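{ config, pkgs, lib, ... }:

# Host configuration for "jorah" (jorah.cx.ts.hillion.co.uk): a publicly
# reachable server (IPv6 on enp5s0) that also joins the tailnet. The firewall
# below is deliberately split into what the Internet may reach (enp5s0) and
# what is only reachable over Tailscale, so read the port lists with that in
# mind when adding a service.
{
  imports = [
    ../../modules/common/default.nix
    ./hardware-configuration.nix
  ];

  config = {
    system.stateVersion = "23.05";

    networking.hostName = "jorah";
    networking.domain = "cx.ts.hillion.co.uk";

    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;

    ## Impermanence
    # Enables the project's impermanence module (presumably an ephemeral root;
    # which paths persist is declared in that module, not here).
    custom.impermanence.enable = true;

    ## Custom Services
    custom = {
      locations.autoServe = true;
      services.version_tracker.enable = true;
      # Public web front end; this is the reason 80/443 are opened on enp5s0
      # in the firewall section below.
      www.global.enable = true;
    };

    ## Filesystems
    services.btrfs.autoScrub = {
      enable = true;
      interval = "Tue, 02:00";
      # By default both /data and /nix would be scrubbed. They are the same filesystem so this is wasteful.
      fileSystems = [ "/data" ];
    };

    ## Networking
    systemd.network = {
      enable = true;
      # Structured options rather than a free-form extraConfig string, so the
      # address and gateway are type-checked at evaluation time. This renders
      # the same [Match]/[Network] sections as before.
      networks."enp5s0" = {
        matchConfig.Name = "enp5s0";
        address = [ "2a01:4f9:4b:3953::2/64" ];
        gateway = [ "fe80::1" ];
      };
    };

    networking.firewall = {
      # Traffic arriving on tailscale0 bypasses every allow-list below, so any
      # listener on this host is reachable from every tailnet peer (subject
      # only to the Tailscale ACLs, which are not visible in this file).
      trustedInterfaces = [ "tailscale0" ];

      # Ports open on *every* interface, including the public enp5s0. mkForce
      # discards anything the common module may have added, so new ports must
      # be listed here explicitly.
      allowedTCPPorts = lib.mkForce [
        22 # SSH
        3022 # Gitea SSH (accessed via public 22)
        # NOTE(review): the 22 -> 3022 redirect is not defined in this file;
        # confirm it exists for enp5s0 and whether host sshd on 22 is meant to
        # stay publicly reachable as well, or only via tailscale0.
      ];
      allowedUDPPorts = lib.mkForce [ ];

      interfaces = {
        # Internet-facing interface. Everything here is reachable by anyone.
        enp5s0 = {
          allowedTCPPorts = lib.mkForce [
            80 # HTTP 1-2
            443 # HTTPS 1-2
            # NOTE(review): this exposes the UniFi inform endpoint to the whole
            # Internet. Confirm that adopted devices outside the tailnet need
            # it; otherwise drop it here and serve inform over tailscale0 only.
            8080 # Unifi (inform)
          ];
          allowedUDPPorts = lib.mkForce [
            443 # HTTP 3
            3478 # Unifi STUN
          ];
        };
      };
    };

    ## Tailscale
    # Only the encrypted .age file enters the Nix store; the tailscale module
    # is handed the runtime path of the decrypted pre-auth key.
    age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/jorah.cx.ts.hillion.co.uk.age;
    custom.tailscale = {
      enable = true;
      preAuthKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path;
      # Pinned tailnet addresses for this node; other hosts' configs may refer
      # to them, so change them together with the tailnet admin console.
      ipv4Addr = "100.96.143.138";
      ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
    };
  };
}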