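{ config, pkgs, ... }:

{
  # NixOS host "videos": a single-node PeerTube instance fronted by nginx with
  # ACME certificates. PostgreSQL and Redis live on the same host and are
  # reached over loopback; all credentials come from sops-managed secrets.
  imports = [ ./hardware-configuration.nix ];

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

  networking.hostName = "videos";

  # Admin account. Login is key-only (see the sshd settings below); both keys
  # are FIDO-backed sk-ssh-ed25519 keys, so a copied key file alone is not
  # enough to authenticate.
  users.users.knazarov = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJkgpPDojl4RtsuFLIsHkH/19s3trYljdn/Jmbb3FCHNAAAABHNzaDo= knazarov@framework"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIO7W7yDKxAj9u1hu3zsZMJW+0HUnA/C/rkbuzkQantkaAAAABHNzaDo= knazarov@mira"
    ];
  };

  environment.systemPackages = with pkgs; [ vim sops goaccess ];

  # sshd: no root login and no password authentication; keys only.
  services.openssh.enable = true;
  services.openssh.settings = {
    PermitRootLogin = "no";
    PasswordAuthentication = false;
  };

  # Privilege model: wheel members get passwordless sudo, PAM also accepts a
  # forwarded SSH agent, and wheel is a Nix trusted user (which can already
  # reach root through the daemon). Any wheel member is therefore effectively
  # root; keep wheel membership to the single admin account above.
  security.pam.enableSSHAgentAuth = true;
  security.sudo.wheelNeedsPassword = false;
  nix.settings.trusted-users = [ "@wheel" ];

  services.nginx = {
    enable = true;
    # Allow large request bodies through the reverse proxy (video uploads).
    clientMaxBodySize = "1024m";
    virtualHosts = {
      # www. is a redirect-only host; it still gets its own certificate.
      "www.videos.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        globalRedirect = "videos.knazarov.com";
      };
      "videos.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        # NOTE(review): services.peertube.configureNginx = true also manages
        # this vhost; confirm this explicit location does not conflict with
        # the locations the peertube module generates.
        locations."/" = {
          proxyPass = "http://127.0.0.1:9000";
        };
      };
    };
  };

  security.acme.acceptTerms = true;
  security.acme.certs = {
    "www.videos.knazarov.com".email = "mail@knazarov.com";
    "videos.knazarov.com".email = "mail@knazarov.com";
  };

  networking.interfaces.ens3 = {
    ipv4.addresses = [
      {
        address = "107.189.7.30";
        prefixLength = 24;
      }
    ];
    ipv6.addresses = [
      {
        #address = "2605:6400:30:eb21::";
        address = "2605:6400:30:eb21:c7c2:1dfa:e144:b0a9";
        prefixLength = 48;
      }
    ];
  };

  services.postgresql = {
    enable = true;
    # NOTE(review): PeerTube connects to 127.0.0.1, which works without
    # enableTCPIP; confirm whether listening beyond localhost is needed here.
    # Port 5432 is not opened in the firewall below either way.
    enableTCPIP = true;
    # Only the PeerTube role may connect, only from loopback, password (md5).
    authentication = ''
      hostnossl peertube_local peertube_test 127.0.0.1/32 md5
    '';
    # Role/database bootstrap (including the password) is read from a sops
    # secret rather than written into the store.
    initialScript = config.sops.secrets.postgresql_init.path;
  };

  services.redis.servers.peertube = {
    enable = true;
    # PeerTube reaches Redis via 127.0.0.1 (services.peertube.redis.host), so
    # the listener stays on loopback instead of 0.0.0.0; the password file
    # remains required for the local client.
    bind = "127.0.0.1";
    requirePassFile = config.sops.secrets.redis_password.path;
    port = 31638;
  };

  services.peertube = {
    enable = true;
    localDomain = "videos.knazarov.com";
    configureNginx = true;
    enableWebHttps = true;
    listenWeb = 443;
    secrets.secretsFile = config.sops.secrets.peertube_secrets.path;
    database = {
      host = "127.0.0.1";
      name = "peertube_local";
      user = "peertube_test";
      passwordFile = config.sops.secrets.postgresql_password.path;
    };
    redis = {
      host = "127.0.0.1";
      port = 31638;
      passwordFile = config.sops.secrets.redis_password_peertube.path;
    };
    settings = {
      # NOTE(review): nginx proxies to 127.0.0.1:9000, so this listener could
      # likely be loopback-only as well; left as configured pending a check of
      # what the peertube module expects.
      listen.hostname = "0.0.0.0";
      instance.name = "Konstantin Nazarov's Videos";
    };
  };

  # Secrets are decrypted at activation and exposed read-only (0440) to the
  # one service group that needs each of them.
  sops.defaultSopsFile = ./secrets-videos.yaml;
  sops.secrets = {
    postgresql_password = {
      mode = "0440";
      group = config.users.groups.peertube.name;
    };
    postgresql_init = {
      mode = "0440";
      group = config.users.groups.postgres.name;
    };
    redis_password = {
      mode = "0440";
      group = config.users.groups.redis-peertube.name;
    };
    redis_password_peertube = {
      mode = "0440";
      group = config.users.groups.peertube.name;
    };
    peertube_secrets = {
      mode = "0440";
      group = config.users.groups.peertube.name;
    };
  };

  networking.defaultGateway = "107.189.7.1";
  networking.defaultGateway6 = {
    address = "2605:6400:30::1";
    interface = "ens3";
  };
  networking.nameservers = [ "107.189.0.68" ];

  # Only HTTP, HTTPS and SSH are reachable from outside; PostgreSQL, Redis and
  # the PeerTube backend port (9000) are not in this list.
  networking.firewall = {
    allowedTCPPorts = [ 80 443 22 ];
    allowedUDPPorts = [ ];
    allowedUDPPortRanges = [ ];
  };
  # networking.firewall.allowedUDPPorts = [ ... ];

  system.stateVersion = "23.05";
}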