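# nix-channel --add https://nixos.org/channels/nixos-19.03 nixos
# nix-channel --add https://nixos.org/channels/nixos-unstable unstable
# nix-channel --update
#
# NixOS host configuration for a single-node Gitea instance, fronted by
# nginx with ACME-managed TLS and auto-upgrading from the channels above.
{ config, pkgs, lib, ... }:

let
  # Angle-bracket channel path reconstructed from the `unstable` channel
  # named in the comment above (the original path was lost in extraction).
  # NOTE(review): the binding is not referenced anywhere in the visible
  # config -- confirm it is still needed.
  unstable = import <unstable> {};

  # Out-of-tree secrets; only `pubkey` is read below.
  secrets = import ./secrets.nix;

  hostname = "code.dumpstack.io";
in
{
  # The release's gitea module is disabled, yet no replacement module is
  # visibly imported -- a <unstable/...> path may have been lost in
  # extraction. Without one, `services.gitea` would not be defined.
  # NOTE(review): confirm against the on-disk file.
  disabledModules = [ "services/misc/gitea.nix" ];

  imports = [ ./hardware-configuration.nix ];

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/vda";
  };

  networking.hostName = hostname;

  # Only HTTP/HTTPS are exposed here; the openssh module opens 22 itself.
  # Gitea's own port 3000 stays loopback-only behind the nginx proxy.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
  };

  users.extraUsers.root.openssh.authorizedKeys.keys = [ secrets.pubkey ];

  # Root authenticates with the key above, so password logins are not
  # needed; disabling them removes the SSH brute-force surface.
  services.openssh = {
    enable = true;
    passwordAuthentication = false;
    permitRootLogin = "prohibit-password";
  };

  environment.systemPackages = with pkgs; [ vim ];

  services.gitea = {
    enable = true;
    appName = hostname;
    domain = hostname;
    rootUrl = "https://${hostname}";
    # Private instance: accounts are created by an administrator only.
    extraConfig = ''
      [service]
      DISABLE_REGISTRATION = true
      [ui]
      DEFAULT_THEME = gitea
    '';
  };

  # Deny-list (leading "~") of syscall groups the gitea service is not
  # allowed to use; mkForce replaces, rather than merges with, any filter
  # set by the module.
  systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce
    "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";

  services.nginx = {
    enable = true;
    # Pass the client address/scheme headers through so gitea's logs and
    # generated links see the real client instead of 127.0.0.1, and apply
    # the module's TLS defaults to the ACME-issued certificate.
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."${hostname}" = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://127.0.0.1:3000";
    };
  };

  # Refresh every channel before the upgrade service builds, then reboot
  # only when the upgrade activated a different kernel than the one booted.
  systemd.services.nixos-upgrade.serviceConfig = {
    ExecStartPre = "${pkgs.nix}/bin/nix-channel --update";
    ExecStartPost = pkgs.writeScript "post-upgrade-check" ''
      #!${pkgs.stdenv.shell}
      current=$(readlink -f /run/current-system/kernel)
      booted=$(readlink -f /run/booted-system/kernel)
      if [ "$current" != "$booted" ]; then
        echo "kernel changed, reboot" | systemd-cat --identifier "post-upgrade-check"
        reboot
      else
        echo "same kernel, do not reboot" | systemd-cat --identifier "post-upgrade-check"
      fi
    '';
  };

  system.stateVersion = "19.03";
  system.autoUpgrade.enable = true;

  nix = {
    optimise.automatic = true;
    gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };
  };
}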