{ self, ... }: { pkgs, config, modulesPath, lib, ... }: { imports = [ "${modulesPath}/profiles/qemu-guest.nix" ../../users/root ../../users/erwin ./caddy ]; eboskma = { users.erwin = { enable = true; server = true; }; headscale = { enable = false; baseDomain = "asgard.datarift.nl"; serverUrl = "https://heimdall.datarift.nl"; }; keycloak.enable = true; nix-common = { enable = true; }; }; networking = { hostName = "heimdall"; domain = "datarift.nl"; usePredictableInterfaceNames = lib.mkForce false; useDHCP = false; networkmanager.enable = false; useNetworkd = true; firewall.trustedInterfaces = [ "tailscale0" ]; }; systemd = { network = { enable = true; networks = { "40-eth0" = { matchConfig = { Name = "eth0"; }; networkConfig = { Address = [ "159.69.211.175/32" "2a01:4f8:1c1e:5fb2::1/64" "fe80::9400:2ff:fe12:a2eb/64" ]; DHCP = "no"; Gateway = [ "172.31.1.1" "fe80::1" ]; }; routes = [ { Destination = "172.31.1.1/32"; Scope = "link"; Protocol = "static"; } { Destination = "fe80::1/128"; Scope = "link"; Protocol = "static"; } ]; }; }; }; services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ]; }; ### Hetzner stuff boot = { tmp.cleanOnBoot = true; loader.grub.device = "/dev/sda"; initrd = { availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; kernelModules = [ "nvme" ]; }; }; fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; zramSwap.enable = true; ### END Hetzner stuff time.timeZone = "Europe/Amsterdam"; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; services = { udev.extraRules = '' ATTR{address}=="96:00:02:12:a2:eb", NAME="eth0" ''; openssh = { enable = true; settings = { PasswordAuthentication = false; }; }; tailscale = { enable = true; permitCertUid = "caddy"; }; caddy = { package = pkgs.caddy.withPlugins { plugins = [ "github.com/caddy-dns/cloudflare@89f16b99c18ef49c8bb470a82f895bce01cbaece" ]; hash = "sha256-Aqu2st8blQr/Ekia2KrH1AP/2BVZIN4jOJpdLc1Rr4g="; }; virtualHosts = { "garfield.datarift.nl" = let webRoot = pkgs.writeTextDir "index.html" (builtins.readFile ../proxy/index.html); in { extraConfig = '' root * ${webRoot} rewrite * /index.html file_server ''; }; }; }; }; security = { sudo-rs = { enable = true; }; sudo.enable = false; apparmor = { enable = true; killUnconfinedConfinables = true; }; protectKernelImage = true; }; sops.defaultSopsFile = ./secrets.yaml; sops.secrets = { keycloak-db-password = { }; caddy-env = { }; }; system.stateVersion = "23.05"; }