config-perso/machines/kat-orchid/default.nix

{
  config,
  lib,
  pkgs,
  mods,
  kat-path,
  ssh-keys,
  sources,
  ...
}:
{
  imports = [
    ./hardware-configuration.nix
    ./disks.nix
  ];

  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  kat.proxies = {
    ip = "192.168.122.6";
    aliases = [
      "simply-wise.fr"
      "www.simply-wise.fr"
    ];
    open-tcp = [
      {
        internal = 22;
        external = 22042;
      }
    ];
  };

  systemd.network.enable = lib.mkForce false;
  networking = {
    useNetworkd = lib.mkForce false;
    interfaces."enp1s0" = {
      useDHCP = false;
      ipv4.addresses = [
        {
          address = "192.168.122.6";
          prefixLength = 24;
        }
      ];
      ipv6.addresses = [
        {
          address = "fe80::6";
          prefixLength = 64;
        }
      ];
    };
    defaultGateway = "192.168.122.1";
    defaultGateway6 = {
      address = "fe80::1";
      interface = "enp1s0";
    };
    nameservers = [
      "192.168.122.1"
      "fe80::1%enp1s0"
    ];
  };

  nixpkgs.config.allowUnfree = true;

  services.openssh.enable = true;

  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "root@katvayor.net";
    certs."orchid.katvayor.net".extraDomainNames = [
      "simply-wise.fr"
      "www.simply-wise.fr"
    ];
  };
  services.nginx = {
    enable = true;
    virtualHosts = {
      "orchid.katvayor.net" = {
        enableACME = true;
        forceSSL = true;
        locations = {
          "/static/".alias = "/srv/orchid/";
          "/" = {
            recommendedProxySettings = true;
            proxyPass = "https://192.168.123.2/";
          };
        };
      };
      "simply-wise.fr" = {
        useACMEHost = "orchid.katvayor.net";
        forceSSL = true;
        serverAliases = [ "www.simply-wise.fr" ];
        locations."/" = {
          root = pkgs.runCommand "building" { } ''
            mkdir -p $out
            ln -nsf ${./building.html} $out/building.html
          '';
          extraConfig = ''
            internal;
            error_page 404 =503 /building.html;
          '';
        };
      };
    };
  };
  containers.wordpress =
    let
      inherit (config.security.acme) certs;
    in
    {
      privateNetwork = true;
      bindMounts.certs = {
        hostPath = certs."orchid.katvayor.net".directory;
        mountPoint = certs."orchid.katvayor.net".directory;
        isReadOnly = true;
      };
      hostAddress = "192.168.123.1";
      localAddress = "192.168.123.2";
      autoStart = true;
      specialArgs = {
        inherit kat-path ssh-keys sources;
      };
      config = {
        imports = [ kat-path ];
        kat.addArgs = false;
        boot.kernel.enable = false;
        systemd.network.enable = lib.mkForce false;
        networking.firewall.allowedTCPPorts = [
          80
          443
        ];
        services = {
          nginx = {
            enable = true;
            virtualHosts."orchid.katvayor.net" = {
              addSSL = true;
              sslCertificate = "${certs."orchid.katvayor.net".directory}/fullchain.pem";
              sslCertificateKey = "${certs."orchid.katvayor.net".directory}/key.pem";
              sslTrustedCertificate = "${certs."orchid.katvayor.net".directory}/chain.pem";
            };
          };
          openssh.enable = true;
          wordpress = {
            webserver = "nginx";
            sites."orchid.katvayor.net" = {
              themes = {
                inherit (pkgs.wordpressPackages.themes) twentytwentythree;
              };
            };
          };
        };
        environment.systemPackages = [ pkgs.wp-cli ];
        system.stateVersion = "24.11";
      };
    };
  fileSystems."/home/orchid/content/www" = {
    device = "/srv/orchid";
    options = [ "bind" ];
  };
  systemd = {
    tmpfiles.settings."10-srv-orchid"."/srv/orchid" = {
      d = {
        group = "users";
        user = "orchid";
      };
      Z = {
        group = "users";
        user = "orchid";
        mode = "0755";
      };
    };
    timers.srv-tmpfiles = {
      wantedBy = [ "timers.target" ];
      timerConfig.OnCalendar = "*-*-* *:*:07..57/10";
    };
    services.srv-tmpfiles = {
      path = [ pkgs.systemd ];
      script = ''
        systemd-tmpfiles --create --prefix=/srv
      '';
    };
  };

  users.users.orchid.isNormalUser = true;
  home-manager.users.orchid = { };

  system.stateVersion = "23.11";
}
orchid 2024-08-07 17:26:34 +02:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`mods,`
feat(wordpress): container 2024-10-27 09:16:42 +01:00			`kat-path,`
			`ssh-keys,`
			`sources,`
orchid 2024-08-07 17:26:34 +02:00			`...`
			`}:`
			`{`
			`imports = [`
			`./hardware-configuration.nix`
			`./disks.nix`
			`];`

~ 2024-10-03 17:42:38 +02:00			`boot.loader = {`
			`systemd-boot.enable = true;`
			`efi.canTouchEfiVariables = true;`
			`};`
orchid 2024-08-07 17:26:34 +02:00
new proxies config logic 2024-10-20 18:52:05 +02:00			`kat.proxies = {`
			`ip = "192.168.122.6";`
			`aliases = [`
			`"simply-wise.fr"`
			`"www.simply-wise.fr"`
			`];`
			`open-tcp = [`
			`{`
			`internal = 22;`
			`external = 22042;`
			`}`
			`];`
			`};`

npins update 2024-10-20 15:11:00 +02:00			`systemd.network.enable = lib.mkForce false;`
orchid 2024-08-07 17:26:34 +02:00			`networking = {`
~ 2024-10-03 17:42:38 +02:00			`useNetworkd = lib.mkForce false;`
orchid 2024-08-07 17:26:34 +02:00			`interfaces."enp1s0" = {`
			`useDHCP = false;`
			`ipv4.addresses = [`
			`{`
			`address = "192.168.122.6";`
			`prefixLength = 24;`
			`}`
			`];`
			`ipv6.addresses = [`
			`{`
			`address = "fe80::6";`
			`prefixLength = 64;`
			`}`
			`];`
			`};`
			`defaultGateway = "192.168.122.1";`
			`defaultGateway6 = {`
			`address = "fe80::1";`
			`interface = "enp1s0";`
			`};`
			`nameservers = [`
			`"192.168.122.1"`
			`"fe80::1%enp1s0"`
			`];`
			`};`

			`nixpkgs.config.allowUnfree = true;`

			`services.openssh.enable = true;`

feat(wordpress): container 2024-10-27 09:16:42 +01:00			`networking.firewall.allowedTCPPorts = [`
			`80`
			`443`
			`];`
orchid 2024-08-07 17:26:34 +02:00
			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "root@katvayor.net";`
got (www.)?simply-wise.fr 2024-08-21 19:50:37 +02:00			`certs."orchid.katvayor.net".extraDomainNames = [`
			`"simply-wise.fr"`
			`"www.simply-wise.fr"`
			`];`
orchid 2024-08-07 17:26:34 +02:00			`};`
			`services.nginx = {`
			`enable = true;`
			`virtualHosts = {`
			`"orchid.katvayor.net" = {`
			`enableACME = true;`
			`forceSSL = true;`
feat(wordpress): container 2024-10-27 09:16:42 +01:00			`locations = {`
			`"/static/".alias = "/srv/orchid/";`
			`"/" = {`
			`recommendedProxySettings = true;`
			`proxyPass = "https://192.168.123.2/";`
			`};`
orchid 2024-08-07 17:26:34 +02:00			`};`
			`};`
got (www.)?simply-wise.fr 2024-08-21 19:50:37 +02:00			`"simply-wise.fr" = {`
			`useACMEHost = "orchid.katvayor.net";`
			`forceSSL = true;`
			`serverAliases = [ "www.simply-wise.fr" ];`
			`locations."/" = {`
			`root = pkgs.runCommand "building" { } ''`
			`mkdir -p $out`
			`ln -nsf ${./building.html} $out/building.html`
			`'';`
			`extraConfig = ''`
			`internal;`
			`error_page 404 =503 /building.html;`
			`'';`
			`};`
			`};`
orchid 2024-08-07 17:26:34 +02:00			`};`
			`};`
feat(wordpress): container 2024-10-27 09:16:42 +01:00			`containers.wordpress =`
			`let`
			`inherit (config.security.acme) certs;`
			`in`
			`{`
			`privateNetwork = true;`
			`bindMounts.certs = {`
			`hostPath = certs."orchid.katvayor.net".directory;`
			`mountPoint = certs."orchid.katvayor.net".directory;`
			`isReadOnly = true;`
			`};`
			`hostAddress = "192.168.123.1";`
			`localAddress = "192.168.123.2";`
			`autoStart = true;`
			`specialArgs = {`
			`inherit kat-path ssh-keys sources;`
			`};`
			`config = {`
			`imports = [ kat-path ];`
			`kat.addArgs = false;`
			`boot.kernel.enable = false;`
			`systemd.network.enable = lib.mkForce false;`
			`networking.firewall.allowedTCPPorts = [`
			`80`
			`443`
			`];`
			`services = {`
			`nginx = {`
			`enable = true;`
			`virtualHosts."orchid.katvayor.net" = {`
			`addSSL = true;`
			`sslCertificate = "${certs."orchid.katvayor.net".directory}/fullchain.pem";`
			`sslCertificateKey = "${certs."orchid.katvayor.net".directory}/key.pem";`
			`sslTrustedCertificate = "${certs."orchid.katvayor.net".directory}/chain.pem";`
			`};`
			`};`
			`openssh.enable = true;`
			`wordpress = {`
			`webserver = "nginx";`
			`sites."orchid.katvayor.net" = {`
			`themes = {`
			`inherit (pkgs.wordpressPackages.themes) twentytwentythree;`
			`};`
			`};`
			`};`
			`};`
			`environment.systemPackages = [ pkgs.wp-cli ];`
			`system.stateVersion = "24.11";`
			`};`
npins update 2024-10-20 15:11:00 +02:00			`};`
orchid 2024-08-07 17:26:34 +02:00			`fileSystems."/home/orchid/content/www" = {`
			`device = "/srv/orchid";`
			`options = [ "bind" ];`
			`};`
got (www.)?simply-wise.fr 2024-08-21 19:50:37 +02:00			`systemd = {`
			`tmpfiles.settings."10-srv-orchid"."/srv/orchid" = {`
			`d = {`
			`group = "users";`
			`user = "orchid";`
			`};`
			`Z = {`
			`group = "users";`
			`user = "orchid";`
			`mode = "0755";`
			`};`
			`};`
			`timers.srv-tmpfiles = {`
			`wantedBy = [ "timers.target" ];`
			`timerConfig.OnCalendar = "--* ::07..57/10";`
			`};`
			`services.srv-tmpfiles = {`
			`path = [ pkgs.systemd ];`
			`script = ''`
			`systemd-tmpfiles --create --prefix=/srv`
			`'';`
			`};`
			`};`
orchid 2024-08-07 17:26:34 +02:00
small refactor of own modules 2024-09-26 11:51:04 +02:00			`users.users.orchid.isNormalUser = true;`
			`home-manager.users.orchid = { };`
orchid 2024-08-07 17:26:34 +02:00
			`system.stateVersion = "23.11";`
			`}`