X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;ds=sidebyside;f=flakes%2Fprivate%2Fsystem%2Fflake.nix;h=04ebbc7dbfb375f7aa60cabb586ec74abcb39960;hb=1a64deeb894dc95e2645a75771732c6cc53a79ad;hpb=fa25ffd4583cc362075cd5e1b4130f33306103f0;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/flakes/private/system/flake.nix b/flakes/private/system/flake.nix
new file mode 100644
index 0000000..04ebbc7
--- /dev/null
+++ b/flakes/private/system/flake.nix
@@ -0,0 +1,168 @@
+{
+ inputs.environment.url = "path:../environment";
+ inputs.secrets-public.url = "path:../../secrets";
+ inputs.mypackages.url = "path:../../mypackages";
+ inputs.myuids.url = "path:../../myuids";
+ inputs.backports.url = "path:../../backports";
+ outputs = { self, secrets-public, mypackages, backports, environment, myuids }: {
+ nixosModule = self.nixosModules.system;
+ nixosModules.system = { pkgs, lib, config, name, nodes, secrets, options, ... }:
+ {
+ imports = [
+ secrets.nixosModules.users-config-common
+ environment.nixosModule
+ secrets-public.nixosModule
+ ];
+ config = {
+ myEnv = import secrets.environment-file;
+ networking.hostName = name;
+ deployment.keys."vars.yml" = {
+ keyCommand = [ pkgs.stdenv.shell "-c" "cat ${secrets.vars-file}" ];
+ user = "root";
+ group = "root";
+ permissions = "0400";
+ };
+
+ networking.extraHosts = builtins.concatStringsSep "\n"
+ (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes);
+
+ users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
+ secrets.deleteSecretsVars = true;
+ secrets.gpgKeys = [
+ ./public_keys/Immae.pub
+ ];
+ secrets.secretsVars = "/run/keys/vars.yml";
+
+ services.openssh.enable = true;
+
+ nixpkgs.overlays =
+ builtins.attrValues mypackages.overlays ++
+ builtins.attrValues backports.overlays ++
+ [
+ (self: super: {
+ postgresql = self.postgresql_pam;
+ mariadb = self.mariadb_106.overrideAttrs(old: {
+ passthru = old.passthru // { mysqlVersion = "5.7"; };
+ });
+ }) # don’t put them as generic overlay because of home-manager
+ ];
+
+ services.journald.extraConfig = ''
+ #Should be "warning" but disabled for now, it prevents anything from being stored
+ MaxLevelStore=info
+ MaxRetentionSec=1year
+ '';
+
+ users.groups.acme.gid = myuids.lib.gids.acme;
+ users.users =
+ builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
+ isNormalUser = true;
+ home = "/home/${x.name}";
+ createHome = true;
+ linger = true;
+ # Enable in latest unstable homeMode = "755";
+ } // x)) (config.hostEnv.users pkgs))
+ // {
+ acme.uid = myuids.lib.uids.acme;
+ };
+ environment.systemPackages = [
+ pkgs.inetutils
+ pkgs.htop
+ pkgs.iftop
+ pkgs.bind.dnsutils
+ pkgs.httpie
+ pkgs.iotop
+ pkgs.whois
+ pkgs.ngrep
+ pkgs.tcpdump
+ pkgs.wireshark-cli
+ pkgs.tcpflow
+ pkgs.mitmproxy
+ pkgs.nmap
+ pkgs.p0f
+ pkgs.socat
+ pkgs.lsof
+ pkgs.psmisc
+ pkgs.openssl
+ pkgs.wget
+
+ pkgs.pv
+ pkgs.smartmontools
+
+ pkgs.git
+ pkgs.vim
+ pkgs.rsync
+ pkgs.strace
+ pkgs.sqlite
+
+ pkgs.jq
+ pkgs.yq
+ ];
+
+ users.mutableUsers = lib.mkDefault false;
+
+ systemd.services."vars.yml-key".enable = lib.mkForce false;
+ systemd.targets.maintenance = {
+ description = "Maintenance target with only sshd";
+ after = [ "network-online.target" "sshd.service" ];
+ requires = [ "network-online.target" "sshd.service" ];
+ unitConfig.AllowIsolate = "yes";
+ };
+
+ security.acme.acceptTerms = true;
+ security.acme.preliminarySelfsigned = true;
+
+ security.acme.certs = {
+ "${name}" = {
+ domain = config.hostEnv.fqdn;
+ };
+ };
+ security.acme.defaults = {
+ email = "ismael@bouya.org";
+ webroot = "/var/lib/acme/acme-challenges";
+ postRun = builtins.concatStringsSep "\n" [
+ (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
+ ];
+ extraLegoRenewFlags = [ "--reuse-key" ];
+ keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
+ #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
+ #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
+ };
+
+ services.nginx = {
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "${config.hostEnv.fqdn}" = {
+ acmeRoot = config.security.acme.defaults.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ };
+ };
+ };
+
+ services.fail2ban.jails.DEFAULT = {
+ settings.bantime = "12h";
+ settings.findtime = "12h";
+ };
+ services.fail2ban = {
+ enable = true;
+ #findtime = "12h";
+ #bantime = "12h";
+ bantime-increment = {
+ enable = true; # Enable increment of bantime after each violation
+ formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+ #multipliers = "1 2 4 8 16 32 64";
+ maxtime = "168h"; # Do not ban for more than 1 week
+ overalljails = true; # Calculate the bantime based on all the violations
+ };
+ maxretry = 10;
+ ignoreIP = let
+ ip4s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip4 or []) v.ips)) (config.myEnv.servers));
+ ip6s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip6 or []) v.ips)) (config.myEnv.servers));
+ in
+ ip4s ++ ip6s;
+ };
+ };
+ };
+ };
+}
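Review bot: `services.openssh.enable = true;` together with the root key installed via `users.extraUsers.root.openssh.authorizedKeys.keys` exposes sshd on every node without turning off password or keyboard-interactive authentication, which the NixOS sshd module leaves enabled by default, so unless one of the imported modules (`users-config-common`, `environment.nixosModule`, `secrets-public.nixosModule`) sets them elsewhere, the hosts accept password guesses and depend on the fail2ban jail (`maxretry = 10`, `bantime = "12h"`) alone. I would pin the policy next to the enable line: `services.openssh.settings.PasswordAuthentication = false;` `services.openssh.settings.KbdInteractiveAuthentication = false;` `services.openssh.settings.PermitRootLogin = "prohibit-password";`. Separately, `extraLegoRenewFlags = [ "--reuse-key" ]` means the ACME private key is never rotated across renewals; a comment such as `# --reuse-key keeps the same TLS key across renewals, so rotate it by hand if it is ever exposed` would make that trade-off explicit for the next maintainer.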