# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
{ depot, lib, pkgs, rebuilder, config, ... }:
let
inherit (depot.ops) secrets;
in {
imports =
[ ../../../third_party/nixpkgs/nixos/modules/installer/scan/not-detected.nix ../lib/client.nix ../lib/whitby-distributed.nix ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.kernelModules = lib.mkAfter [ "kvm-intel" ];
boot.kernelParams = [ "mitigations=off" ];
fileSystems = let
zfs = device: {
device = device;
fsType = "zfs";
};
in {
"/" = zfs "zboot/safe/root";
"/nix" = zfs "zboot/local/nix";
"/home" = zfs "tank/safe/home";
"/export" = zfs "tank/safe/export";
"/srv" = zfs "tank/safe/srv";
"/srv/pancake" = zfs "tank/safe/srv/pancake";
"/boot" = {
device = "/dev/disk/by-uuid/D178-4E19";
fsType = "vfat";
};
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
nix.maxJobs = lib.mkDefault 8;
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
virtualisation = {
podman.enable = true;
};
# Extra packages.
environment.systemPackages = with pkgs; [
oven-media-engine
(depot.nix.pkgs.secretsync.configure {
workingDir = "/home/lukegb/depot";
gitlabAccessToken = secrets.deployer.gitlabAccessToken;
manifestVariable = "SECRETS_MANIFEST";
variablesToFile = {
"OPS_SECRETS_DEFAULT_NIX" = "ops/secrets/default.nix";
};
})
];
# Networking!
networking = {
hostName = "totoro"; # Define your hostname.
domain = "lukegb.xyz";
hostId = "676c08c4";
useDHCP = false;
interfaces.br-ext.useDHCP = true;
bridges.br-ext.interfaces = [ "enp0s31f6" ];
interfaces.br-int = {
virtual = true;
useDHCP = false;
ipv4.addresses = [{ address = "10.0.0.2"; prefixLength = 24; }];
};
bridges.br-int.interfaces = [];
};
my.ip.tailscale = "100.122.86.11";
# Virtualisation
virtualisation.libvirtd = {
enable = true;
allowedBridges = [ "virbr0" "br-ext" ];
};
users.users.lukegb = {
packages = with depot.pkgs; [ irssi ];
extraGroups = lib.mkAfter [ "libvirtd" ];
};
users.users.pancake = {
isSystemUser = true;
group = "pancake";
home = "/srv/pancake";
};
users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
users.groups.pancake = {
members = ["pancake" "nginx"];
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
systemd.tmpfiles.rules = [
"L /var/lib/export - - - - /export"
];
services.nginx = {
enable = true;
virtualHosts = {
"invoices.lukegb.com" = let
fastcgi = {
extraConfig = ''
rewrite ^(.*)$ /index.php break;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.pancake.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
'';
};
in {
root = "/srv/pancake/public_html";
useACMEHost = "invoices.lukegb.com";
forceSSL = true;
locations."/" = {
tryFiles = "$uri $uri/ @router";
index = "index.html index.php";
extraConfig = ''
error_page 403 = @router;
error_page 404 = @router;
'';
};
locations."~ (.php|\\/[^./]+)$" = fastcgi;
locations."@router" = fastcgi;
};
};
};
services.phpfpm = let settingsBase = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
}; in {
pools.pancake = {
user = "pancake";
group = "pancake";
settings = settingsBase;
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
};
};
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureDatabases = ["pancake"];
ensureUsers = [{
name = "pancake";
ensurePermissions = {
"pancake.*" = "ALL PRIVILEGES";
};
}];
};
security.acme = {
acceptTerms = true;
email = "letsencrypt@lukegb.com";
certs."invoices.lukegb.com" = {
domain = "invoices.lukegb.com";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
postRun = ''
systemctl reload nginx
'';
};
};
services.prometheus = {
enable = true;
stateDir = "export/monitoring/prometheus";
alertmanagers = [{
scheme = "http";
static_configs = [{
targets = ["localhost:${toString config.services.prometheus.alertmanager.port}"];
}];
}];
scrapeConfigs = builtins.attrValues depot.ops.nixos.systemExporters;
pushgateway.enable = true;
alertmanager = {
enable = true;
configuration = {
global = {};
route = {
receiver = "default-receiver";
};
receivers = [{
name = "default-receiver";
slack_configs = [{
send_resolved = true;
api_url = secrets.monitoring.alertmanager.discord.api_url;
channel = "#alerts";
}];
}];
};
};
};
system.stateVersion = "20.03";
}