authorMark Nipper <nipsy@bitgnome.net>2024-11-11 00:59:35 -0800
committerMark Nipper <nipsy@bitgnome.net>2024-11-11 00:59:35 -0800
commit1df80e29d2110ef344a7af3499930d7ec12c615d (patch)
tree8223d3ed54bf5c47fe3f39cfc2f4beb5188a35c7 /hosts/arrakis/services.nix
parentedc175c5dc2bc20eaae974fde9dee1fb2a053299 (diff)
Add netboot image directly @arrakis
Diffstat (limited to 'hosts/arrakis/services.nix')
-rw-r--r--hosts/arrakis/services.nix173
1 files changed, 108 insertions, 65 deletions
diff --git a/hosts/arrakis/services.nix b/hosts/arrakis/services.nix
index 9a0f4b8..f4a5a33 100644
--- a/hosts/arrakis/services.nix
+++ b/hosts/arrakis/services.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }: {
+{ config, inputs, lib, pkgs, ... }: {
environment.etc."gitconfig".text = ''
[safe]
@@ -84,81 +84,124 @@
};
};
- nginx = {
- appendHttpConfig = ''
- geo $geo {
- default 0;
- 127.0.0.1 1;
- ::1 1;
- 192.168.1.0/24 1;
- }
- '';
- enable = true;
+ let
- # Use recommended settings
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- #recommendedProxySettings = true;
- recommendedTlsSettings = true;
+ sys = inputs.nixos.lib.nixosSystem {
+ system = "x86_64-linux";
- # Only allow PFS-enabled ciphers with AES256
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ modules = [
+ ({ config, pkgs, lib, modulesPath, ... }: {
+ imports = [ (modulesPath + "/installer/netboot/netboot-minimal.nix") ];
- virtualHosts = {
- "arrakis.bitgnome.net" = {
- addSSL = true;
- enableACME = true;
- extraConfig = ''
- if ($geo = 0) {
- return 301 https://$host$request_uri;
- }
- '';
- locations = {
- "/" = {
- tryFiles = "$uri $uri/ =404";
- };
- "/jellyfin" = {
- return = "302 $scheme://$host/jellyfin/";
+ config = {
+ services.openssh = {
+ enable = true;
+ openFirewall = true;
+
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+
+ users.users = {
+ nixos.openssh.authorizedKeys.keys = [ (builtins.readFile ../common/users/nipsy/keys/id_arrakis.pub) ];
+ root.openssh.authorizedKeys.keys = [ (builtins.readFile ../common/users/nipsy/keys/id_arrakis.pub) ];
+ };
};
- "/jellyfin/" = {
- extraConfig = ''
- proxy_pass_request_headers on;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $http_host;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $http_connection;
- proxy_buffering off;
+ })
+ ];
+ };
- # CORS setup
- add_header 'Access-Control-Allow-Origin' '*' always;
- add_header 'Access-Control-Expose-Headers' 'Content-Length';
+ build = sys.config.system.build;
- # Allow CORS preflight requests
- if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Max-Age' 1728000;
- add_header 'Content-Type' 'text/plain charset=UTF-8';
- add_header 'Content-Length' 0;
- return 204;
- }
- '';
- proxyPass = "http://192.168.1.2:8096/jellyfin/";
+ in {
+ nginx = {
+ appendHttpConfig = ''
+ geo $geo {
+ default 0;
+ 127.0.0.1 1;
+ ::1 1;
+ 192.168.1.0/24 1;
+ }
+ '';
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ #recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ virtualHosts = {
+ "arrakis.bitgnome.net" = {
+ addSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ if ($geo = 0) {
+ return 301 https://$host$request_uri;
+ }
+ '';
+ locations = {
+ "= /boot/bzImage" = {
+ alias = "${build.kernel}/bzImage";
+ };
+ "= /boot/initrd" = {
+ alias = "${build.netbootRamdisk}/initrd";
+ };
+ "= /boot/netboot.ipxe" = {
+ alias = "${build.netbootIpxeScript}/netboot.ipxe";
+ };
+ "/" = {
+ tryFiles = "$uri $uri/ =404";
+ };
+ "/jellyfin" = {
+ return = "302 $scheme://$host/jellyfin/";
+ };
+ "/jellyfin/" = {
+ extraConfig = ''
+ proxy_pass_request_headers on;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ proxy_buffering off;
+
+ # CORS setup
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Expose-Headers' 'Content-Length';
+
+ # Allow CORS preflight requests
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ '';
+ proxyPass = "http://192.168.1.2:8096/jellyfin/";
+
+ };
+ "/nipsy" = {
+ extraConfig = ''
+ autoindex on;
+ '';
+ tryFiles = "$uri $uri/ =404";
+ };
};
- "/nipsy" = {
- extraConfig = ''
- autoindex on;
- '';
- tryFiles = "$uri $uri/ =404";
- };
+ root = "/var/www";
};
- root = "/var/www";
};
};
- };
+ }
postfix = let my_email = "nipsy@bitgnome.net"; in {
enable = true;
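Review bot: The three exact-match locations `= /boot/bzImage`, `= /boot/initrd` and `= /boot/netboot.ipxe` have no access rule of their own, so the installer image is restricted only by the server-level `if ($geo = 0)` redirect, which is a redirect rather than a deny and is easy to lose if that block is later changed. Since the image boots with sshd enabled, `openFirewall = true` and a key authorised for `root`, I would pin the intent on each location with something like `extraConfig = "allow 192.168.1.0/24; deny all;";`. If iPXE clients fetch these files over plain HTTP they get no integrity check on the kernel and initrd, which is worth a comment next to the locations. Separately, both users repeat `builtins.readFile ../common/users/nipsy/keys/id_arrakis.pub`; `openssh.authorizedKeys.keyFiles = [ ../common/users/nipsy/keys/id_arrakis.pub ];` says the same without the duplicated read. The enclosing attribute set opens before this hunk, so how the `let … in { … }` is attached is not visible here.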