# NixOS configuration for the host "atuin" (qyliss.net), a Xen guest.  On top
# of the shared server modules it serves a handful of nginx vhosts, terminates
# TLS for an IRC bouncer port, manages ACME certificates, runs a Tor relay and
# acts as a WireGuard gateway for a few peers.
{ config, pkgs, lib, ... }:

let
  # cgit reads this through CGIT_CONFIG in the fastcgi environment below.
  cgitConfig = pkgs.writeText "cgit.conf" ''
    root-desc=Alyssa Ross's personal Git repositories
    root-title=git.qyliss.net
    virtual-root=/
  '';

  # Vhosts as written here.  `forceSSL` and `enableACME` are switched on for
  # every entry unless the entry sets them itself (the catch-all does).
  vhostDefinitions = {
    # Presumably the bouncer's web UI, on the same port the IRC stream proxy
    # below forwards to -- confirm.
    "znc.qyliss.net".locations."/".proxyPass = "http://127.0.0.1:6667/";
    "spectrumos.org".locations."/".return = "https://spectrum-os.org/";
    "spectrum-os.org".locations."/".root = "/var/www/spectrum-os.org";

    # Catch-all for requests whose Host header matches no other vhost.  It
    # reuses the qyliss.net certificate instead of requesting its own, redirects
    # "/" and proxies /dns-query to a local listener on [::1]:4448 (looks like a
    # DoH resolver -- confirm).  Note this path is reachable under any name
    # that resolves to this host.
    default = {
      serverName = null;
      default = true;
      enableACME = false;
      useACMEHost = "qyliss.net";
      locations."/".return = "https://alyssa.is/";
      locations."/dns-query".proxyPass = "http://[::1]:4448/";
    };

    "git.qyliss.net" = {
      root = "${pkgs.cgit}/cgit";
      # Anything not found as a static file under the cgit package is handed
      # to cgit.cgi via fcgiwrap's unix socket.
      locations."@cgit".extraConfig = ''
        fastcgi_param CGIT_CONFIG ${cgitConfig};
        fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
        fastcgi_param PATH_INFO $uri;
        fastcgi_param QUERY_STRING $args;
        fastcgi_param HTTP_HOST $server_name;
        fastcgi_pass unix:/run/fcgiwrap.sock;
      '';
      extraConfig = ''
        try_files $uri @cgit;
      '';
    };
  };

  # Domains that get their own ACME certificate.  Subdomains served by nginx
  # are discovered from the evaluated vhost set (see `acmeCerts`); only extra
  # names nginx does not serve under that suffix need listing here.
  certDomains = {
    "spectrum-os.org".extraDomains = [ "spectrumos.org" ];
    "qyliss.net" = { };
  };

  # Builds `security.acme.certs`: every served vhost name ending in
  # ".<domain>" is folded into that domain's certificate alongside any
  # explicit extraDomains.  The `@ value` binding carries only what was
  # written in `certDomains`, so the defaulted attributes are re-attached with
  # `inherit`.
  acmeCerts =
    let
      orDefault = maybe: fallback: if maybe == null then fallback else maybe;
      asAttrs = val: if lib.isList val then lib.genAttrs val (_: null) else val;

      # Taken from the evaluated vhost set rather than `vhostDefinitions` so
      # vhosts contributed by imported modules are covered too.  A vhost with
      # serverName = null falls back to its attribute name.
      servedNames = lib.mapAttrsToList
        (name: { serverName, ... }: orDefault serverName name)
        config.services.nginx.virtualHosts;

      certFor = domain:
        { postRun ? "systemctl reload nginx.service"
        , webroot ? "/var/lib/acme/acme-challenge"
        , extraDomains ? { }
        , ...
        } @ value:
        let
          subdomains = asAttrs (lib.filter (lib.hasSuffix ".${domain}") servedNames);
        in
        value // {
          inherit postRun webroot;
          extraDomains = subdomains // asAttrs extraDomains;
        };
    in
    lib.mapAttrs certFor certDomains;
in
{
  imports = [
    ../modules/server
    ../modules/server/dns
    ../modules/server/irc
    ../modules/server/nginx
    ../modules/server/tor
    ../modules/users
  ];

  # Xen guest: the root disk appears via xen_blkfront and GRUB goes on xvda.
  boot = {
    initrd.availableKernelModules = [ "xen_blkfront" ];
    kernelPackages = pkgs.linuxPackages;
    loader.grub = {
      enable = true;
      version = 2;
      device = "/dev/xvda";
    };
  };

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/abbb92f4-ea6e-4283-8a86-012516cc1a44";
    fsType = "ext4";
  };

  swapDevices = [
    { device = "/dev/disk/by-uuid/49f18b74-5f6e-4e61-b569-f7cc9dc5c600"; }
  ];

  nix.maxJobs = 2;

  networking = {
    hostName = "atuin";
    domain = "qyliss.net";

    # Static dual-stack addressing; DHCP stays off.
    dhcpcd.enable = false;
    interfaces.eth0 = {
      ipv4.addresses = [ { address = "85.119.82.108"; prefixLength = 21; } ];
      ipv6.addresses = [ { address = "2001:ba8:1f1:f0bc::2"; prefixLength = 64; } ];
    };
    defaultGateway = "85.119.80.1";
    defaultGateway6.address = "2001:ba8:1f1:f0bc::1";

    firewall = {
      # 80/443 for nginx; 6697 is the TLS IRC listener in the stream block
      # further down.  The only UDP port opened is WireGuard's, read back from
      # the interface definition so the two cannot drift apart.
      allowedTCPPorts = [ 80 443 6697 ];
      allowedUDPPorts = [ config.networking.wireguard.interfaces.wg0.listenPort ];

      # NOTE(review): this masquerades 10.100.0.0/24, which is neither the wg0
      # address (10.172.171.1) nor any peer's allowedIPs below, and
      # networking.nat is already set up to masquerade traffic arriving on
      # wg0.  Confirm the rule is still needed.  It is also appended straight
      # to POSTROUTING rather than a chain the firewall module manages, so a
      # matching extraStopCommands would keep it from accumulating across
      # firewall restarts -- verify against the firewall module in use.
      extraCommands = ''
        iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
      '';
    };

    # WireGuard peers reach the outside world through eth0.
    nat = {
      enable = true;
      externalInterface = "eth0";
      internalInterfaces = [ "wg0" ];
    };

    wireguard.interfaces.wg0 = {
      ips = [ "10.172.171.1" ];
      listenPort = 51820;
      privateKeyFile = "/var/lib/wireguard/wg0/private";
      # allowedIPs is both the route towards the peer and the source filter
      # applied to what the peer may send; the third peer is allowed a whole
      # /24 behind it.
      peers = [
        {
          publicKey = "oQZ3fcb9LsnQj8sDYLHf1+hodnW4XEhsM0rNBgHROz8=";
          allowedIPs = [ "10.172.171.2/32" ];
        }
        {
          publicKey = "lu4ZxYq7qpkmIt8z0Q/wb5Y0Wc3fa0ui9wOWn/+xYxI=";
          allowedIPs = [ "10.172.171.3/32" ];
        }
        {
          publicKey = "ugHG/NOqM/9hde9EmWpu7XsCpjT3WQbjLK99IGHtdjQ=";
          allowedIPs = [ "10.13.12.0/24" ];
        }
      ];
    };
  };

  security.acme = {
    acceptTerms = true;
    email = "hi@alyssa.is";
    certs = acmeCerts;
  };

  services.nginx = {
    virtualHosts = lib.mapAttrs
      (_: { forceSSL ? true, enableACME ? true, ... } @ args:
        args // { inherit forceSSL enableACME; })
      vhostDefinitions;

    # TLS termination for IRC: 6697 is forwarded in the clear to the local
    # bouncer on 6667 using the qyliss.net certificate, so that certificate's
    # postRun reload also picks up renewals for this listener.
    appendConfig = ''
      stream {
        server {
          listen 6697 ssl;
          ssl_certificate /var/lib/acme/qyliss.net/fullchain.pem;
          ssl_certificate_key /var/lib/acme/qyliss.net/key.pem;
          proxy_pass 127.0.0.1:6667;
        }
      }
    '';
  };

  # Bandwidth-capped Tor relay; the accounting window resets daily at noon.
  services.tor.relay = {
    accountingMax = "20 GBytes";
    accountingStart = "day 12:00";
  };

  system.stateVersion = "18.03";
}