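# NixOS host configuration for "bloodletting": an internet-facing web, FTP and
# reverse-proxy box. Standard module arguments: `config` is accepted but not read
# in this file; `pkgs` supplies the overlaid `vampysite` package used as an nginx
# document root further down.
{ config, pkgs, ... }: {
  # Hardware profile plus the shared fragments this host composes. The
  # fragments carry their own service configuration; only host-specific wiring
  # (network, firewall, TLS, nginx virtual hosts) lives here.
  imports = [
    ./hardware-configuration.nix
    ../../common/users/julia.nix
    ../../common/fragments/bin.nix
    ../../common/fragments/fail2ban.nix
    ../../common/fragments/frq-friend.nix
    ../../common/fragments/grafana.nix
    ../../common/fragments/homepage.nix
    ../../common/fragments/mastodon-ebooks.nix
    ../../common/fragments/matterbridge.nix
    ../../common/fragments/minecraft.nix
    ../../common/fragments/nyandroid.nix
    ../../common/fragments/prometheus_exporters.nix
    ../../common/fragments/vsftpd.nix
    ../../common/home_manager/common.nix
  ];

  # Locally packaged software, exposed through an overlay so it is reachable as
  # `pkgs.bin` and `pkgs.vampysite`.
  nixpkgs.overlays = [
    (final: prev: {
      bin = final.callPackage ../../common/pkgs/bin.nix { };
      vampysite = final.callPackage ../../common/pkgs/vampysite.nix { };
    })
  ];

  # Bootloader.
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
  boot.loader.grub.useOSProber = true;

  networking.hostName = "bloodletting";

  # Enable networking
  networking.networkmanager.enable = true;

  # Static public IPv4 address (/29) on ens19 with its gateway; NetworkManager
  # stays enabled alongside the static assignment.
  networking.interfaces.ens19.ipv4.addresses = [{
    address = "185.138.143.227";
    prefixLength = 29;
  }];
  networking.defaultGateway = {
    address = "185.138.143.225";
    interface = "ens19";
  };

  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    banner = ''
      Hello mistress ^,,^
    '';
    # Key-based login only. Turning off `passwordAuthentication` by itself does
    # not close the door on NixOS: sshd runs with `UsePAM yes` and
    # keyboard-interactive authentication is enabled by default, so PAM can
    # still prompt for a password over that method. Disable it too so the
    # "no passwords" intent actually holds.
    passwordAuthentication = false;
    kbdInteractiveAuthentication = false;
    # NOTE(review): these are the 22.11-era option names (matching
    # system.stateVersion below); newer NixOS releases move them under
    # `services.openssh.settings`.
  };

  # Open ports in the firewall.
  # 20/21: FTP data/control, 22: SSH, 80/443: nginx, 990: implicit FTPS.
  # 40000-40200 is presumably the vsftpd passive-mode data range; the vsftpd
  # fragment is not visible here, so confirm the range it configures matches.
  networking.firewall = {
    allowedTCPPorts = [ 20 21 22 80 443 990 ];
    allowedTCPPortRanges = [{ from = 40000; to = 40200; }];
  };

  # Rootless-capable container runtime with a docker CLI shim; declarative
  # `virtualisation.oci-containers` units (defined in the fragments) run on it.
  virtualisation = {
    podman = {
      enable = true;
      dockerCompat = true;
      defaultNetwork.dnsname.enable = true;
    };
    oci-containers = {
      backend = "podman";
    };
  };

  # SSL/TLS Certificates
  # One wildcard certificate obtained via DNS-01 (RFC 2136 dynamic updates).
  # The TSIG credentials live under /var/lib/secrets rather than in the Nix
  # store, which is world-readable — keep it that way.
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "letsencrypt@technogothic.net";
  security.acme.certs."technogothic.net" = {
    domain = "*.technogothic.net";
    extraDomainNames = [ "technogothic.net" ];
    dnsProvider = "rfc2136";
    credentialsFile = "/var/lib/secrets/rfc2136-technogothic-net";
    # nginx reads the key material through group membership. vsftpd is also
    # reloaded on renewal below; its read access to the cert files is assumed
    # to be handled in the vsftpd fragment — verify.
    group = "nginx";
  };
  security.acme.defaults.reloadServices = [ "nginx" "vsftpd" ];

  # Relaxed from the module's hardening default so nginx can serve files from
  # /home/ftp (the ftp.* virtual host and the /cv.pdf alias below).
  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";

  # Nginx
  services.nginx = {
    enable = true;
    statusPage = true;

    # Use recommended settings
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Every virtual host terminates TLS with the shared wildcard certificate and
    # redirects plain HTTP to HTTPS (`forceSSL`).
    virtualHosts."technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
      # Static site built by the overlay package above.
      root = pkgs.vampysite;
      serverAliases = [ "agatha.technogothic.net" ];
      locations."=/cv.pdf" = {
        alias = "/home/ftp/cv.pdf";
      };
      extraConfig = ''
        error_page 404 /404.html;
      '';
    };

    virtualHosts."www.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
      globalRedirect = "technogothic.net";
    };

    # Reverse proxies to services bound on localhost. No authentication is
    # added at the proxy layer, so each upstream is relied on to enforce its
    # own; the fragments defining them are not visible here — confirm for each.
    virtualHosts."grafana.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:2342";
        proxyWebsockets = true;
      };
    };

    virtualHosts."home.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:3000";
        proxyWebsockets = true;
      };
    };

    virtualHosts."thermalpaste.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:6162";
        proxyWebsockets = true;
      };
    };

    # Public, unauthenticated directory listing of the FTP tree over HTTPS:
    # anything that lands in /home/ftp becomes world-readable here.
    virtualHosts."ftp.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
      root = "/home/ftp";
      locations."/" = {
        extraConfig = "autoindex on;";
      };
    };
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.11"; # Did you read the comment?
}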