# Host configuration for the machine labelled "nbg-01" (see borg-config.backupLabel).
# Wires up static networking, sops-managed secrets, the CrowdSec bouncers,
# Traefik with an authentik forward-auth middleware, Uptime Kuma and borg backups.
{ config, lib, pkgs, pkgsUnstable, inputs, ... }:
let
  # Shorthand for the declared sops secrets; only their runtime `.path` is
  # referenced below, so no secret value is written into this file.
  secrets = config.sops.secrets;
in
{
  boot.loader.grub.device = "/dev/sda";

  # --- Networking -----------------------------------------------------------
  network-static.enable = true;
  network-static.hardwareAddress = "96:00:04:60:6E:04";
  network-static.staticAddresses = [
    "91.99.166.211/32"
    "2a01:4f8:1c1a:d167::1/64"
  ];
  network-static.staticRoutes = [
    # The IPv4 address is a /32, so the gateway is not inside any configured
    # subnet and has to be declared on-link.
    { Gateway = "172.31.1.1"; GatewayOnLink = true; }
    { Gateway = "fe80::1"; }
  ];

  qemu = { enable = true; };
  spice = { enable = true; };

  # --- Secrets --------------------------------------------------------------
  # Entries declared as `{ }` take the sops-nix defaults for owner and mode
  # (root-owned and not world-readable unless defaults are overridden
  # elsewhere — confirm). Only the WAF key is handed to a non-root user.
  sops.secrets."crowdsec/fwBouncerLapiKey" = { };
  sops.secrets."crowdsec/wafLapiKey" = {
    # Read-only for the traefik user, no access for group/other.
    owner = "traefik";
    mode = "0400";
  };
  sops.secrets."borgmatic_pass/local" = { };
  sops.secrets."borgmatic_pass/remote" = { };

  # --- CrowdSec bouncers ----------------------------------------------------
  # Both bouncers receive a path to the decrypted key file, not the key itself.
  crowdsec-firewall-bouncer.enable = true;
  crowdsec-firewall-bouncer.apiKeyFile = secrets."crowdsec/fwBouncerLapiKey".path;

  crowdsec-traefik-bouncer.enable = true;
  crowdsec-traefik-bouncer.lapiKeyFile = secrets."crowdsec/wafLapiKey".path;

  # --- Reverse proxy and monitoring ------------------------------------------
  traefik.enable = true;
  traefik.redirectHttps = true;

  uptimekuma = { enable = true; };

  # Forward-auth middleware named "authentik". It protects only the routers
  # that attach it; none are attached in this file.
  services.traefik.dynamicConfigOptions.http.middlewares.authentik.forwardauth = {
    # Plain HTTP to a ts.net hostname: confidentiality and integrity of the
    # auth sub-request presumably rely on the tailnet transport — confirm that
    # this name is only resolvable/reachable over the tailnet.
    address = "http://lax-01.tail755c5.ts.net:9000/outpost.goauthentik.io/auth/traefik";
    # Existing X-Forwarded-* headers are passed to the auth endpoint as-is.
    # NOTE(review): verify the entry points do not accept client-supplied
    # forwarded headers from untrusted sources, since this host has a public
    # address.
    trustForwardHeader = true;
    # Headers copied from the auth response onto the request sent upstream.
    # Backends that make decisions on X-authentik-* should only be reachable
    # through a router carrying this middleware.
    authResponseHeaders = [
      "X-authentik-username"
      "X-authentik-groups"
      "X-authentik-email"
      "X-authentik-name"
      "X-authentik-uid"
      "X-authentik-jwt"
      "X-authentik-meta-jwks"
      "X-authentik-meta-outpost"
      "X-authentik-meta-provider"
      "X-authentik-meta-app"
      "X-authentik-meta-version"
    ];
  };

  # --- Backups --------------------------------------------------------------
  borg-config = {
    enable = true;

    backupLabel = "nbg-01";
    localRepoPath = "ssh://borg@borg-01.tail755c5.ts.net/./";
    remoteRepoPath = "ssh://fm1833@fm1833.rsync.net/./hosts/nbg-01";
    sourceDirectories = [ "/var/lib/uptime-kuma" ];
    # NOTE(review): both ping URLs carry what looks like a ping key in the
    # path, stored here as a plain string (so it lives in the repository and
    # the evaluated configuration). Anyone holding it can presumably report
    # backup status for these checks; consider sourcing it from a sops secret
    # if the borg-config module can take the URL from a file — confirm.
    hcPingUrlLocal = "https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-nbg-01";
    hcPingUrlRemote = "https://hc.its-et.me/ping/PlGPBqq-0rLI4N4ya3jYmg/backup-nbg-01-remote";
  };

  # --- Access ---------------------------------------------------------------
  # Public keys only. Presumably installed as authorized keys by the `base`
  # module — confirm; each entry is a standing login credential, so drop a key
  # here when its device is retired.
  base.userSSHKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDt43wa3heh97BfsDk+3RMteIltWOHcEKJdohasSjRif etorres@xenon"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEAPw4dzYQD0oMZnSBFmFlHvKvUadO705OwQKtrnQ46 etorres@radon"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdyqGEu5OYTutN5a776o70SU2U/l0icDR4y+jrGAZsD etorres@erics-mac"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPh9J3YzaYZNGX3IytAwRhiQOaAukYvFSfhzmBVcYbsF etorres@iphone"
  ];
}