Diffstat (limited to '')
| -rw-r--r-- | hosts/chaski/configuration.nix | 39 | ||||
| -rw-r--r-- | hosts/chaski/services/cgit.nix | 18 | ||||
| -rw-r--r-- | hosts/chaski/services/coturn.nix | 3 | 
3 files changed, 16 insertions, 44 deletions
| diff --git a/hosts/chaski/configuration.nix b/hosts/chaski/configuration.nix
index 6aa24bc..14b297b 100644
--- a/hosts/chaski/configuration.nix
+++ b/hosts/chaski/configuration.nix
@@ -22,9 +22,6 @@
   networking.hostName = "chaski"; # Define your hostname.
-  # Set your time zone.
-  time.timeZone = "Europe/Amsterdam";
-
   # The global useDHCP flag is deprecated, therefore explicitly set to false here.
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
@@ -32,10 +29,6 @@
   networking.interfaces.ens10.useDHCP = true;
   networking.interfaces.ens3.useDHCP = true;
-  environment.systemPackages = with pkgs; [
-    wget curl htop iftop vim git
-  ];
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
@@ -45,37 +38,5 @@
   system.stateVersion = "20.09"; # Did you read the comment?
   boot.loader.grub.devices = [ "/dev/sda" ];
-  # Initial empty root password for easy login:
-  users.users.root.initialHashedPassword = "";
-  services.openssh.permitRootLogin = "prohibit-password";
-  services.openssh.enable = true;
-  # Replace this by your SSH pubkey
-  users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-rsa 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"
-  ];
-
-  users.users.git = {
-    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
-    home = "/var/git";
-    isNormalUser = true;
-  };
-
-  security.sudo.enable = false;
-  security.acme = {
-    acceptTerms = true;
-    email = "stuebinm@disroot.org";
-  };
-
-
-  services.nginx = {
-    enable = true;
-    virtualHosts."stuebinm.eu" = {
-      forceSSL = true;
-      enableACME = true;
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 442 ];
 }
-
diff --git a/hosts/chaski/services/cgit.nix b/hosts/chaski/services/cgit.nix
index abe69e5..7ce041c 100644
--- a/hosts/chaski/services/cgit.nix
+++ b/hosts/chaski/services/cgit.nix
@@ -11,7 +11,7 @@
       hostPath = "/var/git/public";
       isReadOnly = true;
     };
-    
+
     config = {pkgs, config, ...}: {
       services.lighttpd.enable = true;
       services.lighttpd.extraConfig = ''server.use-ipv6 = "enable"'';
@@ -75,5 +75,19 @@
   };
   services.nginx.recommendedProxySettings = true;
-  services.nginx.virtualHosts."stuebinm.eu".locations."/git/".proxyPass = "http://[${config.containers.cgit.localAddress6}]";
+  services.nginx.virtualHosts."stuebinm.eu" = {
+    locations."/git/".proxyPass = "http://[${config.containers.cgit.localAddress6}]";
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  # user for git repo administration
+  users.users.git = {
+    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
+    home = "/var/git";
+    isNormalUser = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
 }
diff --git a/hosts/chaski/services/coturn.nix b/hosts/chaski/services/coturn.nix
index 9a2211f..54ec6d6 100644
--- a/hosts/chaski/services/coturn.nix
+++ b/hosts/chaski/services/coturn.nix
@@ -4,10 +4,7 @@
   services.coturn = {
     enable = true;
     realm = "chaski.stuebinm.eu";
-#    static-auth-secret = "chaski";
-#    use-auth-secret = true;
     no-cli = true;
-#    no-tcp-relay = true;
     lt-cred-mech = true;
     extraConfig = ''
       verbose | 
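Review bot: In the second hunk of hosts/chaski/services/cgit.nix, the new `users.users.git` block copies root's `authorizedKeys` into an `isNormalUser` account, so every key accepted for root also gets a login as `git` (a normal user receives the default login shell unless `shell` is set), and the two key sets cannot be revoked independently. Giving the repo-administration account its own list, e.g. `openssh.authorizedKeys.keys = [ "<git-admin-public-key>" ];` (placeholder), keeps them separate; if the account only needs git-over-SSH, a restricted shell would narrow it further. The block also relies on root's key list, and `enableACME = true` relies on the ACME terms and contact e-mail, both of which this commit deletes from configuration.nix with no replacement visible in these hunks; presumably they now live in a shared module, so a short comment such as `# root keys and security.acme defaults come from <shared module path>` would make the dependency explicit. The enclosing module starts outside the hunk.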
