{
  # Sibling flakes of this repository, all referenced by relative path.
  inputs = {
    environment.url = "path:../environment";
    secrets-public.url = "path:../../secrets";
    mypackages.url = "path:../../mypackages";
    myuids.url = "path:../../myuids";
    backports.url = "path:../../backports";
  };

  outputs = { self, secrets-public, mypackages, backports, environment, myuids }: {
    # The default module is the `system` module defined below.
    nixosModule = self.nixosModules.system;

    # Baseline NixOS configuration shared by every host: secrets wiring,
    # overlays, a common tool set, sshd, ACME/nginx defaults and fail2ban.
    nixosModules.system = { pkgs, lib, config, name, nodes, secrets, options, ... }:
      let
        # Host-local overlay; it is appended after the mypackages and backports
        # overlays so it can refer to packages they define.
        localOverlay = final: prev: {
          postgresql = final.postgresql_pam;
          mariadb = final.mariadb_1011.overrideAttrs (old: {
            passthru = old.passthru // { mysqlVersion = "5.7"; };
          });
        };

        # One "<ip4> <node>" line per deployed node, taken from the node's main interface.
        hostsFile = lib.concatStringsSep "\n"
          (lib.mapAttrsToList
            (nodeName: node: "${lib.head node.config.hostEnv.ips.main.ip4} ${nodeName}")
            nodes);

        # Every address of the given family ("ip4" or "ip6") declared for our
        # own servers in myEnv, flattened into one list.  Interfaces without
        # that family contribute nothing.
        ownAddresses = family:
          lib.flatten (lib.mapAttrsToList
            (_: server: lib.mapAttrsToList (_: iface: iface.${family} or []) server.ips)
            config.myEnv.servers);
      in
      {
        imports = [
          secrets.nixosModules.users-config-common
          environment.nixosModule
          secrets-public.nixosModule
        ];

        config = {
          myEnv = import secrets.environment-file;

          # Secrets are shipped as a deployment key readable by root only.
          deployment.keys."vars.yml" = {
            # NOTE(review): the path is interpolated into a shell command line;
            # this assumes secrets.vars-file never contains shell metacharacters.
            keyCommand = [ pkgs.stdenv.shell "-c" "cat ${secrets.vars-file}" ];
            user = "root";
            group = "root";
            permissions = "0400";
          };
          secrets = {
            deleteSecretsVars = true;
            secretsVars = "/run/keys/vars.yml";
          };

          networking = {
            hostName = name;
            extraHosts = hostsFile;
          };

          users = {
            mutableUsers = lib.mkDefault false;
            # This module authorizes the repository deployment key for root over ssh.
            extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
            # Stable ids shared across hosts come from the myuids flake.
            groups.acme.gid = myuids.lib.gids.acme;
            users.acme.uid = myuids.lib.uids.acme;
          };

          nixpkgs.overlays =
            builtins.attrValues mypackages.overlays
            ++ builtins.attrValues backports.overlays
            ++ [ localOverlay ]; # kept here rather than as a generic overlay because of home-manager

          # Common diagnostic and administration tools present on every host.
          environment.systemPackages = [
            # network
            pkgs.inetutils
            pkgs.htop
            pkgs.iftop
            pkgs.bind.dnsutils
            pkgs.httpie
            pkgs.iptables
            pkgs.iotop
            pkgs.whois
            pkgs.ngrep
            pkgs.tcpdump
            pkgs.wireshark-cli
            pkgs.tcpflow
            pkgs.mitmproxy
            pkgs.nmap
            pkgs.p0f
            pkgs.socat
            pkgs.lsof
            pkgs.psmisc
            pkgs.openssl
            pkgs.wget

            # storage
            pkgs.pv
            pkgs.smartmontools

            # general administration
            pkgs.git
            pkgs.vim
            pkgs.rsync
            pkgs.strace
            pkgs.sqlite
            pkgs.unzip

            # structured data
            pkgs.jq
            pkgs.yq
          ];

          systemd = {
            # NOTE(review): the generated vars.yml-key unit is forced off; presumably
            # the key is staged through deployment.keys above instead — confirm.
            services."vars.yml-key".enable = lib.mkForce false;
            # Isolatable target that brings up only networking and sshd.
            targets.maintenance = {
              description = "Maintenance target with only sshd";
              after = [ "network-online.target" "sshd.service" ];
              requires = [ "network-online.target" "sshd.service" ];
              unitConfig.AllowIsolate = "yes";
            };
          };

          security.acme = {
            acceptTerms = true;
            preliminarySelfsigned = true;
            # One certificate per host, named after the node and issued for its fqdn.
            certs."${name}".domain = config.hostEnv.fqdn;
            defaults = {
              email = "ismael@bouya.org";
              webroot = "/var/lib/acme/acme-challenges";
              # Reload nginx after renewal, but only on hosts where it is enabled.
              postRun = lib.optionalString config.services.nginx.enable "systemctl reload nginx.service";
              extraLegoRenewFlags = [ "--reuse-key" ];
              keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
              #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
              #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
            };
          };

          services = {
            # NOTE(review): no sshd hardening options are set in this module;
            # confirm they come from one of the imported modules.
            openssh.enable = true;

            journald.extraConfig = ''
              #Should be "warning" but disabled for now, it prevents anything from being stored
              MaxLevelStore=info
              MaxRetentionSec=1year
            '';

            # Default vhost for the host's fqdn, served over TLS with the host certificate.
            nginx = {
              recommendedTlsSettings = true;
              virtualHosts."${config.hostEnv.fqdn}" = {
                acmeRoot = config.security.acme.defaults.webroot;
                useACMEHost = name;
                forceSSL = true;
              };
            };

            fail2ban = {
              enable = true;
              jails.DEFAULT.settings = {
                bantime = "12h";
                findtime = "12h";
              };
              #findtime = "12h";
              #bantime = "12h";
              bantime-increment = {
                enable = true; # Enable increment of bantime after each violation
                formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
                #multipliers = "1 2 4 8 16 32 64";
                maxtime = "168h"; # Do not ban for more than 1 week
                overalljails = true; # Calculate the bantime based on all the violations
              };
              maxretry = 10;
              # Never ban our own servers, whichever address family they use.
              ignoreIP = ownAddresses "ip4" ++ ownAddresses "ip6";
            };
          };
        };
      };
  };
}