diff --git a/hosts/netcup/configuration.nix b/hosts/netcup/configuration.nix index dd98cf3..4b3bc69 100644 --- a/hosts/netcup/configuration.nix +++ b/hosts/netcup/configuration.nix @@ -1,15 +1,25 @@ -{ pkgs, ... }: +{ pkgs, modulesPath, ... }: { - imports = [ ./disk-config.nix ]; + imports = [ + ./disk-config.nix + ./hardware-configuration.nix + (modulesPath + "/profiles/minimal.nix") + (modulesPath + "/profiles/headless.nix") + ]; boot.loader.grub = { enable = true; efiSupport = true; efiInstallAsRemovable = true; device = "nodev"; + configurationLimit = 3; }; + documentation.enable = false; + hardware.enableRedistributableFirmware = false; + fonts.fontconfig.enable = false; + networking = { hostName = "netcup"; useDHCP = false; @@ -67,6 +77,7 @@ enable = true; recommendedProxySettings = true; recommendedTlsSettings = true; + clientMaxBodySize = "512m"; virtualHosts."vault.barrettruth.com" = { enableACME = true; forceSSL = true; 
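Review bot: `configurationLimit = 3;` leaves only the three newest generations in the GRUB menu, so one bad deploy followed by two corrective rebuilds removes the last known-good entry, and on a VPS the fallback is the provider's rescue console rather than a local keyboard; I would annotate the line: `# only the 3 newest generations stay bootable; older rollbacks need the rescue system`. The same hunk imports `profiles/headless.nix`, which as far as I recall also turns off systemd's emergency shell and sets panic-on-boot-failure kernel params, so a boot that fails early on this host is not interactively repairable — worth a one-line comment next to that import. The explicit `documentation.enable = false;` and `fonts.fontconfig.enable = false;` appear to duplicate what `profiles/minimal.nix` already sets via `mkDefault`; either drop them or add a comment that they are intentionally pinned against a profile change.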
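Review bot: `clientMaxBodySize = "512m";` is the global nginx option, so the 512 MiB request-body limit now applies to every virtual host on this machine, including the Vaultwarden host `vault.barrettruth.com` visible in the same hunk, which has no use for bodies of that size and only gains a larger upload surface for unauthenticated clients. If the limit exists for the Forgejo host (large pushes or LFS over HTTPS — that vhost is outside this hunk, so I am inferring), scope it there instead: `virtualHosts."git.barrettruth.com".extraConfig = "client_max_body_size 512m;";` and keep nginx's default for everything else. A short comment naming the host that needs it would stop the next reader from widening it again.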
@@ -93,21 +104,71 @@ services.forgejo = { enable = true; + user = "git"; + group = "git"; settings = { server = { DOMAIN = "git.barrettruth.com"; ROOT_URL = "https://git.barrettruth.com/"; HTTP_PORT = 3000; + SSH_DOMAIN = "git.barrettruth.com"; }; service.DISABLE_REGISTRATION = true; + session.COOKIE_SECURE = true; }; }; + users.users.git = { + isSystemUser = true; + home = "/var/lib/forgejo"; + group = "git"; + shell = "${pkgs.bash}/bin/bash"; + }; + + users.groups.git = { }; + environment.systemPackages = with pkgs; [ vim git ]; + systemd.services.vaultwarden-r2-backup = { + description = "Backup Vaultwarden to Cloudflare R2"; + after = [ "backup-vaultwarden.service" ]; + serviceConfig = { + Type = "oneshot"; + EnvironmentFile = "/etc/vaultwarden-r2-backup.env"; + }; + path = [ pkgs.awscli2 pkgs.gawk ]; + script = '' + export AWS_ACCESS_KEY_ID="$R2_ACCESS_KEY_ID" + export AWS_SECRET_ACCESS_KEY="$R2_SECRET_ACCESS_KEY" + ENDPOINT="$R2_ENDPOINT" + DATE=$(date +%Y-%m-%d) + + aws s3 cp /var/backup/vaultwarden/db.sqlite3 \ + "s3://vaultwarden/$DATE/db.sqlite3" \ + --endpoint-url "$ENDPOINT" + + CUTOFF=$(date -d '30 days ago' +%Y-%m-%d) + aws s3 ls s3://vaultwarden/ --endpoint-url "$ENDPOINT" \ + | awk '{print $2}' | tr -d '/' \ + | while read dir; do + if [ "$dir" \< "$CUTOFF" ]; then + aws s3 rm "s3://vaultwarden/$dir" --recursive --endpoint-url "$ENDPOINT" + fi + done + ''; + }; + + systemd.timers.vaultwarden-r2-backup = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + }; + }; + nix.settings = { auto-optimise-store = true; experimental-features = [ @@ -119,8 +180,13 @@ nix.gc = { automatic = true; dates = "weekly"; - options = "--delete-older-than 7d"; + options = "--delete-older-than 3d"; }; + nix.extraOptions = '' + min-free = ${toString (100 * 1024 * 1024)} + max-free = ${toString (1024 * 1024 * 1024)} + ''; + system.stateVersion = "24.11"; } 
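Review bot: The retention loop (`aws s3 rm "s3://vaultwarden/$dir" --recursive`) runs with the same token that uploads, so the credentials in `/etc/vaultwarden-r2-backup.env` must carry delete rights and anyone who compromises this host or reads that file can destroy every offsite copy together with the live database — the one scenario the backup exists for. Move expiry to a bucket-side lifecycle rule (R2 supports these, as far as I know) and scope the token to object writes only; the `CUTOFF`/`while read dir` block can then be deleted outright. Separately, `after = [ "backup-vaultwarden.service" ]` only orders the two units when both happen to be scheduled and never starts the SQLite backup, so a timer that fires alone uploads a stale `db.sqlite3`; add `requires = [ "backup-vaultwarden.service" ];` beside `after`. The unit runs as root with no sandboxing and the env file's mode is not managed here, so confirm it is root-owned 0600 (or provisioned by a secrets module) and consider `DynamicUser = true;` with a read-only bind of `/var/backup/vaultwarden`. Nothing encrypts the file before upload, so credential hashes and account metadata (and, I believe, 2FA material) sit in R2 protected only by the bucket ACL; piping through `age` before `aws s3 cp` is cheap insurance.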
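Review bot: `nix.extraOptions` is used for `min-free`/`max-free` although this file already configures Nix through the `nix.settings` attrset opened at the end of the previous hunk, so the two settings read more consistently as `nix.settings.min-free = 100 * 1024 * 1024;` and `nix.settings.max-free = 1024 * 1024 * 1024;` — the module renders integers into nix.conf directly, so the `toString` interpolation is unnecessary. `--delete-older-than 3d` also drops system generations older than three days from the profile, which combined with the GRUB entry limit earlier in this commit means a rollback target rarely survives the week; a comment stating that this trades rollback window for disk space on a small VPS would keep a future reader from "fixing" it.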
diff --git a/hosts/netcup/hardware-configuration.nix b/hosts/netcup/hardware-configuration.nix new file mode 100644 index 0000000..12adf63 --- /dev/null +++ b/hosts/netcup/hardware-configuration.nix @@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +}