From 4724971ef468ad792f56527f6b7ce570bf62601e Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Fri, 19 Mar 2021 23:08:35 +0100
Subject: simplify and deduplicate chaski config
---
 hosts/chaski/configuration.nix | 39 ---------------------------------------
 hosts/chaski/services/cgit.nix | 18 ++++++++++++++++--
 hosts/chaski/services/coturn.nix | 3 ---
 3 files changed, 16 insertions(+), 44 deletions(-)
(limited to 'hosts')
diff --git a/hosts/chaski/configuration.nix b/hosts/chaski/configuration.nix
index 6aa24bc..14b297b 100644
--- a/hosts/chaski/configuration.nix
+++ b/hosts/chaski/configuration.nix
@@ -22,9 +22,6 @@
 networking.hostName = "chaski"; # Define your hostname.
- # Set your time zone.
- time.timeZone = "Europe/Amsterdam";
-
 # The global useDHCP flag is deprecated, therefore explicitly set to false here.
 # Per-interface useDHCP will be mandatory in the future, so this generated config
 # replicates the default behaviour.
@@ -32,10 +29,6 @@
 networking.interfaces.ens10.useDHCP = true;
 networking.interfaces.ens3.useDHCP = true;
- environment.systemPackages = with pkgs; [
- wget curl htop iftop vim git
- ];
-
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
@@ -45,37 +38,5 @@
 system.stateVersion = "20.09"; # Did you read the comment?
 boot.loader.grub.devices = [ "/dev/sda" ];
- # Initial empty root password for easy login:
- users.users.root.initialHashedPassword = "";
- services.openssh.permitRootLogin = "prohibit-password";
- services.openssh.enable = true;
- # Replace this by your SSH pubkey
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-rsa 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"
- ];
-
- users.users.git = {
- openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
- home = "/var/git";
- isNormalUser = true;
- };
-
- security.sudo.enable = false;
- security.acme = {
- acceptTerms = true;
- email = "stuebinm@disroot.org";
- };
-
-
- services.nginx = {
- enable = true;
- virtualHosts."stuebinm.eu" = {
- forceSSL = true;
- enableACME = true;
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 80 442 ];
 }
-
diff --git a/hosts/chaski/services/cgit.nix b/hosts/chaski/services/cgit.nix
index abe69e5..7ce041c 100644
--- a/hosts/chaski/services/cgit.nix
+++ b/hosts/chaski/services/cgit.nix
@@ -11,7 +11,7 @@
 hostPath = "/var/git/public";
 isReadOnly = true;
 };
-
+
 config = {pkgs, config, ...}: {
 services.lighttpd.enable = true;
 services.lighttpd.extraConfig = ''server.use-ipv6 = "enable"'';
@@ -75,5 +75,19 @@
 };
 services.nginx.recommendedProxySettings = true;
- services.nginx.virtualHosts."stuebinm.eu".locations."/git/".proxyPass = "http://[${config.containers.cgit.localAddress6}]";
+ services.nginx.virtualHosts."stuebinm.eu" = {
+ locations."/git/".proxyPass = "http://[${config.containers.cgit.localAddress6}]";
+ enableACME = true;
+ forceSSL = true;
+ };
+
+ # user for git repo administration
+ users.users.git = {
+ openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
+ home = "/var/git";
+ isNormalUser = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
 }
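Review bot: The `users.users.git` block added near the end of the `@@ -75,5 +75,19 @@` hunk reuses `config.users.users.root.openssh.authorizedKeys.keys` and sets `isNormalUser = true`, so every key that can log in as root also gets an interactive shell as `git`, and losing one key exposes both accounts. If the account exists only to administer repositories under `/var/git`, consider giving it its own key list and a restricted shell, for example `shell = "${pkgs.git}/bin/git-shell";` (this assumes `pkgs` is an argument of the outer module, whose header lies outside the hunk). The same commit removes the root key list, the `security.acme` terms/email and the sshd settings from `configuration.nix`, so the key reference and `enableACME = true` here depend on a shared module that this diff does not show. A comment such as `# root keys and ACME defaults are defined in <shared module path>` above the block would make that dependency visible.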
diff --git a/hosts/chaski/services/coturn.nix b/hosts/chaski/services/coturn.nix
index 9a2211f..54ec6d6 100644
--- a/hosts/chaski/services/coturn.nix
+++ b/hosts/chaski/services/coturn.nix
@@ -4,10 +4,7 @@
 services.coturn = {
 enable = true;
 realm = "chaski.stuebinm.eu";
-# static-auth-secret = "chaski";
-# use-auth-secret = true;
 no-cli = true;
-# no-tcp-relay = true;
 lt-cred-mech = true;
 extraConfig = ''
 verbose
-- cgit v1.2.3