
  adminKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";

  cgitPkg = pkgs.cgit-pink;

  # Every TLS vhost answers ACME HTTP-01 challenges from the same webroot.
  acmeChallengeLocation = {
    "/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenges";
  };
in
{
  imports = [
    ./hardware/vm-hetzner.nix
    ./vm-shared.nix
  ];

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  users.users.root.openssh.authorizedKeys.keys = [ adminKey ];

  # This file was populated at runtime with the networking
  # details gathered from the active system.
  networking = {
    hostName = "vm-hetzner";
    domain = "net";

    nameservers = [
      "2a01:4ff:ff00::add:2"
      "2a01:4ff:ff00::add:1"
      "185.12.64.1"
    ];
    defaultGateway = "172.31.1.1";
    defaultGateway6 = {
      address = "fe80::1";
      interface = "eth0";
    };

    # Addresses are static; no DHCP client runs on this host.
    dhcpcd.enable = false;
    # The interface is called eth0 and pinned to its MAC by the udev rule
    # below, so predictable names are forced off.
    usePredictableInterfaceNames = lib.mkForce false;

    interfaces.eth0 = {
      ipv4 = {
        addresses = [
          { address = "5.78.87.68"; prefixLength = 32; }
        ];
        # /32 address, so the gateway needs an explicit on-link route.
        routes = [
          { address = "172.31.1.1"; prefixLength = 32; }
        ];
      };
      ipv6 = {
        addresses = [
          { address = "2a01:4ff:1f0:d1a3::1"; prefixLength = 64; }
          { address = "fe80::9400:3ff:fe98:d6dc"; prefixLength = 64; }
        ];
        routes = [
          { address = "fe80::1"; prefixLength = 128; }
        ];
      };
    };

    # Only ssh and the web ports are reachable from outside; the excalidraw
    # container below publishes its port on loopback only.
    firewall.allowedTCPPorts = [
      22  # ssh
      80  # nginx (plain http is redirected by forceSSL below)
      443 # nginx
    ];
  };

  services.udev.extraRules = ''
    ATTR{address}=="96:00:03:98:d6:dc", NAME="eth0"
  '';

  security.acme = {
    defaults.email = "acme@fcuny.net";
    acceptTerms = true;
  };

  # FIXME: I also ran the following as the git user:
  #   git config --global init.defaultBranch main
  # to ensure that new repositories are created with the default
  # branch set to `main'.
  # TODO(fcuny): I could create the configuration file to set the default branch
  services.gitolite = {
    enable = true;
    adminPubkey = adminKey;
    user = "git";
    group = "git";
    # Gitolite rc fragment (Perl). GIT_CONFIG_KEYS is the allow-list of git
    # config keys repo admins may set through gitolite.conf; it is what
    # bounds cgit's enable-git-config=1 below to the cgit.* keys.
    # NOTE(review): LOCAL_CODE under GL_ADMIN_BASE presumably lets code
    # pushed to the admin repo run as the git user — confirm that is
    # intended, since it makes the admin key as sensitive as the root key.
    extraGitoliteRc = ''
      # Make dirs/files group readable, needed for webserver/cgit. (Default
      # setting is 0077.)
      $RC{UMASK} = 0027;
      $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
      $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
      push( @{$RC{ENABLE}}, 'symbolic-ref' );
    '';
  };

  services.cgit.main = {
    enable = true;
    package = cgitPkg;
    # Runs as the gitolite user so it can read the repositories directly.
    user = "git";
    group = "git";
    nginx.virtualHost = "git.fcuny.net";
    scanPath = "/var/lib/gitolite/repositories";
    settings = {
      css = "/cgit.css";
      logo = "/cgit.png";
      favicon = "/favicon.ico";
      robots = "noindex, nofollow";
      readme = ":README.md";
      project-list = "/var/lib/gitolite/projects.list";
      about-filter = "${cgitPkg}/lib/cgit/filters/about-formatting.sh";
      source-filter = "${cgitPkg}/lib/cgit/filters/syntax-highlighting.py";
      # `$CGIT_REPO_URL` is expanded by cgit, not by Nix (no braces).
      clone-url = "https://git.fcuny.net/$CGIT_REPO_URL";
      enable-log-filecount = 1;
      enable-log-linecount = 1;
      # Honour per-repository cgit.* config keys (set via gitolite, see
      # GIT_CONFIG_KEYS above).
      enable-git-config = 1;
      enable-blame = 1;
      enable-commit-graph = 1;
      enable-follow-links = 1;
      enable-index-links = 1;
      enable-remote-branches = 1;
      enable-subject-links = 1;
      enable-tree-linenumbers = 1;
      max-atom-items = 108;
      max-commit-count = 250;
      max-repo-count = 500;
      repository-sort = "age";
      snapshots = "tar.gz";
      root-title = "¯\\_(ツ)_/¯";
      root-desc = "source code of my various projects";
    };
  };

  # Self-hosted excalidraw; only the nginx vhost below can reach it since
  # the container port is published on 127.0.0.1.
  # NOTE(review): `latest` together with `--pull=always` re-pulls an
  # unpinned, mutable tag on every start, so what runs here can change
  # without a config change; pinning the image by digest would make the
  # deployment reproducible.
  virtualisation.oci-containers.containers.excalidraw = {
    autoStart = true;
    image = "excalidraw/excalidraw:latest";
    environment.TZ = "America/Los_Angeles";
    ports = [ "127.0.0.1:3030:80" ];
    extraOptions = [ "--pull=always" ];
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      "fcuny.net" = {
        # Default site: a request that reaches nginx without a (matching)
        # Host header is served by this vhost.
        default = true;
        forceSSL = true;
        enableACME = true;
        locations = acmeChallengeLocation // {
          "/".root = "/srv/www/fcuny.net";
        };
      };
      "git.fcuny.net" = {
        forceSSL = true;
        enableACME = true;
        # cgit attaches its own locations here via
        # services.cgit.main.nginx.virtualHost above.
        locations = acmeChallengeLocation;
      };
      "draw.fcuny.net" = {
        forceSSL = true;
        enableACME = true;
        locations = acmeChallengeLocation // {
          "/".proxyPass = "http://127.0.0.1:3030";
        };
      };
    };
  };

  # Snapshot of the gitolite state every 30 minutes into a repository on the
  # local filesystem.
  # NOTE(review): the job runs as `fcuny` while the gitolite rc above sets a
  # 0027 umask, so reading /var/lib/gitolite presumably relies on that user
  # being in the `git` group — verify.
  services.restic.backups.git = {
    user = "fcuny";
    # Repository password lives outside the (world-readable) nix store.
    passwordFile = "/etc/restic.pw";
    repository = "/srv/backups/git";
    initialize = true;
    paths = [ "/var/lib/gitolite" ];
    # Shell/editor state and the git user's own SSH material are not
    # part of the backup.
    exclude = [
      "/var/lib/gitolite/.bash_history"
      "/var/lib/gitolite/.ssh"
      "/var/lib/gitolite/.viminfo"
    ];
    extraBackupArgs = [
      "--exclude-caches"
      "--compression=max"
    ];
    timerConfig.OnCalendar = "*:0/30";
    pruneOpts = [
      "--keep-hourly 36"
      "--keep-daily 7"
      "--keep-weekly 4"
      "--keep-monthly 3"
    ];
  };
}