ktiu/omniflake
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactored system

Browse source
This commit is contained in:
Till 2026-01-22 00:13:33 +01:00
parent 6a62e2f23f
commit 386d889455
55 changed files with 336 additions and 580 deletions
Download patch file Download diff file Expand all files Collapse all files

14
system/alt.nix
View file

@ -1,14 +0,0 @@
{ config, pkgs, ... }:
{
users.users.alt = {
home = "/home/alt";
isSystemUser = true;
group = "users";
description = "Alt";
extraGroups = [
"networkmanager"
];
shell = pkgs.fish;
};
}

18
system/btrbk.nix
View file

@ -1,18 +0,0 @@
{ config, pkgs, ... }:
{
services.btrbk = {
instances.btrbk = {
onCalendar = "hourly";
settings = {
subvolume = "/home";
snapshot_preserve = "40d";
snapshot_preserve_min = "4d";
snapshot_dir = "/btrbk_snapshots";
target = "/run/media/till/backup/${config.networking.hostName}";
target_preserve_min = "no";
target_preserve = "10d 10w 24m";
};
};
};
}

5
system/cosmic.nix
View file

@ -1,5 +0,0 @@
{ config, pkgs, ... }:
{
services.desktopManager.cosmic.enable = true;
}

37
system/default.nix
View file

@ -1,6 +1,14 @@
{ config, pkgs, ... }:
{
imports = [
../users/till.nix
];
networking.networkmanager.enable = true;
users.mutableUsers = true;
time.timeZone = "Europe/Berlin";
programs.fish.enable = true;
nix = {
settings.experimental-features = [ "nix-command" "flakes" ];
@ -9,22 +17,6 @@
optimise.automatic = true;
};
time.timeZone = "Europe/Berlin";
programs.fish.enable = true;
users.mutableUsers = true;
users.users.till = {
isNormalUser = true;
description = "Till";
extraGroups = [ "wheel" ];
shell = pkgs.fish;
openssh.authorizedKeys.keyFiles = [
./ssh/till${"@"}nova.pub
];
};
environment.systemPackages = with pkgs; [
dig.dnsutils
file
@ -32,19 +24,20 @@
htop
killall
neovim
netutils
pwgen
tree
unzip
wget
];
services = {
ntp.enable = true;
openssh.enable = true;
openssh.settings.PasswordAuthentication = false;
openssh.settings.PermitRootLogin = "no";
services.ntp.enable = true;
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.PermitRootLogin = "no";
};
system.stateVersion = "22.11";
}

16
system/desktop/btrbk.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, ... }:
{
services.btrbk.instances.btrbk = {
onCalendar = "hourly";
settings = {
subvolume = "/home";
snapshot_preserve = "40d";
snapshot_preserve_min = "4d";
snapshot_dir = "/btrbk_snapshots";
target = "/run/media/till/backup/${config.networking.hostName}";
target_preserve_min = "no";
target_preserve = "10d 10w 24m";
};
};
}

0
system/cast.nix → system/desktop/cast.nix
View file

11
system/desktop.nix → system/desktop/default.nix
View file

@ -3,12 +3,9 @@
{
imports = [
./interception-tools.nix
./secrets.nix
./btrbk.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.networkmanager = {
enable = true;
plugins = with pkgs; [ networkmanager-openvpn ];
@ -20,12 +17,6 @@
LC_PAPER = "de_DE.UTF-8";
};
users.users.till = {
extraGroups = [
"networkmanager"
];
};
services.pulseaudio.enable = false;
services.pipewire = {

8
system/ergodox.nix → system/desktop/ergodox-udev.nix
View file

@ -1,9 +1,7 @@
{ config, pkgs, ... }:
{ ... }:
{
services.udev = {
extraRules = ''
services.udev.extraRules = ''
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="wheel"
'';
};
'';
}

8
system/gnome.nix → system/desktop/gnome.nix
View file

@ -9,13 +9,13 @@
defaultSession = "gnome";
};
environment.gnome.excludePackages = (with pkgs; [
environment.gnome.excludePackages = with pkgs; [
gnome-tour
geary
yelp
gnome-contacts
gnome-initial-setup
]);
];
environment.systemPackages = with pkgs; [
gnome-sound-recorder
@ -24,12 +24,10 @@
];
services.gnome.gnome-browser-connector.enable = true;
services.gnome.gnome-keyring.enable = lib.mkForce false;
# services.gnome.gnome-keyring.enable = lib.mkForce false;
programs.kdeconnect = {
enable = true;
package = lib.mkForce pkgs.gnomeExtensions.gsconnect;
};
}

0
system/interception-tools.nix → system/desktop/interception-tools.nix
View file

0
system/media.nix → system/desktop/media.nix
View file

5
system/desktop/remote-desktop.nix Normal file
View file

@ -0,0 +1,5 @@
{ config, pkgs, ... }:
{
services.gnome.gnome-remote-desktop.enable = true;
}

10
system/yubikey.nix → system/desktop/yubikey-pam.nix
View file

@ -1,7 +1,6 @@
{ config, pkgs, ... }:
{
services.pcscd.enable = true;
environment.systemPackages = with pkgs; [
@ -20,9 +19,8 @@
# '';
};
security.pam.services = {
login.u2fAuth = true;
sudo.u2fAuth = true;
};
# security.pam.services = {
# login.u2fAuth = true;
# sudo.u2fAuth = true;
# };
}

10
system/distrobox.nix
View file

@ -1,10 +0,0 @@
{ config, pkgs, ... }:
{
virtualisation.podman = {
enable = true;
dockerCompat = true;
};
environment.systemPackages = [ pkgs.distrobox ];
}

17
system/guest.nix
View file

@ -1,17 +0,0 @@
{ config, pkgs, ... }:
{
users.users.guest = {
home = "/home/guest";
isNormalUser = true;
group = "users";
description = "Guest";
extraGroups = [
"networkmanager"
];
shell = pkgs.fish;
openssh.authorizedKeys.keyFiles = [
./ssh/till${"@"}nova.pub
];
};
}

33
system/hardware/arielle.nix
View file

@ -1,33 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/087544b8-4941-436b-be6c-e32bc3787b12";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/9408a2ce-646d-406e-8407-c9bafd0a728c"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

33
system/hardware/ernst.nix
View file

@ -1,33 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "ums_realtek" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/35ee7723-47bd-49de-b211-73550c14d765";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp9s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

67
system/hardware/homer.nix
View file

@ -1,67 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/hardware/network/broadcom-43xx.nix")
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.extraModprobeConfig = ''
options snd_hda_intel power_save=0
'';
fileSystems."/" =
{ device = "/dev/disk/by-uuid/809e9e9e-ff44-4ecb-8754-e3f2000e5788";
fsType = "btrfs";
options = [ "subvol=root" ];
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/68a19b7d-358a-419c-9507-1e103526f44a";
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/809e9e9e-ff44-4ecb-8754-e3f2000e5788";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/809e9e9e-ff44-4ecb-8754-e3f2000e5788";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/553D-668A";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/var/mediathek" = {
device = "/dev/disk/by-uuid/7b0b589f-5759-411a-975a-08a3c7a0f953";
fsType = "ext4";
options = [ # If you don't have this options attribute, it'll default to "defaults"
# boot options for fstab. Search up fstab mount options you can use
"users" # Allows any user to mount and unmount
"nofail" # Prevent system from failing if this drive doesn't mount
];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

62
system/hardware/nova.nix
View file

@ -1,62 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
let
subvolume = {
device = "/dev/disk/by-uuid/6a0d25d4-0253-4467-85cc-ab3e0ef71f54";
fsType = "btrfs";
};
in
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" "v4l2loopback" ];
boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/eaad533f-8586-4002-9c53-5aecf8e7abd8";
allowDiscards = true;
};
fileSystems."/" = subvolume // {
options = [ "subvol=root" "compress=zstd" "discard=async" ];
};
# the following subvolumes are automatically mounted and won't be snapshotted:
# /home/till/.local/share/Steam
# /home/till/.local/share/Trash
# /home/till/.cache
# /home/till/tmp
# /home/till/.mozilla/firefox/till/storage
# /home/till/.config/Mattermost/Cache
# /home/till/.config/Mattermost/Code\ Cache
fileSystems."/nix" = subvolume // {
options = [ "subvol=nix" "compress=zstd" "noatime" "discard=async" ];
};
fileSystems."/home" = subvolume // {
options = [ "subvol=home" "compress=zstd" "discard=async" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7362-C4C4";
fsType = "vfat";
};
swapDevices = [{
device = "/swapfile";
size = 8 * 1045;
}];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.trackpoint.enable = true;
boot.kernelParams = [ "psmouse.elantech_smbus=0" ];
}

58
system/hardware/romulus.nix
View file

@ -1,58 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d9731b0f-57a1-42ba-b9bd-92e225df5bc2";
fsType = "btrfs";
options = [ "subvol=root" "compress=zstd" ];
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/d1bb3d19-d95f-4486-8350-2f3a5b473881";
fileSystems."/swap" =
{ device = "/dev/disk/by-uuid/d9731b0f-57a1-42ba-b9bd-92e225df5bc2";
fsType = "btrfs";
options = [ "subvol=swap" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/d9731b0f-57a1-42ba-b9bd-92e225df5bc2";
fsType = "btrfs";
options = [ "subvol=home" "compress=zstd" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/d9731b0f-57a1-42ba-b9bd-92e225df5bc2";
fsType = "btrfs";
options = [ "subvol=nix" "noatime" "compress=zstd" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/EB36-69BF";
fsType = "vfat";
};
swapDevices = [ { device = "/swap/swapfile"; } ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

64
system/hardware/tron.nix
View file

@ -1,64 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
let
subvolume = {
# device = "/dev/disk/by-uuid/6a0d25d4-0253-4467-85cc-ab3e0ef71f54";
fsType = "btrfs";
};
in
{
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" "v4l2loopback" ];
boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ];
boot.initrd.luks.devices."cryptroot" = {
# device = "/dev/disk/by-uuid/eaad533f-8586-4002-9c53-5aecf8e7abd8";
allowDiscards = true;
};
fileSystems."/" = subvolume // {
options = [ "subvol=root" "compress=zstd" "discard=async" ];
};
# the following subvolumes are automatically mounted and won't be snapshotted:
# /home/till/.local/share/Steam
# /home/till/.local/share/Trash
# /home/till/.cache
# /home/till/tmp
# /home/till/.mozilla/firefox/till/storage
# /home/till/.config/Mattermost/Cache
# /home/till/.config/Mattermost/Code\ Cache
fileSystems."/nix" = subvolume // {
options = [ "subvol=nix" "compress=zstd" "noatime" "discard=async" ];
};
fileSystems."/home" = subvolume // {
options = [ "subvol=home" "compress=zstd" "discard=async" ];
};
fileSystems."/boot" = {
# device = "/dev/disk/by-uuid/7362-C4C4";
fsType = "vfat";
};
swapDevices = [{
device = "/swapfile";
size = 8 * 1045;
}];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.trackpoint.enable = true;
boot.kernelParams = [ "psmouse.elantech_smbus=0" ];
}

17
system/hyprland.nix
View file

@ -1,17 +0,0 @@
{ config, pkgs, ... }:
{
programs.uwsm.enable = true;
programs.hyprland = {
enable = true;
withUWSM = true;
};
programs.waybar.enable = true;
environment.systemPackages = with pkgs; [
swaynotificationcenter
tofi
];
}

0
system/web-server/mail/default.nix → system/mail-server/default.nix
View file

0
system/web-server/mail/dkim.nix → system/mail-server/dkim.nix
View file

0
system/web-server/mail/dovecot.nix → system/mail-server/dovecot.nix
View file

0
system/web-server/mail/postfix.nix → system/mail-server/postfix.nix
View file

0
system/web-server/mail/roundcube.nix → system/mail-server/roundcube.nix
View file

5
system/plasma.nix
View file

@ -1,5 +0,0 @@
{ config, pkgs, ... }:
{
services.desktopManager.plasma6.enable = true;
}

5
system/remote-desktop.nix
View file

@ -1,5 +0,0 @@
{ config, pkgs, ... }:
{
services.gnome.gnome-remote-desktop.enable = true
}

14
system/secrets.nix
View file

@ -1,14 +0,0 @@
{ config, pkgs, ... }:
{
programs.gnupg.agent = {
enable = true;
pinentryPackage = pkgs.pinentry-gnome3;
enableSSHSupport = true;
settings = {
# disable-scdaemon = "";
};
};
}

1
system/ssh/till@nova.pub
View file

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDr1G6eXwR8t8k/2Vm1CX8ARt7q2GVPtX+xdOFqDonQy0yPai85s1Y+wkIivC9GvdyK1Q5EM2Vl7PKOvJxAJwwevgPTp6hsg9JOc2v0WNJ12p9a0NF2cXJwmgIVs2z0GTritJpO0VwWUdjI+RJORpTAkkMskEWB4IU/ub1nOUya2Hq7xvI9GcvnVoA7nWRs2X6VHHQLIbkrc9+a3MdGtJim1/yJ/CfiX/RueWZ8ANBpieUmgwjQJn6WYCCl/q2fId4vc/njtwmF/Tx5H4MxVCMpPmbbD7XAN04cXMpZOKKAHHbwM14SpslQFDPnfmF9f3BdEvTaxJOu7Fs8nE6XEJs+gUgY4lGQfaoPOKN7uyD/reVfqTwkvF7PzhiT7FEhPycpU5gNGyTka/o63xB3kCdlXhWBb3qmWB8E+0va0XdUj0STzjws3EtLLkoGJoXjp9UTQxqL31sxfPZQWQ7NmHne4/UR/R8xlv2Ul4VKBou8ZV6+5thsYo08JJiSbfnN9Ms= till@nova

5
system/steam.nix
View file

@ -1,5 +0,0 @@
{ config, pkgs, ... }:
{
programs.steam.enable = true;
}

20
system/sway.nix
View file

@ -1,20 +0,0 @@
{ config, pkgs, ... }:
{
programs.sway = {
enable = true;
wrapperFeatures.gtk = true;
};
programs.waybar.enable = true;
services.gnome.gnome-keyring.enable = true;
environment.systemPackages = with pkgs; [
grim
slurp
wl-clipboard
swaynotificationcenter
tofi
];
}

70
system/web-server/default.nix
View file

@ -1,64 +1,16 @@
{ config, pkgs, ... }:
{ ... }:
{
nixpkgs.config.allowUnfree = true;
imports = [
./nginx.nix
./letsencrypt.nix
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"${config.networking.domain}" = {
onlySSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
return = "200 'This domain used for e-mail hosting only.'";
extraConfig = ''
add_header Content-Type text/plain;
'';
};
};
"${config.networking.fqdn}-80" = {
serverAliases = [
"*.ktiu.net"
"*.t9e.me"
];
locations."/.well-known/acme-challenge" = {
root = "/var/lib/acme/.challenges";
};
locations."/" = {
return = "301 https://$host$request_uri";
};
};
"${config.networking.fqdn}" = {
onlySSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
return = "404";
};
};
};
};
security.acme = {
acceptTerms = true;
defaults.email = "till@ktiu.net";
certs."${config.networking.domain}" = {
domain = config.networking.domain;
webroot = "/var/lib/acme/.challenges";
group = config.services.nginx.group;
extraDomainNames = [ config.networking.fqdn ];
};
};
./forgejo.nix
./outline.nix
./radicale.nix
# ./ksh.nix
./ksh-map.nix
./oopsidenfiy.nix
];
}

23
system/web-server/jenkins.nix
View file

@ -1,23 +0,0 @@
{ config, pkgs, ... }:
{
services.jenkins = {
enable = true;
port = 7401;
};
security.acme.certs."${config.networking.domain}".extraDomainNames = [
"jenkins.${config.networking.domain}"
];
services.nginx.virtualHosts = {
"jenkins.${config.networking.domain}" = {
onlySSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.jenkins.port}";
proxyWebsockets = true;
};
};
};
}

2
system/web-server/kein-schlussstrich-hessen.org → system/web-server/ksh.nix
View file

@ -11,7 +11,7 @@
serverAliases = [
"www.kein-schlussstrich-hessen.de"
"www.kein-schlussstrich-hessen.org"
]
];
globalRedirect = "kein-schlussstrich-hessen.org";
enableACME = true;
};

29
system/web-server/letsencrypt.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "till@ktiu.net";
certs."${config.networking.domain}" = {
domain = config.networking.domain;
webroot = "/var/lib/acme/.challenges";
group = config.services.nginx.group;
extraDomainNames = [ config.networking.fqdn ];
};
};
services.nginx.virtualHosts = {
"${config.networking.fqdn}-80" = {
serverAliases = [
"*.ktiu.net"
"*.t9e.me"
];
locations."/.well-known/acme-challenge" = {
root = "/var/lib/acme/.challenges";
};
locations."/" = {
return = "301 https://$host$request_uri";
};
};
};
}

34
system/web-server/nginx.nix Normal file
View file

@ -0,0 +1,34 @@
{ config, ... }:
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"${config.networking.domain}" = {
onlySSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
return = "200 'This domain used for e-mail hosting only.'";
extraConfig = ''
add_header Content-Type text/plain;
'';
};
};
"${config.networking.fqdn}" = {
onlySSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
return = "404";
};
};
};
};
}

1
system/web-server/outline.nix
View file

@ -1,6 +1,7 @@
{ config, pkgs, ... }:
{
# imports = [ ./dex.nix ];
# environment.systemPackages = with pkgs; [
# openssl

7
system/xfce.nix
View file

@ -1,7 +0,0 @@
{ config, pkgs, ... }:
{
services.xserver.enable = true;
services.xserver.displayManager.lightdm.enable = true;
services.xserver.desktopManager.xfce.enable = true;
}