[perso/Immae/Config/Nix.git] / modules / private / system / dilion.nix

{ config, pkgs, name, lib, flakes, ... }:
{
  deployment = {
    targetUser = "root";
    targetHost = lib.head config.hostEnv.ips.main.ip4;
  };
  # ssh-keyscan dilion | nix-shell -p ssh-to-age --run ssh-to-age
  secrets.ageKeys = [ "age1x49n6qa0arkdpq8530s7umgm0gqkq90exv4jep97q30rfnzknpaqate06a" ];
  nixpkgs.system = lib.mkOverride 900 "x86_64-linux";
  boot = {
    loader = {
      grub = {
        version = 2;
        devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" ];
      };
      timeout = 1;
    };
    blacklistedKernelModules = [ "nvidiafb" ];
    supportedFilesystems = [ "zfs" ];
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    kernelModules = [ "kvm-intel" ];
    initrd.availableKernelModules = [ "ahci" "sd_mod" ];
    initrd.secrets = {
      "/boot/pass.key" = "/boot/pass.key";
    };
    kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
    # available in nixos-20.09
    #zfs.requestEncryptionCredentials = [ "zpool/root" ];
  };
  powerManagement.cpuFreqGovernor = "powersave";
  hardware.enableRedistributableFirmware = true;

  myEnv = import ../../../nixops/secrets/environment.nix;

  swapDevices = [ { label = "swap"; } ];
  fileSystems = {
    "/"           = { fsType = "zfs"; device = "zpool/root"; };
    "/boot"       = { fsType = "ext4"; device = "/dev/disk/by-uuid/fd1c511e-2bc0-49d5-b8bb-95e7e8c8c816"; };
    "/etc"        = { fsType = "zfs"; device = "zpool/root/etc"; };
    "/home"       = { fsType = "zfs"; device = "zpool/root/home"; };
    "/home/immae" = { fsType = "zfs"; device = "zpool/root/home/immae"; };
    "/tmp"        = { fsType = "zfs"; device = "zpool/root/tmp"; };
    "/var"        = { fsType = "zfs"; device = "zpool/root/var"; };
    "/data"       = { fsType = "ext4"; label = "data"; };
    "/nix"        = { fsType = "ext4"; label = "nix"; };
  };

  services.udev.extraRules = ''
    ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="10:bf:48:7f:e6:3b", NAME="eth0"
  '';

  networking = {
    hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4
    firewall.enable = false;
    interfaces."eth0".ipv4.addresses =
      [ { address = lib.head config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
      ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
        (n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
        (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips));
    interfaces."eth0".ipv6.addresses =
      [ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ]
      ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
        (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
        config.hostEnv.ips);
    defaultGateway = { address = "176.9.10.225"; interface = "eth0"; };
    defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
    nameservers = [
      "213.133.98.98"
      "213.133.99.99"
      "213.133.100.100"
      "2a01:4f8:0:a0a1::add:1010"
      "2a01:4f8:0:a102::add:9999"
      "2a01:4f8:0:a111::add:9898"
    ];
  };

  myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ];
  imports = builtins.attrValues (import ../.. flakes) ++ [ ./dilion/vms.nix ];

  system.nssModules = [ pkgs.libvirt ];
  system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
  programs.zsh.enable = true;

  users.users.libvirt = {
    hashedPassword = "!";
    shell = pkgs.bashInteractive;
    isSystemUser = true;
    group = "libvirtd";
    packages = [ pkgs.libressl.nc ];
    openssh.authorizedKeys.keys = [
      config.myEnv.buildbot.ssh_key.public
      config.myEnv.sshd.rootKeys.ismael_flony
    ];
  };

  users.groups.backup = {};
  users.users.backup = {
    hashedPassword = "!";
    isSystemUser = true;
    extraGroups = [ "keys" ];
    group = "backup";
    shell = pkgs.bashInteractive;
    openssh.authorizedKeys.keys = let
      zreplConfig = config.secrets.fullPaths."zrepl/zrepl.yml";
    in
      ["command=\"${pkgs.zrepl}/bin/zrepl stdinserver --config ${zreplConfig} eldiron\",restrict ${config.myEnv.zrepl_backup.ssh_key.public}"];
  };
  security.sudo.extraRules = pkgs.lib.mkAfter [
    {
      commands = [
        { command = "/home/immae/.nix-profile/root_scripts/*"; options = [ "NOPASSWD" ]; }
      ];
      users = [ "immae" ];
      runAs = "root";
    }
  ];

  system.activationScripts.libvirtd_exports = ''
    install -m 0755 -o root -g root -d /var/lib/caldance
  '';
  virtualisation.docker.enable = true;
  virtualisation.docker.storageDriver = "zfs";
  virtualisation.libvirtd.enable = true;
  systemd.services.libvirtd.path = lib.mkAfter [ config.boot.zfs.package ];
  users.groups.immae = {};
  users.extraUsers.immae.extraGroups = [ "immae" "libvirtd" "docker" ];
  systemd.services.libvirtd.postStart = ''
    install -m 0770 -g libvirtd -d /var/lib/libvirt/images
  '';
  systemd.services.socat-caldance = {
    description = "Forward ssh port to caldance";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    serviceConfig = {
      ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:caldance:22";
    };
  };

  time.timeZone = "Europe/Paris";
  nix = {
    settings = {
      sandbox = "relaxed";
      max-jobs = 8;
      substituters = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
      trusted-public-keys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
    };
    extraOptions = ''
      keep-outputs = true
      keep-derivations = true
      allow-unsafe-native-code-during-evaluation = true
      experimental-features = nix-command flakes
      #Assumed in NUR
      allow-import-from-derivation = true
    '';
  };

  security.pki.certificateFiles = [
    (pkgs.fetchurl {
      url = "http://downloads.e.eriomem.net/eriomemca.pem";
      sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh";
    })
  ];

  # This is equivalent to setting environment.sessionVariables.NIX_PATH
  nix.nixPath = [
    "home-manager=${pkgs.sources.home-manager.url}"
    "nixpkgs=${pkgs.sources.nixpkgs-home-manager.url}"
  ];

  myServices.monitoring.enable = true;
  myServices.certificates.enable = true;
  security.acme.certs."${name}-immae" = config.myServices.certificates.certConfig // {
    group = "immae";
    domain = "dilion.immae.eu";
  };
  security.acme.certs."${name}" = {
    group = config.services.nginx.group;
    extraDomainNames = [
      "dilion.immae.dev"
      "caldance.cs.immae.dev"
      "zulip.carpentier.earth"
      "zulip.tof.carpentier.earth"
      "zulip.dine.carpentier.earth"
      "zulip.quentin.carpentier.earth"
      "zulip.agnes.carpentier.earth"

      "ofn.nc.immae.dev"

      "bookstack.cc.immae.dev"
    ];
  };
  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    upstreams = {
      caldance.servers."caldance:3031" = {};
    };
    virtualHosts = {
      "dilion.immae.dev" = {
        acmeRoot = config.myServices.certificates.webroot;
        useACMEHost = name;
        forceSSL = true;
        locations."/".root = "/home/immae/www";
      };
      "caldance.cs.immae.dev" = {
        acmeRoot = config.myServices.certificates.webroot;
        useACMEHost = name;
        forceSSL = true;
        locations."/".extraConfig = ''
          uwsgi_pass caldance;
        '';
        locations."/static/".alias = "/var/lib/caldance/caldance/app/www/static/";
        locations."/media/".alias = "/var/lib/caldance/caldance/media/";
        extraConfig = ''
          auth_basic           "Authentification requise";
          auth_basic_user_file ${pkgs.writeText "htpasswd" config.myEnv.websites.caldance.integration.password};
        '';
      };
      "bookstack.cc.immae.dev" = {
        acmeRoot = config.myServices.certificates.webroot;
        useACMEHost = name;
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:4003";
      };
      "ofn.nc.immae.dev" = {
        acmeRoot = config.myServices.certificates.webroot;
        useACMEHost = name;
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:3000";
      };
      "zulip.carpentier.earth" = {
        acmeRoot = config.myServices.certificates.webroot;
        useACMEHost = name;
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:4002";
      };
      "zulip.tof.carpentier.earth" = {
        acmeRoot = config.myServices.certificates.webroot;
        useACMEHost = name;
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:4002";
      };
      "zulip.dine.carpentier.earth" = {
        acmeRoot = config.myServices.certificates.webroot;
        useACMEHost = name;
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:4002";
      };
      "zulip.quentin.carpentier.earth" = {
        acmeRoot = config.myServices.certificates.webroot;
        useACMEHost = name;
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:4002";
      };
      "zulip.agnes.carpentier.earth" = {
        acmeRoot = config.myServices.certificates.webroot;
        useACMEHost = name;
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:4002";
      };
    };
  };

  systemd.services.zrepl.serviceConfig.RuntimeDirectory = lib.mkForce "zrepl zrepl/stdinserver";
  systemd.services.zrepl.serviceConfig.User = "backup";
  # pour eldiron:
  # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
  # pour flony:
  # zfs allow backup hold,release,bookmark,snapshot,send zpool
  immaeServices.zrepl = {
    enable = true;
    config = ''
      global:
        control:
          sockpath: /run/zrepl/control
        serve:
          stdinserver:
            sockdir: /run/zrepl/stdinserver
      jobs:
        - type: sink
          # must not change
          name: "backup-from-eldiron"
          root_fs: "zpool/backup"
          serve:
            type: tls
            listen: :19000
            ca: ${config.secrets.fullPaths."zrepl/certificates/eldiron.crt"}
            cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
            key: ${config.secrets.fullPaths."zrepl/dilion.key"}
            client_cns:
              - eldiron
        - type: source
          # must not change
          name: "backup-to-wd-zpool"
          # not encrypted!
          serve:
            type: tls
            listen: :19001
            ca: ${config.secrets.fullPaths."zrepl/certificates/flony.crt"}
            cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
            key: ${config.secrets.fullPaths."zrepl/dilion.key"}
            client_cns:
              - flony
          filesystems:
            "zpool/libvirt<": true
            "zpool/root<": true
          snapshotting:
            type: manual
        - type: source
          # must not change
          name: "backup-to-wd-zpool-docker"
          # not encrypted!
          serve:
            type: tls
            listen: :19002
            ca: ${config.secrets.fullPaths."zrepl/certificates/flony.crt"}
            cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
            key: ${config.secrets.fullPaths."zrepl/dilion.key"}
            client_cns:
              - flony
          filesystems:
            "zpool/docker<": true
          snapshotting:
            type: manual
    '';
  };
  # This value determines the NixOS release with which your system is
  # to be compatible, in order to avoid breaking some software such as
  # database servers. You should change this only after NixOS release
  # notes say you should.
  # https://nixos.org/nixos/manual/release-notes.html
  system.stateVersion = "20.03"; # Did you read the comment?
}
Commit	Line	Data
776aa360	1	{ config, pkgs, name, lib, flakes, ... }:
8a304ef4	2	{
34abd6af IB	3	deployment = {
34abd6af IB	4	targetUser = "root";
05becbbb	5	targetHost = lib.head config.hostEnv.ips.main.ip4;
34abd6af	6	};
282c67a1 IB	7	# ssh-keyscan dilion \| nix-shell -p ssh-to-age --run ssh-to-age
282c67a1 IB	8	secrets.ageKeys = [ "age1x49n6qa0arkdpq8530s7umgm0gqkq90exv4jep97q30rfnzknpaqate06a" ];
34abd6af IB	9	nixpkgs.system = lib.mkOverride 900 "x86_64-linux";
	10	boot = {
	11	loader = {
	12	grub = {
	13	version = 2;
	14	devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" ];
	15	};
	16	timeout = 1;
	17	};
	18	blacklistedKernelModules = [ "nvidiafb" ];
	19	supportedFilesystems = [ "zfs" ];
e34b3079	20	kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
34abd6af IB	21	kernelModules = [ "kvm-intel" ];
	22	initrd.availableKernelModules = [ "ahci" "sd_mod" ];
	23	initrd.secrets = {
	24	"/boot/pass.key" = "/boot/pass.key";
	25	};
	26	kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
6ee77836 IB	27	# available in nixos-20.09
6ee77836 IB	28	#zfs.requestEncryptionCredentials = [ "zpool/root" ];
34abd6af	29	};
34abd6af IB	30	powerManagement.cpuFreqGovernor = "powersave";
	31	hardware.enableRedistributableFirmware = true;
	32
282c67a1	33	myEnv = import ../../../nixops/secrets/environment.nix;
8a304ef4	34
34abd6af	35	swapDevices = [ { label = "swap"; } ];
740a6506	36	fileSystems = {
34abd6af	37	"/" = { fsType = "zfs"; device = "zpool/root"; };
740a6506 IB	38	"/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/fd1c511e-2bc0-49d5-b8bb-95e7e8c8c816"; };
	39	"/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
	40	"/home" = { fsType = "zfs"; device = "zpool/root/home"; };
	41	"/home/immae" = { fsType = "zfs"; device = "zpool/root/home/immae"; };
	42	"/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; };
	43	"/var" = { fsType = "zfs"; device = "zpool/root/var"; };
34abd6af IB	44	"/data" = { fsType = "ext4"; label = "data"; };
34abd6af IB	45	"/nix" = { fsType = "ext4"; label = "nix"; };
740a6506	46	};
34abd6af IB	47
	48	services.udev.extraRules = ''
	49	ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="10:bf:48:7f:e6:3b", NAME="eth0"
	50	'';
740a6506	51
8a304ef4	52	networking = {
31e11cdf	53	hostId = "27c3048d"; # generated with head -c4 /dev/urandom \| od -A none -t x4
8a304ef4	54	firewall.enable = false;
34abd6af	55	interfaces."eth0".ipv4.addresses =
05becbbb IB	56	[ { address = lib.head config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
	57	++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
	58	(n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
	59	(pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips));
34abd6af IB	60	interfaces."eth0".ipv6.addresses =
	61	[ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ]
	62	++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
	63	(n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
	64	config.hostEnv.ips);
	65	defaultGateway = { address = "176.9.10.225"; interface = "eth0"; };
	66	defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
	67	nameservers = [
	68	"213.133.98.98"
	69	"213.133.99.99"
	70	"213.133.100.100"
	71	"2a01:4f8:0:a0a1::add:1010"
	72	"2a01:4f8:0:a102::add:9999"
	73	"2a01:4f8:0:a111::add:9898"
	74	];
8a304ef4 IB	75	};
	76
	77	myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ];
776aa360	78	imports = builtins.attrValues (import ../.. flakes) ++ [ ./dilion/vms.nix ];
8a304ef4	79
6c95e93c	80	system.nssModules = [ pkgs.libvirt ];
2053ddac	81	system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
8a304ef4 IB	82	programs.zsh.enable = true;
8a304ef4 IB	83
200690c9 IB	84	users.users.libvirt = {
	85	hashedPassword = "!";
	86	shell = pkgs.bashInteractive;
	87	isSystemUser = true;
	88	group = "libvirtd";
e34b3079	89	packages = [ pkgs.libressl.nc ];
282c67a1 IB	90	openssh.authorizedKeys.keys = [
	91	config.myEnv.buildbot.ssh_key.public
	92	config.myEnv.sshd.rootKeys.ismael_flony
200690c9	93	];
200690c9 IB	94	};
200690c9 IB	95
e34b3079	96	users.groups.backup = {};
8bf83d7a	97	users.users.backup = {
8bf83d7a IB	98	hashedPassword = "!";
8bf83d7a IB	99	isSystemUser = true;
5dda316b	100	extraGroups = [ "keys" ];
e34b3079	101	group = "backup";
8bf83d7a IB	102	shell = pkgs.bashInteractive;
8bf83d7a IB	103	openssh.authorizedKeys.keys = let
5dda316b	104	zreplConfig = config.secrets.fullPaths."zrepl/zrepl.yml";
8bf83d7a	105	in
5dda316b	106	["command=\"${pkgs.zrepl}/bin/zrepl stdinserver --config ${zreplConfig} eldiron\",restrict ${config.myEnv.zrepl_backup.ssh_key.public}"];
8bf83d7a	107	};
50c100ba	108	security.sudo.extraRules = pkgs.lib.mkAfter [
50c100ba IB	109	{
	110	commands = [
	111	{ command = "/home/immae/.nix-profile/root_scripts/*"; options = [ "NOPASSWD" ]; }
	112	];
	113	users = [ "immae" ];
	114	runAs = "root";
	115	}
8bf83d7a IB	116	];
8bf83d7a IB	117
6c95e93c IB	118	system.activationScripts.libvirtd_exports = ''
	119	install -m 0755 -o root -g root -d /var/lib/caldance
	120	'';
f2bc9fcc	121	virtualisation.docker.enable = true;
740a6506	122	virtualisation.docker.storageDriver = "zfs";
7067c25c	123	virtualisation.libvirtd.enable = true;
e34b3079 IB	124	systemd.services.libvirtd.path = lib.mkAfter [ config.boot.zfs.package ];
	125	users.groups.immae = {};
	126	users.extraUsers.immae.extraGroups = [ "immae" "libvirtd" "docker" ];
7067c25c IB	127	systemd.services.libvirtd.postStart = ''
	128	install -m 0770 -g libvirtd -d /var/lib/libvirt/images
	129	'';
6c95e93c IB	130	systemd.services.socat-caldance = {
	131	description = "Forward ssh port to caldance";
	132	wantedBy = [ "multi-user.target" ];
	133	after = [ "network.target" ];
	134
	135	serviceConfig = {
200690c9	136	ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:caldance:22";
6c95e93c IB	137	};
6c95e93c IB	138	};
7067c25c	139
8a304ef4 IB	140	time.timeZone = "Europe/Paris";
8a304ef4 IB	141	nix = {
e34b3079 IB	142	settings = {
	143	sandbox = "relaxed";
	144	max-jobs = 8;
	145	substituters = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
	146	trusted-public-keys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
	147	};
8a304ef4 IB	148	extraOptions = ''
	149	keep-outputs = true
	150	keep-derivations = true
969d8daf	151	allow-unsafe-native-code-during-evaluation = true
bb9bc238	152	experimental-features = nix-command flakes
8a304ef4 IB	153	#Assumed in NUR
	154	allow-import-from-derivation = true
	155	'';
	156	};
	157
50c100ba IB	158	security.pki.certificateFiles = [
	159	(pkgs.fetchurl {
	160	url = "http://downloads.e.eriomem.net/eriomemca.pem";
	161	sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh";
	162	})
	163	];
	164
8a304ef4 IB	165	# This is equivalent to setting environment.sessionVariables.NIX_PATH
8a304ef4 IB	166	nix.nixPath = [
38ac9a57 IB	167	"home-manager=${pkgs.sources.home-manager.url}"
38ac9a57 IB	168	"nixpkgs=${pkgs.sources.nixpkgs-home-manager.url}"
8a304ef4 IB	169	];
8a304ef4 IB	170
6ee77836	171	myServices.monitoring.enable = true;
ba941296	172	myServices.certificates.enable = true;
83e79a89	173	security.acme.certs."${name}-immae" = config.myServices.certificates.certConfig // {
e34b3079	174	group = "immae";
83e79a89 IB	175	domain = "dilion.immae.eu";
83e79a89 IB	176	};
ba941296	177	security.acme.certs."${name}" = {
ba941296	178	group = config.services.nginx.group;
e34b3079 IB	179	extraDomainNames = [
	180	"dilion.immae.dev"
	181	"caldance.cs.immae.dev"
	182	"zulip.carpentier.earth"
	183	"zulip.tof.carpentier.earth"
	184	"zulip.dine.carpentier.earth"
	185	"zulip.quentin.carpentier.earth"
	186	"zulip.agnes.carpentier.earth"
27da4e10	187
e34b3079	188	"ofn.nc.immae.dev"
cca9aa2e	189
e34b3079 IB	190	"bookstack.cc.immae.dev"
e34b3079 IB	191	];
ba941296	192	};
5db88013	193	systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
ba941296 IB	194	services.nginx = {
	195	enable = true;
	196	recommendedOptimisation = true;
	197	recommendedGzipSettings = true;
	198	recommendedProxySettings = true;
6c95e93c	199	upstreams = {
200690c9	200	caldance.servers."caldance:3031" = {};
6c95e93c	201	};
ba941296	202	virtualHosts = {
7c5e6fe8	203	"dilion.immae.dev" = {
63500b22 IB	204	acmeRoot = config.myServices.certificates.webroot;
	205	useACMEHost = name;
	206	forceSSL = true;
5db88013	207	locations."/".root = "/home/immae/www";
63500b22	208	};
7c5e6fe8	209	"caldance.cs.immae.dev" = {
6c95e93c IB	210	acmeRoot = config.myServices.certificates.webroot;
	211	useACMEHost = name;
	212	forceSSL = true;
	213	locations."/".extraConfig = ''
	214	uwsgi_pass caldance;
	215	'';
	216	locations."/static/".alias = "/var/lib/caldance/caldance/app/www/static/";
	217	locations."/media/".alias = "/var/lib/caldance/caldance/media/";
	218	extraConfig = ''
	219	auth_basic "Authentification requise";
	220	auth_basic_user_file ${pkgs.writeText "htpasswd" config.myEnv.websites.caldance.integration.password};
	221	'';
	222	};
cca9aa2e IB	223	"bookstack.cc.immae.dev" = {
	224	acmeRoot = config.myServices.certificates.webroot;
	225	useACMEHost = name;
	226	forceSSL = true;
	227	locations."/".proxyPass = "http://localhost:4003";
	228	};
27da4e10 IB	229	"ofn.nc.immae.dev" = {
	230	acmeRoot = config.myServices.certificates.webroot;
	231	useACMEHost = name;
	232	forceSSL = true;
	233	locations."/".proxyPass = "http://localhost:3000";
	234	};
55b6d76b IB	235	"zulip.carpentier.earth" = {
	236	acmeRoot = config.myServices.certificates.webroot;
	237	useACMEHost = name;
	238	forceSSL = true;
	239	locations."/".proxyPass = "http://localhost:4002";
	240	};
	241	"zulip.tof.carpentier.earth" = {
	242	acmeRoot = config.myServices.certificates.webroot;
	243	useACMEHost = name;
	244	forceSSL = true;
	245	locations."/".proxyPass = "http://localhost:4002";
	246	};
	247	"zulip.dine.carpentier.earth" = {
	248	acmeRoot = config.myServices.certificates.webroot;
	249	useACMEHost = name;
	250	forceSSL = true;
	251	locations."/".proxyPass = "http://localhost:4002";
	252	};
	253	"zulip.quentin.carpentier.earth" = {
	254	acmeRoot = config.myServices.certificates.webroot;
	255	useACMEHost = name;
	256	forceSSL = true;
	257	locations."/".proxyPass = "http://localhost:4002";
	258	};
	259	"zulip.agnes.carpentier.earth" = {
	260	acmeRoot = config.myServices.certificates.webroot;
	261	useACMEHost = name;
	262	forceSSL = true;
	263	locations."/".proxyPass = "http://localhost:4002";
	264	};
ba941296 IB	265	};
	266	};
	267
5dda316b IB	268	systemd.services.zrepl.serviceConfig.RuntimeDirectory = lib.mkForce "zrepl zrepl/stdinserver";
5dda316b IB	269	systemd.services.zrepl.serviceConfig.User = "backup";
17069bb6	270	# pour eldiron:
5dda316b	271	# zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
17069bb6 IB	272	# pour flony:
17069bb6 IB	273	# zfs allow backup hold,release,bookmark,snapshot,send zpool
e34b3079	274	immaeServices.zrepl = {
5dda316b IB	275	enable = true;
	276	config = ''
	277	global:
	278	control:
	279	sockpath: /run/zrepl/control
	280	serve:
	281	stdinserver:
	282	sockdir: /run/zrepl/stdinserver
	283	jobs:
	284	- type: sink
	285	# must not change
	286	name: "backup-from-eldiron"
	287	root_fs: "zpool/backup"
	288	serve:
17069bb6 IB	289	type: tls
	290	listen: :19000
	291	ca: ${config.secrets.fullPaths."zrepl/certificates/eldiron.crt"}
	292	cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
	293	key: ${config.secrets.fullPaths."zrepl/dilion.key"}
	294	client_cns:
5dda316b	295	- eldiron
17069bb6 IB	296	- type: source
	297	# must not change
	298	name: "backup-to-wd-zpool"
	299	# not encrypted!
	300	serve:
	301	type: tls
	302	listen: :19001
	303	ca: ${config.secrets.fullPaths."zrepl/certificates/flony.crt"}
	304	cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
	305	key: ${config.secrets.fullPaths."zrepl/dilion.key"}
	306	client_cns:
	307	- flony
	308	filesystems:
17069bb6 IB	309	"zpool/libvirt<": true
	310	"zpool/root<": true
	311	snapshotting:
	312	type: manual
e34b3079 IB	313	- type: source
	314	# must not change
	315	name: "backup-to-wd-zpool-docker"
	316	# not encrypted!
	317	serve:
	318	type: tls
	319	listen: :19002
	320	ca: ${config.secrets.fullPaths."zrepl/certificates/flony.crt"}
	321	cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
	322	key: ${config.secrets.fullPaths."zrepl/dilion.key"}
	323	client_cns:
	324	- flony
	325	filesystems:
	326	"zpool/docker<": true
	327	snapshotting:
	328	type: manual
5dda316b IB	329	'';
5dda316b IB	330	};
8a304ef4 IB	331	# This value determines the NixOS release with which your system is
	332	# to be compatible, in order to avoid breaking some software such as
	333	# database servers. You should change this only after NixOS release
	334	# notes say you should.
	335	# https://nixos.org/nixos/manual/release-notes.html
d43e0c61	336	system.stateVersion = "20.03"; # Did you read the comment?
8a304ef4 IB	337	}
8a304ef4 IB	338