2016-04-14 14:02:16 +02:00
|
|
|
|
# Edit this configuration file to define what should be installed on
|
|
|
|
|
|
# your system. Help is available in the configuration.nix(5) man page
|
|
|
|
|
|
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
|
|
|
|
|
|
|
|
|
|
|
{ config, pkgs, lib, ... }:
|
2020-05-21 17:39:38 +02:00
|
|
|
|
let
|
|
|
|
|
|
sslforward = proxyPass: {
|
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
|
enableACME = true;
|
|
|
|
|
|
locations."/" = {
|
|
|
|
|
|
inherit proxyPass;
|
|
|
|
|
|
proxyWebsockets = true;
|
|
|
|
|
|
};
|
|
|
|
|
|
};
|
|
|
|
|
|
vpn = import ../vpn.nix;
|
|
|
|
|
|
in
|
2016-04-14 14:02:16 +02:00
|
|
|
|
{
|
|
|
|
|
|
imports = [
|
2020-05-21 17:39:38 +02:00
|
|
|
|
../physical/hetznercloud.nix
|
|
|
|
|
|
../roles/server.nix
|
2021-01-03 22:06:31 +01:00
|
|
|
|
../modules/muflax-blog.nix
|
|
|
|
|
|
../services/backup.nix
|
|
|
|
|
|
../services/email.nix
|
2016-04-14 14:02:16 +02:00
|
|
|
|
];
|
|
|
|
|
|
|
2020-05-21 17:39:38 +02:00
|
|
|
|
system.stateVersion = "19.03";
|
2017-02-02 16:58:48 +01:00
|
|
|
|
|
2018-03-11 18:28:25 +01:00
|
|
|
|
services.nginx.enable = true;
|
|
|
|
|
|
services.yorick = {
|
2018-11-20 22:28:58 +01:00
|
|
|
|
public = { enable = true; vhost = "pub.yori.cc"; };
|
2018-03-11 18:28:25 +01:00
|
|
|
|
website = { enable = true; vhost = "yorickvanpelt.nl"; };
|
2020-05-21 17:39:38 +02:00
|
|
|
|
git = { enable = true; vhost = "git.yori.cc"; };
|
|
|
|
|
|
muflax-church = { enable = true; vhost = "muflax.church"; };
|
|
|
|
|
|
};
|
2016-04-21 22:45:06 +02:00
|
|
|
|
|
2016-04-29 01:07:06 +02:00
|
|
|
|
services.muflax-blog = {
|
|
|
|
|
|
enable = true;
|
|
|
|
|
|
web-server = {
|
|
|
|
|
|
port = 9001;
|
|
|
|
|
|
};
|
|
|
|
|
|
hidden-service = {
|
|
|
|
|
|
hostname = "muflax65ngodyewp.onion";
|
2018-03-11 23:17:55 +01:00
|
|
|
|
private_key = "/root/keys/http.muflax.key";
|
2016-04-29 01:07:06 +02:00
|
|
|
|
};
|
|
|
|
|
|
};
|
2020-05-21 17:39:38 +02:00
|
|
|
|
services.nginx.commonHttpConfig = ''
|
|
|
|
|
|
access_log off;
|
|
|
|
|
|
'';
|
|
|
|
|
|
services.nginx.virtualHosts = {
|
|
|
|
|
|
"yori.cc" = {
|
|
|
|
|
|
enableACME = true;
|
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
|
globalRedirect = "yorickvanpelt.nl";
|
2018-05-25 00:27:43 +02:00
|
|
|
|
};
|
2021-01-03 19:00:46 +01:00
|
|
|
|
"yorickvanpelt.nl".locations."/p1".return = "301 https://git.yori.cc/yorick/meterkast";
|
2020-05-21 17:39:38 +02:00
|
|
|
|
"grafana.yori.cc" = sslforward "http://${vpn.ips.frumar}:3000";
|
|
|
|
|
|
"ubiquiti.yori.cc" = sslforward "https://${vpn.ips.woodhouse}:8443";
|
|
|
|
|
|
"prometheus.yori.cc" = {
|
|
|
|
|
|
# only over vpn
|
|
|
|
|
|
listen = [ { addr = "10.209.0.1"; port = 80; } ];
|
|
|
|
|
|
locations."/".proxyPass = "http://10.209.0.3:9090";
|
|
|
|
|
|
};
|
|
|
|
|
|
"pub.yori.cc".locations."/muflax/".extraConfig = ''
|
|
|
|
|
|
rewrite ^/muflax/(.*)$ https://alt.muflax.church/$1 permanent;
|
|
|
|
|
|
'';
|
2018-05-25 00:27:43 +02:00
|
|
|
|
};
|
2018-03-11 23:17:55 +01:00
|
|
|
|
deployment.keyys = [ <yori-nix/keys/http.muflax.key> ];
|
2020-05-21 17:39:38 +02:00
|
|
|
|
networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
|
|
|
|
|
|
networking.wireguard.interfaces.wg-y.peers =
|
|
|
|
|
|
lib.mkForce (lib.mapAttrsToList (machine: publicKey: {
|
|
|
|
|
|
inherit publicKey;
|
|
|
|
|
|
allowedIPs = [ "${vpn.ips.${machine}}/32" ];
|
|
|
|
|
|
}) vpn.keys);
|
2021-01-03 19:00:33 +01:00
|
|
|
|
services.prometheus.exporters.wireguard = {
|
|
|
|
|
|
enable = true;
|
|
|
|
|
|
};
|
|
|
|
|
|
networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9586 ];
|
2020-05-21 17:39:38 +02:00
|
|
|
|
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
|
|
|
|
|
|
environment.noXlibs = true;
|
|
|
|
|
|
users.users.yorick.packages = with pkgs; [
|
2021-01-03 22:06:31 +01:00
|
|
|
|
python2 sshfs-fuse weechat ripgrep
|
2020-05-21 17:39:38 +02:00
|
|
|
|
];
|
2021-01-03 22:06:31 +01:00
|
|
|
|
|
2016-04-14 14:02:16 +02:00
|
|
|
|
}
|
