System/machines/tounge/configuration.nix


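{ config, lib, pkgs, inputs, ... }:
let
  # Static LAN address of this host. Used both for the interface config and
  # for the Pi-hole DNS port bindings below so the two cannot drift apart.
  lanAddress = "10.0.0.10";
  # Second address the Pi-hole resolver is published on. It lies in the
  # RFC 6598 shared range (100.64.0.0/10), as do the peers proxied further
  # down, so it is presumably the overlay/VPN side of this host — confirm.
  overlayAddress = "100.75.37.98";
  # Name of the wildcard ACME certificate every virtual host shares.
  acmeHost = "mccarty.io";
  # Builds an HTTPS-only reverse-proxy vhost for `target` that only answers
  # clients whose peer address is in 100.64.0.0/10; everyone else gets 403.
  # The ACL matches on the TCP peer address, so it is only as trustworthy as
  # the path by which clients reach this nginx.
  mkOverlayProxy = target: {
    forceSSL = true;
    useACMEHost = acmeHost;
    locations."/" = {
      proxyPass = target;
      extraConfig = ''
        allow 100.64.0.0/10;
        deny all;
      '';
    };
  };
in
{
  # Setup hardware
  imports = [ inputs.nixos-hardware.nixosModules.raspberry-pi-4 ];
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
      options = [ "noatime" ];
    };
  };

  # Sops setup for this machine. Secrets are referenced below only by their
  # decrypted runtime path, never copied into the Nix store.
  sops.secrets = {
    "borg-ssh-key" = {
      sopsFile = ../../secrets/tounge/borg.yaml;
      format = "yaml";
    };
    "borg-password" = {
      sopsFile = ../../secrets/tounge/borg.yaml;
      format = "yaml";
    };
    "cloudflare-api" = {
      sopsFile = ../../secrets/tounge/cloudflare-api;
      format = "binary";
    };
  };

  # Setup system configuration (options defined by this repo's own `nathan`
  # module; their semantics are not visible from this file).
  nathan = {
    services = {
      nginx = {
        enable = true;
        acme = true;
      };
      borg = {
        enable = true;
        extraExcludes = [ "/var/lib/docker" "/var/log" ];
        passwordFile = config.sops.secrets."borg-password".path;
        sshKey = config.sops.secrets."borg-ssh-key".path;
      };
    };
    config = {
      setupGrub = false;
      nix = {
        autoUpdate = true;
        autoGC = true;
      };
      harden = false;
      virtualization = { docker = true; };
    };
  };

  # Configure networking
  networking = {
    domain = "mccarty.io";
    useDHCP = false;
    interfaces.eth0 = {
      ipv4.addresses = [{
        address = lanAddress;
        prefixLength = 21;
      }];
    };
    defaultGateway = "10.0.4.1";
    # The host resolves through public resolvers rather than through the
    # Pi-hole container it runs, so its own name resolution does not depend
    # on the container being up.
    nameservers = [ "1.1.1.1" "1.0.0.1" ];
    # Open ports in firewall
    firewall = {
      # 53/tcp is needed alongside 53/udp: resolvers retry over TCP when a
      # UDP answer is truncated, and the container publishes both below.
      # 3080 and 30443 reach the Pi-hole admin UI directly, on every
      # interface, which bypasses the allow/deny ACL nginx applies on
      # pihole.mccarty.io. If LAN access to the UI is not intended, bind
      # those container ports to 127.0.0.1 and drop them from this list.
      # NOTE(review): with the docker backend, published container ports are
      # usually opened by docker's own iptables chains regardless of this
      # list — confirm which rules actually gate them on this host.
      allowedTCPPorts = [ 53 3080 30443 ];
      allowedUDPPorts = [ 53 ];
    };
  };

  # Setup home manager
  home-manager.users.nathan = import ./home.nix;

  # Setup pi hole
  virtualisation.oci-containers.containers."pihole" = {
    # NOTE(review): a floating `latest` tag is re-resolved on every pull and
    # is not reproducible. Pin to a vetted release tag, ideally with a
    # digest, e.g. "pihole/pihole:<vetted-version>@sha256:<digest>".
    image = "pihole/pihole:latest";
    ports = [
      # DNS, bound only to the two addresses clients are expected to use.
      "${lanAddress}:53:53/tcp"
      "${lanAddress}:53:53/udp"
      "${overlayAddress}:53:53/tcp"
      "${overlayAddress}:53:53/udp"
      # Admin UI. No host address given, so these bind on all interfaces
      # (see the firewall note above).
      "3080:80"
      "30443:443"
    ];
    volumes =
      [ "/var/lib/pihole/:/etc/pihole/" "/var/lib/dnsmasq.d:/etc/dnsmasq.d/" ];
    # NET_ADMIN is a broad capability; the Pi-hole image asks for it for its
    # DHCP server — if DHCP is not served from this container, drop it
    # (confirm). The container's own upstream resolver is pinned so it does
    # not loop back through itself.
    extraOptions = [ "--cap-add=NET_ADMIN" "--dns=1.1.1.1" ];
  };

  # Nginx virtual hosts. Every host is HTTPS-only on the wildcard cert and
  # restricted to the 100.64.0.0/10 range by mkOverlayProxy.
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts = {
      # Pi-hole admin UI, via the container's host port mapping.
      "pihole.mccarty.io" = mkOverlayProxy "http://localhost:3080";
      # Services on another peer in the same range, proxied over plain HTTP.
      "sonarr.mccarty.io" = mkOverlayProxy "http://100.67.146.101:8989";
      "radarr.mccarty.io" = mkOverlayProxy "http://100.67.146.101:7878";
      "sabnzbd.mccarty.io" = mkOverlayProxy "http://100.67.146.101:8080";
    };
  };

  # Now we can configure ACME so we can get a star cert
  security.acme.certs."mccarty.io" = {
    domain = "*.mccarty.io";
    # nginx has to be able to read the issued key material.
    group = "nginx";
    extraDomainNames = [ "mccarty.io" ];
    # DNS-01 through Cloudflare; the API credential comes from sops above.
    dnsProvider = "cloudflare";
    credentialsFile = config.sops.secrets."cloudflare-api".path;
    dnsPropagationCheck = true;
  };
}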