{ withSystem, self, inputs, lib, ... }:
let
# Login account this host is built for; it also selects the matching
# per-user nixos/home-manager modules below and is the account granted
# passwordless sudo in the NixOS configuration.
username = "john";
# Host name; doubles as the nixosConfigurations attribute name, the mTLS
# certificate subject and the step-ssh host name.
hostname = "soteria";
in
{
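flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
  modules = with inputs.self.modules; [
    nixos.lxc
    nixos."${username}"
    nixos.mysops
    nixos.step-ssh-host
    nixos.login-text
    nixos.docker
    nixos.mtls
    nixos.janus-ca
    nixos.forgejo
    # nixos.restic-server
    # nixos.restic-envoy

    ({ config, pkgs, ... }: {
      networking.hostName = hostname;
      time.timeZone = "America/Chicago";

      # Passwordless sudo for *every* command.
      # NOTE(review): this makes the account equivalent to root — any code
      # that runs as this user (a stolen SSH session, a malicious shell
      # plugin or editor package) gets root with no second check. If the
      # intent is only unattended rebuilds, scope `command` to that binary
      # instead of "ALL". Left as-is because narrowing it would be a guess
      # at the operator's workflow.
      security.sudo-rs.extraRules = lib.mkAfter [
        {
          users = [ username ];
          commands = [
            {
              command = "ALL";
              options = [ "NOPASSWD" ];
            }
          ];
        }
      ];

      users.users."${username}".extraGroups = [ "mtls" ];

      # Short-lived host certificate from the local janus CA, rotated by a
      # systemd timer; the listed units are reloaded after each renewal so
      # they pick up the new key pair.
      mtls = {
        enable = true;
        certDir = config.janus-ca.certDir;
        subject = hostname;
        san = [
          "${hostname}.john-stream.com"
          # "192.168.1.142"
          "forgejo.john-stream.com"
          "192.168.1.244"
        ];
        lifetime = "12h";
        # Every 15 minutes at :03/:18/:33/:48 — many renewal attempts fit
        # inside the 12h lifetime, so a few failed runs do not expire the cert.
        renew.onCalendar = "*:3/15";
        renew.reloadUnits = [ "forgejo.service" "restic-rest-server.service" ];
        certReaders = [ config.services.forgejo.user "restic" ];
      };

      forgejo = {
        enable = true;
        root_url = "https://forgejo.john-stream.com";
        https = true;
        port = 443;
      };

      # restic REST backup target, reachable from every interface.
      networking.firewall.allowedTCPPorts = [ 8000 ];
      services.restic.server = {
        enable = true;
        # SECURITY: `--no-auth` below means any host that can reach port 8000
        # can read and write every repository; the TLS flags only prove the
        # *server's* identity (rest-server does not verify client certificates
        # as far as I know, so the mtls cert gives no client authentication
        # here). appendOnly at least stops a compromised backup client from
        # deleting or overwriting existing snapshots (the usual ransomware
        # path); `restic forget --prune` must then be run on this host with
        # direct filesystem access rather than from a client. Adding an
        # htpasswd file (or an authenticating proxy — see the commented-out
        # restic-envoy module) would close the remaining gap.
        appendOnly = true;
        # NOTE(review): privateRepos scopes access by the authenticated
        # username; with --no-auth there is no username, so confirm this
        # option still has the intended effect.
        privateRepos = true;
        listenAddress = "0.0.0.0:8000";
        extraFlags = [
          "--no-auth"
          "--tls"
          "--tls-cert=${config.mtls.certFile}"
          "--tls-key=${config.mtls.keyFile}"
        ];
      };

      # Units whose status is shown in the login banner.
      loginText.extraServiceStatus = {
        Docker = "docker";
        "mTLS Renewal" = "mtls-renew.timer";
        Forgejo = "forgejo.service";
        "Forgejo Backup" = "forgejo-dump.timer";
        "Restic REST Server" = "restic-rest-server.service";
      };

      step-ssh-host.hostname = hostname;

      # This provides the secrets at install time
      sops.defaultSopsFile = ./secrets.yaml;

      programs.zsh.enable = true;

      home-manager.users."${username}".imports = [ inputs.self.modules.homeManager.soteria ];

      environment.systemPackages = [
        inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
        inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh
      ];
    })
  ];
};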
# Host-specific home-manager module for soteria; shared by the NixOS
# home-manager integration and the standalone homeConfigurations entry.
flake.modules.homeManager.soteria = { config, pkgs, lib, ... }: {
  imports = with inputs.self.modules.homeManager; [ rebuild mysops ];

  # Checkout of this flake on the host, used by the rebuild helper and to
  # locate the per-host secrets file below.
  homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";

  docker.enable = true;

  # Makes the edit-secrets script target this host's sops file.
  mysops.hostSecretFile = "${config.homeManagerFlakeDir}/modules/hosts/soteria/secrets.yaml";
};
# Standalone home-manager configuration (for `home-manager switch` without
# going through nixos-rebuild); composes the user module with the host module.
flake.homeConfigurations.soteria = withSystem "x86_64-linux" ({ inputs', ... }:
  let
    hm = inputs.self.modules.homeManager;
  in
  inputs.home-manager.lib.homeManagerConfiguration {
    pkgs = inputs'.nixpkgs.legacyPackages;
    modules = [ hm."${username}" hm.soteria ];
  });
} |