nixos-wiki-infra/targets/nixos-wiki.nixos.org/configuration.nix
2024-04-01 18:08:27 +02:00

63 lines
1.9 KiB
Nix

{ self, lib, config, ... }:
let
nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
in
{
imports = [
self.nixosModules.nixos-wiki
self.nixosModules.nixos-wiki-backup
self.nixosModules.hcloud
];
users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
system.stateVersion = "23.11";
security.acme.defaults.email = "joerg.letsencrypt@thalheim.io";
sops.secrets.nixos-wiki.owner = config.services.phpfpm.pools.mediawiki.user;
sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user;
networking = {
hostName = "wiki";
domain = "nixos.org";
};
services.nixos-wiki = {
hostname = "wiki.nixos.org";
adminPasswordFile = config.sops.secrets.nixos-wiki.path;
githubClientId = "Iv1.fcbe65bcecdda275";
githubClientSecretFile = config.sops.secrets.nixos-wiki-github-client-secret.path;
emergencyContact = "wiki@nixos.org";
passwordSender = "wiki@wiki.nixos.org";
noReplyAddress = "wiki-no-reply@wiki.nixos.org";
};
services.cloud-init.enable = lib.mkForce false;
systemd.network.networks."10-wan" = {
# match the interface by name
matchConfig.MACAddress = "96:00:03:02:b6:04";
address = [
# configure addresses including subnet mask
"65.21.240.250/32"
# TODO: drop this ip and only keep ::1
"2a01:4f9:c012:8178::/64"
"2a01:4f9:c012:8178::1/64"
];
routes = [
# create default routes for both IPv6 and IPv4
{ routeConfig.Gateway = "fe80::1"; }
# or when the gateway is not on the same network
{
routeConfig = {
Gateway = "172.31.1.1";
GatewayOnLink = true;
};
}
];
# make the routes on this interface a dependency for network-online.target
linkConfig.RequiredForOnline = "routable";
};
sops.defaultSopsFile = ./secrets/secrets.yaml;
boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ];
}