From 9ad228444485b075adff89b6e40652036a717edd Mon Sep 17 00:00:00 2001
From: Emelie Graven
Date: Sat, 18 Dec 2021 09:58:36 +0100
Subject: [PATCH] Unify user configuration, update to nixos-21.11

---
 config/common/services/nginx.nix | 4 +++-
 config/common/users.nix | 19 +++++++++++++++++++
 config/hosts/grondahl/configuration.nix | 9 +--------
 config/hosts/mail/configuration.nix | 9 +--------
 config/hosts/rudiger/configuration.nix | 9 ++------
 config/hosts/wind/configuration.nix | 8 +------
 config/sources/nix/sources.json | 20 ++++++++++----------
 7 files changed, 37 insertions(+), 41 deletions(-)
 create mode 100644 config/common/users.nix

diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix
index ed902f3..6c375a6 100644
--- a/config/common/services/nginx.nix
+++ b/config/common/services/nginx.nix
@@ -9,6 +9,8 @@
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
+ clientMaxBodySize = "100M";
+
 # Only allow PFS-enabled ciphers with AES256
 sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
@@ -24,7 +26,7 @@
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 # Minimize information leaked to other domains
- add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header 'Referrer-Policy' 'same-origin';
 # Disable embedding as a frame
 add_header X-Frame-Options DENY;
diff --git a/config/common/users.nix b/config/common/users.nix
new file mode 100644
index 0000000..f7aaac4
--- /dev/null
+++ b/config/common/users.nix
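Review bot: `clientMaxBodySize = "100M";` is set in the shared nginx module, so it raises the request-body limit for every server and location on every host that imports common/services/nginx.nix, not only the endpoints that actually need large uploads; unauthenticated clients can now push 100 MB bodies at any vhost, which is mostly a resource-exhaustion concern but also widens what reaches backends that were never tested with bodies that size. Unless every vhost needs it, I would keep the global default and put `client_max_body_size 100M;` in the `extraConfig` of the specific location (the Nextcloud or Synapse media upload path, presumably) with a comment like `# Raised for <service> uploads; scoped here rather than in common/nginx.nix`. Which services need the limit is not visible in this hunk, so treat the scoping as a question rather than a hard finding. The enclosing `services.nginx` attrset starts before this hunk.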
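Review bot: The tightened `add_header 'Referrer-Policy' 'same-origin';` (and the sibling `X-Frame-Options` line) only reaches responses from vhosts that declare no `add_header` of their own, because nginx discards all inherited add_header directives as soon as a server or location block defines one; any per-host vhost that adds HSTS or its own CSP will silently drop these. Worth a comment on this block, e.g. `# NOTE: add_header is not inherited into server/location blocks that set their own add_header; repeat these headers there`, and a check of the hosts' vhost definitions, which are outside this hunk. Also consider appending `always` so the header is emitted on error responses too, as the commented-out CSP line already does.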
@@ -0,0 +1,19 @@
+{ ... }:
+{
+ users.users = {
+ emelie = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+ ];
+ };
+ amanda = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwmREgBmckocQerEfO4XhB+dbKDsZopok37ePWHwCEj id_ed25519"
+ ];
+ };
+ };
+}
diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix
index c7a1ea9..2c929e1 100644
--- a/config/hosts/grondahl/configuration.nix
+++ b/config/hosts/grondahl/configuration.nix
@@ -6,6 +6,7 @@
 ./hardware-configuration.nix
 ./data/secrets/secrets.nix
 ../../common/services/ssh.nix
+ ../../common/users.nix
 ./services/acme.nix
 ./services/coturn.nix
 ./services/nginx.nix
@@ -55,14 +56,6 @@
- users.users.emelie = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
- ];
- };
-
 users.groups.acme.members = [ "nginx" "turnserver" ];
 users.groups.backup.members = [ "matrix-synapse" "postgres" ];
diff --git a/config/hosts/mail/configuration.nix b/config/hosts/mail/configuration.nix
index 44fa832..9192dc6 100644
--- a/config/hosts/mail/configuration.nix
+++ b/config/hosts/mail/configuration.nix
@@ -4,6 +4,7 @@
 imports = [
 ./hardware-configuration.nix
 ../../common/services/ssh.nix
+ ../../common/users.nix
 #./services/restic.nix
 ./services/mail.nix
 ./services/acme.nix
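Review bot: This new module does more than relocate emelie's account: it also creates a second `wheel` user, `amanda`, on every host that imports it, and the surrounding hunks import it into all four hosts (grondahl, mail, rudiger, wind), none of which had that account before. On mail this combines with the `security.sudo.wheelNeedsPassword = false;` visible in that host's context lines, so the new SSH key gets passwordless root there; rudiger's `"@wheel"` entry in the context suggests a similar trust grant that I cannot fully see. If that is intended, state it in the commit message and add a header comment to the file, e.g. `# Shared admin accounts: every user here gets wheel on ALL hosts importing this module (passwordless sudo where wheelNeedsPassword = false).`; if not, keep the accounts here but move `extraGroups = [ "wheel" ];` into the host configurations that should grant it. The `id_ed25519` key comment also says nothing about which machine holds the private key, so a `user@host` comment like emelie's would make later revocation easier.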
@@ -25,14 +26,6 @@
 networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:624a::1"; prefixLength = 64; } ];
 networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
- users.users.emelie = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
- ];
- };
-
 security.sudo.wheelNeedsPassword = false;
 environment.systemPackages = with pkgs; [
diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix
index e666c49..f8b5aaa 100644
--- a/config/hosts/rudiger/configuration.nix
+++ b/config/hosts/rudiger/configuration.nix
@@ -6,6 +6,7 @@
 ./hardware-configuration.nix
 ./data/secrets/secrets.nix
 ../../common/services/ssh.nix
+ ../../common/users.nix
 ./services/acme.nix
 ./services/nextcloud.nix
 ./services/nginx.nix
@@ -56,13 +57,7 @@
 "@wheel"
 ];
 };
- users.users.emelie = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
- ];
- };
+
 environment.systemPackages = with pkgs; [
 vim
 wget
diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix
index 5444365..b3b8735 100644
--- a/config/hosts/wind/configuration.nix
+++ b/config/hosts/wind/configuration.nix
@@ -4,6 +4,7 @@
 imports = [
 ./hardware-configuration.nix
 ../../common/services/ssh.nix
+ ../../common/users.nix
 ./services/acme.nix
 ./services/coturn.nix
 ./services/nginx.nix
@@ -33,13 +34,6 @@
 networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:34cb::1"; prefixLength = 64; } ];
 networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
- users.users.emelie = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
- ];
- };
 users.users.deploy = {
 isNormalUser = true;
diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json
index 3098061..4de4eeb 100644
--- a/config/sources/nix/sources.json
+++ b/config/sources/nix/sources.json
@@ -17,22 +17,22 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "5a7e613703ea349fd46b3fa2f3dfe3bd5444d591",
- "sha256": "088z9p9ycsvnghqbksxrssk43wfsnm9caks9lch90jp2x8c8aw7x",
+ "rev": "2a7063461c3751d83869a2a0a8ebc59e34bec5b2",
+ "sha256": "173ms858wni43l2p7vqjarm2bnjdhpii0zgn46750nyfff1f2184",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixos-hardware/archive/5a7e613703ea349fd46b3fa2f3dfe3bd5444d591.tar.gz",
+ "url": "https://github.com/NixOS/nixos-hardware/archive/2a7063461c3751d83869a2a0a8ebc59e34bec5b2.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs": {
- "branch": "nixos-21.05",
+ "branch": "nixos-21.11",
 "description": "Nix Packages collection",
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4",
- "sha256": "1xsp0xyrf8arjkf4wi09n96kbg0r8igsmzx8bhc1nj4nr078p0pg",
+ "rev": "573095944e7c1d58d30fc679c81af63668b54056",
+ "sha256": "07s5cwhskqvy82b4rld9b14ljc0013pig23i3jx3l3f957rk95pg",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/46251a79f752ae1d46ef733e8e9760b6d3429da4.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/573095944e7c1d58d30fc679c81af63668b54056.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixus": {
@@ -41,10 +41,10 @@
 "homepage": "",
 "owner": "Infinisil",
 "repo": "nixus",
- "rev": "851b6b7480815afd0032fd15ebcf23e80e1d7e57",
- "sha256": "1vr39sa7gldwkkhcq70ki878zgnj9z4gvwg85asi2mai0x47f3lb",
+ "rev": "2cfe8fbaefe27062814e39d073e10e894e4d9b34",
+ "sha256": "1blpr4sichhra64jxn7gql705q76qds6py4x4wigk02ady3fmj9z",
 "type": "tarball",
- "url": "https://github.com/Infinisil/nixus/archive/851b6b7480815afd0032fd15ebcf23e80e1d7e57.tar.gz",
+ "url": "https://github.com/Infinisil/nixus/archive/2cfe8fbaefe27062814e39d073e10e894e4d9b34.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }