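{ pkgs, lib, ... }:
# NixOS host module for the Hetzner VM: static networking, gitolite + cgit
# behind nginx, an Excalidraw container, and a restic backup of the git
# repositories. Hardware and shared settings come from the two imports.
let
  # One definition of the operator key: the same key is both the root SSH
  # key and the gitolite admin key, so a single binding keeps the two from
  # drifting apart when the key is rotated.
  adminPubkey =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";

  # ACME HTTP-01 challenge location shared by every TLS virtual host.
  acmeChallenge = {
    "/.well-known/acme-challenge" = {
      root = "/var/lib/acme/acme-challenges";
    };
  };
in {
  imports = [ ./hardware/vm-hetzner.nix ./vm-shared.nix ];

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  # Root is reachable over SSH with this key. sshd's PermitRootLogin is not
  # set in this file (presumably in vm-shared.nix) -- confirm it is
  # "prohibit-password" so the key stays the only way in.
  users.users.root.openssh.authorizedKeys.keys = [ adminPubkey ];

  # This file was populated at runtime with the networking
  # details gathered from the active system.
  networking = {
    hostName = "vm-hetzner";
    domain = "net";
    nameservers =
      [ "2a01:4ff:ff00::add:2" "2a01:4ff:ff00::add:1" "185.12.64.1" ];
    defaultGateway = "172.31.1.1";
    defaultGateway6 = {
      address = "fe80::1";
      interface = "eth0";
    };
    # Addresses are static (see interfaces below), so no DHCP client.
    dhcpcd.enable = false;
    # services.udev.extraRules names the NIC "eth0" and the addresses below
    # reference that name, so predictable interface names must stay off.
    usePredictableInterfaceNames = lib.mkForce false;
    interfaces.eth0 = {
      ipv4.addresses = [{
        address = "5.78.87.68";
        prefixLength = 32;
      }];
      ipv6.addresses = [
        {
          address = "2a01:4ff:1f0:d1a3::1";
          prefixLength = 64;
        }
        {
          address = "fe80::9400:3ff:fe98:d6dc";
          prefixLength = 64;
        }
      ];
      # With a /32 on the address, the explicit host routes below are what
      # keep the gateways reachable for the default routes.
      ipv4.routes = [{
        address = "172.31.1.1";
        prefixLength = 32;
      }];
      ipv6.routes = [{
        address = "fe80::1";
        prefixLength = 128;
      }];
    };
    # Only these listeners are reachable from outside; everything else (e.g.
    # the Excalidraw container on 3030) stays on loopback.
    firewall.allowedTCPPorts = [
      22 # ssh
      80 # nginx
      443 # nginx
    ];
  };

  # Pin the NIC name by MAC so the static configuration above binds to it.
  services.udev.extraRules = ''
    ATTR{address}=="96:00:03:98:d6:dc", NAME="eth0"
  '';

  security.acme = {
    defaults.email = "acme@fcuny.net";
    acceptTerms = true;
  };

  # FIXME: I also ran the following as the git user:
  # git config --global init.defaultBranch main
  # to ensure that new repositories are created with the default
  # branch set to `main'.
  # TODO(fcuny): I could create the configuration file to set the default branch
  services.gitolite = {
    enable = true;
    inherit adminPubkey;
    user = "git";
    group = "git";
    # UMASK 0027 makes repositories group-readable (default is 0077).
    # GIT_CONFIG_KEYS is the allow-list of repo-level keys users may set via
    # gitolite; it is limited to the cgit.* keys that cgit reads when
    # enable-git-config is on (see services.cgit.main below).
    extraGitoliteRc = ''
      # Make dirs/files group readable, needed for webserver/cgit. (Default
      # setting is 0077.)
      $RC{UMASK} = 0027;
      $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
      $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
      push( @{$RC{ENABLE}}, 'symbolic-ref' );
    '';
  };

  services.cgit.main = {
    enable = true;
    package = pkgs.cgit-pink;
    # Runs as the gitolite account, so it reads the repositories directly.
    user = "git";
    group = "git";
    # The cgit module attaches its locations to this nginx virtual host.
    nginx.virtualHost = "git.fcuny.net";
    scanPath = "/var/lib/gitolite/repositories";
    settings = {
      css = "/cgit.css";
      logo = "/cgit.png";
      favicon = "/favicon.ico";
      robots = "noindex, nofollow";
      readme = ":README.md";
      project-list = "/var/lib/gitolite/projects.list";
      about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh";
      source-filter =
        "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py";
      # A single URL, so there is nothing to join; $CGIT_REPO_URL is
      # expanded by cgit at request time, not by Nix.
      clone-url = "https://git.fcuny.net/$CGIT_REPO_URL";
      enable-log-filecount = 1;
      enable-log-linecount = 1;
      # Honours per-repository cgit.* keys; which keys can be set at all is
      # restricted by GIT_CONFIG_KEYS in the gitolite rc above.
      enable-git-config = 1;
      enable-blame = 1;
      enable-commit-graph = 1;
      enable-follow-links = 1;
      enable-index-links = 1;
      enable-remote-branches = 1;
      enable-subject-links = 1;
      enable-tree-linenumbers = 1;
      max-atom-items = 108;
      max-commit-count = 250;
      max-repo-count = 500;
      repository-sort = "age";
      snapshots = "tar.gz";
      root-title = "¯\\_(ツ)_/¯";
      root-desc = "source code of my various projects";
    };
  };

  # Excalidraw is only reachable through nginx (draw.fcuny.net); the port
  # mapping is bound to loopback so the container is never exposed directly.
  virtualisation.oci-containers.containers.excalidraw = {
    autoStart = true;
    # FIXME(supply chain): a mutable tag together with --pull=always means
    # every container start deploys whatever the registry currently serves
    # for "latest", with no change to this file. Pinning to a digest
    # ("excalidraw/excalidraw@sha256:<digest>") makes deploys reproducible
    # and reviewable.
    image = "excalidraw/excalidraw:latest";
    environment = { TZ = "America/Los_Angeles"; };
    ports = [ "127.0.0.1:3030:80" ];
    extraOptions = [ "--pull=always" ];
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      "fcuny.net" = {
        # make it the default site: if a request goes through nginx
        # without a host header, this will be the default site we serve
        # for that request.
        default = true;
        forceSSL = true;
        enableACME = true;
        locations = acmeChallenge // {
          "/" = { root = "/srv/www/fcuny.net"; };
        };
      };
      # No "/" location here: cgit adds its own via nginx.virtualHost.
      "git.fcuny.net" = {
        forceSSL = true;
        enableACME = true;
        locations = acmeChallenge;
      };
      "draw.fcuny.net" = {
        forceSSL = true;
        enableACME = true;
        locations = acmeChallenge // {
          # Upstream is the Excalidraw container bound to loopback above.
          "/".proxyPass = "http://127.0.0.1:3030";
        };
      };
    };
  };

  # Snapshot of the gitolite state every 30 minutes into a local restic repo.
  # The repository lives on the same host; off-host replication, if any, is
  # not configured in this file.
  services.restic.backups.git = {
    # Runs as "fcuny", not "git": reading /var/lib/gitolite relies on the
    # 0027 umask above making the repositories group-readable, so fcuny is
    # presumably a member of group "git" -- confirm (not visible here).
    user = "fcuny";
    passwordFile = "/etc/restic.pw";
    repository = "/srv/backups/git";
    initialize = true;
    paths = [ "/var/lib/gitolite" ];
    # Keep the git user's SSH material and shell history out of the backup.
    exclude = [
      "/var/lib/gitolite/.bash_history"
      "/var/lib/gitolite/.ssh"
      "/var/lib/gitolite/.viminfo"
    ];
    extraBackupArgs = [ "--exclude-caches" "--compression=max" ];
    timerConfig = { OnCalendar = "*:0/30"; };
    pruneOpts = [
      "--keep-hourly 36"
      "--keep-daily 7"
      "--keep-weekly 4"
      "--keep-monthly 3"
    ];
  };
}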