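{ config, pkgs, lib, ... }:

# Host "leonard": a statically addressed VM (ens18, 192.168.10.207/24) that
# runs MySQL, PostgreSQL and a set of nginx-fronted sites (see ./services).
#
# Egress policy: the host may talk to the internet and to loopback, but NOT
# initiate connections to other devices on the two LAN subnets, with two
# exceptions — DNS towards the configured nameservers and log shipping to Loki.
let
  # iptables(8) only accepts IPv4 destinations; an IPv6 entry in
  # config.networking.nameservers would make the whole firewall script abort.
  # IPv6 egress is not restricted by these rules at all, so v6 resolvers remain
  # reachable without an explicit exception.
  ipv4Nameservers =
    builtins.filter (a: !(lib.hasInfix ":" a)) config.networking.nameservers;

  # Resolvers need both UDP and TCP/53: truncated (TC) answers and larger
  # DNSSEC/zone responses fall back to TCP and would otherwise be refused.
  dnsExceptions = lib.concatMap
    (addr: map
      (proto: "iptables -A OUTPUT -p ${proto} --dport 53 -d ${addr} -j nixos-fw-accept")
      [ "udp" "tcp" ])
    ipv4Nameservers;
in
{
  imports =
    [
      ../../base.nix
      ../../common/metrics-exporters.nix
      ../../common/auto-upgrade.nix
      ./hardware-configuration.nix

      ./services/mysql.nix
      ./services/nginx.nix
      ./services/postgresql.nix

      ./services/wiki-wackattack-eu.nix
      ./services/www-feal-no
      ./services/www-kinealbrigtsen-no.nix
  ];

  # Legacy BIOS boot via GRUB on the first disk.  mkForce is needed because an
  # imported module (presumably base.nix) enables systemd-boot — verify there.
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";


  networking = {
    hostName = "leonard";
    defaultGateway = "192.168.10.1";
    interfaces.ens18.ipv4 = {
      addresses = [
        { address = "192.168.10.207"; prefixLength = 24; }
      ];
    };
    # Used by ZFS (and a few other kernel subsystems) to identify this host.
    hostId = "b99c12d1";

    # Rebuild the IPv4 OUTPUT chain to disallow talking to other devices on LAN.
    #
    # NOTE: networking.firewall.extraCommands is only honoured by the iptables
    # backend (networking.nftables.enable = false, the default).  Enabling
    # nftables would silently drop this egress policy — re-express it as an
    # nftables ruleset before switching.
    #
    # NOTE: "-F OUTPUT" discards any OUTPUT rules other modules may have added;
    # nothing else in this file does so, but check imported modules if a
    # service unexpectedly loses egress.
    #
    # Rule order matters: accepts first, then the RELATED,ESTABLISHED pass so
    # that replies to inbound LAN connections (nginx, metrics scrapes, ...)
    # still flow, and finally the refusals.  The chain policy stays ACCEPT, so
    # anything not matching a refuse rule (internet traffic) is allowed.
    firewall.extraCommands = lib.strings.concatLines ([
      "iptables -F OUTPUT"
      # Traffic to the host's own LAN address (192.168.10.207) is routed over
      # lo but still matches the 192.168.10.0/24 refuse rule below; accept
      # loopback explicitly so local services can reach each other by LAN IP.
      "iptables -A OUTPUT -o lo -j ACCEPT"
    ] ++ dnsExceptions ++ [
      "iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
      "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
      "iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
      "iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
    ]);
  };

  # Per-host secrets; individual sops.secrets entries live in the service modules.
  sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;

  environment.variables = { EDITOR = "vim"; };

  # Do not bump on upgrade; this pins stateful defaults (e.g. database layouts).
  system.stateVersion = "25.05";
}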