Diffstat (limited to '')
-rw-r--r--hosts/chaski/configuration.nix39
-rw-r--r--hosts/chaski/services/cgit.nix18
-rw-r--r--hosts/chaski/services/coturn.nix3
3 files changed, 16 insertions, 44 deletions
diff --git a/hosts/chaski/configuration.nix b/hosts/chaski/configuration.nix
index 6aa24bc..14b297b 100644
--- a/hosts/chaski/configuration.nix
+++ b/hosts/chaski/configuration.nix
@@ -22,9 +22,6 @@
networking.hostName = "chaski"; # Define your hostname.
- # Set your time zone.
- time.timeZone = "Europe/Amsterdam";
-
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
@@ -32,10 +29,6 @@
networking.interfaces.ens10.useDHCP = true;
networking.interfaces.ens3.useDHCP = true;
- environment.systemPackages = with pkgs; [
- wget curl htop iftop vim git
- ];
-
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It‘s perfectly fine and recommended to leave
@@ -45,37 +38,5 @@
system.stateVersion = "20.09"; # Did you read the comment?
boot.loader.grub.devices = [ "/dev/sda" ];
- # Initial empty root password for easy login:
- users.users.root.initialHashedPassword = "";
- services.openssh.permitRootLogin = "prohibit-password";
- services.openssh.enable = true;
- # Replace this by your SSH pubkey
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-rsa 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"
- ];
-
- users.users.git = {
- openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
- home = "/var/git";
- isNormalUser = true;
- };
-
- security.sudo.enable = false;
- security.acme = {
- acceptTerms = true;
- email = "stuebinm@disroot.org";
- };
-
-
- services.nginx = {
- enable = true;
- virtualHosts."stuebinm.eu" = {
- forceSSL = true;
- enableACME = true;
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 80 442 ];
}
-
diff --git a/hosts/chaski/services/cgit.nix b/hosts/chaski/services/cgit.nix
index abe69e5..7ce041c 100644
--- a/hosts/chaski/services/cgit.nix
+++ b/hosts/chaski/services/cgit.nix
@@ -11,7 +11,7 @@
hostPath = "/var/git/public";
isReadOnly = true;
};
-
+
config = {pkgs, config, ...}: {
services.lighttpd.enable = true;
services.lighttpd.extraConfig = ''server.use-ipv6 = "enable"'';
@@ -75,5 +75,19 @@
};
services.nginx.recommendedProxySettings = true;
- services.nginx.virtualHosts."stuebinm.eu".locations."/git/".proxyPass = "http://[${config.containers.cgit.localAddress6}]";
+ services.nginx.virtualHosts."stuebinm.eu" = {
+ locations."/git/".proxyPass = "http://[${config.containers.cgit.localAddress6}]";
+ enableACME = true;
+ forceSSL = true;
+ };
+
+ # user for git repo administration
+ users.users.git = {
+ openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
+ home = "/var/git";
+ isNormalUser = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
}
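Review bot: The `users.users.git` block added here copies its keys from `config.users.users.root.openssh.authorizedKeys.keys`, so the repo-administration account can only be reached with a key that also grants root login, and as a normal user it gets a regular login shell. Giving it its own key list would separate the two roles, and if the account is only needed for push and pull over SSH, `shell = "${pkgs.git}/bin/git-shell";` would limit what a stolen key can do. This commit also deletes the root key list and the `security.acme` settings from hosts/chaski/configuration.nix, so both the git keys and `enableACME = true;` now depend on a module not shown here. If no such module defines the root keys, the list presumably evaluates empty and the git account becomes unreachable without any evaluation error. The enclosing `config = { ... }` body starts outside this hunk.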
diff --git a/hosts/chaski/services/coturn.nix b/hosts/chaski/services/coturn.nix
index 9a2211f..54ec6d6 100644
--- a/hosts/chaski/services/coturn.nix
+++ b/hosts/chaski/services/coturn.nix
@@ -4,10 +4,7 @@
services.coturn = {
enable = true;
realm = "chaski.stuebinm.eu";
-# static-auth-secret = "chaski";
-# use-auth-secret = true;
no-cli = true;
-# no-tcp-relay = true;
lt-cred-mech = true;
extraConfig = ''
verbose