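{ config, lib, pkgs, kat-path, ssh-keys, sources, self-meta, ... }:
# Host "orchid": a VM that fronts orchid.katvayor.net and simply-wise.fr with
# nginx, runs WordPress in a NixOS container, and exposes a Samba share whose
# "www" directory is published under /static/.
{
  deployment = {
    targetHost = "orchid.kat";
    tags = [ "kat-vms" ];
  };

  imports = [
    ./hardware-configuration.nix
    ./disks.nix
  ];

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    kernelParams = [ "console=ttyS0" ];
  };

  kat = {
    proxies = {
      ip = "192.168.122.6";
      aliases = [ "simply-wise.fr" "www.simply-wise.fr" ];
      # Host SSH (22) is published by the kat.proxies module on external port 22042.
      open-tcp = [ { internal = 22; external = 22042; } ];
    };
  };

  systemd.network.networks = {
    "10-enp1s0" = {
      name = "enp1s0";
      address = [
        "192.168.1.201/32"
        "192.168.122.6/24"
        "fe80::6/64"
      ];
      routes = [
        { Gateway = "192.168.122.1"; }
        {
          Gateway = "192.168.122.1";
          Destination = "192.168.1.0/24";
          # Source-based route for the /32 address above. Previously
          # "192.122.1.2O1" (letter O, wrong second octet), which is not a
          # valid IPv4 address and would leave this route unconfigured.
          Source = "192.168.1.201";
        }
        { Gateway = "fe80::1"; }
      ];
      dns = [ "8.8.8.8" "1.1.1.1" ];
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
  nixpkgs.config.allowUnfree = true;

  security.acme = {
    acceptTerms = true;
    defaults.email = "root@katvayor.net";
    certs."orchid.katvayor.net".extraDomainNames = [
      "simply-wise.fr"
      "www.simply-wise.fr"
    ];
  };

  services = {
    openssh.enable = true;
    qemuGuest.enable = true;
    # Root is logged in automatically on the console (ttyS0, see kernelParams):
    # anyone who can attach to the VM console gets a root shell with no password.
    getty.autologinUser = "root";

    nginx = {
      enable = true;
      virtualHosts = {
        "orchid.katvayor.net" = {
          enableACME = true;
          forceSSL = true;
          locations = {
            # /srv/orchid is bind-mounted as the Samba share's "www" directory
            # (see fileSystems below), so anything written there is served here.
            "/static/".alias = "/srv/orchid/";
            "/" = {
              recommendedProxySettings = true;
              # Backend is the WordPress container's localAddress.
              proxyPass = "https://192.168.123.2/";
            };
          };
        };
        "simply-wise.fr" = {
          useACMEHost = "orchid.katvayor.net";
          forceSSL = true;
          serverAliases = [ "www.simply-wise.fr" ];
          locations."/" = {
            root = pkgs.runCommand "building" { } ''
              mkdir -p $out
              ln -nsf ${./building.html} $out/building.html
            '';
            # "internal;" makes external requests 404, which error_page turns
            # into a 503 carrying the placeholder building.html.
            extraConfig = ''
              internal;
              error_page 404 =503 /building.html;
            '';
          };
        };
      };
    };

    samba = {
      enable = true;
      # Opens the SMB ports in the host firewall (not limited to one interface).
      openFirewall = true;
      settings.orchid = {
        browseable = "yes";
        writable = "yes";
        path = "/home/orchid/content";
        "create mask" = "0644";
        "directory mask" = "0755";
      };
    };
  };

  containers.wordpress =
    let
      inherit (config.security.acme) certs;
      certDir = certs."orchid.katvayor.net".directory;
    in
    {
      privateNetwork = true;
      # The host's ACME directory, including key.pem, is mounted read-only
      # into the container so its nginx can terminate TLS itself.
      bindMounts.certs = {
        hostPath = certDir;
        mountPoint = certDir;
        isReadOnly = true;
      };
      hostAddress = "192.168.123.1";
      localAddress = "192.168.123.2";
      autoStart = true;
      specialArgs = { inherit kat-path ssh-keys sources self-meta; };
      config = {
        imports = [ kat-path ];
        kat.addArgs = false;
        boot.kernel.enable = false;
        systemd.network.enable = lib.mkForce false;
        networking.firewall.allowedTCPPorts = [ 80 443 ];
        services = {
          nginx = {
            enable = true;
            virtualHosts."orchid.katvayor.net" = {
              addSSL = true;
              sslCertificate = "${certDir}/fullchain.pem";
              sslCertificateKey = "${certDir}/key.pem";
              sslTrustedCertificate = "${certDir}/chain.pem";
            };
          };
          openssh.enable = true;
          wordpress = {
            webserver = "nginx";
            sites."orchid.katvayor.net" = {
              themes = { inherit (pkgs.wordpressPackages.themes) twentytwentythree; };
            };
          };
        };
        environment.systemPackages = [ pkgs.wp-cli ];
        system.stateVersion = "24.11";
      };
    };

  fileSystems."/home/orchid/content/www" = {
    device = "/srv/orchid";
    options = [ "bind" ];
  };

  systemd = {
    tmpfiles.settings."10-srv-orchid"."/srv/orchid" = {
      d = { group = "users"; user = "orchid"; };
      Z = { group = "users"; user = "orchid"; mode = "0755"; };
    };
    # Periodically re-applies the ownership/mode rules above to /srv,
    # presumably so files written via the Samba share stay servable by nginx.
    # NOTE(review): the third field of OnCalendar is seconds, so this fires
    # every 10 seconds; if every 10 minutes was intended, use "*-*-* *:07..57/10".
    timers.srv-tmpfiles = {
      wantedBy = [ "timers.target" ];
      timerConfig.OnCalendar = "*-*-* *:*:07..57/10";
    };
    services.srv-tmpfiles = {
      path = [ pkgs.systemd ];
      script = ''
        systemd-tmpfiles --create --prefix=/srv
      '';
    };
  };

  users.users.orchid.isNormalUser = true;
  home-manager.users.orchid = { };
  system.stateVersion = "23.11";
}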