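# Shared NixOS module for the Procolix-hosted machines: SSH access, static
# networking (IPv4 and IPv6 merged into one `networking` definition) and
# ACME defaults.
#
# Consistency fix: `mkDefault` is inherited from `lib` in the `let` below, so
# it is used directly throughout instead of mixing `mkDefault` and
# `lib.mkDefault`; behaviour is unchanged.
{ lib, ... }:

let
  inherit (lib) mkDefault mkMerge;
in

{
  _class = "nixos";

  config = {
    services.openssh = {
      enable = true;
      settings = {
        # NOTE(review): "yes" lets root authenticate with any method that is
        # still enabled. Only password authentication is switched off below;
        # keyboard-interactive (PAM) authentication is left at the NixOS
        # default and is not pinned here. If key-only root access is the
        # intent, "prohibit-password" expresses that directly — confirm with
        # the deployment owners before changing it.
        PermitRootLogin = "yes";
        PasswordAuthentication = false;
      };
    };

    # The three attrsets below are combined by the module system. Attributes
    # defined once (domain, gateways, nftables, ...) pass through; the
    # list-valued `nameservers` is defined twice and the definitions are
    # concatenated, so the IPv4 and IPv6 resolvers end up in one list.
    networking = mkMerge [
      {
        domain = mkDefault "abundos.eu";

        ## REVIEW: Do we actually need that, considering that we have static IPs?
        useDHCP = mkDefault true;

        ## Disable the default firewall and use nftables instead, with a custom
        ## Procolix-made ruleset.
        firewall.enable = false;
        nftables = {
          enable = true;
          # With the NixOS firewall disabled, this file (kept next to the
          # module) is what defines the host's packet filtering; review changes
          # to it with the same care as the options above.
          rulesetFile = ./nftables-ruleset.nft;
        };
      }

      {
        defaultGateway = {
          interface = mkDefault "eth0";
        };
        nameservers = [
          "95.215.185.6"
          "95.215.185.7"
        ];
      }

      {
        defaultGateway6 = {
          interface = mkDefault "eth0";
        };
        nameservers = [
          "2a00:51c0::5fd7:b906"
          "2a00:51c0::5fd7:b907"
        ];
      }
    ];

    ## FIXME distinguish `staging` vs. `production`
    security.acme = {
      acceptTerms = true;
      # TODO: configure a mailserver so we can set up acme
      # use a priority more urgent than mkDefault for panel deployment to work,
      # yet looser than default so this will not clash with the setting in tests.
      defaults.email = lib.modules.mkOverride 200 "systeemmail@procolix.com";
      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };
  };
}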