diff --git a/base.nix b/base.nix index 5d75e24..a6df078 100644 --- a/base.nix +++ b/base.nix @@ -162,8 +162,11 @@ ######################################## Misc. ################################################## nixpkgs.config.allowUnfree = true; - # Easiest to use and most distros use this by default. - networking.networkmanager.enable = true; + networking = { + # Easiest to use and most distros use this by default. + networkmanager.enable = true; + tempAddresses = "disabled"; + }; users.mutableUsers = false; # Force all user management to happen throught nix-files diff --git a/machine-confs/exoplasim.nix b/machine-confs/exoplasim.nix index 2fe83cb..b4c2754 100644 --- a/machine-confs/exoplasim.nix +++ b/machine-confs/exoplasim.nix @@ -29,6 +29,16 @@ }; }; + services.ddclient = { + enable = true; + usev4 = ""; + usev6 = "ifv6, ifv6=enp6s18"; + username = "vsinerva.fi-dynexo"; + domains = [ "exovpn.vsinerva.fi" ]; + passwordFile = "/var/lib/ddclient/password"; + server = "www.ovh.com"; + }; + # User worker users.users.worker = { isNormalUser = true; diff --git a/machine-confs/gitea.nix b/machine-confs/gitea.nix new file mode 100644 index 0000000..9356f1f --- /dev/null +++ b/machine-confs/gitea.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + networking.hostName = "gitea"; + + imports = [ + ../base.nix + ../services/gitea.nix + ]; + + # HARDWARE SPECIFIC + services.qemuGuest.enable = true; +} diff --git a/machine-confs/helium.nix b/machine-confs/helium.nix index 18c14b0..9dfcd7e 100644 --- a/machine-confs/helium.nix +++ b/machine-confs/helium.nix @@ -2,7 +2,6 @@ { networking = { hostName = "helium"; - tempAddresses = "disabled"; # For IP-based filtering to work better wg-quick.interfaces = { wg0 = { diff --git a/machine-confs/lithium.nix b/machine-confs/lithium.nix index 4257108..3c095ae 100644 --- a/machine-confs/lithium.nix +++ b/machine-confs/lithium.nix 
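Review bot: The rationale for `tempAddresses = "disabled"` is lost when the setting moves into base.nix — the helium and lithium hunks delete the line together with its `# For IP-based filtering to work better` comment, and the new fleet-wide line in the `networking` block carries no comment at all. Disabling IPv6 privacy extensions on every host means each one sources all outbound traffic from a single stable address, which is what remote IP allow-lists (and the ddclient update in exoplasim.nix) depend on, but it also makes the host trackable by that address; that trade-off belongs next to the line, especially now that it applies to every machine importing base.nix rather than two hand-picked ones. I would restore it as `tempAddresses = "disabled"; # Stable IPv6 source address so remote IP-based filtering and DDNS keep working; privacy extensions are not wanted on servers`. The `networking` attribute set closes inside the hunk, but the enclosing module continues outside it.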
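Review bot: `passwordFile = "/var/lib/ddclient/password"` points at a secret that nothing in this configuration provisions, so its existence, owner and mode depend on a manual step that is not recorded anywhere in the repo; add `# Provisioned out of band: must exist before first activation, root-owned, mode 0600 (the module hands it to ddclient via its credential handling — confirm)` above the line. The block also relies on the module's default `protocol`, which is what OVH DynHost expects (dyndns2, as far as I recall); making it explicit with `protocol = "dyndns2";` next to `server = "www.ovh.com";` documents the choice and survives a change of default. With `usev4 = ""` only the IPv6 address of `enp6s18` is published, which is consistent with the fleet-wide `tempAddresses = "disabled"` in base.nix — if privacy addresses were ever re-enabled on this host the published address would start to rotate, so a one-line note on `usev6` saying it depends on that setting would help. The hunk ends on context lines of the unrelated `users.users.worker` definition, which continues outside it.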
@@ -2,7 +2,6 @@ { networking = { hostName = "lithium"; - tempAddresses = "disabled"; # For IP-based filtering to work better wg-quick.interfaces = { wg0 = { diff --git a/machine-confs/nat64.nix b/machine-confs/nat64.nix index 3e8f81f..b68b8e8 100644 --- a/machine-confs/nat64.nix +++ b/machine-confs/nat64.nix @@ -4,7 +4,7 @@ imports = [ ../base.nix - # ../services/nat64.nix + ../services/nat64.nix ]; # HARDWARE SPECIFIC diff --git a/services/gitea.nix b/services/gitea.nix new file mode 100644 index 0000000..1f7708d --- /dev/null +++ b/services/gitea.nix 
@@ -0,0 +1,64 @@
+{ config, ... }:
+{
+ imports = [ ./acme-dns.nix ];
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ networking.firewall.allowedUDPPorts = [ 443 ];
+
+ services = {
+ gitea = {
+ enable = true;
+ lfs.enable = true;
+ appName = "Gitea for Vili Sinervä";
+ mailerPasswordFile = "${config.services.gitea.stateDir}/smtp_pass"; # TODO
+
+ settings = {
+ repository = {
+ ENABLE_PUSH_CREATE_USER = true;
+ };
+ ui.DEFAULT_SHOW_FULL_NAME = true;
+ "ui.meta".AUTHOR = "Gitea, hosted by Vili Sinervä";
+ server = {
+ DOMAIN = "gitea.vsinerva.fi";
+ HTTP_PORT = 8000;
+ ROOT_URL = "https://${config.services.gitea.settings.server.DOMAIN}";
+ };
+ service.DISABLE_REGISTRATION = true; # Disable for initial setup
+ session.COOKIE_SECURE = true;
+ mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "smtp.gmail.com";
+ SMTP_PORT = 587;
+ USER = "vmsskv12@gmail.com"; # Password set in file
+ FROM = "gitea@vsinerva.fi";
+ };
+ cron = {
+ ENABLED = true;
+ RUN_AT_START = true;
+ };
+ time.DEFAULT_UI_LOCATION = "Europe/Helsinki";
+ };
+ };
+
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts.${config.services.gitea.settings.server.DOMAIN} = {
+ forceSSL = true;
+ kTLS = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "http://localhost:8000";
+ };
+ };
+ };
+}
diff --git a/services/nat64.nix b/services/nat64.nix
index 0662315..bf6f298 100644
--- a/services/nat64.nix
+++ b/services/nat64.nix
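Review bot: `networking.firewall.allowedUDPPorts = [ 443 ]` opens UDP 443 to the world, but the nginx virtual host in the same hunk never enables QUIC/HTTP/3 (no `quic` or `http3` on the vhost), so nothing listens there; either drop that line or add `quic = true; http3 = true;` to the `virtualHosts` entry so the open port matches an actual listener. Gitea is only ever reached through nginx on this host, yet `server` sets `HTTP_PORT = 8000` without `HTTP_ADDR`; if the module's default is the wildcard address (I believe it is), pinning `HTTP_ADDR = "127.0.0.1";` keeps the unauthenticated HTTP listener off the network even when the firewall rules change, and makes the `proxyPass = "http://localhost:8000"` target unambiguous. The comment on `service.DISABLE_REGISTRATION = true; # Disable for initial setup` reads as if registration is disabled for the setup phase — reword it to `# Set to false only while creating the first admin account, then back to true`. The `mailerPasswordFile` line is still marked `# TODO` and places an SMTP credential inside `stateDir`; before this goes live confirm the file is 0600 owned by the gitea user, and that `mailer.PROTOCOL` is set (or defaults) to `smtp+starttls` for port 587, since neither is visible here.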
@@ -5,42 +5,6 @@
 enable = true;
 nat64.default = {
 global.pool6 = "64:ff9b::/96"; # Default value made explicit for clarity
-
- # Port forwarding
- bib = [
- {
- # ExoPlaSim WireGuard
- "protocol" = "UDP";
- "ipv4 address" = "192.168.1.2#51821";
- "ipv6 address" = "fd08:d473:bcca:1:210:3292:4922:b9aa#51821";
- }
- ];
-
- pool4 = [
- # Ports for static BIB entries
- {
- protocol = "UDP";
- prefix = "192.168.1.2/32";
- "port range" = "51821";
- }
-
- # Port ranges for dynamic translation
- {
- protocol = "TCP";
- prefix = "192.168.1.2/32";
- "port range" = "30001-50000";
- }
- {
- protocol = "UDP";
- prefix = "192.168.1.2/32";
- "port range" = "30001-50000";
- }
- {
- protocol = "ICMP";
- prefix = "192.168.1.2/32";
- "port range" = "30001-50000";
- }
- ];
 };
 };
 };
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index 58706ad..5d9041c 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -28,6 +28,9 @@
 nginx = {
 recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
 virtualHosts.${config.services.nextcloud.hostName} = {
 forceSSL = true;
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index 189cddc..7e05a7d 100644
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@@ -36,6 +36,9 @@
 nginx = {
 enable = true;
 recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
 virtualHosts."vaultwarden.vsinerva.fi" = {
 forceSSL = true;
@@ -43,7 +46,7 @@
 enableACME = true;
 acmeRoot = null;
 locations."/" = {
- proxyPass = "http://127.0.0.1:8000";
+ proxyPass = "http://localhost:8000";
 };
 };
 };
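Review bot: Removing the whole `pool4` list leaves Jool with no explicit IPv4 addresses or port ranges for translated flows, so translated traffic is masked with whatever the fallback is (the translator's own interface addresses and a default high port range, as far as I recall) and shares the host's source address and port space with its local services; the commit gives no reason for dropping the scoping, and it lands together with re-enabling the import in machine-confs/nat64.nix. If that is intended, record it on the line that remains: `global.pool6 = "64:ff9b::/96"; # pool4 deliberately unset: Jool falls back to the node's own address/default ports — confirm the range cannot collide with local listeners`. The deleted static `bib` entry was the only inbound mapping for the ExoPlaSim WireGuard port 51821; the new ddclient block in exoplasim.nix suggests that host now publishes its own IPv6 address instead, which would make the entry obsolete, but a sentence in the commit or a comment here should say so rather than leave the forwarding silently gone. The enclosing attribute set starts before the hunk.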
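Review bot: Changing `proxyPass` from `http://127.0.0.1:8000` to `http://localhost:8000` makes nginx resolve the name at startup, typically to both `127.0.0.1` and `::1`, and balance between them; if vaultwarden binds only IPv4 (its ROCKET_ADDRESS is not visible in this hunk), some requests will first hit a refused connection on `::1`, be retried on the other address and leave `connect() failed` noise in the error log until that upstream's fail timeout expires. Keep the literal `proxyPass = "http://127.0.0.1:8000";`, or make vaultwarden's bind address match the name explicitly, so the upstream is unambiguous; the new services/gitea.nix uses the same `localhost` upstream and would benefit from the same treatment. The added `recommendedTlsSettings`/`recommendedProxySettings` in the first hunk are fine and bring this host in line with nextcloud.nix. The `virtualHosts` block continues outside both hunks.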