home

My NixOS systems configurations.
Log | Files | Refs | LICENSE

kerkouane.nix (8123B)


      1 { pkgs, lib, ... }:
      2 
      3 with lib;
      4 let
      5   hostname = "kerkouane";
      6 
      7   secretPath = ../../secrets/machines.nix;
      8   secretCondition = (builtins.pathExists secretPath);
      9 
     10   isAuthorized = p: builtins.isAttrs p && p.authorized or false;
     11   authorizedKeys = lists.optionals secretCondition (
     12     attrsets.mapAttrsToList
     13       (name: value: value.key)
     14       (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
     15   );
     16 
     17   wireguardIp = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
     18 
     19   nginxExtraConfig = ''
     20     expires 31d;
     21     add_header Cache-Control "public, max-age=604800, immutable";
     22     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
     23     add_header X-Content-Type-Options "nosniff";
     24     add_header X-Frame-Options "SAMEORIGIN";
     25     add_header X-Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems *.demeester.fr";
     26     add_header X-XSS-Protection "1; mode=block";
     27   '';
     28 
     29   nginx = pkgs.nginxMainline.override (old: {
     30     modules = with pkgs.nginxModules; [
     31       fancyindex
     32     ];
     33   });
     34 
     35   filesWWW = {
     36     enableACME = true;
     37     forceSSL = true;
     38     root = "/var/www/dl.sbr.pm";
     39     locations."/" = {
     40       index = "index.html";
     41       extraConfig = ''
     42         fancyindex on;
     43         fancyindex_localtime on;
     44         fancyindex_exact_size off;
     45         fancyindex_header "/.fancyindex/header.html";
     46         fancyindex_footer "/.fancyindex/footer.html";
     47         # fancyindex_ignore "examplefile.html";
     48         fancyindex_ignore "README.md";
     49         fancyindex_ignore "HEADER.md";
     50         fancyindex_ignore ".fancyindex";
     51         fancyindex_name_length 255;
     52       '';
     53     };
     54     locations."/private" = {
     55       extraConfig = ''
     56         auth_basic "Restricted";
     57         auth_basic_user_file /var/www/dl.sbr.pm/private/.htpasswd;
     58       '';
     59     };
     60     extraConfig = nginxExtraConfig;
     61   };
     62 
     63   sources = import ../../nix/sources.nix;
     64 in
     65 {
     66   imports = [
     67     (import ../../users/vincent)
     68     (import ../../users/root)
     69   ];
     70 
     71   networking.hostName = hostname;
     72 
     73   ## From qemu-quest.nix
     74   boot.initrd.availableKernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" ];
     75   boot.initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ];
     76 
     77   boot.initrd.postDeviceCommands =
     78     ''
     79       # Set the system time from the hardware clock to work around a
     80       # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
     81       # to the *boot time* of the host).
     82       hwclock -s
     83     '';
     84 
     85   # START OF DigitalOcean specifics
     86   # FIXME: move this into a secret ?
     87   # This file was populated at runtime with the networking
     88   # details gathered from the active system.
     89   networking = {
     90     nameservers = [
     91       "67.207.67.2"
     92       "67.207.67.3"
     93     ];
     94     defaultGateway = "188.166.64.1";
     95     defaultGateway6 = "";
     96     dhcpcd.enable = false;
     97     usePredictableInterfaceNames = lib.mkForce true;
     98     interfaces = {
     99       eth0 = {
    100         ipv4.addresses = [
    101           { address = "188.166.102.243"; prefixLength = 18; }
    102           { address = "10.18.0.5"; prefixLength = 16; }
    103         ];
    104         ipv6.addresses = [
    105           { address = "fe80::8035:3aff:fe72:1036"; prefixLength = 64; }
    106         ];
    107       };
    108 
    109     };
    110   };
    111   services.udev.extraRules = ''
    112     ATTR{address}=="82:35:3a:72:10:36", NAME="eth0"
    113 
    114   '';
    115   # END OF DigitalOcean specifics
    116 
    117   boot.loader.grub.device = "/dev/vda";
    118   boot.loader.grub.enable = lib.mkForce true;
    119   boot.loader.systemd-boot.enable = lib.mkForce false;
    120   fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
    121   swapDevices = [{ device = "/swapfile"; size = 1024; }];
    122 
    123   core.nix = {
    124     # FIXME move this away
    125     localCaches = [ ];
    126     buildCores = 1;
    127   };
    128 
    129   modules.services = {
    130     wireguard.server.enable = true;
    131     ssh = {
    132       enable = true;
    133       extraConfig = ''
    134 	Match User nginx
    135         ChrootDirectory /var/www
    136         ForceCommand interfal-sftp
    137         AllowTcpForwarding no
    138         PermitTunnel no
    139         X11Forwarding no
    140       '';
    141     };
    142   };
    143 
    144   networking.firewall.allowPing = true;
    145   networking.firewall.allowedTCPPorts = [ 80 443 ];
    146   security = {
    147     acme = {
    148       acceptTerms = true;
    149       email = "vincent@sbr.pm";
    150     };
    151     #acme.certs = {
    152     #  "sbr.pm".email = "vincent@sbr.pm";
    153     #};
    154   };
    155   security.pam.enableSSHAgentAuth = true;
    156   #systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
    157   services = {
    158     gosmee = {
    159       enable = true;
    160       public-url = "https://webhook.sbr.pm";
    161     };
    162     govanityurl = {
    163       enable = true;
    164       user = "nginx";
    165       host = "go.sbr.pm";
    166       config = ''
    167         paths:
    168           /lord:
    169             repo: https://github.com/vdemeester/lord
    170           /ape:
    171             repo: https://git.sr.ht/~vdemeester/ape
    172           /nr:
    173             repo: https://git.sr.ht/~vdemeester/nr
    174           /ram:
    175             repo: https://git.sr.ht/~vdemeester/ram
    176           /sec:
    177             repo: https://git.sr.ht/~vdemeester/sec
    178       '';
    179     };
    180     nginx = {
    181       enable = true;
    182       package = nginx;
    183       recommendedGzipSettings = true;
    184       recommendedTlsSettings = true;
    185       recommendedOptimisation = true;
    186       virtualHosts."dl.sbr.pm" = filesWWW;
    187       virtualHosts."files.sbr.pm" = filesWWW;
    188       virtualHosts."paste.sbr.pm" = {
    189         enableACME = true;
    190         forceSSL = true;
    191         root = "/var/www/paste.sbr.pm";
    192         locations."/" = {
    193           index = "index.html";
    194         };
    195         extraConfig = nginxExtraConfig;
    196       };
    197       virtualHosts."go.sbr.pm" = {
    198         enableACME = true;
    199         forceSSL = true;
    200         locations."/" = { proxyPass = "http://127.0.0.1:8080"; };
    201         extraConfig = nginxExtraConfig;
    202       };
    203       virtualHosts."whoami.sbr.pm" = {
    204         enableACME = true;
    205         forceSSL = true;
    206         locations."/" = {
    207           proxyPass = "http://10.100.0.8:80";
    208           extraConfig = ''
    209             proxy_set_header Host            $host;
    210             proxy_set_header X-Forwarded-For $remote_addr;
    211           '';
    212         };
    213       };
    214       virtualHosts."webhook.sbr.pm" = {
    215         enableACME = true;
    216         forceSSL = true;
    217         locations."/" = {
    218           proxyPass = "http://127.0.0.1:3333";
    219           extraConfig = ''
    220             proxy_buffering off;
    221             proxy_cache off;
    222             proxy_set_header Host            $host;
    223             proxy_set_header X-Forwarded-For $remote_addr;
    224             proxy_set_header Connection "";
    225             proxy_http_version 1.1;
    226             chunked_transfer_encoding off;
    227           '';
    228         };
    229       };
    230       virtualHosts."sbr.pm" = {
    231         enableACME = true;
    232         forceSSL = true;
    233         root = "/var/www/sbr.pm";
    234         locations."/" = {
    235           index = "index.html";
    236         };
    237         extraConfig = nginxExtraConfig;
    238       };
    239       virtualHosts."sbr.systems" = {
    240         enableACME = true;
    241         forceSSL = true;
    242         root = "/var/www/sbr.systems";
    243         locations."/" = {
    244           index = "index.html";
    245         };
    246         extraConfig = nginxExtraConfig;
    247       };
    248       virtualHosts."vincent.demeester.fr" = {
    249         enableACME = true;
    250         forceSSL = true;
    251         root = "/var/www/vincent.demeester.fr";
    252         locations."/" = {
    253           index = "index.html";
    254           extraConfig = ''
    255             default_type text/html;
    256             try_files $uri $uri.html $uri/ = 404;
    257             fancyindex on;
    258             fancyindex_localtime on;
    259             fancyindex_exact_size off;
    260             fancyindex_header "/assets/.fancyindex/header.html";
    261             fancyindex_footer "/assets/.fancyindex/footer.html";
    262             # fancyindex_ignore "examplefile.html";
    263             fancyindex_ignore "README.md";
    264             fancyindex_ignore "HEADER.md";
    265             fancyindex_ignore ".fancyindex";
    266             fancyindex_name_length 255;
    267           '';
    268         };
    269         extraConfig = nginxExtraConfig;
    270       };
    271     };
    272     openssh = {
    273       listenAddresses = [
    274         { addr = wireguardIp; port = 22; }
    275       ];
    276       openFirewall = false;
    277       passwordAuthentication = false;
    278       permitRootLogin = "without-password";
    279     };
    280   };
    281 }
    282