{
  inputs,
  lib,
  config,
  pkgs,
  ...
}:
let
  # Out-of-tree nginx module sources (GeoIP2 lookups), pinned to a git
  # revision by hash.  Only the C sources and the module's `config` file
  # are staged into $out; nginx's own configure step compiles them via
  # the --add-module flag set further down.
  ngx_http_geoip2_module = pkgs.stdenv.mkDerivation {
    name = "ngx_http_geoip2_module-a28ceff";
    src = pkgs.fetchgit {
      url = "https://github.com/leev/ngx_http_geoip2_module";
      rev = "445df24ef3781e488cee3dfe8a1e111997fc1dfe";
      sha256 = "1h2xkxpb2nk4r3pkbzgas5rbl95i59jpa59rh94x2hyzxmzrzvv8";
    };
    installPhase = ''
      mkdir $out
      cp *.c config $out/
    '';
    # Nothing to patch or strip: $out holds sources, not binaries.
    fixupPhase = "";
  };

  # Per-node metadata (name, domain, ssh_keys are the keys read below),
  # read from the host at evaluation time.  NOTE(review): this is an
  # absolute path outside the configuration tree, so it only resolves
  # when evaluated on the target host; pure/restricted evaluation
  # (e.g. flake-based builds) may reject it -- confirm how this module
  # is evaluated before relying on it from elsewhere.
  instance = builtins.fromJSON (builtins.readFile "/etc/tjo.cloud/meta.json");

  # Placeholder: both url and sha256 are empty, so this cannot be
  # fetched or hash-verified yet and the `imports` entry below will
  # fail until a real URL and hash are filled in.
  base_configuration = pkgs.fetchurl {
    url = "";
    sha256 = "";
  };
in
{
  system.stateVersion = "24.05";

  # FIXME: Also import the pre-defined generator config.
  imports = [ base_configuration ];

  nix = {
    nixPath = [ "nixos-config=/etc/tjo.cloud/configuration.nix" ];
    # Trusted users may push arbitrary store paths and settings to the
    # daemon; this is root-equivalent, which is consistent with the
    # passwordless wheel sudo granted below.
    settings.trusted-users = [ "nixos" ];
  };

  # NETWORK
  networking = {
    hostName = instance.name;
    domain = instance.domain;

    # FIREWALL
    firewall = {
      enable = true;
      # Everything arriving over the tailnet is accepted unfiltered, so
      # services that are not listed in allowedTCPPorts (e.g. the
      # webhook listener on 9000) are reachable via tailscale0 only.
      trustedInterfaces = [ "tailscale0" ];
      allowedUDPPorts = [ config.services.tailscale.port ];
      # Open on all non-trusted interfaces: sshd, and nginx http/https.
      allowedTCPPorts = [
        22
        80
        443
      ];
    };
  };

  # USER MANAGEMENT
  security.sudo.wheelNeedsPassword = false;

  users.users.nixos = {
    isNormalUser = true;
    # Cleartext password in the configuration: NixOS renders it into
    # the world-readable Nix store.  sshd password/keyboard-interactive
    # auth is disabled below, so it only gates local (console) logins,
    # but hashedPasswordFile pointing at a file under the secrets
    # directory is the usual replacement.
    password = "hunter2";
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = instance.ssh_keys;
  };

  services = {
    # SSH: key-only, root login refused.
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "no";
      };
    };

    # TAILSCALE
    tailscale = {
      enable = true;
      # Node auth key is kept out of the store and read from disk.
      authKeyFile = "/etc/tjo.cloud/secrets/tailscale.com/authkey";
      # --ssh enables Tailscale SSH alongside sshd, i.e. a second SSH
      # entry point whose access policy lives in the tailnet ACLs,
      # not in this file.  --accept-routes takes subnet routes
      # advertised by other nodes.
      extraUpFlags = [
        "--ssh"
        "--accept-routes"
      ];
    };

    # NGINX, rebuilt from the upstream package with the GeoIP2 module
    # linked in (libmaxminddb is its runtime dependency).
    nginx = {
      enable = true;
      package = pkgs.nginx.overrideAttrs (oldAttrs: {
        configureFlags = oldAttrs.configureFlags ++ [ "--add-module=${ngx_http_geoip2_module}" ];
        buildInputs = oldAttrs.buildInputs ++ [ pkgs.libmaxminddb ];
      });
    };

    # WEBHOOK
    # TODO: we will have multiple instances of these,
    # should they somehow broadcast changes to each other?
    # Should this be a GO service instead? With some raft mechanism?
    # At that point, we could also switch from nginx to envoy or something...
    webhook = {
      enable = true;
      # Not in allowedTCPPorts; see the firewall section.
      port = 9000;
      hooks = {
        test = {
          execute-command = "echo 'test'";
        };
      };
    };
  };

  # NOTE(review): ordering the guest agent after tailscaled-autoconnect
  # presumably delays "guest ready" until the node has joined the
  # tailnet -- confirm that is the intent; `requires` also means the
  # agent will not start if autoconnect fails.
  systemd.services.qemu-guest-agent = {
    after = [ "tailscaled-autoconnect.service" ];
    requires = [ "tailscaled-autoconnect.service" ];
  };
}