nixos-config/hosts/chunk/default.nix

{
  config,
  lib,
  pkgs,
  ...
}:
{
  imports = [
    ../common.nix
    ../zsh.nix
    ./hardware-configuration.nix
    ./backup.nix
    ./rclone.nix
    ./postgres.nix
    ./wireguard.nix
    ./adguard.nix
    ./hedgedoc.nix
    ./miniflux.nix
    ./redlib.nix
    ./vaultwarden.nix
    ./wireguard.nix
    ./grafana.nix
    ./conduwuit.nix
    ./immich.nix
    ./element.nix
    ./attic.nix
    ./forgejo.nix
    ./garage.nix
  ];

  sops.age.keyFile = "/root/.config/sops/age/keys.txt";
  sops.secrets = {
    "borg/rsyncnet" = {
      sopsFile = ../../secrets/borg/chunk.yaml;
    };
    "services/ntfy" = {
      sopsFile = ../../secrets/services/ntfy.yaml;
    };
    "rclone/config" = {
      sopsFile = ../../secrets/rclone.yaml;
    };
    "vaultwarden/env" = {
      sopsFile = ../../secrets/services/vaultwarden.yaml;
    };
    "caddy/env" = {
      sopsFile = ../../secrets/services/caddy.yaml;
    };
    "hedgedoc/env" = {
      sopsFile = ../../secrets/services/hedgedoc.yaml;
    };
    "wireguard/private" = {
      sopsFile = ../../secrets/wireguard/chunk.yaml;
    };
    "wireguard/psk-yt" = {
      sopsFile = ../../secrets/wireguard/chunk.yaml;
    };
    "wireguard/psk-phone" = {
      sopsFile = ../../secrets/wireguard/chunk.yaml;
    };
    "miniflux/env" = {
      sopsFile = ../../secrets/services/miniflux.yaml;
    };
    "rsyncnet/id_ed25519" = {
      sopsFile = ../../secrets/zh5061/chunk.yaml;
    };
    "attic/env" = {
      sopsFile = ../../secrets/services/attic.yaml;
    };

    "garage/env" = {
      sopsFile = ../../secrets/services/garage.yaml;
    };
  };

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

  system.stateVersion = "24.05";

  # network stuff

  networking.hostName = "chunk";
  networking.networkmanager.enable = true;
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      22
      80
      443
      53
      853
    ];
    allowedUDPPorts = [
      443
      51820
      53
      853
    ]; # 51820 is wireguard
    trustedInterfaces = [ "wg0" ];
  };
  networking.interfaces.ens18 = {
    ipv6.addresses = [
      {
        address = "2a0f:85c1:840:2bfb::1";
        prefixLength = 64;
      }
    ];
    ipv4.addresses = [
      {
        address = "31.59.129.225";
        prefixLength = 24;
      }
    ];
  };
  networking.defaultGateway6 = {
    address = "2a0f:85c1:840::1";
    interface = "ens18";
  };
  networking.defaultGateway = {
    address = "31.59.129.1";
    interface = "ens18";
  };

  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    useXkbConfig = true;
  };

  users.users.yt = {
    extraGroups = [
      "wheel"
      "networkmanager"
      "podman"
    ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD yt@ytnix"
    ];
  };
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD yt@ytnix"
  ];
  # for forgejo
  users.users.git = {
    isNormalUser = true;
    home = "/var/lib/forgejo";
    group = "git";
  };
  users.groups.git = { };

  environment.systemPackages = with pkgs; [
    vim
    wget
    curl
    tree
    tmux
    file
    sops
    attic-server
  ];

  environment.variables = {
    EDITOR = "nvim";
    VISUAL = "nvim";
  };

  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
  };

  security.sudo.enable = true;
  security.sudo.wheelNeedsPassword = false;

  programs.gnupg.agent.enable = true;
  programs.git.enable = true;

  services.caddy = {
    enable = true;
    configFile = ./Caddyfile;
    environmentFile = config.sops.secrets."caddy/env".path;
    logFormat = lib.mkForce "level INFO";
  };

  # container stuff
  virtualisation.containers.enable = true;
  virtualisation.podman = {
    enable = true;
    # create 'docker' alias for podman, to use as
    # drop-in replacement
    dockerCompat = true;
    defaultNetwork.settings = {
      dns_enabled = true;
      ipv6_enabled = true;
    };
  };
  virtualisation.oci-containers.backend = "podman";
}
cleanup and change gitlab domain 2024-12-15 01:58:51 -05:00			`{`
nix fmt 2024-12-15 01:59:29 -05:00			`config,`
			`lib,`
			`pkgs,`
			`...`
use rfc-style formatter 2024-12-19 02:32:58 -05:00			`}:`
			`{`
nix fmt 2024-12-15 01:59:29 -05:00			`imports = [`
			`../common.nix`
name things better 2024-12-30 23:44:48 -05:00			`../zsh.nix`
titan doesn't need a home 2024-12-30 18:06:16 -05:00			`./hardware-configuration.nix`
use backup module on chunk 2024-12-30 22:13:45 -05:00			`./backup.nix`
Revert "rsync.net cutoff" This reverts commit 5c7d5ee4f2e7ca76435c820d45ce2a58af7060d8. 2025-01-06 18:43:50 -05:00			`./rclone.nix`
massive restructuring 2024-12-15 02:44:50 -05:00			`./postgres.nix`
			`./wireguard.nix`
			`./adguard.nix`
			`./hedgedoc.nix`
			`./miniflux.nix`
			`./redlib.nix`
			`./vaultwarden.nix`
			`./wireguard.nix`
make grafana work again by overlaying from small 2024-12-30 17:27:24 -05:00			`./grafana.nix`
nixify conduwuit 2025-01-05 00:42:57 -05:00			`./conduwuit.nix`
Revert "rsync.net cutoff" This reverts commit 5c7d5ee4f2e7ca76435c820d45ce2a58af7060d8. 2025-01-06 18:43:50 -05:00			`./immich.nix`
add element-web container 2024-12-23 21:11:08 -05:00			`./element.nix`
Revert "rsync.net cutoff" This reverts commit 5c7d5ee4f2e7ca76435c820d45ce2a58af7060d8. 2025-01-06 18:43:50 -05:00			`./attic.nix`
migrate to forgejo 2025-01-10 01:27:05 -05:00			`./forgejo.nix`
bring back garage (#1) make it work with my fork Reviewed-on: https://git.cy7.sh/cy/infra/pulls/1 2025-01-11 23:18:22 -05:00			`./garage.nix`
nix fmt 2024-12-15 01:59:29 -05:00			`];`
bring chunk here and some restructuring 2024-12-13 21:54:49 -05:00
secrets/chunk: add missing secrets and rewrite everything to new structure 2024-12-16 23:20:51 -05:00			`sops.age.keyFile = "/root/.config/sops/age/keys.txt";`
bring chunk here and some restructuring 2024-12-13 21:54:49 -05:00			`sops.secrets = {`
secrets/chunk: add missing secrets and rewrite everything to new structure 2024-12-16 23:20:51 -05:00			`"borg/rsyncnet" = {`
			`sopsFile = ../../secrets/borg/chunk.yaml;`
			`};`
			`"services/ntfy" = {`
			`sopsFile = ../../secrets/services/ntfy.yaml;`
			`};`
include rclone config in secrets 2024-12-26 19:30:22 -05:00			`"rclone/config" = {`
make yt privy to rclone secret and rm grafana cause prometheus chokes 2024-12-30 15:55:59 -05:00			`sopsFile = ../../secrets/rclone.yaml;`
secrets/chunk: add missing secrets and rewrite everything to new structure 2024-12-16 23:20:51 -05:00			`};`
			`"vaultwarden/env" = {`
			`sopsFile = ../../secrets/services/vaultwarden.yaml;`
			`};`
			`"caddy/env" = {`
			`sopsFile = ../../secrets/services/caddy.yaml;`
			`};`
			`"hedgedoc/env" = {`
			`sopsFile = ../../secrets/services/hedgedoc.yaml;`
			`};`
			`"wireguard/private" = {`
			`sopsFile = ../../secrets/wireguard/chunk.yaml;`
			`};`
			`"wireguard/psk-yt" = {`
			`sopsFile = ../../secrets/wireguard/chunk.yaml;`
			`};`
			`"wireguard/psk-phone" = {`
			`sopsFile = ../../secrets/wireguard/chunk.yaml;`
			`};`
			`"miniflux/env" = {`
			`sopsFile = ../../secrets/services/miniflux.yaml;`
			`};`
borg: use new ssh keys and add -x flag 2024-12-20 18:43:11 -05:00			`"rsyncnet/id_ed25519" = {`
migrate to new rsync.net host 2025-01-06 19:10:07 -05:00			`sopsFile = ../../secrets/zh5061/chunk.yaml;`
borg: use new ssh keys and add -x flag 2024-12-20 18:43:11 -05:00			`};`
add attic and rm tor 2025-01-05 05:42:52 -05:00			`"attic/env" = {`
			`sopsFile = ../../secrets/services/attic.yaml;`
			`};`
bring back garage (#1) make it work with my fork Reviewed-on: https://git.cy7.sh/cy/infra/pulls/1 2025-01-11 23:18:22 -05:00
			`"garage/env" = {`
			`sopsFile = ../../secrets/services/garage.yaml;`
			`};`
bring chunk here and some restructuring 2024-12-13 21:54:49 -05:00			`};`

			`boot.loader.grub.enable = true;`
			`boot.loader.grub.device = "/dev/vda";`

			`system.stateVersion = "24.05";`

massive restructuring 2024-12-15 02:44:50 -05:00			`# network stuff`

bring chunk here and some restructuring 2024-12-13 21:54:49 -05:00			`networking.hostName = "chunk";`
			`networking.networkmanager.enable = true;`
			`networking.firewall = {`
			`enable = true;`
use rfc-style formatter 2024-12-19 02:32:58 -05:00			`allowedTCPPorts = [`
			`22`
			`80`
			`443`
			`53`
			`853`
			`];`
			`allowedUDPPorts = [`
			`443`
			`51820`
			`53`
			`853`
			`]; # 51820 is wireguard`
			`trustedInterfaces = [ "wg0" ];`
bring chunk here and some restructuring 2024-12-13 21:54:49 -05:00			`};`
			`networking.interfaces.ens18 = {`
nix fmt 2024-12-15 01:59:29 -05:00			`ipv6.addresses = [`
			`{`
			`address = "2a0f:85c1:840:2bfb::1";`
			`prefixLength = 64;`
			`}`
			`];`
add grafana 2024-12-15 18:42:50 -05:00			`ipv4.addresses = [`
			`{`
			`address = "31.59.129.225";`
			`prefixLength = 24;`
			`}`
			`];`
bring chunk here and some restructuring 2024-12-13 21:54:49 -05:00			`};`
			`networking.defaultGateway6 = {`
			`address = "2a0f:85c1:840::1";`
			`interface = "ens18";`
			`};`
add grafana 2024-12-15 18:42:50 -05:00			`networking.defaultGateway = {`
			`address = "31.59.129.1";`
			`interface = "ens18";`
			`};`
bring chunk here and some restructuring 2024-12-13 21:54:49 -05:00
			`i18n.defaultLocale = "en_US.UTF-8";`
			`console = {`
			`font = "Lat2-Terminus16";`
			`useXkbConfig = true;`
			`};`

			`users.users.yt = {`
use rfc-style formatter 2024-12-19 02:32:58 -05:00			`extraGroups = [`
			`"wheel"`
			`"networkmanager"`
			`"podman"`
			`];`
			`openssh.authorizedKeys.keys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"`
add the new ssh key to chunk's authorized_keys 2024-12-20 18:56:44 -05:00			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD yt@ytnix"`
use rfc-style formatter 2024-12-19 02:32:58 -05:00			`];`
bring chunk here and some restructuring 2024-12-13 21:54:49 -05:00			`};`
use rfc-style formatter 2024-12-19 02:32:58 -05:00			`users.users.root.openssh.authorizedKeys.keys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"`
add the new ssh key to chunk's authorized_keys 2024-12-20 18:56:44 -05:00			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD yt@ytnix"`
use rfc-style formatter 2024-12-19 02:32:58 -05:00			`];`
migrate to forgejo 2025-01-10 01:27:05 -05:00			`# for forgejo`
			`users.users.git = {`
fix git user for forgejo 2025-01-10 01:37:57 -05:00			`isNormalUser = true;`
			`home = "/var/lib/forgejo";`
migrate to forgejo 2025-01-10 01:27:05 -05:00			`group = "git";`
			`};`
nix fmt 2025-01-10 23:17:27 -05:00			`users.groups.git = { };`
bring chunk here and some restructuring 2024-12-13 21:54:49 -05:00
			`environment.systemPackages = with pkgs; [`
			`vim`
			`wget`
			`curl`
			`tree`
			`tmux`
			`file`
			`sops`
attic: configure garbage collection 2025-01-05 20:19:16 -05:00			`attic-server`
bring chunk here and some restructuring 2024-12-13 21:54:49 -05:00			`];`

			`environment.variables = {`
			`EDITOR = "nvim";`
			`VISUAL = "nvim";`
			`};`

			`services.openssh = {`
			`enable = true;`
			`settings.PasswordAuthentication = false;`
			`};`

			`security.sudo.enable = true;`
			`security.sudo.wheelNeedsPassword = false;`

			`programs.gnupg.agent.enable = true;`
			`programs.git.enable = true;`

			`services.caddy = {`
			`enable = true;`
bring caddyfile here 2024-12-13 22:01:01 -05:00			`configFile = ./Caddyfile;`
secrets/chunk: add missing secrets and rewrite everything to new structure 2024-12-16 23:20:51 -05:00			`environmentFile = config.sops.secrets."caddy/env".path;`
bring chunk here and some restructuring 2024-12-13 21:54:49 -05:00			`logFormat = lib.mkForce "level INFO";`
			`};`

init 2024-12-17 00:55:28 -05:00			`# container stuff`
make ghost work on podman 2024-12-17 02:09:57 -05:00			`virtualisation.containers.enable = true;`
			`virtualisation.podman = {`
init 2024-12-17 00:55:28 -05:00			`enable = true;`
			`# create 'docker' alias for podman, to use as`
			`# drop-in replacement`
			`dockerCompat = true;`
make ghost work on podman 2024-12-17 02:09:57 -05:00			`defaultNetwork.settings = {`
			`dns_enabled = true;`
			`ipv6_enabled = true;`
			`};`
init 2024-12-17 00:55:28 -05:00			`};`
			`virtualisation.oci-containers.backend = "podman";`
bring chunk here and some restructuring 2024-12-13 21:54:49 -05:00			`}`