commit 624cf0dc3c3ac0ce88fb0ffcfd125166659e5d7b · wiro.world/dotfiles

+8 -1

README.md

···

       98
       98
        
       

     

       99
       99
        
       ## Deploy server

     

       100
       100
        
       

     

       101
       101
       -
       nixos-anywhere --flake .#weird-row-server <user>@<ip>

     

       101
       101
       +
       ```bash

     

       102
       102
       +
       nixos-anywhere --flake .#weird-row-server user@ip

     

       103
       103
       +
       

     

       104
       104
       +
       nixos-rebuild switch \

     

       105
       105
       +
       	--flake .#weird-row-server \

     

       106
       106
       +
       	--target-host 2a01:4f8:c2c:76d2::1 \

     

       107
       107
       +
       	--use-remote-sudo

     

       108
       108
       +
       ```

     

       102
       109
        
       

     

       103
       110
        
       ---

     

       104
       111

+3 -3

flake.lock

···

       418
       418
        
           },

     

       419
       419
        
           "nixpkgs-unstable": {

     

       420
       420
        
             "locked": {

     

       421
       421
       -
               "lastModified": 1741379970,

     

       422
       422
       -
               "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",

     

       421
       421
       +
               "lastModified": 1743583204,

     

       422
       422
       +
               "narHash": "sha256-F7n4+KOIfWrwoQjXrL2wD9RhFYLs2/GGe/MQY1sSdlE=",

     

       423
       423
        
               "owner": "nixos",

     

       424
       424
        
               "repo": "nixpkgs",

     

       425
       425
       -
               "rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f",

     

       425
       425
       +
               "rev": "2c8d3f48d33929642c1c12cd243df4cc7d2ce434",

     

       426
       426
        
               "type": "github"

     

       427
       427
        
             },

     

       428
       428
        
             "original": {

+53 -22

nixos/profiles/server.nix

···

       1
       1
        
       { self

     

       2
       2
       +
       , config

     

       3
       3
       +
       , upkgs

     

       2
       4
        
       , ...

     

       3
       5
        
       }:

     

       4
       6
        
       

     

       5
       7
        
       let

     

       6
       6
       -
         inherit (self.inputs) srvos;

     

       8
       8
       +
         inherit (self.inputs) srvos nixpkgs-unstable agenix;

     

       7
       9
        
       

     

       8
       8
       -
         ext-if = "eth0";

     

       10
       10
       +
         all-secrets = import ../../secrets;

     

       9
       11
        
       

     

       12
       12
       +
         ext-if = "eth0";

     

       13
       13
       +
         external-ip = "91.99.55.74";

     

       14
       14
       +
         external-netmask = 27;

     

       15
       15
       +
         external-gw = "144.x.x.255";

     

       10
       16
        
         external-ip6 = "2a01:4f8:c2c:76d2::1";

     

       11
       17
        
         external-netmask6 = 64;

     

       12
       18
        
         external-gw6 = "fe80::1";

     

       19
       19
       +
       

     

       20
       20
       +
         pds-port = 3001;

     

       21
       21
       +
         pds-hostname = "pds.wiro.world";

     

       13
       22
        
       in

     

       14
       23
        
       {

     

       15
       24
        
         imports = [

     

       16
       25
        
           srvos.nixosModules.server

     

       17
       26
        
           srvos.nixosModules.hardware-hetzner-cloud

     

       18
       27
        
           srvos.nixosModules.mixins-terminfo

     

       28
       28
       +
       

     

       29
       29
       +
           agenix.nixosModules.default

     

       30
       30
       +
       

     

       31
       31
       +
           "${nixpkgs-unstable}/nixos/modules/services/web-apps/pds.nix"

     

       19
       32
        
         ];

     

       20
       33
        
       

     

       21
       34
        
         config = {

     

       35
       35
       +
           age.secrets = all-secrets.deploy;

     

       36
       36
       +
       

     

       22
       37
        
           boot.loader.grub.enable = true;

     

       23
       38
        
           boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "ext4" ];

     

       24
       39
        
       

     
···

       29
       44
        
       

     

       30
       45
        
           networking = {

     

       31
       46
        
             interfaces.${ext-if} = {

     

       32
       32
       -
               ipv6.addresses = [{

     

       33
       33
       -
                 address = external-ip6;

     

       34
       34
       -
                 prefixLength = external-netmask6;

     

       35
       35
       -
               }];

     

       36
       36
       -
             };

     

       37
       37
       -
             defaultGateway6 = {

     

       38
       38
       -
               interface = ext-if;

     

       39
       39
       -
               address = external-gw6;

     

       47
       47
       +
               ipv4.addresses = [{ address = external-ip; prefixLength = external-netmask; }];

     

       48
       48
       +
               ipv6.addresses = [{ address = external-ip6; prefixLength = external-netmask6; }];

     

       40
       49
        
             };

     

       50
       50
       +
             defaultGateway = { interface = ext-if; address = external-gw; };

     

       51
       51
       +
             defaultGateway6 = { interface = ext-if; address = external-gw6; };

     

       41
       52
        
       

     

       42
       42
       -
             # # Rely on Hetzner firewall instead?

     

       53
       53
       +
             # TODO: rely on Hetzner firewall instead?

     

       43
       54
        
             # firewall.enable = false;

     

       44
       55
        
             firewall.allowedTCPPorts = [ 22 80 443 ];

     

       45
       56
        
           };

     
···

       66
       77
        
           };

     

       67
       78
        
       

     

       68
       79
        
           # TODO: switch to nightly channel

     

       69
       69
       -
           # services.pds = {

     

       70
       70
       -
           #   enable = true;

     

       71
       71
       -
           #   pdsadmin.enable = true;

     

       72
       72
       -
           # };

     

       80
       80
       +
           services.pds = {

     

       81
       81
       +
             enable = true;

     

       82
       82
       +
             # TODO: not possible with current unstable module import

     

       83
       83
       +
             pdsadmin.enable = false;

     

       84
       84
       +
             package = upkgs.pds;

     

       85
       85
       +
       

     

       86
       86
       +
             settings = {

     

       87
       87
       +
               PDS_HOSTNAME = "pds.wiro.world";

     

       88
       88
       +
               PDS_PORT = pds-port;

     

       89
       89
       +
               LOG_DESTINATION = "/etc/pds.log";

     

       90
       90
       +
             };

     

       91
       91
       +
       

     

       92
       92
       +
             environmentFiles = [

     

       93
       93
       +
               config.age.secrets.pds-config.path

     

       94
       94
       +
             ];

     

       95
       95
       +
           };

     

       73
       96
        
       

     

       74
       97
        
           services.caddy = {

     

       75
       98
        
             enable = true;

     

       76
       99
        
       

     

       100
       100
       +
             globalConfig = ''

     

       101
       101
       +
               on_demand_tls {

     

       102
       102
       +
                 ask http://localhost:${toString pds-port}/tls-check

     

       103
       103
       +
               }

     

       104
       104
       +
             '';

     

       105
       105
       +
       

     

       77
       106
        
             virtualHosts."ping.wiro.world".extraConfig = ''

     

       78
       78
       -
             	header Content-Type text/html

     

       79
       79
       -
             	respond <<HTML

     

       80
       80
       -
             		<html>

     

       81
       81
       -
             			<head><title>Foo</title></head>

     

       82
       82
       -
             			<body>Foo</body>

     

       83
       83
       -
             		</html>

     

       84
       84
       -
             		HTML 200

     

       107
       107
       +
               	respond "Hello, World! (from `weird-row-server`)"

     

       85
       108
        
             '';

     

       109
       109
       +
       

     

       110
       110
       +
             virtualHosts."${pds-hostname}" = {

     

       111
       111
       +
               serverAliases = [ "*.${pds-hostname}" ];

     

       112
       112
       +
               extraConfig = ''

     

       113
       113
       +
                 	tls { on_demand }

     

       114
       114
       +
                   reverse_proxy http://localhost:${toString pds-port}

     

       115
       115
       +
               '';

     

       116
       116
       +
             };

     

       86
       117
        
           };

     

       87
       118
        
       

     

       88
       119
        
           security.sudo.wheelNeedsPassword = false;