Diffstat (limited to 'users/tazjin/nixos/camden')
-rw-r--r-- | users/tazjin/nixos/camden/default.nix | 84 |
1 files changed, 39 insertions, 45 deletions
diff --git a/users/tazjin/nixos/camden/default.nix b/users/tazjin/nixos/camden/default.nix
index 4b5e4b4872c2..130b51dd38c1 100644
--- a/users/tazjin/nixos/camden/default.nix
+++ b/users/tazjin/nixos/camden/default.nix
@@ -1,7 +1,8 @@
 # This file configures camden.tazj.in, my homeserver.
 { depot, pkgs, lib, ... }:
 
-config: let
+config:
+let
   nginxRedirect = { from, to, acmeHost }: {
     serverName = from;
     useACMEHost = acmeHost;
@@ -9,22 +10,13 @@ config: let
     extraConfig = "return 301 https://${to}$request_uri;";
   };
 
-in lib.fix(self: {
-  # Disable the current ACME module and use the old one from 19.09
-  # instead, until the various regressions have been sorted out.
-  # TODO(tazjin): Remove this once the new ACME module works.
-  disabledModules = [ "security/acme" ];
-  imports =
-    let oldChannel = fetchTarball {
-      # NixOS 19.09 on 2020-10-04
-      url = "https://github.com/NixOS/nixpkgs-channels/archive/75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1.tar.gz";
-      sha256 = "157c64220lf825ll4c0cxsdwg7cxqdx4z559fdp7kpz0g6p8fhhr";
-    };
-    in [
-      "${depot.path}/ops/modules/quassel.nix"
-      "${depot.path}/ops/modules/smtprelay.nix"
-      "${oldChannel}/nixos/modules/security/acme.nix"
-    ];
+  mod = name: depot.path.origSrc + ("/ops/modules/" + name);
+in
+lib.fix (self: {
+  imports = [
+    (mod "quassel.nix")
+    (mod "smtprelay.nix")
+  ];
 
   # camden is intended to boot unattended, despite having an encrypted
   # root partition.
@@ -37,8 +29,14 @@ in lib.fix(self: {
   boot = {
     initrd = {
       availableKernelModules = [
-        "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"
-        "rtsx_usb_sdmmc" "r8169"
+        "ahci"
+        "xhci_pci"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+        "sdhci_pci"
+        "rtsx_usb_sdmmc"
+        "r8169"
       ];
 
       kernelModules = [ "dm-snapshot" ];
@@ -56,7 +54,7 @@ in lib.fix(self: {
       efi.canTouchEfiVariables = true;
     };
 
-    cleanTmpDir = true;
+    tmp.cleanOnBoot = true;
   };
 
   fileSystems = {
@@ -76,16 +74,14 @@ in lib.fix(self: {
     };
   };
 
-  nix = {
-    maxJobs = lib.mkDefault 4;
-
-    trustedUsers = [ "root" "tazjin" ];
-
-    binaryCaches = [
+  nix.settings = {
+    max-jobs = lib.mkDefault 4;
+    trusted-users = [ "root" "tazjin" ];
+    substituters = [
       "https://tazjin.cachix.org"
     ];
 
-    binaryCachePublicKeys = [
+    trusted-public-keys = [
       "tazjin.cachix.org-1:IZkgLeqfOr1kAZjypItHMg1NoBjm4zX9Zzep8oRSh7U="
     ];
   };
@@ -112,7 +108,7 @@ in lib.fix(self: {
   programs.mosh.enable = true;
 
   fonts = {
-    fonts = [ pkgs.jetbrains-mono ];
+    packages = [ pkgs.jetbrains-mono ];
     fontconfig.defaultFonts.monospace = [ "JetBrains Mono" ];
   };
 
@@ -128,7 +124,7 @@ in lib.fix(self: {
     bat
     curl
     direnv
-    emacs27-nox
+    emacs28-nox
     fswebcam
     git
     gnupg
@@ -152,7 +148,7 @@ in lib.fix(self: {
     };
 
     # Set up a user & group for general git shenanigans
-    groups.git = {};
+    groups.git = { };
     users.git = {
       group = "git";
       isSystemUser = true;
@@ -167,7 +163,7 @@ in lib.fix(self: {
   services.tailscale.enable = true;
 
   # Allow sudo-ing via the forwarded SSH agent.
-  security.pam.enableSSHAgentAuth = true;
+  security.pam.sshAgentAuth.enable = true;
 
   # NixOS 20.03 broke nginx and I can't be bothered to debug it
   # anymore, all solution attempts have failed, so here's a
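Review bot: `trusted-users = [ "root" "tazjin" ];` in the new `nix.settings` block grants the listed accounts root-equivalent control over the Nix daemon (trusted users may pass extra substituters and trusted public keys per build and import unsigned store paths), and nothing in the hunk says so. Because the line sits directly next to the `substituters` and `trusted-public-keys` settings it effectively lets those users override, a short comment would keep the next reader from treating it as a harmless performance knob: `# Trusted users can override substituters/keys per build; treat as root-equivalent.`. The enclosing `lib.fix` attrset starts and ends outside this hunk.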
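Review bot: `security.pam.sshAgentAuth.enable = true;` lets any key held by the forwarded agent satisfy sudo's PAM stack, so which authorized-keys file the PAM module consults is the actual security boundary, and the hunk neither sets nor documents it. The renamed option has, as far as I recall, a companion `security.pam.sshAgentAuth.authorizedKeysFiles` that defaults to the root-owned `/etc/ssh/authorized_keys.d/%u`; it is worth confirming that the keys for `tazjin` are indeed read from a root-owned path rather than a user-writable `~/.ssh/authorized_keys`, since whoever can edit that file decides who may sudo. Suggest extending the comment above the line: `# Allow sudo-ing via the forwarded SSH agent; keys are read from security.pam.sshAgentAuth.authorizedKeysFiles (keep these root-owned).`. The enclosing attrset continues outside the hunk.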
@@ -191,38 +187,36 @@ in lib.fix(self: {
   # Provision a TLS certificate outside of nginx to avoid
   # nixpkgs#38144
   security.acme = {
-    # acceptTerms = true;
+    acceptTerms = true;
 
     certs."tazj.in" = {
       email = "mail@tazj.in";
-      user = "nginx";
       group = "nginx";
       webroot = "/var/lib/acme/acme-challenge";
-      extraDomains = {
-        "cs.tazj.in" = null;
-        "git.tazj.in" = null;
-        "www.tazj.in" = null;
+      postRun = "systemctl reload nginx";
+
+      extraDomainNames = [
+        "cs.tazj.in"
+        "git.tazj.in"
+        "www.tazj.in"
 
         # Local domains (for this machine only)
-        "camden.tazj.in" = null;
-      };
-      postRun = "systemctl reload nginx";
+        "camden.tazj.in"
+      ];
     };
 
     certs."quassel.tazj.in" = {
       email = "mail@tazj.in";
       webroot = "/var/lib/acme/challenge-quassel";
-      user = "nginx"; # required because of a bug in the ACME module
       group = "quassel";
-      allowKeysForGroup = true;
     };
   };
 
   # Forward logs to Google Cloud Platform
   services.journaldriver = {
-    enable                 = true;
-    logStream              = "home";
-    googleCloudProject     = "tazjins-infrastructure";
+    enable = true;
+    logStream = "home";
+    googleCloudProject = "tazjins-infrastructure";
     applicationCredentials = "/etc/gcp/key.json";
   };
 
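Review bot: `postRun = "systemctl reload nginx";` on the `tazj.in` cert is a shell hook that the ACME module documents as running with root privileges after renewal, while the same module offers the declarative `reloadServices` option for exactly this case; since the commit moves to the current module anyway, `reloadServices = [ "nginx" ];` keeps the renewal unit free of a root shell command and survives future hook changes. The `quassel.tazj.in` cert gets no reload hook at all, so unless the quassel core re-reads its certificate on its own (which I cannot tell from this hunk), a renewed key is not picked up until that service restarts — worth confirming, or adding `reloadServices` naming whatever unit the depot quassel module defines. Dropping `user = "nginx"` and `allowKeysForGroup` is consistent with the current module's group-readable key layout, so only the reload path needs attention here.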