# Host configuration for `bloodletting`: an internet-facing box serving the
# technogothic.net sites (static site, mastodon, grafana, pastebin, ftp) over
# nginx, plus the services pulled in via the ../../common fragments.
{ config, pkgs, lib, ... }:

let
  # All TLS vhosts share one wildcard certificate; the ACME entry is keyed by
  # the apex name.
  acmeHost = "technogothic.net";

  # One unix socket per configured mastodon streaming process, in the
  # { name; value } shape expected by builtins.listToAttrs.
  streamingSockets = map
    (i: {
      name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket";
      value = { fail_timeout = "0"; };
    })
    (lib.range 1 config.services.mastodon.streamingProcesses);

  # Common vhost prelude: use the shared wildcard cert and redirect http -> https.
  tlsHost = extra: { useACMEHost = acmeHost; forceSSL = true; } // extra;
in
{
  imports = [
    ./hardware-configuration.nix
    ../../common/users/julia.nix
    ../../common/fragments/bin.nix
    ../../common/fragments/fail2ban.nix
    ../../common/fragments/frq-friend.nix
    ../../common/fragments/grafana.nix
    ../../common/fragments/mastodon-ebooks.nix
    ../../common/fragments/mastodon.nix
    ../../common/fragments/matrix-ril100.nix
    ../../common/fragments/matterbridge.nix
    ../../common/fragments/mc-status-bot.nix
    ../../common/fragments/minecraft.nix
    ../../common/fragments/nyandroid.nix
    ../../common/fragments/postgres.nix
    ../../common/fragments/prometheus_exporters.nix
    ../../common/fragments/prosody.nix
    ../../common/fragments/vsftpd.nix
    ../../common/home_manager/common.nix
  ];

  # Local packages made available as pkgs.bin and pkgs.agatha-mastodon.
  nixpkgs.overlays = [
    (final: prev: {
      bin = final.callPackage ../../common/pkgs/bin.nix { };
      agatha-mastodon = final.callPackage ../../common/pkgs/mastodon/default.nix { };
    })
  ];

  # BIOS grub on the first disk. useOSProber scans other disks for
  # installed systems when the boot menu is generated.
  boot.loader.grub = {
    enable = true;
    device = "/dev/sda";
    useOSProber = true;
  };

  networking = {
    hostName = "bloodletting";

    # NOTE(review): NetworkManager is enabled next to a statically addressed
    # ens20; confirm NetworkManager does not also try to manage ens20 (e.g. via
    # DHCP), otherwise the two can compete for the interface.
    networkmanager.enable = true;
    interfaces.ens20 = {
      ipv4.addresses = [{ address = "91.198.192.199"; prefixLength = 27; }];
      ipv6.addresses = [{ address = "2001:67c:b54:1::6"; prefixLength = 64; }];
    };
    defaultGateway = { address = "91.198.192.193"; interface = "ens20"; };
    defaultGateway6 = { address = "2001:67c:b54:1::1"; interface = "ens20"; };

    firewall = {
      # 20/21/990 + 40000-40200: ftp control, ftps and passive data ports for
      # the vsftpd fragment; 22: ssh; 80/443: nginx.
      allowedTCPPorts = [ 20 21 22 80 443 990 ];
      allowedTCPPortRanges = [{ from = 40000; to = 40200; }];
      # Traffic arriving on podman0 is not filtered at all, so containers on
      # the default podman network can reach any listening port on the host.
      # NOTE(review): verify every container is meant to have that reach.
      trustedInterfaces = [ "podman0" ];
    };
  };

  virtualisation = {
    podman = {
      enable = true;
      dockerCompat = true;
      defaultNetwork.settings.dns_enabled = true;
    };
    oci-containers.backend = "podman";
  };

  # Wildcard certificate via DNS-01 against Hurricane Electric; the API token
  # lives outside the store in credentialsFile.
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "letsencrypt@technogothic.net";
      # NOTE(review): vsftpd and prosody are reloaded on renewal and so read
      # this cert, whose files are group `nginx`; presumably their fragments
      # add them to that group (or copy the files) — verify.
      reloadServices = [ "nginx" "vsftpd" "prosody" ];
    };
    certs.${acmeHost} = {
      domain = "*.technogothic.net";
      extraDomainNames = [ "technogothic.net" "*.argent.technogothic.net" ];
      dnsProvider = "hurricane";
      credentialsFile = "/var/lib/secrets/hurricane-tokens";
      group = "nginx";
    };
  };

  # The nginx unit hardening is relaxed from ProtectHome's default because the
  # vhosts below serve files straight out of /home/ftp.
  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";

  services.nginx = {
    enable = true;
    # Enables the /nginx_status endpoint (loopback-only by default in the NixOS
    # module) for the prometheus exporters.
    statusPage = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Mastodon streaming API, balanced across the per-process sockets.
    upstreams."backend-mastodon-streaming" = {
      servers = builtins.listToAttrs streamingSockets;
      extraConfig = ''
        least_conn;
      '';
    };

    virtualHosts = {
      # Apex: static site, plus the WebFinger/host-meta redirects that let
      # @user@technogothic.net resolve to the mastodon instance on fv.
      ${acmeHost} = tlsHost {
        root = pkgs.vampysite;
        serverAliases = [ "agatha.technogothic.net" ];
        locations = {
          "=/cv.pdf".alias = "/home/ftp/cv.pdf";
          "=/.well-known/host-meta".return = "301 https://fv.technogothic.net$request_uri";
          "=/.well-known/webfinger" = {
            return = "301 https://fv.technogothic.net$request_uri";
            extraConfig = ''
              add_header Access-Control-Allow-Origin '*';
            '';
          };
          # Fixed-response token; its purpose is not documented here
          # (presumably a site-verification check).
          "=/5idbsp9q8d.txt".return = "200 uwu";
        };
        extraConfig = ''
          error_page 404 /404.html;
        '';
      };

      "www.technogothic.net" = tlsHost {
        globalRedirect = "technogothic.net";
      };

      "grafana.technogothic.net" = tlsHost {
        locations."/" = {
          proxyPass = "http://localhost:2342";
          proxyWebsockets = true;
        };
      };

      # Pastebin (bin fragment); upload cap follows the service's own limit.
      "thermalpaste.technogothic.net" = tlsHost {
        locations."/" = {
          proxyPass = "http://localhost:6162";
          proxyWebsockets = true;
          extraConfig = "client_max_body_size ${toString config.services.bin.textUploadLimit}M;";
        };
      };

      # Read-only HTTPS view of the FTP root with directory listings, so
      # anything placed in /home/ftp is publicly listed and downloadable.
      # NOTE(review): confirm that matches what the vsftpd fragment lets
      # users write there.
      "ftp.technogothic.net" = tlsHost {
        root = "/home/ftp";
        locations."/".extraConfig = "autoindex on;";
      };

      # Mastodon: static assets from the package, local media from the
      # system dir, everything else to the web socket, streaming to the
      # upstream above.
      "fv.technogothic.net" = tlsHost {
        root = "${config.services.mastodon.package}/public/";
        locations = {
          "/system/".alias = "/var/lib/mastodon/public-system/";
          "/".tryFiles = "$uri @proxy";
          "@proxy" = {
            proxyPass = "http://unix:/run/mastodon-web/web.socket";
            proxyWebsockets = true;
          };
          "^~ /api/v1/streaming/" = {
            proxyPass = "http://backend-mastodon-streaming/";
            proxyWebsockets = true;
            # Ordered ahead of the catch-all "/" location.
            priority = 2300;
            extraConfig = ''
              proxy_buffering off;
              proxy_redirect off;
              tcp_nodelay on;
            '';
          };
        };
        extraConfig = "client_max_body_size 64M;";
      };
    };
  };

  # Release the stateful defaults (file locations, database versions) were
  # taken from at first install. Leave it alone unless you have read the
  # documentation for this option (man configuration.nix).
  system.stateVersion = "22.11";
}