forked from the-distro/infra
meta01: init
Includes: - Raito VM module - Raito proxy aware NGINX module - Base server module - Sysadmin module - New SSH keys - Netbox module Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This commit is contained in:
parent
317400f19a
commit
e3f3c87c0d
11
common/admins.nix
Normal file
11
common/admins.nix
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
{
|
||||||
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
|
# delroth
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV"
|
||||||
|
# raito
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
||||||
|
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFsZ7PMDt80tYXHyScQajNhqH4wuYg/o0OxfOHaZD4rXuT0VIKflKH1M9LslfHWIEH3XNeqhQOziH9r+Ny5JcM="
|
||||||
|
];
|
||||||
|
}
|
22
common/base-server.nix
Normal file
22
common/base-server.nix
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
{ lib, pkgs, ... }: {
|
||||||
|
nix.package = pkgs.lix;
|
||||||
|
services.openssh.enable = lib.mkForce true;
|
||||||
|
|
||||||
|
networking.firewall.enable = true;
|
||||||
|
networking.firewall.logRefusedConnections = false;
|
||||||
|
networking.firewall.logReversePathDrops = true;
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
recommendedOptimisation = lib.mkDefault true;
|
||||||
|
recommendedTlsSettings = lib.mkDefault true;
|
||||||
|
recommendedProxySettings = lib.mkDefault true;
|
||||||
|
recommendedGzipSettings = lib.mkDefault true;
|
||||||
|
};
|
||||||
|
|
||||||
|
nix.gc = {
|
||||||
|
automatic = true;
|
||||||
|
persistent = true;
|
||||||
|
dates = "daily";
|
||||||
|
options = "--delete-older-than 30d";
|
||||||
|
};
|
||||||
|
}
|
9
common/default.nix
Normal file
9
common/default.nix
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./admins.nix
|
||||||
|
./raito-vm.nix
|
||||||
|
./raito-proxy-aware-nginx.nix
|
||||||
|
./base-server.nix
|
||||||
|
./sysadmin
|
||||||
|
];
|
||||||
|
}
|
35
common/raito-proxy-aware-nginx.nix
Normal file
35
common/raito-proxy-aware-nginx.nix
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
# This enables an IPv6-only server which is proxied by kurisu.lahfa.xyz to have proper IPv4 logs via PROXY protocol.
|
||||||
|
{ config, lib, ... }:
|
||||||
|
let
|
||||||
|
inherit (lib) mkEnableOption mkIf;
|
||||||
|
cfg = config.bagel.raito.v6-proxy-awareness;
|
||||||
|
allowedUpstream = "2001:bc8:38ee:99::1/128";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.bagel.raito.v6-proxy-awareness.enable = mkEnableOption "the kurisu.lahfa.xyz's sniproxy awareness for NGINX";
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
services.nginx = {
|
||||||
|
# IPv6-only server
|
||||||
|
defaultListen = [
|
||||||
|
{ addr = "[::0]"; proxyProtocol = true; port = 444; ssl = true; }
|
||||||
|
{ addr = "[::0]"; port = 443; ssl = true; }
|
||||||
|
{ addr = "[::0]"; port = 80; ssl = false; }
|
||||||
|
# Private networking
|
||||||
|
{ addr = "127.0.0.1"; port = 80; ssl = false; }
|
||||||
|
{ addr = "[::1]"; port = 80; ssl = false; }
|
||||||
|
];
|
||||||
|
|
||||||
|
appendHttpConfig = ''
|
||||||
|
# Kurisu node
|
||||||
|
set_real_ip_from ${allowedUpstream};
|
||||||
|
real_ip_header proxy_protocol;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# Move to nftables if firewall is enabled.
|
||||||
|
networking.nftables.enable = true;
|
||||||
|
networking.firewall.extraInputRules = ''
|
||||||
|
ip6 saddr ${allowedUpstream} tcp dport 444 accept
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
155
common/raito-vm.nix
Normal file
155
common/raito-vm.nix
Normal file
|
@ -0,0 +1,155 @@
|
||||||
|
{ lib, config, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.bagel.hardware.raito-vm;
|
||||||
|
inherit (lib) mkEnableOption mkIf mkOption types;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.bagel.hardware.raito-vm = {
|
||||||
|
enable = mkEnableOption "Raito's VM hardware defaults";
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
nat-lan-mac = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
default = null;
|
||||||
|
description = "MAC address for the NAT-LAN interface, autoconfigured via DHCP";
|
||||||
|
};
|
||||||
|
|
||||||
|
wan = {
|
||||||
|
address = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = "IPv6 prefix for WAN. Ask Raito when in doubt.";
|
||||||
|
};
|
||||||
|
mac = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = "MAC address for the WAN interface.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
services.qemuGuest.enable = true;
|
||||||
|
systemd.network.enable = true;
|
||||||
|
security.acme.defaults.email = "bagel-acme@lahfa.xyz";
|
||||||
|
security.acme.acceptTerms = true;
|
||||||
|
|
||||||
|
systemd.network.networks."10-nat-lan" = {
|
||||||
|
matchConfig.Name = "nat-lan";
|
||||||
|
linkConfig.RequiredForOnline = true;
|
||||||
|
DHCP = "yes";
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.network.links."10-nat-lan" = {
|
||||||
|
matchConfig.MACAddress = cfg.networking.nat-lan-mac;
|
||||||
|
linkConfig.Name = "nat-lan";
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.network.networks."10-wan" = {
|
||||||
|
matchConfig.Name = "wan";
|
||||||
|
linkConfig.RequiredForOnline = true;
|
||||||
|
networkConfig.Address = [ cfg.networking.wan.address ];
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.network.links."10-wan" = {
|
||||||
|
matchConfig.MACAddress = cfg.networking.wan.mac;
|
||||||
|
linkConfig.Name = "wan";
|
||||||
|
};
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
|
||||||
|
boot.initrd.kernelModules = [
|
||||||
|
"virtio_balloon"
|
||||||
|
"virtio_console"
|
||||||
|
"virtio_rng"
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [
|
||||||
|
"9p"
|
||||||
|
"9pnet_virtio"
|
||||||
|
"ata_piix"
|
||||||
|
"nvme"
|
||||||
|
"sr_mod"
|
||||||
|
"uhci_hcd"
|
||||||
|
"virtio_blk"
|
||||||
|
"virtio_mmio"
|
||||||
|
"virtio_net"
|
||||||
|
"virtio_pci"
|
||||||
|
"virtio_scsi"
|
||||||
|
"xhci_pci"
|
||||||
|
];
|
||||||
|
|
||||||
|
fileSystems."/boot" = {
|
||||||
|
device = "/dev/disk/by-label/BOOT";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
|
||||||
|
|
||||||
|
boot.initrd.luks.devices.root = {
|
||||||
|
device = "/dev/disk/by-label/root";
|
||||||
|
|
||||||
|
# WARNING: Leaks some metadata, see cryptsetup man page for --allow-discards.
|
||||||
|
# allowDiscards = true;
|
||||||
|
|
||||||
|
# Set your own key with:
|
||||||
|
# cryptsetup luksChangeKey /dev/disk/by-label/root --key-file=/dev/zero --keyfile-size=1
|
||||||
|
# You can then delete the rest of this block.
|
||||||
|
keyFile = "/dev/zero";
|
||||||
|
keyFileSize = 1;
|
||||||
|
|
||||||
|
fallbackToPassword = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/" = {
|
||||||
|
device = "/dev/mapper/root";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [
|
||||||
|
"subvol=root"
|
||||||
|
"compress=zstd"
|
||||||
|
"noatime"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/home" = {
|
||||||
|
device = "/dev/mapper/root";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [
|
||||||
|
"subvol=home"
|
||||||
|
"compress=zstd"
|
||||||
|
"noatime"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nix" = {
|
||||||
|
device = "/dev/mapper/root";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [
|
||||||
|
"subvol=nix"
|
||||||
|
"compress=zstd"
|
||||||
|
"noatime"
|
||||||
|
];
|
||||||
|
neededForBoot = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/etc" = {
|
||||||
|
device = "/dev/mapper/root";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [
|
||||||
|
"subvol=etc"
|
||||||
|
"compress=zstd"
|
||||||
|
"noatime"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/var" = {
|
||||||
|
device = "/dev/mapper/root";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [
|
||||||
|
"subvol=var"
|
||||||
|
"compress=zstd"
|
||||||
|
"noatime"
|
||||||
|
];
|
||||||
|
neededForBoot = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,5 +1,11 @@
|
||||||
{
|
{
|
||||||
machines.bagel-box = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7jmkJ73tx9lsrz9UhqJIJdoqZGuhsHti55xny5/yp";
|
machines = {
|
||||||
|
bagel-box = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7jmkJ73tx9lsrz9UhqJIJdoqZGuhsHti55xny5/yp";
|
||||||
|
meta01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5t9gYorOWgpCFDJgb24pyCKIabGpeI2H/UfdvXODcT";
|
||||||
|
};
|
||||||
|
|
||||||
users.delroth = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV" ];
|
users = {
|
||||||
|
delroth = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV" ];
|
||||||
|
raito = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp" ];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
24
common/sysadmin/default.nix
Normal file
24
common/sysadmin/default.nix
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
{ pkgs, config, lib, ... }:
|
||||||
|
let
|
||||||
|
inherit (lib) mkIf mkEnableOption;
|
||||||
|
cfg = config.bagel.sysadmin;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.bagel.sysadmin.enable = mkEnableOption "sysadmin tooling";
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
wget
|
||||||
|
vim
|
||||||
|
tmux
|
||||||
|
rsync
|
||||||
|
fd
|
||||||
|
ripgrep
|
||||||
|
pv
|
||||||
|
kitty.terminfo
|
||||||
|
config.boot.kernelPackages.perf
|
||||||
|
tcpdump
|
||||||
|
ncdu
|
||||||
|
] ++ lib.optional (lib.hasAttr "pwru" pkgs) pkgs.pwru;
|
||||||
|
};
|
||||||
|
}
|
11
flake.nix
11
flake.nix
|
@ -37,6 +37,17 @@
|
||||||
./hosts/bagel-box
|
./hosts/bagel-box
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
meta01 = {
|
||||||
|
imports = [
|
||||||
|
inputs.agenix.nixosModules.default
|
||||||
|
inputs.hydra.nixosModules.hydra
|
||||||
|
|
||||||
|
./services
|
||||||
|
./common
|
||||||
|
./hosts/meta01.nixpkgs.lahfa.xyz
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -45,16 +45,6 @@
|
||||||
security.acme.defaults.email = "bagel@delroth.net";
|
security.acme.defaults.email = "bagel@delroth.net";
|
||||||
|
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
|
||||||
# delroth
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV"
|
|
||||||
# raito
|
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
|
||||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFsZ7PMDt80tYXHyScQajNhqH4wuYg/o0OxfOHaZD4rXuT0VIKflKH1M9LslfHWIEH3XNeqhQOziH9r+Ny5JcM="
|
|
||||||
|
|
||||||
];
|
|
||||||
|
|
||||||
deployment.targetHost = "bagel-box.delroth.net";
|
deployment.targetHost = "bagel-box.delroth.net";
|
||||||
}
|
}
|
||||||
|
|
29
hosts/meta01.nixpkgs.lahfa.xyz/default.nix
Executable file
29
hosts/meta01.nixpkgs.lahfa.xyz/default.nix
Executable file
|
@ -0,0 +1,29 @@
|
||||||
|
{
|
||||||
|
networking.hostName = "meta01";
|
||||||
|
networking.domain = "nixpkgs.lahfa.xyz";
|
||||||
|
|
||||||
|
time.timeZone = "Europe/Paris";
|
||||||
|
|
||||||
|
bagel.sysadmin.enable = true;
|
||||||
|
# netbox is proxied.
|
||||||
|
bagel.raito.v6-proxy-awareness.enable = true;
|
||||||
|
bagel.hardware.raito-vm = {
|
||||||
|
enable = true;
|
||||||
|
networking = {
|
||||||
|
nat-lan-mac = "bc:24:11:b2:96:d8";
|
||||||
|
wan = {
|
||||||
|
address = "2001:bc8:38ee:100:1000::20/64";
|
||||||
|
mac = "bc:24:11:64:cd:88";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
bagel.services.netbox = {
|
||||||
|
enable = true;
|
||||||
|
domain = "netbox.nixpkgs.lahfa.xyz";
|
||||||
|
};
|
||||||
|
|
||||||
|
i18n.defaultLocale = "fr_FR.UTF-8";
|
||||||
|
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
deployment.targetHost = "meta01.nixpkgs.lahfa.xyz";
|
||||||
|
}
|
|
@ -6,6 +6,7 @@ let
|
||||||
secrets = with keys; {
|
secrets = with keys; {
|
||||||
hydra-s3-credentials = [ machines.bagel-box ];
|
hydra-s3-credentials = [ machines.bagel-box ];
|
||||||
hydra-ssh-key-priv = [ machines.bagel-box ];
|
hydra-ssh-key-priv = [ machines.bagel-box ];
|
||||||
|
netbox-environment = [ machines.netbox01 ];
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
builtins.listToAttrs (
|
builtins.listToAttrs (
|
||||||
|
|
BIN
secrets/netbox-environment.age
Normal file
BIN
secrets/netbox-environment.age
Normal file
Binary file not shown.
|
@ -2,5 +2,6 @@
|
||||||
imports = [
|
imports = [
|
||||||
./hydra
|
./hydra
|
||||||
./postgres
|
./postgres
|
||||||
|
./netbox
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
80
services/netbox/default.nix
Normal file
80
services/netbox/default.nix
Normal file
|
@ -0,0 +1,80 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
|
let
|
||||||
|
EnvironmentFile = [ config.age.secrets.netbox-environment.path ];
|
||||||
|
cfg = config.bagel.services.netbox;
|
||||||
|
inherit (lib) mkEnableOption mkOption mkIf types;
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
options.bagel.services.netbox = {
|
||||||
|
enable = mkEnableOption "Netbox";
|
||||||
|
domain = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
age.secrets.netbox-environment.file = ../../secrets/netbox-environment.age;
|
||||||
|
services = {
|
||||||
|
netbox = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.netbox_3_7;
|
||||||
|
secretKeyFile = "/dev/null";
|
||||||
|
listenAddress = "127.0.0.1";
|
||||||
|
settings = {
|
||||||
|
ALLOWED_HOSTS = [ cfg.domain ];
|
||||||
|
# REMOTE_AUTH_BACKEND = "social_core.backends.open_id_connect.OpenIdConnectAuth";
|
||||||
|
};
|
||||||
|
|
||||||
|
extraConfig = lib.mkForce ''
|
||||||
|
from os import environ as env
|
||||||
|
|
||||||
|
SECRET_KEY = env["SECRET_KEY"]
|
||||||
|
|
||||||
|
# SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env["NETBOX_OIDC_URL"]
|
||||||
|
# SOCIAL_AUTH_OIDC_KEY = env["NETBOX_OIDC_KEY"]
|
||||||
|
# SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
nginx = {
|
||||||
|
enable = true;
|
||||||
|
virtualHosts."${cfg.domain}" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
|
locations."/".proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
|
||||||
|
locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services = {
|
||||||
|
netbox.serviceConfig = {
|
||||||
|
inherit EnvironmentFile;
|
||||||
|
|
||||||
|
TimeoutStartSec = 600;
|
||||||
|
};
|
||||||
|
|
||||||
|
netbox-housekeeping.serviceConfig = {
|
||||||
|
inherit EnvironmentFile;
|
||||||
|
};
|
||||||
|
|
||||||
|
netbox-rq.serviceConfig = {
|
||||||
|
inherit EnvironmentFile;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.nginx.extraGroups = [ "netbox" ];
|
||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
443
|
||||||
|
80
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in a new issue