138 lines
3.8 KiB
Nix
138 lines
3.8 KiB
Nix
{ config, pkgs, ... }: {
|
|
imports = [
|
|
./hardware-configuration.nix
|
|
./containers.nix
|
|
./proxy.nix
|
|
../system-default.nix
|
|
../../../modules/wireguard.nix
|
|
../../../modules/podman.nix
|
|
../../../modules/traefik.nix
|
|
../../../modules/borg/client.nix
|
|
../../../modules/login-display.nix
|
|
];
|
|
|
|
# GRUB bootloader with UEFI support
|
|
boot.loader.grub = {
|
|
enable = true;
|
|
device = "nodev"; # Required for EFI systems
|
|
efiSupport = true;
|
|
efiInstallAsRemovable = true; # Better compatibility with VPS
|
|
configurationLimit = 5; # Keep only 5 boot entries to save storage
|
|
};
|
|
|
|
# Automatic garbage collection to save storage
|
|
nix.gc = {
|
|
automatic = true;
|
|
dates = "weekly";
|
|
options = "--delete-older-than 7d";
|
|
};
|
|
|
|
# Automatic store optimization to deduplicate files
|
|
nix.optimise = {
|
|
automatic = true;
|
|
dates = [ "weekly" ];
|
|
};
|
|
|
|
# Network configuration
|
|
networking = {
|
|
hostName = "vps";
|
|
hostId = "a8c06f42"; # Required for some services, generated randomly
|
|
networkmanager.enable = false; # Use systemd-networkd for VPS
|
|
useDHCP = true; # VPS typically use DHCP
|
|
firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [ 22 80 443 ]; # SSH, HTTP, HTTPS
|
|
trustedInterfaces = [ "wg0" ]; # Allow all traffic through WireGuard interface
|
|
};
|
|
};
|
|
|
|
|
|
# Host-specific SSH configuration
|
|
services.openssh = {
|
|
settings = {
|
|
PermitRootLogin = "prohibit-password"; # Allow key-based root login for nixos-anywhere
|
|
};
|
|
};
|
|
|
|
# Root user configuration (for nixos-anywhere initial access)
|
|
users.users.root = {
|
|
openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGVvviqbwBEGDIbAUnmgHQJi+N5Qfvo5u49biWl6R7oC yanlin@MacBook-Air"
|
|
];
|
|
};
|
|
|
|
# Host-specific user configuration
|
|
users.users.yanlin = {
|
|
extraGroups = [ "wheel" ]; # Enable sudo
|
|
openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGVvviqbwBEGDIbAUnmgHQJi+N5Qfvo5u49biWl6R7oC yanlin@MacBook-Air"
|
|
];
|
|
};
|
|
|
|
# Borg backup configuration
|
|
services.borg-client-custom = {
|
|
enable = true;
|
|
# Use SSH alias from SSH config for remote backup to thinkpad borg server
|
|
repositoryUrl = "ssh://borg-box/./vps";
|
|
backupPaths = [
|
|
"/home"
|
|
"/var/lib/containers/config"
|
|
"/etc"
|
|
];
|
|
# Examples:
|
|
# backupFrequency = "daily"; # Midnight (default)
|
|
# backupFrequency = "*-*-* 03:00:00"; # Every day at 3:00 AM
|
|
# backupFrequency = "*-*-* 22:30:00"; # Every day at 10:30 PM
|
|
# backupFrequency = "Mon,Wed,Fri 02:00:00"; # Mon/Wed/Fri at 2:00 AM
|
|
backupFrequency = "daily";
|
|
retention = {
|
|
keepDaily = 7;
|
|
keepWeekly = 4;
|
|
keepMonthly = 6;
|
|
keepYearly = 2;
|
|
};
|
|
passphraseFile = "/etc/borg-passphrase";
|
|
|
|
preHook = ''
|
|
echo "$(date): Starting Borg backup of ${config.networking.hostName}"
|
|
'';
|
|
postHook = ''
|
|
echo "$(date): Borg backup of ${config.networking.hostName} completed successfully"
|
|
'';
|
|
};
|
|
|
|
services.login-display = {
|
|
enable = true;
|
|
showSystemInfo = true;
|
|
showSmartStatus = false;
|
|
showDiskUsage = true;
|
|
showBorgStatus = true;
|
|
};
|
|
|
|
# WireGuard VPN configuration (VPS as hub/server)
|
|
services.wireguard-custom = {
|
|
enable = true;
|
|
mode = "server";
|
|
serverConfig = {
|
|
address = "10.2.2.1/24";
|
|
peers = [
|
|
{
|
|
name = "hs";
|
|
publicKey = "HZY7V8QlnFvY6ZWNiI0WgUgWUISnEqUdzXi7Oq9M1Es=";
|
|
allowedIPs = [ "10.2.2.20/32" ];
|
|
}
|
|
{
|
|
name = "thinkpad";
|
|
publicKey = "p3442J2HBGY5Pksu+0F4SFkBGjG99KIgwyk8eAt4YmA=";
|
|
allowedIPs = [ "10.2.2.30/32" ];
|
|
}
|
|
{
|
|
name = "rpi-wg-10-2-2-200";
|
|
publicKey = "vA+jDEtpkqHG0h3AfE0sZXuvw7kkLy/rq5VwwtCOnyE=";
|
|
allowedIPs = [ "10.2.2.200/32" ];
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
}
|