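# Base NixOS flake shared by every node of this deployment.
#
# Sibling checkouts are pinned by relative `path:` inputs, so each node
# picks up the environment, secrets, package overlays, uid/gid table and
# backports that live next to it. The only output of interest is the
# `system` NixOS module, re-exported as `nixosModule` for convenience.
{
  inputs.environment.url = "path:../environment";
  inputs.secrets-public.url = "path:../../secrets";
  inputs.mypackages.url = "path:../../mypackages";
  inputs.myuids.url = "path:../../myuids";
  inputs.backports.url = "path:../../backports";

  outputs = { self, secrets-public, mypackages, backports, environment, myuids }: {
    nixosModule = self.nixosModules.system;

    # `name`, `nodes` and `secrets` are extra module arguments provided by the
    # deployment tool (they are not flake inputs): `name` is the node being
    # built and `nodes` the set of all deployed nodes.
    nixosModules.system = { pkgs, lib, config, name, nodes, secrets, options, ... }:
    {
      imports = [
        secrets.nixosModules.users-config-common
        environment.nixosModule
        secrets-public.nixosModule
      ];

      config = {
        myEnv = import secrets.environment-file;
        networking.hostName = name;

        # Secrets are shipped out-of-band by the deployment tool; the file is
        # owned by root and readable by nobody else.
        deployment.keys."vars.yml" = {
          keyCommand = [ pkgs.stdenv.shell "-c" "cat ${secrets.vars-file}" ];
          user = "root";
          group = "root";
          permissions = "0400";
        };

        # Let every node resolve its peers by name via their main IPv4.
        networking.extraHosts = builtins.concatStringsSep "\n"
          (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes);

        # Root only accepts the repository deploy key. `users.users` is used
        # instead of the deprecated `users.extraUsers` alias, matching the
        # acme user declared further down. The sshd PermitRootLogin policy is
        # left at the nixpkgs default here — confirm it forbids passwords.
        users.users.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
        # The deployed vars file is consumed from /run/keys and removed afterwards.
        secrets.deleteSecretsVars = true;
        secrets.secretsVars = "/run/keys/vars.yml";

        services.openssh.enable = true;

        nixpkgs.overlays =
          builtins.attrValues mypackages.overlays ++
          builtins.attrValues backports.overlays ++
          [
            (self: super: {
              postgresql = self.postgresql_pam;
              mariadb = self.mariadb_1011.overrideAttrs(old: {
                passthru = old.passthru // { mysqlVersion = "5.7"; };
              });
            }) # don't put them as generic overlay because of home-manager
          ];

        services.journald.extraConfig = ''
          #Should be "warning" but disabled for now, it prevents anything from being stored
          MaxLevelStore=info
          MaxRetentionSec=1year
        '';

        # Stable ids from the shared uid/gid table so acme-owned files keep
        # their ownership across rebuilds.
        users.groups.acme.gid = myuids.lib.gids.acme;
        users.users.acme.uid = myuids.lib.uids.acme;

        # Baseline tooling installed on every node. The network-capture and
        # inspection tools below (tcpdump, wireshark-cli, mitmproxy, nmap, p0f,
        # ngrep, tcpflow) are here for incident triage; they also enlarge what
        # an attacker with a shell on the host has at hand, so keep the list
        # deliberate rather than growing it by habit.
        environment.systemPackages = [
          pkgs.inetutils
          pkgs.htop
          pkgs.iftop
          pkgs.bind.dnsutils
          pkgs.httpie
          pkgs.iotop
          pkgs.whois
          pkgs.ngrep
          pkgs.tcpdump
          pkgs.wireshark-cli
          pkgs.tcpflow
          pkgs.mitmproxy
          pkgs.nmap
          pkgs.p0f
          pkgs.socat
          pkgs.lsof
          pkgs.psmisc
          pkgs.openssl
          pkgs.wget

          pkgs.pv
          pkgs.smartmontools

          pkgs.git
          pkgs.vim
          pkgs.rsync
          pkgs.strace
          pkgs.sqlite
          pkgs.unzip

          pkgs.jq
          pkgs.yq
        ];

        # Users and passwords come only from configuration, never from
        # interactive changes on the host (mkDefault lets a node override it).
        users.mutableUsers = lib.mkDefault false;

        # NOTE(review): the deployment tool's key-wait unit for vars.yml is
        # force-disabled; presumably the secrets module consumes the file on
        # its own — confirm nothing else orders after this unit.
        systemd.services."vars.yml-key".enable = lib.mkForce false;

        # Isolatable target that brings up nothing but networking and sshd,
        # for maintenance windows.
        systemd.targets.maintenance = {
          description = "Maintenance target with only sshd";
          after = [ "network-online.target" "sshd.service" ];
          requires = [ "network-online.target" "sshd.service" ];
          unitConfig.AllowIsolate = "yes";
        };

        security.acme.acceptTerms = true;
        # Serve a self-signed certificate until the first real issuance
        # succeeds, so nginx can start before ACME has run.
        security.acme.preliminarySelfsigned = true;

        # One certificate per node, named after the node, for its FQDN.
        security.acme.certs = {
          "${name}" = {
            domain = config.hostEnv.fqdn;
          };
        };
        security.acme.defaults = {
          email = "ismael@bouya.org";
          webroot = "/var/lib/acme/acme-challenges";
          postRun = builtins.concatStringsSep "\n" [
            (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
          ];
          # Keep the private key across renewals; only the certificate changes.
          extraLegoRenewFlags = [ "--reuse-key" ];
          keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
          #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
          #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
        };

        # Default vhost for the node's own FQDN: HTTP is redirected to HTTPS
        # and the ACME challenge directory is shared with the cert above.
        services.nginx = {
          recommendedTlsSettings = true;
          virtualHosts = {
            "${config.hostEnv.fqdn}" = {
              acmeRoot = config.security.acme.defaults.webroot;
              useACMEHost = name;
              forceSSL = true;
            };
          };
        };

        # Jail defaults: a ban lasts 12h and is triggered by failures within a
        # 12h window; the per-jail settings below refine the global ones.
        services.fail2ban.jails.DEFAULT = {
          settings.bantime = "12h";
          settings.findtime = "12h";
        };
        services.fail2ban = {
          enable = true;
          #findtime = "12h";
          #bantime = "12h";
          bantime-increment = {
            enable = true; # Enable increment of bantime after each violation
            formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
            #multipliers = "1 2 4 8 16 32 64";
            maxtime = "168h"; # Do not ban for more than 1 week
            overalljails = true; # Calculate the bantime based on all the violations
          };
          maxretry = 10;
          # Never ban our own servers: collect every IPv4 and IPv6 address of
          # every server in the environment (entries without the family are
          # skipped via `or []`).
          ignoreIP = let
            ip4s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip4 or []) v.ips)) (config.myEnv.servers));
            ip6s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip6 or []) v.ips)) (config.myEnv.servers));
          in
            ip4s ++ ip6s;
        };
      };
    };
  };
}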