{
  # Flake exposing the base `system` NixOS module.  Every input is a sibling
  # flake of this repository, referenced by relative path.
  inputs.environment.url = "path:../environment";
  inputs.secrets-public.url = "path:../../secrets";
  inputs.mypackages.url = "path:../../mypackages";
  inputs.myuids.url = "path:../../myuids";
  inputs.backports.url = "path:../../backports";
  outputs = { self, secrets-public, mypackages, backports, environment, myuids }: {
    # `nixosModule` is an alias of `nixosModules.system` for consumers that
    # expect the singular attribute.
    nixosModule = self.nixosModules.system;
    # Module arguments beyond the usual pkgs/lib/config: `name` and `nodes`
    # (deployment-provided host name and peer set) and `secrets` (private
    # secrets flake, passed in by the caller rather than imported here).
    nixosModules.system = { pkgs, lib, config, name, nodes, secrets, options, ... }:
    {
      imports = [
        secrets.nixosModules.users-config-common
        environment.nixosModule
        secrets-public.nixosModule
      ];
      config = {
        # Environment attrset loaded from the secrets flake; read below as
        # `config.myEnv` (root SSH keys, server address list).
        myEnv = import secrets.environment-file;
        networking.hostName = name;
        # Secret vars file pushed by the deployment tool: the content is
        # produced on the deployer by the shell command and installed on the
        # target root-owned, read-only for root (0400).
        # NOTE(review): `${secrets.vars-file}` is interpolated into an
        # `sh -c` string, so a path containing whitespace or shell
        # metacharacters would need quoting; `[ "cat" secrets.vars-file ]`
        # would avoid the shell — confirm the deployment tool accepts a
        # non-shell argv before changing it.
        deployment.keys."vars.yml" = {
          keyCommand = [ pkgs.stdenv.shell "-c" "cat ${secrets.vars-file}" ];
          user = "root";
          group = "root";
          permissions = "0400";
        };

        # One /etc/hosts line per deployed node: "<first main IPv4> <node name>".
        networking.extraHosts = builtins.concatStringsSep "\n"
          (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes);

        # root accepts exactly one SSH key, the `nix_repository` key from myEnv.
        # NOTE(review): root login over SSH relies on the openssh module's
        # default for PermitRootLogin — confirm no other module on the host
        # loosens it to password authentication.
        users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
        # The secrets module reads its variables from the deployed key path
        # and is asked to delete them after use (presumably once consumed —
        # confirm against the secrets module).
        secrets.deleteSecretsVars = true;
        secrets.secretsVars = "/run/keys/vars.yml";

        services.openssh.enable = true;

        # Overlays: everything from mypackages and backports, plus two local
        # package substitutions that are kept out of the generic overlay set.
        nixpkgs.overlays =
          builtins.attrValues mypackages.overlays ++
          builtins.attrValues backports.overlays ++
          [
            (self: super: {
              # PostgreSQL built with PAM support replaces the stock package.
              postgresql = self.postgresql_pam;
              # MariaDB 10.11 advertising mysqlVersion "5.7" in passthru; which
              # consumer keys on this value is not visible here.
              mariadb = self.mariadb_1011.overrideAttrs(old: {
                passthru = old.passthru // { mysqlVersion = "5.7"; };
              });
            }) # don’t put them as generic overlay because of home-manager
          ];

        # Persistent journal: keep up to `info` level for one year.
        services.journald.extraConfig = ''
          #Should be "warning" but disabled for now, it prevents anything from being stored
          MaxLevelStore=info
          MaxRetentionSec=1year
        '';

        # Stable uid/gid for the acme user, taken from the myuids flake so the
        # ownership of /var/lib/acme is identical across hosts.
        users.groups.acme.gid = myuids.lib.gids.acme;
        users.users.acme.uid = myuids.lib.uids.acme;
        # Baseline tool set present on every host using this module.
        # NOTE(review): the first group is network capture/scanning tooling
        # (tcpdump, wireshark-cli, tcpflow, mitmproxy, nmap, p0f); installing
        # it system-wide makes it available to any shell on the host, so
        # confirm this is intended for every role rather than only admin or
        # monitoring hosts.
        environment.systemPackages = [
          pkgs.inetutils
          pkgs.htop
          pkgs.iftop
          pkgs.bind.dnsutils
          pkgs.httpie
          pkgs.iotop
          pkgs.whois
          pkgs.ngrep
          pkgs.tcpdump
          pkgs.wireshark-cli
          pkgs.tcpflow
          pkgs.mitmproxy
          pkgs.nmap
          pkgs.p0f
          pkgs.socat
          pkgs.lsof
          pkgs.psmisc
          pkgs.openssl
          pkgs.wget

          pkgs.pv
          pkgs.smartmontools

          pkgs.git
          pkgs.vim
          pkgs.rsync
          pkgs.strace
          pkgs.sqlite
          pkgs.unzip

          pkgs.jq
          pkgs.yq
        ];

        # Accounts are declarative only; mkDefault lets a single host opt out.
        users.mutableUsers = lib.mkDefault false;

        # The auto-generated key unit for vars.yml is forced off.
        # NOTE(review): the reason is not visible here — presumably the
        # secrets module consumes the key itself; confirm before relying on it.
        systemd.services."vars.yml-key".enable = lib.mkForce false;
        # Isolatable target (`systemctl isolate maintenance.target`) that
        # keeps only networking and sshd up.
        systemd.targets.maintenance = {
          description = "Maintenance target with only sshd";
          after = [ "network-online.target" "sshd.service" ];
          requires = [ "network-online.target" "sshd.service" ];
          unitConfig.AllowIsolate = "yes";
        };

        # ACME: self-signed placeholder until the first real issuance.
        security.acme.acceptTerms = true;
        security.acme.preliminarySelfsigned = true;

        # One certificate per host, named after the node and issued for its FQDN.
        security.acme.certs = {
          "${name}" = {
            domain = config.hostEnv.fqdn;
          };
        };
        security.acme.defaults = {
          email = "ismael@bouya.org";
          # Challenge files are served from here; the nginx vhost below uses
          # the same path as acmeRoot.
          webroot = "/var/lib/acme/acme-challenges";
          # nginx is reloaded after renewal only when it is enabled on the host.
          postRun = builtins.concatStringsSep "\n" [
            (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
          ];
          # Keep the same private key across renewals.
          extraLegoRenewFlags = [ "--reuse-key" ];
          keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
          #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
          #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
        };

        # Default vhost for the host's FQDN: HTTPS only, backed by the host cert.
        services.nginx = {
          recommendedTlsSettings = true;
          virtualHosts = {
            "${config.hostEnv.fqdn}" = {
              acmeRoot = config.security.acme.defaults.webroot;
              useACMEHost = name;
              forceSSL = true;
            };
          };
        };

        # fail2ban: 12h window / 12h ban for every jail unless overridden.
        services.fail2ban.jails.DEFAULT = {
          settings.bantime = "12h";
          settings.findtime = "12h";
        };
        services.fail2ban = {
          enable = true;
          #findtime = "12h";
          #bantime = "12h";
          # Repeat offenders are banned for increasingly long periods, capped
          # at one week, counting violations across all jails.
          bantime-increment = {
            enable = true; # Enable increment of bantime after each violation
            formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
            #multipliers = "1 2 4 8 16 32 64";
            maxtime = "168h"; # Do not ban for more than 1 week
            overalljails = true; # Calculate the bantime based on all the violations
          };
          maxretry = 10;
          # Never ban our own servers: collect every ip4/ip6 entry of every
          # server in myEnv (`or []` tolerates servers without one family).
          ignoreIP = let
            ip4s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip4 or []) v.ips)) (config.myEnv.servers));
            ip6s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip6 or []) v.ips)) (config.myEnv.servers));
          in
            ip4s ++ ip6s;
        };
      };
    };
  };
}