entropic/webring
1
0
Fork 0
forked from epesooj/webring
Code Pull requests Activity

Configure host to use SSH certs on the host and client side.

Browse source
This commit is contained in:
DS 2025-03-31 21:30:46 -07:00
parent a872e6f395
commit 55eb37bb47
10 changed files with 129 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

166
host_config/default.nix Normal file
View file

@ -0,0 +1,166 @@
{ self, moduleWithSystem, ... }: {
flake.nixosModules.code-server = moduleWithSystem (
{ ... }: # Note: only explicit parameters are passed to this.
{ pkgs, modulesPath, lib, ... }: {
imports = [
self.inputs.disko.nixosModules.disko
(modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/profiles/headless.nix")
(modulesPath + "/profiles/minimal.nix")
(modulesPath + "/profiles/qemu-guest.nix")
./code_server_disk.nix
];
system.stateVersion = "24.11";
boot.kernelParams = [ "zfs.zfs_arc_max=536870912" ];
boot.zfs.extraPools = [ "zroot" ];
boot.initrd.postMountCommands = lib.mkAfter ''
zfs rollback -r zroot/root@blank
'';
services.zfs.autoScrub.enable = true;
boot.loader.grub = {
enable = true;
# No need to set devices, disko will add all devices that have an EF02 partition to the list already.
# devices = [];
efiSupport = true;
efiInstallAsRemovable = true;
};
fileSystems = {
"/var/lib/systemd" = {
device = "/persisted/var/lib/systemd";
options = [ "bind" ];
};
"/var/lib/forgejo" = {
device = "/persisted/var/lib/forgejo";
options = [ "bind" ];
};
};
networking.hostId = "9f1dfd86"; # Required by ZFS.
networking.useNetworkd = true;
networking.firewall.logRefusedConnections = false;
nix.gc.automatic = true;
nix.gc.dates = "02:15";
services.cloud-init = {
enable = true;
network.enable = true;
settings = {
datasource_list = [ "Hetzner" ];
# The NixOS cloud-init settings declares the entire `system_info` with `lib.mkDefault`, so we need to copy the defaults from it here and make the changes we want to make.
system_info = {
paths = {
cloud_dir = "/persisted/var/lib/cloud";
};
distro = "nixos";
network = {
renderers = [ "networkd" ];
activators = [ "networkd" ];
};
};
cloud_init_modules = [
"migrator"
"seed_random"
"bootcmd"
];
cloud_config_modules = [
"ssh-import-id"
"timezone"
"runcmd"
"ssh"
];
cloud_final_modules = [
"keys-to-console"
"final-message"
"power-state-change"
];
};
};
services.openssh = {
enable = true;
hostKeys = [
{
path = "/persisted/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
settings = {
PasswordAuthentication = false;
};
extraConfig = ''
HostCertificate /persisted/etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /persisted/etc/ssh/user_cas.pub
'';
};
users.users.root = {
home = lib.mkForce "/persisted/root";
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
# UDP allowed for HTTP/3.
networking.firewall.allowedUDPPorts = [ 80 443 ];
services.caddy = {
enable = true;
globalConfig = ''
# Comment this if building the prod image. The following is only useful for testing.
# local_certs
skip_install_trust
'';
virtualHosts."code.akols.com".extraConfig = ''
encode zstd gzip
reverse_proxy http://127.0.0.1:3000
'';
};
services.forgejo = {
enable = true;
package = pkgs.forgejo;
lfs.enable = true;
settings = {
service = {
DISABLE_REGISTRATION = true;
};
database = {
SQLITE_JOURNAL_MODE = "WAL";
};
cache = {
ADAPTER = "twoqueue";
HOST = "{\"size\":100,\"recent_ratio\":0.25,\"ghost_ratio\":0.5}";
};
server = {
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000;
DOMAIN = "code.akols.com";
ROOT_URL = "https://code.akols.com";
};
session = {
COOKIE_SECURE = true;
};
security = {
LOGIN_REMEMBER_DAYS = 365;
};
};
};
}
);
}