Add testbench and rudiger
parent
0969b36564
commit
6d318bddaa
|
@ -0,0 +1 @@
|
||||||
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7
|
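--- a/config/common/services/nginx.nix
+++ b/config/common/services/nginx.nix
@@ -0,0 +1,43 @@
+{ ... }:
+{
+services.nginx = {
+enable = true;
+
+# Use recommended settings
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+
+# Only allow PFS-enabled ciphers with AES256
+sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+commonHttpConfig = ''
+# Add HSTS header with preloading to HTTPS requests.
+# Adding this header to HTTP requests is discouraged
+map $scheme $hsts_header {
+https "max-age=31536000; includeSubdomains; preload";
+}
+add_header Strict-Transport-Security $hsts_header;
+
+# Enable CSP for your services.
+#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+# Minimize information leaked to other domains
+add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+# Disable embedding as a frame
+add_header X-Frame-Options DENY;
+
+# Prevent injection of code in other mime types (XSS Attacks)
+add_header X-Content-Type-Options nosniff;
+
+# Enable XSS protection of the browser.
+# May be unnecessary when CSP is configured properly (see above)
+add_header X-XSS-Protection "1; mode=block";
+
+# This might create errors
+proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+'';
+};
+}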
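Review bot: `# Only allow PFS-enabled ciphers with AES256` does not describe the list under it, which also admits the AES128-GCM and ChaCha20-Poly1305 suites (all ECDHE/DHE, so the forward-secrecy half is right); replace it with `# Only allow forward-secret (ECDHE/DHE) AEAD suites: AES-GCM 128/256 and ChaCha20-Poly1305`. `commonHttpConfig` also needs a note that nginx `add_header` is not additive across levels: any server or location block that declares its own `add_header` drops every header set here, which is why the hosts importing this module repeat the full set in their `.well-known/matrix/` locations. `X-XSS-Protection "1; mode=block"` is no longer honoured by current browsers; keeping it is harmless, but the comment above it should not present it as protection. Finally, `includeSubdomains; preload` commits every subdomain of every host name served through this module to HTTPS, which is worth stating next to the `map`.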
|
@ -9,4 +9,16 @@
|
||||||
kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
|
kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
|
||||||
macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
|
macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
programs.ssh.knownHosts = {
|
||||||
|
despondos = {
|
||||||
|
hostNames = [ "despondos.nao.sh" ];
|
||||||
|
publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.sshguard = {
|
||||||
|
enable = true;
|
||||||
|
blocktime = 300;
|
||||||
|
};
|
||||||
}
|
}
|
|
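Review bot: `services.sshguard` is now enabled on every host importing this module (the file name is not in view; the hosts import it as `../../common/services/ssh.nix`), but as far as I recall the NixOS sshguard module inserts its blocking rules through `networking.firewall.extraCommands`, so on a host with `networking.firewall.enable = false` — the new nixos-testbed configuration does exactly that — attacks are detected but never blocked; please confirm, and either assert the firewall is on here or record the dependency with `# sshguard blocks via networking.firewall; hosts that disable the firewall get no blocking`. The `programs.ssh.knownHosts` entry pins despondos' host key for the restic sftp jobs, which is the right place for it. Unrelated to the change but visible in the context: `macs` lists `hmac-sha2-512-etm@openssh.com` twice, so one entry is probably meant to be a different algorithm. The enclosing attribute set starts before this hunk.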
@ -5,12 +5,11 @@
|
||||||
[ # Include the results of the hardware scan.
|
[ # Include the results of the hardware scan.
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./data/secrets/secrets.nix
|
./data/secrets/secrets.nix
|
||||||
../../common/services/openssh.nix
|
../../common/services/ssh.nix
|
||||||
./services/acme.nix
|
./services/acme.nix
|
||||||
./services/coturn.nix
|
./services/coturn.nix
|
||||||
./services/nginx.nix
|
./services/nginx.nix
|
||||||
./services/restic.nix
|
./services/restic.nix
|
||||||
./services/sshguard.nix
|
|
||||||
./services/synapse.nix
|
./services/synapse.nix
|
||||||
./services/postgres.nix
|
./services/postgres.nix
|
||||||
];
|
];
|
||||||
|
@ -18,7 +17,7 @@
|
||||||
boot.loader.grub.enable = true;
|
boot.loader.grub.enable = true;
|
||||||
boot.loader.grub.version = 2;
|
boot.loader.grub.version = 2;
|
||||||
boot.loader.grub.device = "/dev/vda";
|
boot.loader.grub.device = "/dev/vda";
|
||||||
|
boot.kernelPackages = pkgs.linuxPackages_5_10;
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "grondahl";
|
hostName = "grondahl";
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
|
@ -65,8 +64,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups.acme.members = [ "nginx" "turnserver" ];
|
users.groups.acme.members = [ "nginx" "turnserver" ];
|
||||||
users.groups.postgres.members = [ "restic" ];
|
users.groups.backup.members = [ "matrix-synapse" "postgres" ];
|
||||||
users.groups.matrix-synapse.members = [ "restic" ];
|
|
||||||
|
|
||||||
# List packages installed in system profile. To search, run:
|
# List packages installed in system profile. To search, run:
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
|
|
|
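Review bot: `boot.kernelPackages = pkgs.linuxPackages_5_10;` pins this host to one LTS branch with no comment saying why, so nobody will know when it is safe to drop; add `# pinned to 5.10 LTS: <reason> — revisit when <condition>` with the actual reason (ZFS/kernel compatibility, if that is it). `users.groups.backup.members = [ "matrix-synapse" "postgres" ];` replaces the two `restic` memberships, so the restic jobs now run as the service users that own the data, which is a least-privilege improvement; presumably `backup` exists so those accounts can read the shared restic secrets, and since nothing in this file says so, a one-line comment on the group would help. The same two points apply to the other host's `configuration.nix` hunks later on this page (`@ -20,6 +19,7 @@` and `@ -65,10 +65,7 @@`).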
@ -1,64 +1,24 @@
|
||||||
{
|
{
|
||||||
services.nginx = {
|
imports = [ ../../../common/services/nginx.nix ];
|
||||||
enable = true;
|
services.nginx.virtualHosts = {
|
||||||
|
"anarkafem.dev" = {
|
||||||
# Use recommended settings
|
useACMEHost = "anarkafem.dev";
|
||||||
recommendedGzipSettings = true;
|
forceSSL = true;
|
||||||
recommendedOptimisation = true;
|
locations."/".root = "/var/www/anarkafem.dev/public";
|
||||||
recommendedProxySettings = true;
|
locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
|
||||||
recommendedTlsSettings = true;
|
locations."/_matrix/federation".return = "403";
|
||||||
|
locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
|
||||||
# Only allow PFS-enabled ciphers with AES256
|
locations."/.well-known/matrix/" = {
|
||||||
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
|
root = "/var/www/matrix/public";
|
||||||
|
extraConfig = ''
|
||||||
commonHttpConfig = ''
|
default_type application/json;
|
||||||
# Add HSTS header with preloading to HTTPS requests.
|
add_header Access-Control-Allow-Origin "*";
|
||||||
# Adding this header to HTTP requests is discouraged
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
map $scheme $hsts_header {
|
add_header Referrer-Policy "origin-when-cross-origin";
|
||||||
https "max-age=31536000; includeSubdomains; preload";
|
add_header X-Frame-Options "DENY";
|
||||||
}
|
add_header X-Content-Type-Options "nosniff";
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
'';
|
||||||
# Enable CSP for your services.
|
|
||||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
|
||||||
|
|
||||||
# Minimize information leaked to other domains
|
|
||||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
|
||||||
|
|
||||||
# Disable embedding as a frame
|
|
||||||
add_header X-Frame-Options DENY;
|
|
||||||
|
|
||||||
# Prevent injection of code in other mime types (XSS Attacks)
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
|
|
||||||
# Enable XSS protection of the browser.
|
|
||||||
# May be unnecessary when CSP is configured properly (see above)
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
|
|
||||||
# This might create errors
|
|
||||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
|
||||||
'';
|
|
||||||
|
|
||||||
virtualHosts = {
|
|
||||||
"anarkafem.dev" = {
|
|
||||||
useACMEHost = "anarkafem.dev";
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/".root = "/var/www/anarkafem.dev/public";
|
|
||||||
locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
|
|
||||||
locations."/_matrix/federation".return = "403";
|
|
||||||
locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
|
|
||||||
locations."/.well-known/matrix/" = {
|
|
||||||
root = "/var/www/matrix/public";
|
|
||||||
extraConfig = ''
|
|
||||||
default_type application/json;
|
|
||||||
add_header Access-Control-Allow-Origin "*";
|
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
|
||||||
add_header Referrer-Policy "origin-when-cross-origin";
|
|
||||||
add_header X-Frame-Options "DENY";
|
|
||||||
add_header X-Content-Type-Options "nosniff";
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
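Review bot: The `.well-known/matrix/` location repeats `Strict-Transport-Security`, `Referrer-Policy`, `X-Frame-Options`, `X-Content-Type-Options` and `X-XSS-Protection`, which the imported common module already sets, with no hint that this is deliberate; it is necessary, because an nginx `add_header` at location level discards every header inherited from the `http` level, so put `# add_header here replaces all inherited headers — keep this list in sync with common/services/nginx.nix` above `default_type`. `add_header Access-Control-Allow-Origin "*";` is what the Matrix well-known endpoint requires and deserves the same one-line justification. `locations."/_matrix/federation".return = "403";` disables federation for this host while the graven.dev nginx.nix further down proxies `/_matrix` unrestricted; if the asymmetry is intended, a comment on this line saves the next reader a comparison. The header note applies equally to the `.well-known/matrix/` location in the graven.dev file.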
@ -9,6 +9,7 @@
|
||||||
timerConfig = { "OnCalendar" = "03:15"; };
|
timerConfig = { "OnCalendar" = "03:15"; };
|
||||||
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
||||||
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
||||||
|
user = "postgres";
|
||||||
};
|
};
|
||||||
"synapse" = {
|
"synapse" = {
|
||||||
paths = [ "/var/lib/matrix-synapse" ];
|
paths = [ "/var/lib/matrix-synapse" ];
|
||||||
|
@ -18,6 +19,7 @@
|
||||||
timerConfig = { "OnCalendar" = "03:45"; };
|
timerConfig = { "OnCalendar" = "03:45"; };
|
||||||
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
||||||
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
||||||
|
user = "matrix-synapse";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
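Review bot: `user = "postgres";` and `user = "matrix-synapse";` make each backup run as the service account that owns the data, which is the right direction, but both jobs still read the same `config.secrets.files.ssh_key.file` and `restic_pass.file`, so those two files now have to be readable by every service user listed here (presumably what the new `backup` group in configuration.nix is for) and a compromise of any one service yields the sftp key and repository password that also cover the other services' repositories on despondos. If per-service isolation is the goal, one key/password pair per job is the follow-up (the `repository` values appear to be per job already); either way a comment at the top of the `services.restic.backups` set stating the secret-sharing model would help. The same applies to the other restic.nix on this page, where `user = "gitea"` and `user = "vaultwarden"` are added as well. The enclosing `services.restic.backups` block starts before this hunk.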
@ -1,7 +0,0 @@
|
||||||
{ ... }:
|
|
||||||
{
|
|
||||||
services.sshguard = {
|
|
||||||
enable = true;
|
|
||||||
blocktime = 300;
|
|
||||||
};
|
|
||||||
}
|
|
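--- a/config/hosts/nixos-testbed/configuration.nix
+++ b/config/hosts/nixos-testbed/configuration.nix
@@ -0,0 +1,49 @@
+{ config, pkgs, lib, ... }:
+
+{
+imports = [
+./hardware-configuration.nix
+../../common/services/ssh.nix
+];
+
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.device = "/dev/sda";
+networking.hostName = "nixos-testbed";
+time.timeZone = "Europe/Copenhagen";
+networking.useDHCP = false;
+networking.interfaces.ens3.useDHCP = true;
+networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ];
+networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+
+users.users.emelie = {
+isNormalUser = true;
+extraGroups = [ "wheel" ];
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+];
+};
+
+security.sudo.wheelNeedsPassword = false;
+
+environment.systemPackages = with pkgs; [
+vim
+htop
+iotop
+dig
+];
+
+nix = {
+autoOptimiseStore = true;
+trustedUsers = [
+"root"
+"@wheel"
+];
+};
+
+# Use hetzner firewall instead
+networking.firewall.enable = false;
+
+system.stateVersion = "21.05";
+
+}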
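Review bot: `trustedUsers = [ "root" "@wheel" ]` makes every wheel member root-equivalent towards the Nix daemon (trusted users may override daemon settings such as substituters and sandboxing), which is consistent with `security.sudo.wheelNeedsPassword = false;` on the same host, but neither line states that `wheel` equals root here; add `# wheel == root on this box: passwordless sudo and Nix daemon trust` above `users.users.emelie`. With `networking.firewall.enable = false;` the sshguard service pulled in through `../../common/services/ssh.nix` most likely has no firewall chain to insert its blocks into (the NixOS module uses the firewall's extra commands, as far as I recall — please confirm), so either keep the firewall enabled with only ssh's own port open, or extend the comment to `# Use hetzner firewall instead; note this also leaves sshguard without a backend`. The same `trustedUsers`/`wheelNeedsPassword` pair appears in `config/hosts/rudiger/configuration.nix` further down.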
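--- a/config/hosts/nixos-testbed/hardware-configuration.nix
+++ b/config/hosts/nixos-testbed/hardware-configuration.nix
@@ -0,0 +1,26 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/profiles/qemu-guest.nix")
+(modulesPath + "/profiles/minimal.nix")
+];
+
+boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "/dev/disk/by-uuid/b5f08f96-c7aa-4c02-86a2-15cfe4134f4d";
+fsType = "ext4";
+};
+
+swapDevices =
+[ { device = "/dev/disk/by-uuid/f36e61f8-337f-4b77-bd63-9b1d0146d73d"; }
+];
+
+}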
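--- a/config/hosts/nixos-testbed/services/nextcloud.nix
+++ b/config/hosts/nixos-testbed/services/nextcloud.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+services.nextcloud = {
+enable = true;
+https = true;
+webfinger = true;
+hostname = "cloud-test.graven.dev";
+
+};
+}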
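Review bot: `hostname = "cloud-test.graven.dev";` is not an option of the NixOS nextcloud module — the option is `hostName`, as the rudiger copy of this file uses — so any configuration importing this file would fail evaluation with an undefined-option error; change it to `hostName = "cloud-test.graven.dev";`. The error is masked right now because `config/hosts/nixos-testbed/configuration.nix` in this same commit does not list `./services/nextcloud.nix` in its `imports`, which makes the file dead code; either import it or drop it. If it is imported, note that unlike the rudiger version it sets no `config.dbtype`/`adminpassFile`, so it would run on the module's default database backend and admin-password handling, which is probably not what a test of the production setup wants.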
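--- a/config/hosts/rudiger/configuration.nix
+++ b/config/hosts/rudiger/configuration.nix
@@ -0,0 +1,81 @@
+{ config, pkgs, ... }:
+
+{
+imports =
+[
+./hardware-configuration.nix
+./data/secrets/secrets.nix
+../../common/services/ssh.nix
+./services/nextcloud.nix
+./services/nginx.nix
+./services/postgres.nix
+];
+
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.device = "/dev/sda";
+
+boot.supportedFilesystems = ["zfs"];
+services.zfs.autoSnapshot.enable = true;
+services.zfs.autoScrub.enable = true;
+
+time.timeZone = "Europe/Copenhagen";
+
+networking = {
+hostName = "rudiger";
+hostId = "8c7b66a4";
+useDHCP = false;
+tempAddresses = "disabled";
+interfaces = {
+"ens3" = {
+ipv4.addresses = [ {
+address = "202.61.202.170";
+prefixLength = 22;
+} ];
+ipv6.addresses = [ {
+address = "2a03:4000:5a:c61::1";
+prefixLength = 64;
+} ];
+};
+};
+defaultGateway = "202.61.200.1";
+defaultGateway6 = {
+address = "fe80::1";
+interface = "ens3";
+};
+nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
+};
+
+nix = {
+autoOptimiseStore = true;
+trustedUsers = [
+"root"
+"@wheel"
+];
+};
+users.users.emelie = {
+isNormalUser = true;
+extraGroups = [ "wheel" ];
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+];
+};
+environment.systemPackages = with pkgs; [
+vim
+wget
+htop
+iotop
+dig
+];
+security.sudo.wheelNeedsPassword = false;
+
+systemd.services."nextcloud-setup" = {
+requires = ["postgresql.service"];
+after = ["postgresql.service"];
+};
+
+networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+# networking.firewall.allowedUDPPorts = [ ... ];
+system.stateVersion = "21.05";
+
+}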
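Review bot: `services.zfs.autoSnapshot.enable = true;` only snapshots datasets that carry the `com.sun:auto-snapshot` property (the NixOS option description says so, please confirm for the pinned nixpkgs), and nothing in this commit sets it on `rpool/safe/*`, so the Nextcloud data on `rpool/safe/nextcloud` may end up with no snapshots at all; either set the property during provisioning or record where it is set, e.g. `# needs com.sun:auto-snapshot=true on rpool/safe/* (set at pool creation)`. `networking.firewall.allowedTCPPorts = [ 22 80 443 ];` lists 22 although the openssh module opens its port by default; harmless, but dropping it keeps the list to what this file owns, and `# networking.firewall.allowedUDPPorts = [ ... ];` is generator boilerplate that can go. The `systemd.services."nextcloud-setup"` ordering follows the NixOS manual's Nextcloud example and is fine.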
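--- a/config/hosts/rudiger/hardware-configuration.nix
+++ b/config/hosts/rudiger/hardware-configuration.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/profiles/qemu-guest.nix")
+(modulesPath + "/profiles/minimal.nix")
+];
+
+boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "rpool/safe/root";
+fsType = "zfs";
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/F220-781F";
+fsType = "vfat";
+};
+
+fileSystems."/home" =
+{ device = "rpool/safe/home";
+fsType = "zfs";
+};
+
+fileSystems."/nix" =
+{ device = "rpool/local/nix";
+fsType = "zfs";
+};
+
+fileSystems."/var/lib/nextcloud" =
+{ device = "rpool/safe/nextcloud";
+fsType = "zfs";
+};
+
+swapDevices =
+[ { device = "/dev/disk/by-uuid/52f7db16-b51b-4b8c-bfea-46184bb3099e"; }
+];
+}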
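--- a/config/hosts/rudiger/services/nextcloud.nix
+++ b/config/hosts/rudiger/services/nextcloud.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }:
+{
+services.nextcloud = {
+enable = true;
+hostName = "cloud.graven.dev";
+#https = true;
+package = pkgs.nextcloud22;
+autoUpdateApps.enable = true;
+maxUploadSize = "10G";
+webfinger = true;
+config = {
+dbtype = "pgsql";
+dbuser = "nextcloud";
+dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+dbname = "nextcloud";
+adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file;
+adminuser = "root";
+};
+};
+}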
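Review bot: Nothing here or in `services/nginx.nix` gives the `cloud.graven.dev` virtual host TLS: the nextcloud module creates `services.nginx.virtualHosts."cloud.graven.dev"` but leaves `forceSSL`/`enableACME` to the user, and `#https = true;` keeps Nextcloud generating plain-http links, so the admin login from `adminpassFile` and every session cookie would travel over port 80, which `configuration.nix` opens. Add `services.nginx.virtualHosts."cloud.graven.dev" = { forceSSL = true; enableACME = true; };` (plus the `security.acme` acceptance settings the other hosts presumably keep in their acme.nix, not in this diff) and re-enable `https = true;`; if the line is commented out on purpose for first boot, say so in the comment together with the condition for turning it back on. `adminuser = "root";` names a Nextcloud account, not the Unix root; a short comment prevents that confusion. `dbhost = "/run/postgresql"` with `ensureUsers` in postgres.nix relies on peer authentication over the socket, which is fine and worth one line.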
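--- a/config/hosts/rudiger/services/nginx.nix
+++ b/config/hosts/rudiger/services/nginx.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+imports = [ ../../../common/services/nginx.nix ];
+}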
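--- a/config/hosts/rudiger/services/postgres.nix
+++ b/config/hosts/rudiger/services/postgres.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+services.postgresql = {
+enable = true;
+ensureDatabases = [ "nextcloud" ];
+ensureUsers = [
+{ name = "nextcloud";
+ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+}
+];
+};
+}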
|
@ -3,7 +3,7 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
../../common/services/openssh.nix
|
../../common/services/ssh.nix
|
||||||
./services/acme.nix
|
./services/acme.nix
|
||||||
./services/coturn.nix
|
./services/coturn.nix
|
||||||
./services/nginx.nix
|
./services/nginx.nix
|
||||||
|
@ -12,7 +12,6 @@
|
||||||
./services/ttrss.nix
|
./services/ttrss.nix
|
||||||
./services/gitea.nix
|
./services/gitea.nix
|
||||||
./services/restic.nix
|
./services/restic.nix
|
||||||
./services/sshguard.nix
|
|
||||||
./services/vaultwarden.nix
|
./services/vaultwarden.nix
|
||||||
./data/secrets/secrets.nix
|
./data/secrets/secrets.nix
|
||||||
];
|
];
|
||||||
|
@ -20,6 +19,7 @@
|
||||||
boot.loader.grub.enable = true;
|
boot.loader.grub.enable = true;
|
||||||
boot.loader.grub.version = 2;
|
boot.loader.grub.version = 2;
|
||||||
boot.loader.grub.device = "/dev/sda";
|
boot.loader.grub.device = "/dev/sda";
|
||||||
|
boot.kernelPackages = pkgs.linuxPackages_5_10;
|
||||||
boot.supportedFilesystems = ["zfs"];
|
boot.supportedFilesystems = ["zfs"];
|
||||||
services.zfs.autoSnapshot.enable = true;
|
services.zfs.autoSnapshot.enable = true;
|
||||||
services.zfs.autoScrub.enable = true;
|
services.zfs.autoScrub.enable = true;
|
||||||
|
@ -65,10 +65,7 @@
|
||||||
# networking.firewall.allowedUDPPortsRanges = [ { from = 49152; to = 49999; } ];
|
# networking.firewall.allowedUDPPortsRanges = [ { from = 49152; to = 49999; } ];
|
||||||
|
|
||||||
users.groups.acme.members = [ "nginx" "turnserver" "gitea" ];
|
users.groups.acme.members = [ "nginx" "turnserver" "gitea" ];
|
||||||
users.groups.postgres.members = [ "restic" ];
|
users.groups.backup.members = [ "matrix-synapse" "postgres" "gitea" "vaultwarden" ];
|
||||||
users.groups.gitea.members = [ "restic" ];
|
|
||||||
users.groups.matrix-synapse.members = [ "restic" ];
|
|
||||||
|
|
||||||
|
|
||||||
system.stateVersion = "21.05";
|
system.stateVersion = "21.05";
|
||||||
|
|
||||||
|
|
|
@ -1,89 +1,79 @@
|
||||||
{
|
{
|
||||||
services.nginx = {
|
imports = [ ../../../common/services/nginx.nix ];
|
||||||
enable = true;
|
services.nginx.virtualHosts = {
|
||||||
|
"graven.dev" = {
|
||||||
# Use recommended settings
|
useACMEHost = "graven.dev";
|
||||||
recommendedGzipSettings = true;
|
forceSSL = true;
|
||||||
recommendedOptimisation = true;
|
locations."/".root = "/var/www/graven.dev/public";
|
||||||
recommendedProxySettings = true;
|
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
|
||||||
recommendedTlsSettings = true;
|
locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
|
||||||
|
locations."/.well-known/matrix/" = {
|
||||||
# Only allow PFS-enabled ciphers with AES256
|
root = "/var/www/matrix/public";
|
||||||
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
|
extraConfig = ''
|
||||||
|
default_type application/json;
|
||||||
commonHttpConfig = ''
|
add_header Access-Control-Allow-Origin "*";
|
||||||
# Add HSTS header with preloading to HTTPS requests.
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
# Adding this header to HTTP requests is discouraged
|
add_header Referrer-Policy "origin-when-cross-origin";
|
||||||
map $scheme $hsts_header {
|
add_header X-Frame-Options "DENY";
|
||||||
https "max-age=31536000; includeSubdomains; preload";
|
add_header X-Content-Type-Options "nosniff";
|
||||||
}
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
'';
|
||||||
|
|
||||||
# Enable CSP for your services.
|
|
||||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
|
||||||
|
|
||||||
# Minimize information leaked to other domains
|
|
||||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
|
||||||
|
|
||||||
# Disable embedding as a frame
|
|
||||||
add_header X-Frame-Options DENY;
|
|
||||||
|
|
||||||
# Prevent injection of code in other mime types (XSS Attacks)
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
|
|
||||||
# Enable XSS protection of the browser.
|
|
||||||
# May be unnecessary when CSP is configured properly (see above)
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
|
|
||||||
# This might create errors
|
|
||||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
|
||||||
'';
|
|
||||||
|
|
||||||
virtualHosts = {
|
|
||||||
"graven.dev" = {
|
|
||||||
useACMEHost = "graven.dev";
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/".root = "/var/www/graven.dev/public";
|
|
||||||
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
|
|
||||||
locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
|
|
||||||
locations."/.well-known/matrix/" = {
|
|
||||||
root = "/var/www/matrix/public";
|
|
||||||
extraConfig = ''
|
|
||||||
default_type application/json;
|
|
||||||
add_header Access-Control-Allow-Origin "*";
|
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
|
||||||
add_header Referrer-Policy "origin-when-cross-origin";
|
|
||||||
add_header X-Frame-Options "DENY";
|
|
||||||
add_header X-Content-Type-Options "nosniff";
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
"rss.graven.dev" = {
|
};
|
||||||
useACMEHost = "graven.dev";
|
"rss.graven.dev" = {
|
||||||
forceSSL = true;
|
useACMEHost = "graven.dev";
|
||||||
|
forceSSL = true;
|
||||||
|
};
|
||||||
|
"git.graven.dev" = {
|
||||||
|
useACMEHost = "graven.dev";
|
||||||
|
forceSSL = true;
|
||||||
|
locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
|
||||||
|
};
|
||||||
|
"vault.graven.dev" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "graven.dev";
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://localhost:8812";
|
||||||
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
"git.graven.dev" = {
|
locations."/notifications/hub" = {
|
||||||
useACMEHost = "graven.dev";
|
proxyPass = "http://localhost:3012";
|
||||||
forceSSL = true;
|
proxyWebsockets = true;
|
||||||
locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
|
|
||||||
};
|
};
|
||||||
"vault.graven.dev" = {
|
locations."/notifications/hub/negotiate" = {
|
||||||
forceSSL = true;
|
proxyPass = "http://localhost:8812";
|
||||||
useACMEHost = "graven.dev";
|
proxyWebsockets = true;
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://localhost:8812";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
locations."/notifications/hub" = {
|
|
||||||
proxyPass = "http://localhost:3012";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
locations."/notifications/hub/negotiate" = {
|
|
||||||
proxyPass = "http://localhost:8812";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
"mta-sts.graven.dev" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "/var/www/mta-sts/public";
|
||||||
|
};
|
||||||
|
"mta-sts.graven.se" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "/var/www/mta-sts/public";
|
||||||
|
};
|
||||||
|
"mta-sts.nao.sh" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "/var/www/mta-sts/public";
|
||||||
|
};
|
||||||
|
"mta-sts.amandag.net" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "/var/www/mta-sts/public";
|
||||||
|
};
|
||||||
|
"mta-sts.queersin.space" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "/var/www/mta-sts/public";
|
||||||
|
};
|
||||||
|
"mta-sts.anarkafem.dev" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "/var/www/mta-sts/public";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
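Review bot: The six `"mta-sts.*"` virtual hosts from `"mta-sts.graven.dev"` to `"mta-sts.anarkafem.dev"` are identical three-line bodies written out by hand, which invites drift the next time one of them gains a setting; generating them from a name list keeps one definition, at the cost of giving the file a `{ lib, ... }:` header (the hunk shows the file starting at `{`, so it currently takes no arguments). Each of them uses `enableACME = true` rather than the `useACMEHost = "graven.dev"` the other hosts use, meaning six separate HTTP-01 certificates and port 80 reachable for every name; that is probably intended, but a comment above the group saying so would help. The `.well-known/matrix/` location here repeats the common module's headers for the same `add_header`-inheritance reason as on grondahl and deserves the same comment.
```nix
{ lib, ... }:
{
  imports = [ ../../../common/services/nginx.nix ];
  services.nginx.virtualHosts = {
    # … unchanged: "graven.dev", "rss.graven.dev", "git.graven.dev", "vault.graven.dev" …
  } // lib.genAttrs [
    "mta-sts.graven.dev" "mta-sts.graven.se" "mta-sts.nao.sh"
    "mta-sts.amandag.net" "mta-sts.queersin.space" "mta-sts.anarkafem.dev"
  ] (_: { forceSSL = true; enableACME = true; root = "/var/www/mta-sts/public"; });
}
```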
@ -11,6 +11,7 @@
|
||||||
timerConfig = { "OnCalendar" = "02:15"; };
|
timerConfig = { "OnCalendar" = "02:15"; };
|
||||||
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
||||||
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
||||||
|
user = "gitea";
|
||||||
};
|
};
|
||||||
"postgres" = {
|
"postgres" = {
|
||||||
paths = [ "/var/lib/postgresql/backup" ];
|
paths = [ "/var/lib/postgresql/backup" ];
|
||||||
|
@ -20,6 +21,7 @@
|
||||||
timerConfig = { "OnCalendar" = "03:00"; };
|
timerConfig = { "OnCalendar" = "03:00"; };
|
||||||
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
||||||
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
||||||
|
user = "postgres";
|
||||||
};
|
};
|
||||||
"synapse" = {
|
"synapse" = {
|
||||||
paths = [ "/var/lib/matrix-synapse" ];
|
paths = [ "/var/lib/matrix-synapse" ];
|
||||||
|
@ -29,15 +31,17 @@
|
||||||
timerConfig = { "OnCalendar" = "03:30"; };
|
timerConfig = { "OnCalendar" = "03:30"; };
|
||||||
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
||||||
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
||||||
|
user = "matrix-synapse";
|
||||||
};
|
};
|
||||||
"vaultwarden" = {
|
"vaultwarden" = {
|
||||||
paths = [ "/var/lib/vaultwarden" ];
|
paths = [ "/var/lib/bitwarden_rs" ];
|
||||||
repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
|
repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
|
||||||
initialize = true;
|
initialize = true;
|
||||||
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
|
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
|
||||||
timerConfig = { "OnCalendar" = "23:45"; };
|
timerConfig = { "OnCalendar" = "23:45"; };
|
||||||
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
||||||
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
||||||
|
user = "vaultwarden";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
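Review bot: `paths = [ "/var/lib/bitwarden_rs" ];` replaces `/var/lib/vaultwarden` with no explanation; as far as I know the NixOS vaultwarden module keeps its state under the historic `bitwarden_rs` directory name, which is the reason for the change, but the next reader will take it for a typo, so annotate it: `paths = [ "/var/lib/bitwarden_rs" ]; # state dir of the NixOS vaultwarden module (historic name)`. The new `user = "vaultwarden";` (and `"gitea"`, `"postgres"`, `"matrix-synapse"` in the earlier hunks) must be able to read that directory plus the shared sftp key and restic password, the same secret-sharing model as in the other restic.nix on this page. The enclosing `services.restic.backups` set starts before the first hunk.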
@ -1,7 +0,0 @@
|
||||||
{ ... }:
|
|
||||||
{
|
|
||||||
services.sshguard = {
|
|
||||||
enable = true;
|
|
||||||
blocktime = 300;
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -17,10 +17,10 @@
|
||||||
"homepage": "",
|
"homepage": "",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixos-hardware",
|
"repo": "nixos-hardware",
|
||||||
"rev": "16fca9df230408608846940981b4037762420b1b",
|
"rev": "3cc8c47af31798040ea62499090540413279f832",
|
||||||
"sha256": "0nvak6dmlcgc4m5s6di82c06c95cmc4iys1ky14y5di27r7qnrma",
|
"sha256": "0l4pflis99q0095rrmxahp1w8jz38znq5pyni4x8n7cgcrv5gwq2",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/NixOS/nixos-hardware/archive/16fca9df230408608846940981b4037762420b1b.tar.gz",
|
"url": "https://github.com/NixOS/nixos-hardware/archive/3cc8c47af31798040ea62499090540413279f832.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
|
@ -29,10 +29,10 @@
|
||||||
"homepage": "",
|
"homepage": "",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "d6b683c0527a7f777b5f2b4db2555891cd5a85f5",
|
"rev": "d0220562772b787d58c48df3434f36da1f552bdc",
|
||||||
"sha256": "0mkinbg2s4mg1ngh773h7rqc898siyigwy2wfz8jaai8k9srpx1n",
|
"sha256": "1nhh4afidrq7crb82ax3f5gqn17scxi7rl6zlxnzcplnwr0waczq",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/NixOS/nixpkgs/archive/d6b683c0527a7f777b5f2b4db2555891cd5a85f5.tar.gz",
|
"url": "https://github.com/NixOS/nixpkgs/archive/d0220562772b787d58c48df3434f36da1f552bdc.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"nixus": {
|
"nixus": {
|
||||||
|
|
|
@ -24,6 +24,12 @@ in import "${sources.nixus}" {} ({ config, ... }: {
|
||||||
switchTimeout = 300;
|
switchTimeout = 300;
|
||||||
successTimeout = 300;
|
successTimeout = 300;
|
||||||
};
|
};
|
||||||
|
rudiger = { lib, config, ... }: {
|
||||||
|
host = "emelie@cloud.graven.dev";
|
||||||
|
configuration = ../config/hosts/rudiger/configuration.nix;
|
||||||
|
switchTimeout = 300;
|
||||||
|
successTimeout = 300;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|
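Review bot: `host = "emelie@cloud.graven.dev";` addresses the deploy target through the Nextcloud service name rather than a host-specific name or the static address the host configuration assigns (`202.61.202.170` in `config/hosts/rudiger/configuration.nix`); if `cloud.graven.dev` is ever moved behind a proxy or CDN, `nixus` will try to switch whatever answers for that record, so prefer an identifier tied to the machine, e.g. `host = "emelie@rudiger.<your-domain>";` or the IP, and pin its host key in the deploying user's known_hosts. The nixos-testbed host added in this commit is not registered here; if that is deliberate (manual deploys only), a one-line comment saying so would spare the next reader the question.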