# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, lib, pkgs, ... }:
let
baseDomain = "push-f.com";
acmeEmail = "martin@push-f.com";
sources = import ../../npins;
helpers = import <top/helpers.nix> { inherit config; };
in
{
imports = [
./hardware-configuration.nix
<top/profiles/server>
<top/shared/postgresql.nix>
<top/shared/tailscale.nix>
./web-personal.nix
./git.nix
./gotify.nix
./headscale.nix
./matrix.nix
./monitoring.nix
"${sources.my-lex-surf}/service.nix"
"${sources.my-osm-proposals}/service.nix"
"${sources.my-geopos-link}/service.nix"
"${sources.my-rust-features}/service.nix"
"${sources.my-spec-pub}/service.nix"
];
web-personal.domain = baseDomain;
web-personal.matrixApiDomain = config.matrix.apiDomain;
git.webUiDomain = "git.${baseDomain}";
headscale.domain = "tailscale.${baseDomain}";
matrix.serverName = baseDomain;
matrix.apiDomain = "matrix.${baseDomain}";
users.users.www-generator = {
isSystemUser = true;
group = "www-generator";
};
users.groups.www-generator = {};
services.lex-surf =
let
domain = "lex.surf";
in
{
enable = true;
domain = domain;
enableACME = true;
fetchUser = "www-generator";
nginx = {
forceSSL = true;
extraConfig = helpers.mkNginxConfig domain;
};
};
services.osm_proposals =
let
domain = "osm-proposals.${baseDomain}";
in
{
enable = true;
virtualHost = domain;
nginx = {
enableACME = true;
forceSSL = true;
extraConfig = helpers.mkNginxConfig domain;
};
};
services.geopos-share =
let
domain = "geopos.link";
in
{
enable = true;
virtualHost = domain;
nginx = {
enableACME = true;
forceSSL = true;
extraConfig = helpers.mkNginxConfig domain;
};
};
services.rust-features =
let
domain = "rust-features.${baseDomain}";
in
{
enable = true;
user = "www-generator";
virtualHost = domain;
nginx = {
enableACME = true;
forceSSL = true;
extraConfig = helpers.mkNginxConfig domain;
};
};
services.spec-pub =
let
domain = "spec.pub";
in
{
enable = true;
virtualHost = domain;
nginx = {
enableACME = true;
forceSSL = true;
extraConfig = helpers.mkNginxConfig domain;
};
};
monitoring.grafanaUiPort = 3000;
monitoring.alloyUiPort = 3001;
monitoring.lokiPort = 3030;
gotify.port = 4000;
monitoring.prometheusNodeExporterPort = 9002;
monitoring.prometheusSqlExporterPort = 9003;
headscale.port = 8080;
matrix.port = 8008;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
networking.hostName = "tente"; # Define your hostname.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone.
time.timeZone = "Europe/Vienna";
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
users.users.martin = {
isNormalUser = true;
extraGroups = [
"wheel" # Enable ‘sudo’ for the user.
"www-data"
];
packages = with pkgs; [
];
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
wget
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [
# Enabling openssh automatically opens its port in the firewall.
# For all other services we need to manually list the ports here.
80 443
];
networking.firewall.allowedUDPPorts = [];
# comes with a pre-configured SSH jail
services.fail2ban.enable = true;
users.groups.www-data = {};
systemd.tmpfiles.rules = [
"d /srv/www 2770 root www-data -"
];
services = {
nginx = {
enable = true;
group = "www-data";
appendHttpConfig = ''
# Close the connection for unknown Host headers.
# If we don't do this nginx serves some random virtualhost.
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_reject_handshake on;
return 444;
}
'';
commonHttpConfig = helpers.commonHttpConfig;
};
};
security.acme = {
acceptTerms = true; # https://letsencrypt.org/repository/
defaults.email = acmeEmail;
};
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.11"; # Did you read the comment?
}