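# NixOS host "videos": a single-node PeerTube instance behind nginx with
# ACME-issued certificates. All credentials come from sops (see the sops.*
# options at the bottom); nothing sensitive is stored in this file.
{ config, pkgs, ... }:

{
  imports = [ ./hardware-configuration.nix ];

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

  networking.hostName = "videos";

  # Single administrative account. Login is key-only (see services.openssh
  # below) using two hardware-backed (sk-) ed25519 keys.
  users.users.knazarov = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJkgpPDojl4RtsuFLIsHkH/19s3trYljdn/Jmbb3FCHNAAAABHNzaDo= knazarov@framework"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIO7W7yDKxAj9u1hu3zsZMJW+0HUnA/C/rkbuzkQantkaAAAABHNzaDo= knazarov@mira"
    ];
  };

  environment.systemPackages = with pkgs; [ vim sops goaccess ];

  # SSH: no root login and no password authentication, so only the keys listed
  # above can open a session.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };

  # Members of wheel get root via sudo without a password and are Nix trusted
  # users. Net effect: possession of either authorized key above is equivalent
  # to root on this host, so the keys are the whole security boundary.
  security.pam.enableSSHAgentAuth = true;
  security.sudo.wheelNeedsPassword = false;
  nix.settings.trusted-users = [ "@wheel" ];

  # Public entry point. nginx terminates TLS for both names and redirects the
  # www. name to the bare one; PeerTube itself is only reached over loopback.
  services.nginx = {
    enable = true;
    # Upper bound on request bodies (video uploads) accepted by nginx.
    clientMaxBodySize = "1024m";
    virtualHosts = {
      "www.videos.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        globalRedirect = "videos.knazarov.com";
      };
      "videos.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = { proxyPass = "http://127.0.0.1:9000"; };
      };
    };
  };

  security.acme.acceptTerms = true;
  security.acme.certs = {
    "www.videos.knazarov.com".email = "mail@knazarov.com";
    "videos.knazarov.com".email = "mail@knazarov.com";
  };

  # Static addressing on ens3.
  networking.interfaces.ens3 = {
    ipv4.addresses = [{
      address = "107.189.7.30";
      prefixLength = 24;
    }];
    ipv6.addresses = [{
      # Previous (network-prefix) address, kept for reference.
      #address = "2605:6400:30:eb21::";
      address = "2605:6400:30:eb21:c7c2:1dfa:e144:b0a9";
      prefixLength = 48;
    }];
  };

  # PostgreSQL for PeerTube. TCP is enabled so PeerTube can connect on
  # 127.0.0.1; the pg_hba line below admits only the PeerTube role/database
  # from the loopback address. NOTE(review): NixOS appends its own default
  # pg_hba rules as well -- check the effective pg_hba.conf on the host.
  # `md5` is the legacy password method; switching to scram-sha-256 requires
  # the stored password hash to match, so confirm before changing.
  services.postgresql = {
    enable = true;
    enableTCPIP = true;
    authentication = ''
      hostnossl peertube_local peertube_test 127.0.0.1/32 md5
    '';
    # Presumably creates the role/database referenced above -- verify against
    # the sops secret.
    initialScript = config.sops.secrets.postgresql_init.path;
  };

  # Redis instance dedicated to PeerTube. PeerTube connects over loopback
  # (services.peertube.redis.host below), so the socket is bound to loopback
  # instead of every interface. The firewall below only opens 22/80/443 and
  # would drop outside traffic to 31638 anyway, but not exposing the listener
  # at all removes one dependency on that rule.
  services.redis.servers.peertube = {
    enable = true;
    bind = "127.0.0.1";
    requirePassFile = config.sops.secrets.redis_password.path;
    port = 31638;
  };

  services.peertube = {
    enable = true;
    localDomain = "videos.knazarov.com";
    configureNginx = true;
    enableWebHttps = true;
    listenWeb = 443;

    secrets.secretsFile = config.sops.secrets.peertube_secrets.path;
    database = {
      host = "127.0.0.1";
      name = "peertube_local";
      user = "peertube_test";
      passwordFile = config.sops.secrets.postgresql_password.path;
    };
    redis = {
      host = "127.0.0.1";
      port = 31638;
      passwordFile = config.sops.secrets.redis_password_peertube.path;
    };
    settings = {
      # PeerTube's own HTTP listener. nginx proxies to it on 127.0.0.1, so a
      # loopback bind would suffice here too; left unchanged because the
      # upstream module's use of this setting should be checked first
      # (TODO confirm, then narrow).
      listen.hostname = "0.0.0.0";
      instance.name = "Konstantin Nazarov's Videos";
    };
  };

  # Secrets are decrypted by sops-nix and exposed as files readable by root
  # and exactly one service group (mode 0440). The Redis password is declared
  # twice because the redis and peertube services run under different groups
  # and a decrypted secret file carries a single group.
  sops.defaultSopsFile = ./secrets-videos.yaml;
  sops.secrets = {
    postgresql_password = {
      mode = "0440";
      group = config.users.groups.peertube.name;
    };
    postgresql_init = {
      mode = "0440";
      group = config.users.groups.postgres.name;
    };
    redis_password = {
      mode = "0440";
      group = config.users.groups.redis-peertube.name;
    };
    redis_password_peertube = {
      mode = "0440";
      group = config.users.groups.peertube.name;
    };
    peertube_secrets = {
      mode = "0440";
      group = config.users.groups.peertube.name;
    };
  };

  networking.defaultGateway = "107.189.7.1";
  networking.defaultGateway6 = {
    address = "2605:6400:30::1";
    interface = "ens3";
  };
  networking.nameservers = [ "107.189.0.68" ];

  # Only SSH and HTTP(S) are reachable from outside; PostgreSQL, Redis and the
  # PeerTube backend port are not opened and stay on loopback.
  networking.firewall = {
    allowedTCPPorts = [ 80 443 22 ];
    allowedUDPPorts = [ ];
    allowedUDPPortRanges = [ ];
  };
  # networking.firewall.allowedUDPPorts = [ ... ];

  system.stateVersion = "23.05";
}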