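{ config, lib, pkgs, inputs, ... }:
{
  # Sops-managed secrets for this machine.
  # Entries without an explicit owner/group fall back to the sops defaults
  # (root-owned); only the backblaze key is handed to the user account.
  sops.secrets = {
    "borg-ssh-key" = {
      sopsFile = ../../secrets/oracles/borg.yaml;
      format = "yaml";
    };
    "borg-password" = {
      sopsFile = ../../secrets/oracles/borg.yaml;
      format = "yaml";
    };
    "friendpack-backblaze" = {
      format = "yaml";
      sopsFile = ../../secrets/oracles/backblaze.yaml;
      owner = config.users.users.nathan.name;
      group = config.users.users.nathan.group;
    };
    "nix-asuran" = {
      format = "yaml";
      sopsFile = ../../secrets/oracles/gitlab.yaml;
    };
  };

  # System configuration through the project's own `nathan` module (defined
  # elsewhere in this flake; the option semantics below are that module's).
  nathan = {
    programs.utils = {
      devel = true;
      binfmt = true;
    };
    services = {
      nginx = {
        enable = true;
        acme = true;
      };
      matrix = {
        enable = true;
        baseDomain = "mccarty.io";
      };
      borg = {
        enable = true;
        # Paths left out of the backup set. Service state under /var/lib is
        # skipped here: postgresql is covered by the dump option below,
        # redis and docker state are not backed up at all.
        extraExcludes = [
          "*/.cache"
          "*/.tmp"
          "/home/nathan/minecraft/server/backup"
          "/var/lib/postgresql"
          "/var/lib/redis"
          "/var/lib/docker"
          "/var/log"
          "/var/minecraft"
          "/var/sharedstore"
        ];
        passwordFile = config.sops.secrets."borg-password".path;
        sshKey = config.sops.secrets."borg-ssh-key".path;
      };
      postgresql.backup = true;
    };
    config = {
      setupGrub = false;
      nix = {
        autoUpdate = true;
        autoGC = true;
      };
      # NOTE(review): the project's hardening profile is switched off on this
      # internet-facing host; confirm that is intentional.
      harden = false;
      virtualization.docker = true;
    };
  };

  # Bootloader: systemd-boot on EFI (GRUB setup is disabled in the module above).
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Static networking on the public interface.
  networking = {
    domain = "mccarty.io";
    useDHCP = false;
    interfaces.enp1s0f1.ipv4.addresses = [{
      address = "104.238.220.96";
      prefixLength = 24;
    }];
    defaultGateway = "104.238.220.1";
    nameservers = [ "1.1.1.1" ];
    # Only the minecraft port is opened explicitly here; 80/443 are presumably
    # opened by the project's nginx module -- confirm. Ports published by the
    # docker backend are NOT governed by this list (see the searx-ng container).
    firewall = {
      allowedTCPPorts = [ 25565 ];
      allowedUDPPorts = [ 25565 ];
    };
    # Static host entry for gitea automation (100.x address, presumably a
    # VPN/overlay peer rather than a public host).
    hosts."100.99.69.14" = [ "git.stranger.systems" ];
  };

  # Home manager profile for the primary user.
  home-manager.users.nathan = import ./home.nix;

  # Static vhost for the modpack website.
  services.nginx.virtualHosts."pack.forward-progress.net" = {
    enableACME = true;
    forceSSL = true;
    root = "/var/www/pack.forward-progress.net";
    locations."/".root = "/var/www/pack.forward-progress.net";
  };

  # GitLab CI runner (docker executor).
  services.gitlab-runner =
    let
      # Settings shared by every nix-flavoured runner.
      nix-shared = {
        dockerImage = "nixpkgs/nix-flakes";
        dockerVolumes = [ "/var/sharedstore:/sharedstore" ];
        dockerDisableCache = true;
        # Privileged job containers are root-equivalent on this host: any job
        # this runner accepts can reach the docker daemon, the host kernel and
        # /var/sharedstore. Together with runUntagged below, that is every job
        # from a project the registration token covers, not only tagged ones.
        dockerPrivileged = true;
      };
    in
    {
      enable = true;
      settings = {
        concurrent = 4;
        checkInterval = 1;
      };
      services = {
        # Former debian runner, kept for reference:
        # default-asuran = {
        #   registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-default";
        #   dockerImage = "debian:stable";
        #   dockerVolumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
        #   dockerPrivileged = true;
        #   tagList = [ "linux-own" ];
        # };
        nix-asuran = nix-shared // {
          # Registration token is read from the sops secret at runtime, never
          # from the nix store.
          registrationConfigFile = config.sops.secrets.nix-asuran.path;
          tagList = [ "nix" ];
          requestConcurrency = 8;
          limit = 4;
          runUntagged = true;
        };
      };
    };

  # searx-ng, run as an OCI container and fronted by the nginx vhost below.
  virtualisation.oci-containers.containers."searx-ng" = {
    # Untagged image: each (re)start pulls whatever the registry currently
    # serves as the default tag. Pinning a tag or digest makes this reproducible.
    image = "searxng/searxng";
    autoStart = true;
    # Bind the published port to loopback only. With the docker backend a bare
    # "8091:8080" is published on every interface, and docker's own iptables
    # rules sit ahead of networking.firewall, so the plain-HTTP instance would
    # be reachable directly on the public address next to the TLS vhost.
    # nginx is the only intended client.
    ports = [ "127.0.0.1:8091:8080" ];
    volumes = [ "/var/searxng:/etc/searxng" ];
  };
  services.nginx.virtualHosts."searx-ng.mccarty.io" = {
    enableACME = true;
    forceSSL = true;
    # Address the upstream over IPv4 explicitly to match the loopback bind
    # above; "localhost" may otherwise resolve to ::1 first.
    locations."/".proxyPass = "http://127.0.0.1:8091";
  };
}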