kerkouane.nix (8123B)
1 { pkgs, lib, ... }: 2 3 with lib; 4 let 5 hostname = "kerkouane"; 6 7 secretPath = ../../secrets/machines.nix; 8 secretCondition = (builtins.pathExists secretPath); 9 10 isAuthorized = p: builtins.isAttrs p && p.authorized or false; 11 authorizedKeys = lists.optionals secretCondition ( 12 attrsets.mapAttrsToList 13 (name: value: value.key) 14 (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh) 15 ); 16 17 wireguardIp = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}"; 18 19 nginxExtraConfig = '' 20 expires 31d; 21 add_header Cache-Control "public, max-age=604800, immutable"; 22 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; 23 add_header X-Content-Type-Options "nosniff"; 24 add_header X-Frame-Options "SAMEORIGIN"; 25 add_header X-Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems *.demeester.fr"; 26 add_header X-XSS-Protection "1; mode=block"; 27 ''; 28 29 nginx = pkgs.nginxMainline.override (old: { 30 modules = with pkgs.nginxModules; [ 31 fancyindex 32 ]; 33 }); 34 35 filesWWW = { 36 enableACME = true; 37 forceSSL = true; 38 root = "/var/www/dl.sbr.pm"; 39 locations."/" = { 40 index = "index.html"; 41 extraConfig = '' 42 fancyindex on; 43 fancyindex_localtime on; 44 fancyindex_exact_size off; 45 fancyindex_header "/.fancyindex/header.html"; 46 fancyindex_footer "/.fancyindex/footer.html"; 47 # fancyindex_ignore "examplefile.html"; 48 fancyindex_ignore "README.md"; 49 fancyindex_ignore "HEADER.md"; 50 fancyindex_ignore ".fancyindex"; 51 fancyindex_name_length 255; 52 ''; 53 }; 54 locations."/private" = { 55 extraConfig = '' 56 auth_basic "Restricted"; 57 auth_basic_user_file /var/www/dl.sbr.pm/private/.htpasswd; 58 ''; 59 }; 60 extraConfig = nginxExtraConfig; 61 }; 62 63 sources = import ../../nix/sources.nix; 64 in 65 { 66 imports = [ 67 (import ../../users/vincent) 68 (import ../../users/root) 69 ]; 70 71 networking.hostName = hostname; 72 73 ## From qemu-quest.nix 74 boot.initrd.availableKernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" ]; 75 boot.initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ]; 76 77 boot.initrd.postDeviceCommands = 78 '' 79 # Set the system time from the hardware clock to work around a 80 # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised 81 # to the *boot time* of the host). 82 hwclock -s 83 ''; 84 85 # START OF DigitalOcean specifics 86 # FIXME: move this into a secret ? 87 # This file was populated at runtime with the networking 88 # details gathered from the active system. 89 networking = { 90 nameservers = [ 91 "67.207.67.2" 92 "67.207.67.3" 93 ]; 94 defaultGateway = "188.166.64.1"; 95 defaultGateway6 = ""; 96 dhcpcd.enable = false; 97 usePredictableInterfaceNames = lib.mkForce true; 98 interfaces = { 99 eth0 = { 100 ipv4.addresses = [ 101 { address = "188.166.102.243"; prefixLength = 18; } 102 { address = "10.18.0.5"; prefixLength = 16; } 103 ]; 104 ipv6.addresses = [ 105 { address = "fe80::8035:3aff:fe72:1036"; prefixLength = 64; } 106 ]; 107 }; 108 109 }; 110 }; 111 services.udev.extraRules = '' 112 ATTR{address}=="82:35:3a:72:10:36", NAME="eth0" 113 114 ''; 115 # END OF DigitalOcean specifics 116 117 boot.loader.grub.device = "/dev/vda"; 118 boot.loader.grub.enable = lib.mkForce true; 119 boot.loader.systemd-boot.enable = lib.mkForce false; 120 fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; }; 121 swapDevices = [{ device = "/swapfile"; size = 1024; }]; 122 123 core.nix = { 124 # FIXME move this away 125 localCaches = [ ]; 126 buildCores = 1; 127 }; 128 129 modules.services = { 130 wireguard.server.enable = true; 131 ssh = { 132 enable = true; 133 extraConfig = '' 134 Match User nginx 135 ChrootDirectory /var/www 136 ForceCommand interfal-sftp 137 AllowTcpForwarding no 138 PermitTunnel no 139 X11Forwarding no 140 ''; 141 }; 142 }; 143 144 networking.firewall.allowPing = true; 145 networking.firewall.allowedTCPPorts = [ 80 443 ]; 146 security = { 147 acme = { 148 acceptTerms = true; 149 email = "vincent@sbr.pm"; 150 }; 151 #acme.certs = { 152 # "sbr.pm".email = "vincent@sbr.pm"; 153 #}; 154 }; 155 security.pam.enableSSHAgentAuth = true; 156 #systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; 157 services = { 158 gosmee = { 159 enable = true; 160 public-url = "https://webhook.sbr.pm"; 161 }; 162 govanityurl = { 163 enable = true; 164 user = "nginx"; 165 host = "go.sbr.pm"; 166 config = '' 167 paths: 168 /lord: 169 repo: https://github.com/vdemeester/lord 170 /ape: 171 repo: https://git.sr.ht/~vdemeester/ape 172 /nr: 173 repo: https://git.sr.ht/~vdemeester/nr 174 /ram: 175 repo: https://git.sr.ht/~vdemeester/ram 176 /sec: 177 repo: https://git.sr.ht/~vdemeester/sec 178 ''; 179 }; 180 nginx = { 181 enable = true; 182 package = nginx; 183 recommendedGzipSettings = true; 184 recommendedTlsSettings = true; 185 recommendedOptimisation = true; 186 virtualHosts."dl.sbr.pm" = filesWWW; 187 virtualHosts."files.sbr.pm" = filesWWW; 188 virtualHosts."paste.sbr.pm" = { 189 enableACME = true; 190 forceSSL = true; 191 root = "/var/www/paste.sbr.pm"; 192 locations."/" = { 193 index = "index.html"; 194 }; 195 extraConfig = nginxExtraConfig; 196 }; 197 virtualHosts."go.sbr.pm" = { 198 enableACME = true; 199 forceSSL = true; 200 locations."/" = { proxyPass = "http://127.0.0.1:8080"; }; 201 extraConfig = nginxExtraConfig; 202 }; 203 virtualHosts."whoami.sbr.pm" = { 204 enableACME = true; 205 forceSSL = true; 206 locations."/" = { 207 proxyPass = "http://10.100.0.8:80"; 208 extraConfig = '' 209 proxy_set_header Host $host; 210 proxy_set_header X-Forwarded-For $remote_addr; 211 ''; 212 }; 213 }; 214 virtualHosts."webhook.sbr.pm" = { 215 enableACME = true; 216 forceSSL = true; 217 locations."/" = { 218 proxyPass = "http://127.0.0.1:3333"; 219 extraConfig = '' 220 proxy_buffering off; 221 proxy_cache off; 222 proxy_set_header Host $host; 223 proxy_set_header X-Forwarded-For $remote_addr; 224 proxy_set_header Connection ""; 225 proxy_http_version 1.1; 226 chunked_transfer_encoding off; 227 ''; 228 }; 229 }; 230 virtualHosts."sbr.pm" = { 231 enableACME = true; 232 forceSSL = true; 233 root = "/var/www/sbr.pm"; 234 locations."/" = { 235 index = "index.html"; 236 }; 237 extraConfig = nginxExtraConfig; 238 }; 239 virtualHosts."sbr.systems" = { 240 enableACME = true; 241 forceSSL = true; 242 root = "/var/www/sbr.systems"; 243 locations."/" = { 244 index = "index.html"; 245 }; 246 extraConfig = nginxExtraConfig; 247 }; 248 virtualHosts."vincent.demeester.fr" = { 249 enableACME = true; 250 forceSSL = true; 251 root = "/var/www/vincent.demeester.fr"; 252 locations."/" = { 253 index = "index.html"; 254 extraConfig = '' 255 default_type text/html; 256 try_files $uri $uri.html $uri/ = 404; 257 fancyindex on; 258 fancyindex_localtime on; 259 fancyindex_exact_size off; 260 fancyindex_header "/assets/.fancyindex/header.html"; 261 fancyindex_footer "/assets/.fancyindex/footer.html"; 262 # fancyindex_ignore "examplefile.html"; 263 fancyindex_ignore "README.md"; 264 fancyindex_ignore "HEADER.md"; 265 fancyindex_ignore ".fancyindex"; 266 fancyindex_name_length 255; 267 ''; 268 }; 269 extraConfig = nginxExtraConfig; 270 }; 271 }; 272 openssh = { 273 listenAddresses = [ 274 { addr = wireguardIp; port = 22; } 275 ]; 276 openFirewall = false; 277 passwordAuthentication = false; 278 permitRootLogin = "without-password"; 279 }; 280 }; 281 } 282