7 Commits
master
...
vpn-and-vo
Author | SHA1 | Date |
---|---|---|
Illia Chub | d1620a9680 | |
Illia Chub | 8878832ff9 | |
Illia Chub | cccbd177be | |
Inex Code | 2a15727170 | |
Inex Code | 84e0ae01f9 | |
Inex Code | 9f54887254 | |
Inex Code | b79acbaf6a |
|
@ -1,3 +1 @@
|
||||||
userdata/userdata.json
|
userdata/userdata.json
|
||||||
hardware-configuration.nix
|
|
||||||
networking.nix
|
|
|
@ -4,13 +4,19 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.restic.backups = {
|
services.restic.backups = {
|
||||||
options = {
|
varBackup = {
|
||||||
passwordFile = "/etc/restic/resticPasswd";
|
passwordFile = "/var/lib/restic/pass";
|
||||||
repository = "s3:s3.anazonaws.com/${cfg.backblaze.bucket}";
|
repository = "rclone:${cfg.backblaze.bucket}:/sfbackup";
|
||||||
|
extraOptions = [ "rclone.args='serve restic --stdio'" ];
|
||||||
|
rcloneConfig = {
|
||||||
|
type = "b2";
|
||||||
|
account = cfg.backblaze.accountId;
|
||||||
|
key = cfg.backblaze.accountKey;
|
||||||
|
hard_delete = false;
|
||||||
|
};
|
||||||
initialize = true;
|
initialize = true;
|
||||||
paths = [
|
paths = [
|
||||||
"/var/dkim"
|
"/var"
|
||||||
"/var/vmail"
|
|
||||||
];
|
];
|
||||||
timerConfig = {
|
timerConfig = {
|
||||||
OnCalendar = [ "daily" ];
|
OnCalendar = [ "daily" ];
|
||||||
|
@ -25,11 +31,4 @@ in
|
||||||
isNormalUser = false;
|
isNormalUser = false;
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
environment.etc."restic/resticPasswd".text = ''
|
|
||||||
${cfg.resticPassword}
|
|
||||||
'';
|
|
||||||
environment.etc."restic/s3Passwd".text = ''
|
|
||||||
AWS_ACCESS_KEY_ID=${cfg.backblaze.accountId}
|
|
||||||
AWS_SECRET_ACCESS_KEY=${cfg.backblaze.accountKey}
|
|
||||||
'';
|
|
||||||
}
|
}
|
||||||
|
|
|
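Review bot: `key = cfg.backblaze.accountKey;` inside `rcloneConfig` hands the B2 application key to restic as unit environment (the NixOS restic module turns `rcloneConfig` into `RCLONE_CONFIG_*` variables on the generated service), and since NixOS writes units into the world-readable Nix store the key is visible to every local user; if `cfg.backblaze.accountKey` and `cfg.resticPassword` are plain Nix strings, the same applies to the `resticPass` file copied to `/var/lib/restic/pass` — the 0400 mode on the copy does not protect the store path it comes from. Prefer `rcloneConfigFile` and `passwordFile` pointing at files provisioned out of band (a secrets tool, or a file placed on the host) so that no credential is interpolated into a Nix expression. Separately, `paths = [ "/var" ];` now snapshots live service state such as `/var/lib/pleroma` and `/var/lib/bitwarden` without quiescing it and also pulls in `/var/cache`, `/var/log` and `/var/tmp`; consider `exclude = [ "/var/cache" "/var/log" "/var/tmp" ];` and a `backupPrepareCommand` that dumps any database before the run.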
@ -6,7 +6,6 @@ in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
|
||||||
./variables-module.nix
|
./variables-module.nix
|
||||||
./variables.nix
|
./variables.nix
|
||||||
./files.nix
|
./files.nix
|
||||||
|
@ -34,9 +33,14 @@ in
|
||||||
boot.cleanTmpDir = true;
|
boot.cleanTmpDir = true;
|
||||||
networking = {
|
networking = {
|
||||||
hostName = config.services.userdata.hostname;
|
hostName = config.services.userdata.hostname;
|
||||||
|
usePredictableInterfaceNames = false;
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 8443 ];
|
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 8443 ];
|
||||||
allowedUDPPorts = lib.mkForce [ 8443 ];
|
allowedUDPPorts = lib.mkForce [ 8443 ];
|
||||||
|
extraCommands = ''
|
||||||
|
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
|
||||||
|
iptables --append FORWARD --in-interface vpn00 -j ACCEPT
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
nameservers = [ "1.1.1.1" "1.0.0.1" ];
|
nameservers = [ "1.1.1.1" "1.0.0.1" ];
|
||||||
};
|
};
|
||||||
|
@ -84,4 +88,4 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
|
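Review bot: The two `iptables` lines in `extraCommands` are appended to the nat `POSTROUTING` and `FORWARD` chains on every firewall start or reload and are never removed, so duplicate rules accumulate across reloads; either add matching `iptables -D ... || true` lines in `extraStopCommands`, or replace both with `networking.nat = { enable = true; externalInterface = "eth0"; internalInterfaces = [ "vpn00" ]; };`, which also enables IP forwarding and cleans up its own rules. As written the MASQUERADE rule matches everything leaving `eth0`, not only traffic that arrived on `vpn00`, and nothing in this hunk sets `net.ipv4.ip_forward`, so forwarding presumably depends on configuration elsewhere. Hard-coding `eth0` only works because of `usePredictableInterfaceNames = false;` a few lines above; a comment such as `# eth0 is stable only because predictable names are disabled above` would make that coupling explicit.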
@ -22,10 +22,11 @@ in
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
[
|
[
|
||||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
|
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
|
||||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
|
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
|
||||||
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
|
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
|
||||||
"d /var/lib/restic 0600 restic - - -"
|
"d /var 0760 root shared - -"
|
||||||
|
"d /var/lib/restic 0700 restic - - -"
|
||||||
"f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
|
"f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
|
||||||
"f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
|
"f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
|
||||||
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
|
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
|
||||||
|
|
|
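Review bot: `"d /var 0760 root shared - -"` changes the mode of `/var` itself — a tmpfiles `d` line adjusts an existing directory's mode and ownership — so every user outside group `shared` loses traverse access to all of `/var` (for example `pleroma`, whose `0700` state directory sits under `/var/lib`, will get EACCES unless it is in that group), while group `shared` gains write access to the top level of `/var` and can rename or remove service directories there. `/var` should stay `0755 root root`; if a group-writable area is wanted, give it its own directory, e.g. `"d /var/shared 2770 root shared - -"`. The renamed `vaultwarden` entries also keep `0777` on `/var/lib/bitwarden` and its `backup` subdirectory, leaving a password manager's database and backups world-writable; they should follow the `0700 pleroma pleroma` pattern used on the next line.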
@ -0,0 +1,9 @@
|
||||||
|
{ modulesPath, ... }:
|
||||||
|
{
|
||||||
|
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
||||||
|
boot.loader.grub.device = "/dev/sda";
|
||||||
|
fileSystems = {
|
||||||
|
"/" = { device = "/dev/sda1"; fsType = "ext4"; };
|
||||||
|
"/var" = { device = "/dev/sdb"; fsType = "ext4"; };
|
||||||
|
};
|
||||||
|
}
|
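Review bot: `"/" = { device = "/dev/sda1"; ... }` and `"/var" = { device = "/dev/sdb"; ... }` identify filesystems by kernel device name, which is assigned by probe order and is not guaranteed stable across reboots or when a disk is attached; if `sda` and `sdb` swap, the wrong disk is mounted as `/var`, where the restic password and all service state live. Use `device = "/dev/disk/by-uuid/<uuid>";` (or `by-label`) for both mounts, and `/dev/disk/by-id/<disk>` for `boot.loader.grub.device`, which needs a whole-disk path. The `/var` mount also takes default options; `options = [ "nodev" "nosuid" ];` is cheap hardening for a data volume, assuming nothing under `/var` relies on device nodes or setuid binaries.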