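{
  config,
  pkgs,
  ...
}: let
  inherit (pkgs) lib;

  # Authorized SSH keys for gsimmer and root, fetched once and pinned by
  # content hash: if https://gmem.ca/ssh changes, evaluation fails instead of
  # silently installing different keys. Bump the hash deliberately on rotation.
  publicKeysFile = pkgs.fetchurl {
    url = "https://gmem.ca/ssh";
    hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
  };
  authorizedKeys =
    builtins.filter (key: key != "")
    (lib.splitString "\n" (builtins.readFile publicKeysFile));

  # Tailscale address of this host. Services meant for the tailnet only bind
  # here; tailscale0 is a trusted firewall interface, so nothing needs opening.
  tailscaleAddr = "100.116.48.47";

  # Settings shared by the three restic jobs.
  # NOTE(review): all jobs share one B2 application key and one repository
  # password, both group-readable by `users`, so either local user can read,
  # prune or delete the other user's backups and root's app backup. Per-job
  # secrets (and a B2 key without delete capability, or object lock) would
  # contain that; it needs new secret files, so it is only noted here.
  b2Credentials = config.age.secrets.restic-b2-credentials.path;
  resticPassword = config.age.secrets.restic-password.path;
  keepPolicy = [
    "--keep-daily 7"
    "--keep-weekly 5"
    "--keep-monthly 12"
    "--keep-yearly 5"
  ];
  dailyTimer = delay: {
    OnCalendar = "daily";
    Persistent = true;
    RandomizedDelaySec = delay;
  };

  # Healthchecks pings around each backup. The base URL is read at run time
  # from the agenix secret so it never lands in the Nix store or the journal.
  curl = "${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null";
  pingBase = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})";
  healthcheckStart = slug: ''
    ${curl} "${pingBase}/${slug}/start"
  '';
  # The cleanup command runs after the backup (ExecStopPost), where systemd
  # exports $EXIT_STATUS. The previous version used `$?`, which at that point
  # is the status of the `journalctl | tail` pipeline (practically always 0),
  # so failed backups were reported to Healthchecks as successes. An unset
  # $EXIT_STATUS is reported as a failure (1) rather than a success.
  # NOTE(review): journalctl runs as the backup user; a user outside the
  # wheel/systemd-journal groups (becki) may only get an empty excerpt.
  healthcheckFinish = slug: unit: ''
    output="$(${pkgs.systemd}/bin/journalctl --unit ${unit} --since=today --boot --no-pager | ${pkgs.coreutils}/bin/tail --bytes 100000)"
    ${curl} "${pingBase}/${slug}/''${EXIT_STATUS:-1}" --data-raw "$output"
  '';

  # Reverse-proxy location shared by the public vhosts: pass the real client
  # address and scheme so the upstream builds correct URLs and audit logs.
  proxyLocation = upstream: {
    proxyPass = upstream;
    extraConfig = ''
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      client_max_body_size 500M;
    '';
  };
in {
  imports = [
    # Include the results of the hardware scan.
    ./hardware.nix
  ];

  # agenix secrets. Those consumed by the restic jobs stay owned by root and
  # group-readable by `users` (gsimmer and becki run their own backups) but are
  # no longer writable or executable: the previous mode 770 let any member of
  # `users` rewrite the B2 key, the repository password and the ping URL.
  age.secrets = {
    action-token = {
      file = ../../secrets/vancouver-action-runner.age;
      owner = "gitea-runner";
    };
    restic-b2-credentials = {
      file = ../../secrets/vancouver-restic-b2.age;
      group = "users";
      mode = "440";
    };
    restic-password = {
      file = ../../secrets/vancouver-restic-password.age;
      group = "users";
      mode = "440";
    };
    # Holds the Healthchecks base URL; it is read with cat, never executed.
    healthcheck-ping = {
      file = ../../secrets/healthchecks-ping.sh.age;
      group = "users";
      mode = "440";
    };
    cloudflare-dns = {
      file = ../../secrets/cloudflare-dns.age;
      owner = "acme";
    };
  };

  nix = {
    settings = {
      auto-optimise-store = true;
      experimental-features = ["nix-command" "flakes"];
    };
  };

  boot = {
    tmp.cleanOnBoot = true;
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    supportedFilesystems = ["zfs" "ntfs"];
    kernelModules = ["coretemp" "kvm-amd" "it87"];
    zfs.extraPools = ["tank"];
  };

  services = {
    paperless = {
      enable = true;
      dataDir = "/tank/documents";
      settings = {
        # Paperless is served at https://docs.gmem.ca through nginx below;
        # PAPERLESS_URL feeds Django's ALLOWED_HOSTS / CSRF_TRUSTED_ORIGINS so
        # form posts arriving via the proxy are not rejected as cross-site.
        PAPERLESS_URL = "https://docs.gmem.ca";
        PAPERLESS_OCR_USER_ARGS = {
          invalidate_digital_signatures = true;
        };
      };
    };
    fwupd.enable = true;
    promtail = {
      enable = true;
      configuration = {
        server = {
          http_listen_port = 3031;
          grpc_listen_port = 0;
        };
        positions = {
          # NOTE(review): /tmp is wiped by boot.tmp.cleanOnBoot (and may be a
          # per-unit private tmp), so the read position is lost on restart and
          # up to max_age of journal is shipped again. A persistent directory
          # the promtail unit is allowed to write would avoid that; the unit's
          # sandboxing lives in the NixOS module, so confirm the path first.
          filename = "/tmp/positions.yaml";
        };
        clients = [
          {
            url = "http://monitoring:3030/loki/api/v1/push";
          }
        ];
        scrape_configs = [
          {
            job_name = "journal";
            journal = {
              max_age = "12h";
              labels = {
                job = "systemd-journal";
                host = "vancouver";
              };
            };
            relabel_configs = [
              {
                source_labels = ["__journal__systemd_unit"];
                target_label = "unit";
              }
            ];
          }
        ];
      };
    };
    restic = {
      backups = {
        "gsimmer" = {
          user = "gsimmer";
          environmentFile = b2Credentials;
          repository = "s3:s3.us-west-000.backblazeb2.com/gsimmer-backup";
          paths = [
            "/tank/gsimmer/projects"
            "/tank/gsimmer/org"
            "/tank/gsimmer/Backup/Pictures"
            "/tank/gsimmer/Photos"
            "/tank/shared"
          ];
          timerConfig = dailyTimer "6h";
          pruneOpts = keepPolicy;
          passwordFile = resticPassword;
          # Same as the other jobs: create the repository if it does not exist.
          initialize = true;
          backupPrepareCommand = healthcheckStart "gsimmer-backup";
          backupCleanupCommand = healthcheckFinish "gsimmer-backup" "restic-backups-gsimmer.service";
        };
        "becki" = {
          user = "becki";
          environmentFile = b2Credentials;
          repository = "s3:s3.us-west-000.backblazeb2.com/bsimmer-backup";
          paths = [
            "/tank/becki/VRChat\ Avatars"
            "/tank/becki/Pictures"
          ];
          timerConfig = dailyTimer "6h";
          pruneOpts = keepPolicy;
          passwordFile = resticPassword;
          initialize = true;
          backupPrepareCommand = healthcheckStart "becki-backup";
          backupCleanupCommand = healthcheckFinish "becki-backup" "restic-backups-becki.service";
        };
        "apps" = {
          user = "root";
          environmentFile = b2Credentials;
          repository = "s3:s3.us-west-000.backblazeb2.com/gsimmer-app-backup";
          # NOTE(review): these trees hold live application state (forgejo,
          # paperless, k3s) and restic reads them in place, so a backup taken
          # mid-write may not restore cleanly. Backing up from a sanoid
          # snapshot or an application-level dump would be consistent.
          paths = [
            "/tank/k3scluster"
            "/tank/forgejo"
            "/tank/documents"
          ];
          timerConfig = dailyTimer "12h";
          pruneOpts = keepPolicy;
          passwordFile = resticPassword;
          initialize = true;
          backupPrepareCommand = healthcheckStart "apps-backup";
          backupCleanupCommand = healthcheckFinish "apps-backup" "restic-backups-apps.service";
        };
      };
    };
    syncthing = {
      enable = true;
      overrideDevices = false;
      overrideFolders = false;
      user = "gsimmer";
      dataDir = "/tank/gsimmer";
      # GUI reachable from the tailnet only; 8384 is not opened elsewhere.
      guiAddress = "${tailscaleAddr}:8384";
    };
    prometheus.exporters = {
      blackbox = {
        enable = true;
        configFile = "/var/lib/blackbox/config.yml";
      };
      node = {
        enable = true;
        # Scraped over the tailnet only.
        listenAddress = tailscaleAddr;
        enabledCollectors = [
          "systemd"
          "zfs"
          "processes"
        ];
      };
    };
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
    };
    zfs.autoScrub.enable = true;
    tailscale.enable = true;
    openssh = {
      enable = true;
      # Port 22 is open on every interface and gsimmer/root already use
      # key-only login (see users below), so stop accepting passwords and keep
      # root key-only. NOTE(review): becki has no authorized keys in this
      # file; add one before deploying if she logs in over SSH.
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "prohibit-password";
      };
    };
    xserver.videoDrivers = ["nvidia"];
    # Exports are defined outside this file; 2049 is open on all non-tailnet
    # interfaces (see networking.firewall), so the exports are the only gate.
    nfs.server.enable = true;
    samba-wsdd.enable = true;
    samba = {
      enable = true;
      securityType = "user";
      # SMB listens on every interface; `hosts allow` below is the only
      # network-level gate. Note `100.` matches all of 100.0.0.0/8, which is
      # wider than Tailscale's 100.64.0.0/10.
      openFirewall = true;
      extraConfig = ''
        workgroup = WORKGROUP
        server string = smbnix
        netbios name = smbnix
        security = user
        #use sendfile = yes
        #max protocol = smb2
        # note: localhost is the ipv6 localhost ::1
        hosts allow = 100. 192.168.50. 127.0.0.1 localhost
        hosts deny = 0.0.0.0/0
        guest account = nobody
        map to guest = bad user
      '';
      shares = {
        # streamboxes and media are writable anonymously (guest ok + not read
        # only) by anyone passing `hosts allow`; keep that only if intended.
        streamboxes = {
          path = "/tank/streamboxes";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "yes";
          "create mask" = "0644";
          "directory mask" = "0755";
        };
        media = {
          path = "/tank/media";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "yes";
          "create mask" = "0644";
          "directory mask" = "0755";
        };
        becki = {
          path = "/tank/becki";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "admin users" = "becki";
        };
        shared = {
          path = "/tank/shared";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
        };
        gabriel = {
          path = "/tank/gsimmer";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "admin users" = "gsimmer";
        };
      };
    };
    plex = {
      enable = true;
      openFirewall = true;
    };
    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedBrotliSettings = true;
      recommendedZstdSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      # Both vhosts use the single *.gmem.ca wildcard issued under
      # security.acme below and redirect plain HTTP to HTTPS; forgejo
      # (ROOT_URL, COOKIE_SECURE) and paperless (PAPERLESS_URL) both assume https.
      virtualHosts."git.gmem.ca" = {
        useACMEHost = "gmem.ca";
        forceSSL = true;
        locations."/" = proxyLocation "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}/";
      };
      virtualHosts."docs.gmem.ca" = {
        useACMEHost = "gmem.ca";
        forceSSL = true;
        locations."/" = proxyLocation "http://127.0.0.1:${toString config.services.paperless.port}/";
      };
    };

    forgejo = {
      enable = true;
      stateDir = "/tank/forgejo";
      user = "git";
      group = "git";
      settings = {
        DEFAULT = {
          APP_NAME = "Arch's Git Forge";
        };
        server = {
          ROOT_URL = "https://git.gmem.ca/";
          # Only the local nginx talks to forgejo directly.
          HTTP_ADDR = "127.0.0.1";
          HTTP_PORT = 8973;
        };
        service = {
          DISABLE_REGISTRATION = true;
          COOKIE_SECURE = true;
        };
        actions = {
          ENABLED = true;
        };
        federation = {
          ENABLED = true;
        };
        # NOTE(review): with no metrics.TOKEN set, /metrics is served without
        # authentication at https://git.gmem.ca/metrics. Set a TOKEN from a
        # secret (and send it as a bearer token from Prometheus) or deny that
        # location in nginx for non-tailnet clients.
        metrics = {
          ENABLED = true;
        };
        "repository.signing" = {
          SIGNING_KEY = "default";
          INITIAL_COMMIT = "always";
          WIKI = "always";
          CRUD_ACTIONS = "always";
          MERGES = "always";
        };
        indexer = {
          REPO_INDEXER_ENABLED = true;
        };
      };
    };
    gitea-actions-runner = {
      package = pkgs.forgejo-actions-runner;
      instances = {
        vancouver = {
          name = "vancouver";
          enable = true;
          # NOTE(review): these are floating tags (`nightly`, and no tag at
          # all on nixos/nix), so job environments change underneath the
          # workflows; the dind image in particular is a privileged
          # supply-chain dependency. Pin by digest where possible.
          labels = [
            "debian-latest:docker://node:18-bullseye"
            "ubuntu-latest:docker://node:18-bullseye"
            "docker:docker://gitea/act_runner:nightly-dind-rootless"
            "nix:docker://nixos/nix"
          ];
          url = "https://git.gmem.ca/";
          tokenFile = config.age.secrets.action-token.path;
          settings = {
            # Job cache server; see the note on port 4328 in networking.firewall.
            cache.port = 4328;
            container.network = "podman3";
          };
        };
      };
    };
    sanoid = {
      enable = true;
      # NOTE(review): tank/documents (paperless) and tank/media are not
      # snapshotted here; add them if they are separate datasets.
      datasets = let
        homeRetention = {
          autoprune = true;
          autosnap = true;
          daily = 4;
          monthly = 3;
          yearly = 1;
        };
        appRetention = {
          autoprune = true;
          autosnap = true;
          daily = 2;
          monthly = 2;
        };
      in {
        "tank/becki" = homeRetention;
        "tank/gsimmer" = homeRetention;
        "tank/shared" = appRetention;
        "tank/k3scluster" = appRetention;
        "tank/forgejo" = appRetention;
      };
    };
  };

  networking = {
    hostId = "e1e29bf4";
    hostName = "vancouver";
    domain = "gmem.ca";
    firewall = {
      enable = true;
      # Everything arriving over the tailnet is trusted wholesale.
      trustedInterfaces = ["tailscale0"];
      checkReversePath = "loose";
      # Open on every other interface:
      #   22   ssh (key-only, see services.openssh)
      #   80/443 nginx
      #   2049 NFS (exports live outside this file)
      #   4328 actions-runner cache server. It has no authentication and only
      #        needs to be reachable from the runner's container network;
      #        restricting it with networking.firewall.interfaces.<bridge>
      #        would be tighter once the podman3 bridge name is known.
      # 9798 (speedtest exporter) is no longer listed: the container now
      # publishes on the tailscale address only.
      allowedTCPPorts = [22 80 443 2049 4328];
      allowedUDPPorts = [41641];
    };
    nftables.enable = true;
  };

  environment.systemPackages = with pkgs; [
    vim
    wget
    git
    htop
    tailscale
    home-manager
    lm_sensors
    screen
    nix-output-monitor
    cifs-utils
    cloudflared
    bat
    gnupg
    pinentry
  ];

  time.timeZone = "Europe/London";

  nixpkgs.config.allowUnfree = true;

  hardware = {
    opengl.enable = true;
    nvidia.modesetting.enable = true;
    pulseaudio.enable = false;
  };

  programs = {
    zsh.enable = true;
    fish.enable = true;
  };
  environment.shells = with pkgs; [zsh fish];

  users = {
    groups.git = {};
    users = {
      git = {
        home = "/tank/forgejo";
        useDefaultShell = true;
        group = "git";
        isSystemUser = true;
      };

      # wheel grants sudo; libvirtd/qemu-libvirtd give VM management.
      gsimmer = {
        shell = pkgs.fish;
        isNormalUser = true;
        home = "/tank/gsimmer";
        extraGroups = ["wheel" "libvirtd" "qemu-libvirtd"];
        openssh.authorizedKeys.keys = authorizedKeys;
      };
      becki = {
        shell = pkgs.fish;
        isNormalUser = true;
        home = "/tank/becki";
      };
      # Same key set as gsimmer; root is key-only (PermitRootLogin above).
      root.openssh.authorizedKeys.keys = authorizedKeys;
    };
  };

  home-manager.users.gsimmer = {pkgs, ...}: {
    programs.git = {
      # userName/userEmail only take effect when the module is enabled.
      enable = true;
      userName = "Gabriel Simmer";
      userEmail = "git@gmem.ca";
    };
    programs.bash.enable = false;

    home.stateVersion = "23.05";
  };

  virtualisation = {
    docker = {
      enable = true;
      rootless = {
        enable = true;
        setSocketVariable = true;
      };
    };
    oci-containers.containers = {
      speedtest = {
        # NOTE(review): an untagged image resolves to a floating :latest; pin
        # a tag or digest so the exporter does not change under monitoring.
        image = "ghcr.io/miguelndecarvalho/speedtest-exporter";
        # Publish on the tailscale address only, like the node exporter.
        # Container port publishing generally installs its own NAT rules, so
        # binding 0.0.0.0 exposed the exporter on every interface regardless
        # of allowedTCPPorts. NOTE(review): tailscale0 must hold this address
        # when the container starts.
        ports = ["${tailscaleAddr}:9798:9798"];
      };
    };
  };

  sound.enable = true;
  security.rtkit.enable = true;

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@gmem.ca";
    # One wildcard certificate, issued via the Cloudflare DNS challenge, serves
    # every *.gmem.ca vhost (nginx references it with useACMEHost). The
    # previous config requested the same wildcard twice, once per vhost,
    # doubling issuances and renewals for no gain.
    certs."gmem.ca" = {
      domain = "*.gmem.ca";
      dnsProvider = "cloudflare";
      credentialsFile = config.age.secrets.cloudflare-dns.path;
    };
  };

  system.stateVersion = "23.05";
}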