Harald Hoyer
12c25bcde8
Headscale is moving off the mx mailserver onto the attic cache host. The new public URL is https://headscale.hoyer.world. - Switch from useACMEHost = "hoyer.xyz" (mx wildcard DNS-01) to enableACME = true, since attic only has HTTP-01 configured. - Move headscale port to 8081 to avoid clashing with atticd on 8080. - Drop the 192.168.178.254 LAN nameserver from dns.nameservers.global, which isn't reachable from the Hetzner instance. Operational steps still required on attic: - Provision /var/lib/headscale/client_secret - Migrate the headscale state DB from mx - Point headscale.hoyer.world DNS at attic - Update the Nextcloud OIDC client's redirect URI
112 lines
2 KiB
Nix
112 lines
2 KiB
Nix
{
|
|
pkgs,
|
|
lib,
|
|
config,
|
|
...
|
|
}:
|
|
{
|
|
imports = [
|
|
# ./goaccess.nix
|
|
./acme.nix
|
|
./backup.nix
|
|
./coturn.nix
|
|
./disk-check.nix
|
|
./forgejo.nix
|
|
./hardware-configuration.nix
|
|
./kicker.nix
|
|
./mailserver.nix
|
|
./network.nix
|
|
./nextcloud.nix
|
|
./nextcloud-claude-bot
|
|
./nginx.nix
|
|
./ntfy.nix
|
|
./postgresql.nix
|
|
./rspamd.nix
|
|
./rustdesk.nix
|
|
./users.nix
|
|
];
|
|
|
|
services.tailscale.enable = true;
|
|
|
|
metacfg = {
|
|
services.nginxBase.enable = true;
|
|
services.acmeBase.enable = true;
|
|
emailOnFailure.enable = true;
|
|
base.enable = true;
|
|
nix.enable = true;
|
|
podman.enable = true;
|
|
secureboot.enable = false;
|
|
tools = {
|
|
direnv.enable = true;
|
|
};
|
|
};
|
|
|
|
security = {
|
|
tpm2.enable = lib.mkDefault true;
|
|
tpm2.abrmd.enable = lib.mkDefault true;
|
|
};
|
|
|
|
system.autoUpgrade = {
|
|
enable = true;
|
|
dates = "04:00";
|
|
operation = "switch";
|
|
allowReboot = true;
|
|
flake = lib.mkForce "/root/nixcfg/.#mx";
|
|
};
|
|
|
|
systemd.services.nixos-upgrade = {
|
|
path = [ pkgs.git ];
|
|
preStart = ''
|
|
cd /root/nixcfg
|
|
git fetch origin
|
|
git reset --hard origin/HEAD
|
|
'';
|
|
};
|
|
|
|
nix.gc = {
|
|
dates = "daily";
|
|
options = "--delete-older-than 7d";
|
|
};
|
|
|
|
programs.git.config = {
|
|
safe.directory = "/var/lib/gitea/repositories/harald/nixcfg.git";
|
|
};
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
age
|
|
apacheHttpd # for mkpasswd
|
|
efibootmgr
|
|
fgallery
|
|
git
|
|
htop
|
|
mdadm
|
|
rrsync
|
|
tpm2-pkcs11
|
|
tpm2-pkcs11.out
|
|
tpm2-tools
|
|
zola
|
|
];
|
|
|
|
sops.secrets.ntfy = {
|
|
sopsFile = ../../../.secrets/hetzner/ntfy.yaml;
|
|
};
|
|
|
|
sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
hostKeys = [
|
|
{
|
|
path = "/var/lib/secrets/ssh_host_ed25519_key";
|
|
type = "ed25519";
|
|
}
|
|
{
|
|
path = "/var/lib/secrets/ssh_host_rsa_key";
|
|
type = "rsa";
|
|
bits = 4096;
|
|
}
|
|
];
|
|
};
|
|
|
|
system.stateVersion = "23.05";
|
|
}
|