Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/default.nix | 31 | ||||
| -rw-r--r-- | hosts/p-body/default.nix | 139 |
2 files changed, 170 insertions, 0 deletions
diff --git a/hosts/default.nix b/hosts/default.nix
index 1ad7953..97574c5 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -18,6 +18,7 @@ with inputs; let
 secrets = {
 rootPassword.file = "${self}/users/_secrets/rootPassword.age";
 sethPassword.file = "${self}/users/_secrets/sethPassword.age";
+ pbodyPassword.file = "${self}/users/_secrets/pbodyPassword.age";
 };
 };
@@ -44,6 +45,7 @@ in {
 nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
 nixos-hardware.nixosModules.common-pc-ssd
 lanzaboote.nixosModules.lanzaboote
+ (import "${self}/modules/nixos/virtualisation")
 ];
 };
 glados-wsl = {
@@ -54,4 +56,33 @@ in {
 nixos-wsl.nixosModules.wsl
 ];
 };
+ p-body = {
+ builder = nixpkgs.lib.nixosSystem;
+ inherit (common) system;
+
+ specialArgs = let
+ unstable = import nixpkgsUnstable {
+ inherit (common) system;
+ overlays = [guzzle_api.overlays.default];
+ };
+ in {inherit (unstable) guzzle-api-server;};
+
+ modules = [
+ agenix.nixosModules.default
+ guzzle_api.nixosModules.guzzle_api
+ (import "${self}/modules/base")
+ (import "${self}/modules/nixos")
+
+ {
+ age = {
+ identityPaths = ["/etc/age/key"];
+ secrets = {
+ rootPassword.file = "${self}/users/_secrets/rootPassword.age";
+ pbodyPassword.file = "${self}/users/_secrets/pbodyPassword.age";
+ };
+ };
+ nixos.enable = true;
+ }
+ ];
+ };
 }
diff --git a/hosts/p-body/default.nix b/hosts/p-body/default.nix
new file mode 100644
index 0000000..385f5bd
--- /dev/null
+++ b/hosts/p-body/default.nix
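Review bot: The p-body entry in the last hunk retypes the age.secrets block inline, with the same rootPassword and pbodyPassword `${self}/users/_secrets/…` paths that the first hunk adds to the let-bound `secrets` set at the top of the file, so the two copies will drift the next time a secret is added or moved; if that set is the shared definition it appears to be, referencing it from the p-body module (`inherit secrets;` inside `age = { … }`) is safer than a second copy. `identityPaths = ["/etc/age/key"];` also deserves a comment, since agenix presumably can only decrypt these secrets at activation when that key is already present on the droplet; something like `# provisioned out of band before the first activation; secrets fail to decrypt without it` next to it would tell the next person why a fresh image needs manual setup. The enclosing `in { … }` attribute set starts before the hunk.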
@@ -0,0 +1,139 @@
+{
+ config,
+ modulesPath,
+ pkgs,
+ guzzle-api-server,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/virtualisation/digital-ocean-image.nix")
+ ];
+
+ base = {
+ documentation.enable = false;
+ defaultPackages.enable = false;
+ };
+
+ networking = {
+ hostName = "p-body";
+ firewall = let
+ ports = [80 420];
+ in {
+ allowedUDPPorts = ports;
+ allowedTCPPorts = ports;
+ };
+ };
+
+ programs = {
+ git.enable = true;
+ vim.defaultEditor = true;
+ };
+
+ security = {
+ pam.enableSSHAgentAuth = true;
+ };
+
+ services = {
+ caddy = {
+ enable = true;
+
+ email = "[email protected]";
+
+ logFormat = ''
+ output stdout
+ format json
+ '';
+
+ extraConfig = ''
+ (strip-www) {
+ redir https://{args.0}{uri}
+ }
+
+ (common_domain) {
+ encode gzip
+
+ handle {
+ try_files {path} {path}/
+ }
+
+ handle_errors {
+ @404 {
+ expression {http.error.status_code} == 404
+ }
+ rewrite @404 /404.html
+ file_server
+ }
+ }
+
+ (no_embeds) {
+ header /{args.0} X-Frame-Options DENY
+ }
+
+ (container_proxy) {
+ handle_path /{args.0}/* {
+ reverse_proxy {args.1}
+ }
+ }
+ '';
+
+ globalConfig = ''
+ auto_https off
+ '';
+
+ virtualHosts = {
+ guzzle = rec {
+ hostName = "198.199.68.30";
+ serverAliases = [
+ "www.${hostName}"
+ ];
+ extraConfig = ''
+ root * /var/www
+ import common_domain
+
+ file_server
+
+ import container_proxy api :8000
+ '';
+ };
+ };
+ };
+
+ endlessh = {
+ enable = true;
+ port = 22;
+ openFirewall = true;
+ };
+
+ guzzle-api = {
+ enable = true;
+ url = "http://198.199.68.30/api/api";
+ port = "8000";
+ package = guzzle-api-server;
+ };
+
+ hercules-ci-agent.enable = true;
+
+ openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ ports = [420];
+ };
+ };
+
+ system.stateVersion = "22.11";
+
+ users.users = let
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOeEbjzzzwf9Qyl0JorokhraNYG4M2hovyAAaA6jPpM7 seth@glados"
+ ];
+ in {
+ root = {inherit openssh;};
+ p-body = {
+ extraGroups = ["wheel"];
+ isNormalUser = true;
+ shell = pkgs.bash;
+ passwordFile = config.age.secrets.pbodyPassword.path;
+ inherit openssh;
+ };
+ };
+}
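Review bot: `allowedUDPPorts = ports;` in the networking.firewall block opens UDP 80 and 420 although nothing in this file listens on UDP: sshd on 420 is TCP-only, and with `auto_https off` and no 443 in the list Caddy serves plain HTTP, so there is no HTTP/3 listener either; dropping that line (or `allowedUDPPorts = [];`) keeps the exposed surface to what is actually served. `root = {inherit openssh;};` also installs the same authorized key for root, which with the NixOS default PermitRootLogin (prohibit-password, unless modules/base or modules/nixos overrides it) makes root directly reachable over SSH; since p-body is in wheel and pam.enableSSHAgentAuth is on, `services.openssh.permitRootLogin = "no";` would be the tighter choice. Minor: `serverAliases = ["www.${hostName}"]` expands to `www.198.199.68.30`, which is not a resolvable name when hostName is an IP literal and can simply be removed.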
