author | Vincent Ambo <mail@tazj.in> | 2021-12-13T22·51+0300 |
committer | Vincent Ambo <mail@tazj.in> | 2021-12-13T23·15+0300 |
commit | 019f8fd2113df4c5247c3969c60fd4f0e08f91f7 (patch) | |
tree | 76a857f61aa88f62a30e854651e8439db77fd0ea /users/wpcarro/nixos/socrates/default.nix | |
parent | 464bbcb15c09813172c79820bcf526bb10cf4208 (diff) | |
parent | 6123e976928ca3d8d93f0b2006b10b5f659eb74d (diff) |
subtree(users/wpcarro): docking briefcase at '24f5a642' r/3226
git-subtree-dir: users/wpcarro git-subtree-mainline: 464bbcb15c09813172c79820bcf526bb10cf4208 git-subtree-split: 24f5a642af3aa1627bbff977f0a101907a02c69f Change-Id: I6105b3762b79126b3488359c95978cadb3efa789
Diffstat (limited to 'users/wpcarro/nixos/socrates/default.nix')
-rw-r--r-- | users/wpcarro/nixos/socrates/default.nix | 218 |
1 files changed, 218 insertions, 0 deletions
diff --git a/users/wpcarro/nixos/socrates/default.nix b/users/wpcarro/nixos/socrates/default.nix
new file mode 100644
index 000000000000..8b762a56de5f
--- /dev/null
+++ b/users/wpcarro/nixos/socrates/default.nix
@@ -0,0 +1,218 @@
+let
+ briefcase = import <briefcase> {};
+ pkgs = briefcase.third_party.pkgs;
+in {
+ imports = [ ./hardware.nix ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking = {
+ hostName = "socrates";
+ # The global useDHCP flag is deprecated, therefore explicitly set to false
+ # here. Per-interface useDHCP will be mandatory in the future, so this
+ # generated config replicates the default behaviour.
+ useDHCP = false;
+ networkmanager.enable = true;
+ interfaces.enp2s0f1.useDHCP = true;
+ interfaces.wlp3s0.useDHCP = true;
+ firewall.allowedTCPPorts = [ 9418 80 443 6697 ];
+ };
+
+ time.timeZone = "UTC";
+
+ programs.fish.enable = true;
+ programs.mosh.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ curl
+ direnv
+ emacs26-nox
+ gnupg
+ htop
+ pass
+ vim
+ certbot
+ tree
+ git
+ ];
+
+ users = {
+ # I need a git group to run the git server.
+ groups.git = {};
+
+ users.wpcarro = {
+ isNormalUser = true;
+ extraGroups = [ "git" "wheel" ];
+ shell = pkgs.fish;
+ };
+
+ users.git = {
+ group = "git";
+ isNormalUser = false;
+ };
+ };
+
+ nix = {
+ nixPath = [];
+ trustedUsers = [ "root" "wpcarro" ];
+ };
+
+ ##############################################################################
+ # Services
+ ##############################################################################
+
+ systemd.services.bitlbee-stunnel = {
+ description = "Provides TLS termination for Bitlbee.";
+ wantedBy = [ "multi-user.target" ];
+ unitConfig = {
+ Restart = "always";
+ User = "nginx"; # This is a hack to easily get certificate access.
+ };
+ script = let configFile = builtins.toFile "stunnel.conf" ''
+ foreground = yes
+ debug = 7
+
+ [ircs]
+ accept = 0.0.0.0:6697
+ connect = 6667
+ cert = /var/lib/acme/wpcarro.dev/full.pem
+ ''; in "${pkgs.stunnel}/bin/stunnel ${configFile}";
+ };
+
+ nixpkgs.config.bitlbee.enableLibPurple = true;
+ services.bitlbee = {
+ interface = "0.0.0.0";
+ enable = true;
+ libpurple_plugins = [
+ pkgs.telegram-purple
+ ];
+ };
+
+ services.journaldriver = {
+ enable = true;
+ logStream = "home";
+ googleCloudProject = "wpcarros-infrastructure";
+ applicationCredentials = "/etc/gcp/key.json";
+ };
+
+ services.openssh.enable = true;
+
+ services.gitea = {
+ enable = true;
+ # Without this the links to clone a repository like briefcase will be
+ # "http://localhost:3000/wpcarro/briefcase".
+ rootUrl = "https://git.wpcarro.dev/";
+ };
+
+ services.buildkite-agents = {
+ socrates = {
+ enable = true;
+ tokenPath = "/etc/secrets/buildkite-agent-token";
+ privateSshKeyPath = "/etc/ssh/buildkite_agent_id_rsa";
+ };
+ };
+
+ systemd.services.zoo = {
+ enable = true;
+ description = "Run my monoserver";
+ script = "${briefcase.zoo}/zoo";
+ environment = {};
+ serviceConfig = {
+ Restart = "always";
+ };
+ };
+
+ services.gitDaemon = {
+ enable = true;
+ basePath = "/srv/git";
+ exportAll = true;
+ repositories = [ "/srv/git/briefcase" ];
+ };
+
+ # Since I'm using this laptop as a server in my flat, I'd prefer to close its
+ # lid.
+ services.logind.lidSwitch = "ignore";
+
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ polkit.log("subject.user: " + subject.user + " is attempting action.id: " + action.id);
+ });
+ '';
+
+ # Provision SSL certificates to support HTTPS connections.
+ security.acme.acceptTerms = true;
+ security.acme.email = "wpcarro@gmail.com";
+
+ services.nginx = {
+ enable = true;
+ enableReload = true;
+
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ commonHttpConfig = ''
+ log_format json_combined escape=json
+ '{'
+ '"remote_addr":"$remote_addr",'
+ '"method":"$request_method",'
+ '"host":"$host",'
+ '"uri":"$request_uri",'
+ '"status":$status,'
+ '"request_size":$request_length,'
+ '"response_size":$body_bytes_sent,'
+ '"response_time":$request_time,'
+ '"referrer":"$http_referer",'
+ '"user_agent":"$http_user_agent"'
+ '}';
+
+ access_log syslog:server=unix:/dev/log,nohostname json_combined;
+ '';
+
+ virtualHosts = {
+ "wpcarro.dev" = {
+ addSSL = true;
+ enableACME = true;
+ root = briefcase.website;
+ };
+ "learn.wpcarro.dev" = {
+ addSSL = true;
+ enableACME = true;
+ root = briefcase.website.learn;
+ };
+ "git.wpcarro.dev" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:3000";
+ };
+ };
+ "blog.wpcarro.dev" = {
+ addSSL = true;
+ enableACME = true;
+ root = briefcase.website.blog;
+ };
+ # "sandbox.wpcarro.dev" = {
+ # addSSL = true;
+ # enableACME = true;
+ # root = briefcase.website.sandbox;
+ # };
+ # "learnpianochords.app" = {
+ # addSSL = true;
+ # enableACME = true;
+ # root = briefcase.website.sandbox.learnpianochords;
+ # };
+ "zoo.wpcarro.dev" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:8000";
+ };
+ };
+ };
+ };
+
+ system.stateVersion = "20.09";
+}
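Review bot: `Restart = "always"` and `User = "nginx"` are placed under `unitConfig` in `systemd.services.bitlbee-stunnel`, but both are [Service]-section directives; NixOS renders `unitConfig` into the [Unit] section, where systemd ignores keys it does not recognise (logging a warning), so stunnel would run as root rather than the intended nginx user and would not be restarted on exit. Moving the two keys to `serviceConfig = { Restart = "always"; User = "nginx"; };` fixes both, and since this unit terminates TLS with the ACME private key on port 6697, which the firewall opens externally, the unintended root execution is the more serious consequence. The inline comment already calls the nginx user a hack; a dedicated user given read access to the certificate directory (for example through the ACME certificate's group setting) would avoid sharing nginx's privileges with the IRC TLS front end. Separately, every `virtualHosts` entry uses `addSSL = true`, which keeps serving plain HTTP next to HTTPS; `forceSSL = true` would redirect instead, which matters most for `git.wpcarro.dev` where Gitea logins are proxied.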