emelie/nix-deploy
1
0
Fork 0
Code Issues 1 Pull requests 1 Projects Releases Wiki Activity

Unify user configuration, update to nixos-21.11

Browse source
This commit is contained in:
Emelie Graven 2021-12-18 09:58:36 +01:00
parent bb394d63a6
commit 9ad2284444
Signed by: emelie
GPG key ID: C11123726DBB55A1
7 changed files with 37 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
config/common/services/nginx.nix
View file

@ -9,6 +9,8 @@
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
clientMaxBodySize = "100M";
# Only allow PFS-enabled ciphers with AES256 # Only allow PFS-enabled ciphers with AES256
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
@ -24,7 +26,7 @@
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains # Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin'; add_header 'Referrer-Policy' 'same-origin';
# Disable embedding as a frame # Disable embedding as a frame
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;

19
config/common/users.nix Normal file
View file

@ -0,0 +1,19 @@
{ ... }:
{
users.users = {
emelie = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
];
};
amanda = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwmREgBmckocQerEfO4XhB+dbKDsZopok37ePWHwCEj id_ed25519"
];
};
};
}

9
config/hosts/grondahl/configuration.nix
View file

@ -6,6 +6,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./data/secrets/secrets.nix ./data/secrets/secrets.nix
../../common/services/ssh.nix ../../common/services/ssh.nix
../../common/users.nix
./services/acme.nix ./services/acme.nix
./services/coturn.nix ./services/coturn.nix
./services/nginx.nix ./services/nginx.nix
@ -55,14 +56,6 @@
users.users.emelie = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
];
};
users.groups.acme.members = [ "nginx" "turnserver" ]; users.groups.acme.members = [ "nginx" "turnserver" ];
users.groups.backup.members = [ "matrix-synapse" "postgres" ]; users.groups.backup.members = [ "matrix-synapse" "postgres" ];

9
config/hosts/mail/configuration.nix
View file

@ -4,6 +4,7 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/services/ssh.nix ../../common/services/ssh.nix
../../common/users.nix
#./services/restic.nix #./services/restic.nix
./services/mail.nix ./services/mail.nix
./services/acme.nix ./services/acme.nix
@ -25,14 +26,6 @@
networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:624a::1"; prefixLength = 64; } ]; networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:624a::1"; prefixLength = 64; } ];
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
users.users.emelie = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
];
};
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

9
config/hosts/rudiger/configuration.nix
View file

@ -6,6 +6,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./data/secrets/secrets.nix ./data/secrets/secrets.nix
../../common/services/ssh.nix ../../common/services/ssh.nix
../../common/users.nix
./services/acme.nix ./services/acme.nix
./services/nextcloud.nix ./services/nextcloud.nix
./services/nginx.nix ./services/nginx.nix
@ -56,13 +57,7 @@
"@wheel" "@wheel"
]; ];
}; };
users.users.emelie = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
];
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
vim vim
wget wget

8
config/hosts/wind/configuration.nix
View file

@ -4,6 +4,7 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/services/ssh.nix ../../common/services/ssh.nix
../../common/users.nix
./services/acme.nix ./services/acme.nix
./services/coturn.nix ./services/coturn.nix
./services/nginx.nix ./services/nginx.nix
@ -33,13 +34,6 @@
networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:34cb::1"; prefixLength = 64; } ]; networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:34cb::1"; prefixLength = 64; } ];
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
users.users.emelie = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
];
};
users.users.deploy = { users.users.deploy = {
isNormalUser = true; isNormalUser = true;

20
config/sources/nix/sources.json
View file

@ -17,22 +17,22 @@
"homepage": "", "homepage": "",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "5a7e613703ea349fd46b3fa2f3dfe3bd5444d591", "rev": "2a7063461c3751d83869a2a0a8ebc59e34bec5b2",
"sha256": "088z9p9ycsvnghqbksxrssk43wfsnm9caks9lch90jp2x8c8aw7x", "sha256": "173ms858wni43l2p7vqjarm2bnjdhpii0zgn46750nyfff1f2184",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixos-hardware/archive/5a7e613703ea349fd46b3fa2f3dfe3bd5444d591.tar.gz", "url": "https://github.com/NixOS/nixos-hardware/archive/2a7063461c3751d83869a2a0a8ebc59e34bec5b2.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"nixpkgs": { "nixpkgs": {
"branch": "nixos-21.05", "branch": "nixos-21.11",
"description": "Nix Packages collection", "description": "Nix Packages collection",
"homepage": "", "homepage": "",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4", "rev": "573095944e7c1d58d30fc679c81af63668b54056",
"sha256": "1xsp0xyrf8arjkf4wi09n96kbg0r8igsmzx8bhc1nj4nr078p0pg", "sha256": "07s5cwhskqvy82b4rld9b14ljc0013pig23i3jx3l3f957rk95pg",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/46251a79f752ae1d46ef733e8e9760b6d3429da4.tar.gz", "url": "https://github.com/NixOS/nixpkgs/archive/573095944e7c1d58d30fc679c81af63668b54056.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"nixus": { "nixus": {
@ -41,10 +41,10 @@
"homepage": "", "homepage": "",
"owner": "Infinisil", "owner": "Infinisil",
"repo": "nixus", "repo": "nixus",
"rev": "851b6b7480815afd0032fd15ebcf23e80e1d7e57", "rev": "2cfe8fbaefe27062814e39d073e10e894e4d9b34",
"sha256": "1vr39sa7gldwkkhcq70ki878zgnj9z4gvwg85asi2mai0x47f3lb", "sha256": "1blpr4sichhra64jxn7gql705q76qds6py4x4wigk02ady3fmj9z",
"type": "tarball", "type": "tarball",
"url": "https://github.com/Infinisil/nixus/archive/851b6b7480815afd0032fd15ebcf23e80e1d7e57.tar.gz", "url": "https://github.com/Infinisil/nixus/archive/2cfe8fbaefe27062814e39d073e10e894e4d9b34.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
} }
} }