diff options
Diffstat (limited to 'ops/machines/sanduny/default.nix')
-rw-r--r-- | ops/machines/sanduny/default.nix | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/ops/machines/sanduny/default.nix b/ops/machines/sanduny/default.nix new file mode 100644 index 000000000000..ba14fbd32a60 --- /dev/null +++ b/ops/machines/sanduny/default.nix @@ -0,0 +1,137 @@ +# sanduny.tvl.su +# +# This is a VPS hosted with Bitfolk, intended to additionally serve +# some of our public services like cgit, josh and the websites. +# +# In case of whitby going down, sanduny will keep depot available. + +_: # ignore readTree options + +{ config, depot, lib, pkgs, ... }: + +let + mod = name: depot.path.origSrc + ("/ops/modules/" + name); +in +{ + imports = [ + (mod "cgit.nix") + (mod "depot-inbox.nix") + (mod "depot-replica.nix") + (mod "journaldriver.nix") + (mod "known-hosts.nix") + (mod "tvl-cache.nix") + (mod "tvl-headscale.nix") + (mod "tvl-users.nix") + (mod "www/inbox.tvl.su.nix") + (mod "www/self-redirect.nix") + ]; + + networking = { + hostName = "sanduny"; + domain = "tvl.su"; + useDHCP = false; + + interfaces.eth0 = { + ipv4.addresses = lib.singleton { + address = "85.119.82.231"; + prefixLength = 21; + }; + + ipv6.addresses = lib.singleton { + address = "2001:ba8:1f1:f109::feed:edef:beef"; + prefixLength = 64; + }; + }; + + defaultGateway = "85.119.80.1"; + defaultGateway6.address = "2001:ba8:1f1:f109::1"; + + firewall.allowedTCPPorts = [ 22 80 443 ]; + + # https://bitfolk.com/customer_information.html#toc_2_DNS + nameservers = [ + "85.119.80.232" + "85.119.80.233" + "2001:ba8:1f1:f205::53" + "2001:ba8:1f1:f206::53" + ]; + }; + + security.sudo.wheelNeedsPassword = false; + + environment.systemPackages = with pkgs; [ + emacs-nox + vim + curl + unzip + htop + ]; + + programs.mtr.enable = true; + + services.openssh.enable = true; + services.fail2ban.enable = true; + + # Run tailscale for the TVL net.tvl.fyi network. + # tailscale up --login-server https://net.tvl.fyi --accept-dns=false --advertise-exit-node + services.tailscale = { + enable = true; + useRoutingFeatures = "server"; # for exit-node usage + }; + + # Automatically collect garbage from the Nix store. + services.depot.automatic-gc = { + enable = true; + interval = "1 hour"; + diskThreshold = 2; # GiB + maxFreed = 5; # GiB + preserveGenerations = "90d"; + }; + + # Allow Gerrit to replicate depot to /var/lib/depot + services.depot.replica.enable = true; + + # Run git serving tools locally ... + services.depot.cgit = { + enable = true; + repo = "/var/lib/depot"; + }; + + # Serve public-inbox ... + services.depot.inbox.enable = true; + + time.timeZone = "UTC"; + + # GRUB does not actually need to be installed on disk; Bitfolk have + # their own way of booting systems as long as config is in place. + boot.loader.grub.device = "nodev"; + boot.loader.grub.enable = true; + boot.initrd.availableKernelModules = [ "xen_blkfront" ]; + + hardware.cpu.intel.updateMicrocode = true; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/aabc3638-43ca-45f3-af89-c451e8448e92"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/disk/by-uuid/75aa99d5-fed7-4c5c-8570-7745f6cff9f5"; + fsType = "ext3"; + }; + + "/nix" = { + device = "/dev/disk/by-uuid/d1721678-c294-482b-b72e-3b15f2c56c63"; + fsType = "ext4"; + }; + }; + + tvl.cache.enable = true; + + swapDevices = lib.singleton { + device = "/dev/disk/by-uuid/df4ad9da-0a06-4c27-93e5-5d44e4750e55"; + }; + + system.stateVersion = "22.05"; # Did you read the comment? +} |