xengi/infra
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/configuration.nix
Ricardo (XenGi) Band 04efe82c0a
foo
2025-12-02 19:36:46 +01:00

146 lines
3.8 KiB
Nix
Raw Blame History

{
config,
modulesPath,
pkgs,
lib,
...
}:
{
imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
nix = {
optimise = {
automatic = true;
dates = [ "11:00" ];
};
settings = {
auto-optimise-store = true;
sandbox = false;
# Allow remote updates
trusted-users = [
"root"
"@wheel"
];
experimental-features = [
"nix-command"
"flakes"
];
};
gc = {
automatic = true;
options = "--delete-older-then 14d";
};
};
nixpkgs.hostPlatform = "x86_64-linux";
environment.systemPackages = with pkgs; [
vim
git
];
proxmoxLXC = {
manageNetwork = false;
manageHostName = false;
privileged = true;
};
users.users.root = {
packages = with pkgs; [
kitty # for terminfo
neofetch # for shits and giggles
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmb+mJfo84IagUaRoDEqY9ROjjQUOQ7tMclpN6NDPrX xengi@kota_2022-01-16"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyklb7dvEHH0VBEMmTUQFKHN6ekBQqkDKj09+EilUIQ xengi@lucy_2018-09-08"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjv9W8WXq9QGkgmANNPQR24/I1Pm1ghxNIHftEI+jlZ xengi@mayu_2021-06-11"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhyfD+8jMl6FDSADb11sfAsJk0KNoVzjjiDRZjUOtmf xengi@nana_2019-08-16"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPtGqhV7io3mhIoZho4Yf7eCo0sUZvjT2NziM2PkXSo xengi@nyu_2017-10-11"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwYcSxbP6Hon//kZFIZJSHdqvsJ6AyCwH4JP9/t4q46 xengi@yuka_2020-12-16"
];
};
networking = {
useNetworkd = true;
nftables.enable = true;
dhcpcd.enable = false;
firewall = {
enable = true;
allowedTCPPorts = [
22 # SSH
80 # HTTP/1
443 # HTTP/2
8448 # Matrix federation
];
allowedUDPPorts = [
443 # HTTP/3
];
};
};
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "en_US.UTF-8";
console.font = "Lat2-Terminus16";
services = {
fstrim.enable = false; # Let Proxmox host handle fstrim
openssh = {
enable = true;
openFirewall = true;
settings = {
PermitEmptyPasswords = "no";
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
banner = ''
__ __
/\ \__ __ /\ \
___ ___ __ \ \ ,_\ _ __ /\_\ __ _ ___ ___ ___\ \ \____
/' __` __`\ /'__`\ \ \ \/ /\`'__\/\ \ /\ \/'\ /'___\ /'___\ /'___\ \ '__`\
/\ \/\ \/\ \/\ \L\.\_\ \ \_\ \ \/ \ \ \\/> </ /\ \__//\ \__//\ \__/\ \ \L\ \
\ \_\ \_\ \_\ \__/.\_\\ \__\\ \_\ \ \_\/\_/\_\ \ \____\ \____\ \____\\ \_,__/
\/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/
'';
};
# Cache DNS lookups to improve performance
resolved = {
enable = true;
fallbackDns = [
"1.1.1.1#one.one.one.one"
"9.9.9.9#dns.quad9.net"
];
dnssec = "allow-downgrade";
dnsovertls = "true";
extraConfig = ''
Cache=true
CacheFromLocalhost=true
'';
};
};
programs = {
vim = {
enable = true;
defaultEditor = true;
};
ssh.startAgent = true;
};
security = {
acme = {
acceptTerms = true;
defaults = {
validMinDays = 14;
renewInterval = "daily";
email = "acme@xengi.de";
group = "nginx";
webroot = "/var/lib/acme/acme-challenge";
};
};
};
system.stateVersion = "25.05";
}
Reference in a new issue View git blame Copy permalink