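# NixOS configuration for the host "hetzner": key-only SSH, a tangled-knot
# instance behind an nginx TLS reverse proxy, one static site, nftables-based
# packet filtering and a single administrative user.
{ pkgs, ... }:
{
  imports = [ ./hardware.nix ];

  # Running Services
  services = {
    openssh = {
      enable = true;
      settings = {
        # Key-only logins; the accepted keys are listed under users.users.sydney.
        PasswordAuthentication = false;
        # Keyboard-interactive is a separate sshd method that can still prompt
        # for a password through PAM, so it is switched off too. Without this,
        # setting a password on the account (e.g. for sudo) would re-open
        # password logins over SSH.
        KbdInteractiveAuthentication = false;
      };
    };
    tangled-knot = {
      enable = true;
      # Left off: networking.firewall is disabled below, so reachability is
      # decided solely by ./nftables.conf.
      openFirewall = false;
      repo.mainBranch = "dev";
      motd = "Bogos binted? 👽";
      server = {
        owner = "did:plc:nmpjck4rv6hjscoxnwdltfyj";
        hostname = "knot.sydney.blue";
      };
    };
    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      recommendedProxySettings = true;
      virtualHosts."knot.sydney.blue" = {
        # forceSSL redirects plain HTTP to HTTPS; the certificate comes from ACME.
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          # NOTE(review): presumably the knot's local listener. Confirm it binds
          # to loopback only, since a client reaching port 5555 directly would
          # bypass nginx and TLS.
          proxyPass = "http://127.0.0.1:5555";
          proxyWebsockets = true;
        };
      };
      virtualHosts."bogos.binted.sydney.blue" = {
        forceSSL = true;
        enableACME = true;
        root = "/var/www/bogosbinted";
      };
    };
  };

  # Base Packages
  environment.systemPackages = with pkgs; [
    ghostty.terminfo
    tmux
    arch-install-scripts
    tcpdump
    dig
  ];

  # Network Setup
  networking = {
    hostName = "hetzner";
    nameservers = [
      "9.9.9.9"
      "149.112.112.112"
    ];
    useDHCP = true; # Switch this to a static setup later
    # The NixOS firewall module is off; all filtering comes from the nftables
    # ruleset read from ./nftables.conf at evaluation time. That file is not
    # part of this module and has to be reviewed together with it: it needs to
    # admit SSH and HTTP/HTTPS (ACME and the two vhosts) and should drop the
    # rest by default.
    firewall.enable = false;
    nftables = {
      enable = true;
      ruleset = builtins.readFile ./nftables.conf;
    };
  };

  # User Account
  users.users.sydney = {
    description = "Sydney Angelia";
    isNormalUser = true;
    # wheel is the sudo group and is also listed in nix.settings.trusted-users
    # below, so this account is the host's administrator.
    extraGroups = [ "wheel" ];
    shell = pkgs.zsh;
    # Public keys only. With password logins disabled these are the sole way in
    # over SSH, so remove a key here when its device is retired.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRJWbyvyeo8ykLovPOR+EuwqmjOsSrBBckpicVWhULl mac"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEYI8038ZK8GFZmX2j8gwe5OR70+gP2PZFz79TCFvZQH sydney@riptide"
    ];
  };

  # Boot/Firmware stuff
  boot = {
    loader.systemd-boot.enable = true;
    loader.efi.canTouchEfiVariables = true;
    kernelPackages = pkgs.linuxPackages_latest;
    kernel.sysctl = {
      # Forwarding is enabled on every interface for both address families,
      # which makes the host route packets.
      # NOTE(review): the forward chain in ./nftables.conf should default to
      # drop unless routing is intended. Confirm against that file.
      "net.ipv4.conf.all.forwarding" = true;
      "net.ipv6.conf.all.forwarding" = true;
    };
  };

  # Miscellaneous settings
  system.stateVersion = "24.05";
  # Users trusted by the Nix daemon can add substituters and import unsigned
  # store paths, which is effectively root access. This is fine while wheel has
  # a single admin; narrow it if wheel ever gains less-trusted members.
  nix.settings.trusted-users = [
    "@wheel"
  ];
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "me@sydney.blue";
}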