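{
  # Sibling flakes of the same repository, referenced by relative path so the
  # whole tree is evaluated from a single checkout.
  inputs.environment.url = "path:../environment";
  inputs.secrets-public.url = "path:../../secrets";
  inputs.mypackages.url = "path:../../mypackages";
  inputs.myuids.url = "path:../../myuids";
  inputs.backports.url = "path:../../backports";
  outputs = { self, secrets-public, mypackages, backports, environment, myuids }: {
    nixosModule = self.nixosModules.system;
    # Base NixOS module shared by every deployed host.  `name`, `nodes` and
    # `secrets` are extra module arguments supplied by the deployment tooling
    # (they are not nixpkgs options).
    nixosModules.system = { pkgs, lib, config, name, nodes, secrets, options, ... }:
    {
      imports = [
        secrets.nixosModules.users-config-common
        environment.nixosModule
        secrets-public.nixosModule
      ];
      config = {
        myEnv = import secrets.environment-file;
        networking.hostName = name;
        # The secrets file is read on the deploying machine and shipped to the
        # host as a deployment key under /run/keys, root-only (0400).  The
        # path is shell-quoted so a space or glob character in it can never be
        # reinterpreted by `sh -c`.
        deployment.keys."vars.yml" = {
          keyCommand = [ pkgs.stdenv.shell "-c" "cat ${lib.escapeShellArg "${secrets.vars-file}"}" ];
          user = "root";
          group = "root";
          permissions = "0400";
        };

        # Every node of the deployment resolves every other node by its main
        # IPv4 address.  NOTE(review): `lib.head` throws if a node declares an
        # empty ip4 list — confirm hostEnv guarantees at least one address.
        networking.extraHosts = builtins.concatStringsSep "\n"
          (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes);

        # Only the repository's deployment key may log in as root; the sshd
        # settings below make that key-only.
        users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
        # Secrets are consumed from the deployed key file and then removed.
        secrets.deleteSecretsVars = true;
        secrets.secretsVars = "/run/keys/vars.yml";

        services.openssh = {
          enable = true;
          settings = {
            # Root is reachable by key only and all accounts are declarative
            # (mutableUsers = false), so password and keyboard-interactive
            # authentication are never needed over the network and only widen
            # the brute-force surface fail2ban has to cover.  mkDefault lets an
            # individual host opt back in explicitly.
            PasswordAuthentication = lib.mkDefault false;
            KbdInteractiveAuthentication = lib.mkDefault false;
            PermitRootLogin = lib.mkDefault "prohibit-password";
          };
        };

        nixpkgs.overlays =
          builtins.attrValues mypackages.overlays ++
          builtins.attrValues backports.overlays ++
          [
            (self: super: {
              postgresql = self.postgresql_pam;
              # Pin MariaDB 10.11 but advertise a MySQL-compatible version
              # number through passthru for modules that branch on it.
              mariadb = self.mariadb_1011.overrideAttrs(old: {
                passthru = old.passthru // { mysqlVersion = "5.7"; };
              });
            }) # don’t put them as generic overlay because of home-manager
          ];

        # Journal retention: keep one year, store everything down to "info".
        services.journald.extraConfig = ''
          #Should be "warning" but disabled for now, it prevents anything from being stored
          MaxLevelStore=info
          MaxRetentionSec=1year
        '';

        # Stable ids for the acme user/group so certificate files keep their
        # ownership across hosts and rebuilds.
        users.groups.acme.gid = myuids.lib.gids.acme;
        users.users.acme.uid = myuids.lib.uids.acme;

        # Operator toolbox installed on every host.  Note that this includes
        # packet capture and active network tools (tcpdump, mitmproxy, nmap,
        # p0f, socat); they are root-only in effect but do enlarge what an
        # attacker finds ready to use after a compromise.
        environment.systemPackages = [
          pkgs.inetutils
          pkgs.htop
          pkgs.iftop
          pkgs.bind.dnsutils
          pkgs.httpie
          pkgs.iotop
          pkgs.whois
          pkgs.ngrep
          pkgs.tcpdump
          pkgs.wireshark-cli
          pkgs.tcpflow
          pkgs.mitmproxy
          pkgs.nmap
          pkgs.p0f
          pkgs.socat
          pkgs.lsof
          pkgs.psmisc
          pkgs.openssl
          pkgs.wget

          pkgs.pv
          pkgs.smartmontools

          pkgs.git
          pkgs.vim
          pkgs.rsync
          pkgs.strace
          pkgs.sqlite

          pkgs.jq
          pkgs.yq
        ];

        # Accounts and passwords come only from this configuration; nothing
        # created with useradd/passwd survives a rebuild.
        users.mutableUsers = lib.mkDefault false;

        # NOTE(review): presumably the unit the deployment tool generates to
        # wait for the "vars.yml" key; it is forced off here — confirm the key
        # is still present before services that read secretsVars start.
        systemd.services."vars.yml-key".enable = lib.mkForce false;
        # `systemctl isolate maintenance.target` leaves only sshd (and the
        # network) running for recovery work.
        systemd.targets.maintenance = {
          description = "Maintenance target with only sshd";
          after = [ "network-online.target" "sshd.service" ];
          requires = [ "network-online.target" "sshd.service" ];
          unitConfig.AllowIsolate = "yes";
        };

        security.acme.acceptTerms = true;
        # Issue a self-signed placeholder first so nginx can start before the
        # real certificate has been obtained.
        security.acme.preliminarySelfsigned = true;

        # One certificate per host, named after the node, for its FQDN.
        security.acme.certs = {
          "${name}" = {
            domain = config.hostEnv.fqdn;
          };
        };
        security.acme.defaults = {
          email = "ismael@bouya.org";
          webroot = "/var/lib/acme/acme-challenges";
          postRun = builtins.concatStringsSep "\n" [
            (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
          ];
          # --reuse-key keeps the same private key across renewals (useful for
          # pinning); the trade-off is that a leaked key stays valid for every
          # future renewal until it is rotated by hand.
          extraLegoRenewFlags = [ "--reuse-key" ];
          keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
          #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
          #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
        };

        # Default vhost for the host's FQDN: HTTPS only, using the host cert.
        services.nginx = {
          recommendedTlsSettings = true;
          virtualHosts = {
            "${config.hostEnv.fqdn}" = {
              acmeRoot = config.security.acme.defaults.webroot;
              useACMEHost = name;
              forceSSL = true;
            };
          };
        };

        # fail2ban: 10 failures within 12h → 12h ban, growing exponentially
        # with repeat offences (across all jails) up to one week.
        services.fail2ban.jails.DEFAULT = {
          settings.bantime = "12h";
          settings.findtime = "12h";
        };
        services.fail2ban = {
          enable = true;
          #findtime = "12h";
          #bantime = "12h";
          bantime-increment = {
            enable = true; # Enable increment of bantime after each violation
            formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
            #multipliers = "1 2 4 8 16 32 64";
            maxtime = "168h"; # Do not ban for more than 1 week
            overalljails = true; # Calculate the bantime based on all the violations
          };
          maxretry = 10;
          # Never ban our own servers: collect every v4/v6 address declared for
          # them in myEnv (servers without an ip4/ip6 entry contribute nothing).
          ignoreIP = let
            ip4s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip4 or []) v.ips)) (config.myEnv.servers));
            ip6s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip6 or []) v.ips)) (config.myEnv.servers));
          in
            ip4s ++ ip6s;
        };
      };
    };
  };
}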