Squash changes containing private information
diff --git a/flakes/private/system/flake.nix b/flakes/private/system/flake.nix
new file mode 100644 (file)
index 0000000..04ebbc7
--- /dev/null
@@ -0,0 +1,168 @@
+{
+  inputs.environment.url = "path:../environment";
+  inputs.secrets-public.url = "path:../../secrets";
+  inputs.mypackages.url = "path:../../mypackages";
+  inputs.myuids.url = "path:../../myuids";
+  inputs.backports.url = "path:../../backports";
+  outputs = { self, secrets-public, mypackages, backports, environment, myuids }: {
+    nixosModule = self.nixosModules.system;
+    nixosModules.system = { pkgs, lib, config, name, nodes, secrets, options, ... }:
+      {
+        imports = [
+          secrets.nixosModules.users-config-common
+          environment.nixosModule
+          secrets-public.nixosModule
+        ];
+        config = {
+          myEnv = import secrets.environment-file;
+          networking.hostName = name;
+          deployment.keys."vars.yml" = {
+            keyCommand = [ pkgs.stdenv.shell "-c" "cat ${secrets.vars-file}" ];
+            user = "root";
+            group = "root";
+            permissions = "0400";
+          };
+
+          networking.extraHosts = builtins.concatStringsSep "\n"
+            (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes);
+
+          users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
+          secrets.deleteSecretsVars = true;
+          secrets.gpgKeys = [
+            ./public_keys/Immae.pub
+          ];
+          secrets.secretsVars = "/run/keys/vars.yml";
+
+          services.openssh.enable = true;
+
+          nixpkgs.overlays =
+            builtins.attrValues mypackages.overlays ++
+            builtins.attrValues backports.overlays ++
+            [
+              (self: super: {
+                postgresql = self.postgresql_pam;
+                mariadb = self.mariadb_106.overrideAttrs(old: {
+                  passthru = old.passthru // { mysqlVersion = "5.7"; };
+                });
+              }) # don’t put them as generic overlay because of home-manager
+            ];
+
+          services.journald.extraConfig = ''
+            #Should be "warning" but disabled for now, it prevents anything from being stored
+            MaxLevelStore=info
+            MaxRetentionSec=1year
+            '';
+
+          users.groups.acme.gid = myuids.lib.gids.acme;
+          users.users =
+            builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
+              isNormalUser = true;
+              home = "/home/${x.name}";
+              createHome = true;
+              linger = true;
+              # Enable in latest unstable homeMode = "755";
+            } // x)) (config.hostEnv.users pkgs))
+            // {
+              acme.uid = myuids.lib.uids.acme;
+            };
+          environment.systemPackages = [
+            pkgs.inetutils
+            pkgs.htop
+            pkgs.iftop
+            pkgs.bind.dnsutils
+            pkgs.httpie
+            pkgs.iotop
+            pkgs.whois
+            pkgs.ngrep
+            pkgs.tcpdump
+            pkgs.wireshark-cli
+            pkgs.tcpflow
+            pkgs.mitmproxy
+            pkgs.nmap
+            pkgs.p0f
+            pkgs.socat
+            pkgs.lsof
+            pkgs.psmisc
+            pkgs.openssl
+            pkgs.wget
+
+            pkgs.pv
+            pkgs.smartmontools
+
+            pkgs.git
+            pkgs.vim
+            pkgs.rsync
+            pkgs.strace
+            pkgs.sqlite
+
+            pkgs.jq
+            pkgs.yq
+          ];
+
+          users.mutableUsers = lib.mkDefault false;
+
+          systemd.services."vars.yml-key".enable = lib.mkForce false;
+          systemd.targets.maintenance = {
+            description = "Maintenance target with only sshd";
+            after = [ "network-online.target" "sshd.service" ];
+            requires = [ "network-online.target" "sshd.service" ];
+            unitConfig.AllowIsolate = "yes";
+          };
+
+          security.acme.acceptTerms = true;
+          security.acme.preliminarySelfsigned = true;
+
+          security.acme.certs = {
+            "${name}" = {
+              domain = config.hostEnv.fqdn;
+            };
+          };
+          security.acme.defaults = {
+            email = "ismael@bouya.org";
+            webroot = "/var/lib/acme/acme-challenges";
+            postRun = builtins.concatStringsSep "\n" [
+              (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
+            ];
+            extraLegoRenewFlags = [ "--reuse-key" ];
+            keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
+            #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
+            #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
+          };
+
+          services.nginx = {
+            recommendedTlsSettings = true;
+            virtualHosts = {
+              "${config.hostEnv.fqdn}" = {
+                acmeRoot = config.security.acme.defaults.webroot;
+                useACMEHost = name;
+                forceSSL = true;
+              };
+            };
+          };
+
+          services.fail2ban.jails.DEFAULT = {
+            settings.bantime = "12h";
+            settings.findtime = "12h";
+          };
+          services.fail2ban = {
+            enable = true;
+            #findtime = "12h";
+            #bantime = "12h";
+            bantime-increment = {
+              enable = true; # Enable increment of bantime after each violation
+              formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+              #multipliers = "1 2 4 8 16 32 64";
+              maxtime = "168h"; # Do not ban for more than 1 week
+              overalljails = true; # Calculate the bantime based on all the violations
+            };
+            maxretry = 10;
+            ignoreIP = let
+              ip4s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip4 or []) v.ips)) (config.myEnv.servers));
+              ip6s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip6 or []) v.ips)) (config.myEnv.servers));
+            in
+              ip4s ++ ip6s;
+          };
+        };
+      };
+  };
+}
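Review bot: With `services.openssh.enable = true;` and root's authorized keys populated from `config.myEnv.sshd.rootKeys.nix_repository`, the sshd authentication policy is left entirely to NixOS defaults, which on current releases keep password authentication switched on; the base module should pin it explicitly next to the enable line, e.g. `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` (older releases spell these `services.openssh.passwordAuthentication` / `kbdInteractiveAuthentication`). The imported `users-config-common` module may already set this, but that cannot be confirmed from this file, and a deployment-wide base module is where the policy should be visible. Separately, `systemd.services."vars.yml-key".enable = lib.mkForce false;` disables the unit that would otherwise manage the `vars.yml` deployment key while `secrets.secretsVars` still points at `/run/keys/vars.yml`, with no explanation; a one-line comment stating why the key unit must be off and what delivers the file instead would keep the next maintainer from "fixing" it. Also, `networking.extraHosts` uses `lib.head v.config.hostEnv.ips.main.ip4`, which aborts evaluation for any node whose `ip4` list is empty, whereas the fail2ban `ignoreIP` block tolerates missing addresses with `v.ip4 or []`; the two should agree on whether a missing main address is an error.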