···

       
22
       
22
       
 
       


     

       
23
       
23
       
 
       
    # Running Services

     

       
24
       
24
       
 
       
    ./services/acme.nix

     

       
25
       
25
       
-
       
    # ./services/blog-update.nix

     

       
26
       
25
       
 
       
    ./services/caddy.nix

     

       
27
       
27
       
-
       
    # ./services/dn42-peerfinder.nix

     

       
28
       
26
       
 
       
    ./services/fail2ban.nix

     

       
29
       
29
       
-
       
    # ./services/headscale.nix

     

       
30
       
27
       
 
       
    ./services/mailserver

     

       
31
       
31
       
-
       
    # ./services/netdata.nix

     

       
32
       
32
       
-
       
    # ./services/nginx

     

       
33
       
28
       
 
       
    ./services/prometheus.nix

     

       
34
       
29
       
 
       
    ./services/secrets.nix

     

       
35
       
30
       
 
       
    ./services/tailscale.nix

     

       
36
       
36
       
-
       
    # ./services/zerotier.nix

     

       
37
       
31
       
 
       
  ];

     

       
38
       
32
       
 
       
  fileSystems = {

     

       
39
       
33
       
 
       
    "/" = {

     

···

       
1
       
1
       
-
       
{ pkgs, lib, ... }:

     

       
2
       
2
       
-
       
{

     

       
3
       
3
       
-
       
  systemd.timers.blog-update = {

     

       
4
       
4
       
-
       
    enable = false;

     

       
5
       
5
       
-
       
    after = [ "network.target" ];

     

       
6
       
6
       
-
       
    wantedBy = [ "multi-user.target" ];

     

       
7
       
7
       
-
       
    description = "Blog Update Timer";

     

       
8
       
8
       
-
       
    timerConfig = {

     

       
9
       
9
       
-
       
      Unit = "blog-update.service";

     

       
10
       
10
       
-
       
      OnUnitActiveSec = 300;

     

       
11
       
11
       
-
       
    };

     

       
12
       
12
       
-
       
  };

     

       
13
       
13
       
-
       


     

       
14
       
14
       
-
       
  systemd.services.blog-update = {

     

       
15
       
15
       
-
       
    enable = false;

     

       
16
       
16
       
-
       
    wantedBy = [ "multi-user.target" ];

     

       
17
       
17
       
-
       
    description = "Blog Update Service";

     

       
18
       
18
       
-
       
    path = [

     

       
19
       
19
       
-
       
      "${pkgs.git}"

     

       
20
       
20
       
-
       
    ];

     

       
21
       
21
       
-
       
    serviceConfig = {

     

       
22
       
22
       
-
       
      WorkingDirectory = "/var/www/blog";

     

       
23
       
23
       
-
       
      User = "caddy";

     

       
24
       
24
       
-
       
      Group = "caddy";

     

       
25
       
25
       
-
       
      Type = "oneshot";

     

       
26
       
26
       
-
       
      ExecStartPre = "${lib.getExe pkgs.git} fetch origin pages";

     

       
27
       
27
       
-
       
      ExecStart = "${lib.getExe pkgs.git} reset --hard origin/pages";

     

       
28
       
28
       
-
       
    };

     

       
29
       
29
       
-
       
  };

     

       
30
       
30
       
-
       
}

     

···

       
1
       
1
       
-
       
node scripts/precommit.js

     

       
2
       
2
       
-
       
node scripts/predeploy.js

     

       
3
       
3
       
-
       
hugo -d out

     

       
4
       
4
       
-
       
cp -fvr out/ /var/www/blog/

     

       
5
       
5
       
-
       
exit 0

     

···

       
1
       
1
       
-
       
{ config, ... }:

     

       
2
       
2
       
-
       
{

     

       
3
       
3
       
-
       
  config.py.services.dn42-pingfinder.uuidFile = config.age.secrets.dn42-peerfinder-uuid.path;

     

       
4
       
4
       
-
       
}

     

···

       
1
       
1
       
-
       
{

     

       
2
       
2
       
-
       
  services.netdata = {

     

       
3
       
3
       
-
       
    enable = true;

     

       
4
       
4
       
-
       
    python.enable = true;

     

       
5
       
5
       
-
       
    enableAnalyticsReporting = false;

     

       
6
       
6
       
-
       
  };

     

       
7
       
7
       
-
       
}

     

···

       
1
       
1
       
-
       
{ lib, ... }:

     

       
2
       
2
       
-
       
{

     

       
3
       
3
       
-
       
  services.nginx = {

     

       
4
       
4
       
-
       
    enable = true;

     

       
5
       
5
       
-
       
    additionalModules = [ ];

     

       
6
       
6
       
-
       
    recommendedOptimisation = true;

     

       
7
       
7
       
-
       
    recommendedTlsSettings = true;

     

       
8
       
8
       
-
       
    recommendedGzipSettings = true;

     

       
9
       
9
       
-
       
    recommendedProxySettings = true;

     

       
10
       
10
       
-
       
    virtualHosts = lib.mkForce { };

     

       
11
       
11
       
-
       
    streamConfig = ''

     

       
12
       
12
       
-
       
      server {

     

       
13
       
13
       
-
       
          listen 34197 udp;

     

       
14
       
14
       
-
       
          proxy_pass 100.123.15.72:34197;

     

       
15
       
15
       
-
       
          proxy_responses 0;

     

       
16
       
16
       
-
       
      }

     

       
17
       
17
       
-
       
    '';

     

       
18
       
18
       
-
       
    appendHttpConfig = ''

     

       
19
       
19
       
-
       
      # Add X-Frame-Options to prevent clickjacking

     

       
20
       
20
       
-
       
      add_header X-Frame-Options SAMEORIGIN;

     

       
21
       
21
       
-
       


     

       
22
       
22
       
-
       
      # Prevent mime type sniffing

     

       
23
       
23
       
-
       
      add_header X-Content-Type-Options nosniff;

     

       
24
       
24
       
-
       


     

       
25
       
25
       
-
       
      # Never send Referer header

     

       
26
       
26
       
-
       
      add_header Referrer-Policy no-referrer;

     

       
27
       
27
       
-
       


     

       
28
       
28
       
-
       
      # Require CORS or CORP headers for cross-origin resources

     

       
29
       
29
       
-
       
      add_header Cross-Origin-Embedder-Policy require-corp;

     

       
30
       
30
       
-
       


     

       
31
       
31
       
-
       
      # Keep our own Browsing Context Group

     

       
32
       
32
       
-
       
      add_header Cross-Origin-Opener-Policy same-origin;

     

       
33
       
33
       
-
       


     

       
34
       
34
       
-
       
      # Sites that require CORP will not load my assets

     

       
35
       
35
       
-
       
      add_header Cross-Origin-Resource-Policy same-origin;

     

       
36
       
36
       
-
       
    '';

     

       
37
       
37
       
-
       
  };

     

       
38
       
38
       
-
       
}

     

···

       
1
       
1
       
-
       
{ }

     

···

       
1
       
1
       
-
       
{

     

       
2
       
2
       
-
       
  services.zerotierone = {

     

       
3
       
3
       
-
       
    enable = true;

     

       
4
       
4
       
-
       
    joinNetworks = [ "a84ac5c10a3b1d69" ];

     

       
5
       
5
       
-
       
  };

     

       
6
       
6
       
-
       
}