1 {
2 inputs.environment.url = "path:../environment";
3 inputs.secrets-public.url = "path:../../secrets";
4 inputs.mypackages.url = "path:../../mypackages";
5 inputs.myuids.url = "path:../../myuids";
6 inputs.backports.url = "path:../../backports";
7 outputs = { self, secrets-public, mypackages, backports, environment, myuids }: {
8 nixosModule = self.nixosModules.system;
9 nixosModules.system = { pkgs, lib, config, name, nodes, secrets, options, ... }:
10 {
11 imports = [
12 secrets.nixosModules.users-config-common
13 environment.nixosModule
14 secrets-public.nixosModule
15 ];
16 config = {
17 myEnv = import secrets.environment-file;
18 networking.hostName = name;
19 deployment.keys."vars.yml" = {
20 keyCommand = [ pkgs.stdenv.shell "-c" "cat ${secrets.vars-file}" ];
21 user = "root";
22 group = "root";
23 permissions = "0400";
24 };
25
26 networking.extraHosts = builtins.concatStringsSep "\n"
27 (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes);
28
29 users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
30 secrets.deleteSecretsVars = true;
31 secrets.gpgKeys = [
32 ./public_keys/Immae.pub
33 ];
34 secrets.secretsVars = "/run/keys/vars.yml";
35
36 services.openssh.enable = true;
37
38 nixpkgs.overlays =
39 builtins.attrValues mypackages.overlays ++
40 builtins.attrValues backports.overlays ++
41 [
42 (self: super: {
43 postgresql = self.postgresql_pam;
44 mariadb = self.mariadb_106.overrideAttrs(old: {
45 passthru = old.passthru // { mysqlVersion = "5.7"; };
46 });
47 }) # don’t put them as generic overlay because of home-manager
48 ];
49
50 services.journald.extraConfig = ''
51 #Should be "warning" but disabled for now, it prevents anything from being stored
52 MaxLevelStore=info
53 MaxRetentionSec=1year
54 '';
55
56 users.groups.acme.gid = myuids.lib.gids.acme;
57 users.users =
58 builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
59 isNormalUser = true;
60 home = "/home/${x.name}";
61 createHome = true;
62 linger = true;
63 # Enable in latest unstable homeMode = "755";
64 } // x)) (config.hostEnv.users pkgs))
65 // {
66 acme.uid = myuids.lib.uids.acme;
67 };
68 environment.systemPackages = [
69 pkgs.inetutils
70 pkgs.htop
71 pkgs.iftop
72 pkgs.bind.dnsutils
73 pkgs.httpie
74 pkgs.iotop
75 pkgs.whois
76 pkgs.ngrep
77 pkgs.tcpdump
78 pkgs.wireshark-cli
79 pkgs.tcpflow
80 pkgs.mitmproxy
81 pkgs.nmap
82 pkgs.p0f
83 pkgs.socat
84 pkgs.lsof
85 pkgs.psmisc
86 pkgs.openssl
87 pkgs.wget
88
89 pkgs.pv
90 pkgs.smartmontools
91
92 pkgs.git
93 pkgs.vim
94 pkgs.rsync
95 pkgs.strace
96 pkgs.sqlite
97
98 pkgs.jq
99 pkgs.yq
100 ];
101
102 users.mutableUsers = lib.mkDefault false;
103
104 systemd.services."vars.yml-key".enable = lib.mkForce false;
105 systemd.targets.maintenance = {
106 description = "Maintenance target with only sshd";
107 after = [ "network-online.target" "sshd.service" ];
108 requires = [ "network-online.target" "sshd.service" ];
109 unitConfig.AllowIsolate = "yes";
110 };
111
112 security.acme.acceptTerms = true;
113 security.acme.preliminarySelfsigned = true;
114
115 security.acme.certs = {
116 "${name}" = {
117 domain = config.hostEnv.fqdn;
118 };
119 };
120 security.acme.defaults = {
121 email = "ismael@bouya.org";
122 webroot = "/var/lib/acme/acme-challenges";
123 postRun = builtins.concatStringsSep "\n" [
124 (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
125 ];
126 extraLegoRenewFlags = [ "--reuse-key" ];
127 keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
128 #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
129 #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
130 };
131
132 services.nginx = {
133 recommendedTlsSettings = true;
134 virtualHosts = {
135 "${config.hostEnv.fqdn}" = {
136 acmeRoot = config.security.acme.defaults.webroot;
137 useACMEHost = name;
138 forceSSL = true;
139 };
140 };
141 };
142
143 services.fail2ban.jails.DEFAULT = {
144 settings.bantime = "12h";
145 settings.findtime = "12h";
146 };
147 services.fail2ban = {
148 enable = true;
149 #findtime = "12h";
150 #bantime = "12h";
151 bantime-increment = {
152 enable = true; # Enable increment of bantime after each violation
153 formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
154 #multipliers = "1 2 4 8 16 32 64";
155 maxtime = "168h"; # Do not ban for more than 1 week
156 overalljails = true; # Calculate the bantime based on all the violations
157 };
158 maxretry = 10;
159 ignoreIP = let
160 ip4s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip4 or []) v.ips)) (config.myEnv.servers));
161 ip6s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip6 or []) v.ips)) (config.myEnv.servers));
162 in
163 ip4s ++ ip6s;
164 };
165 };
166 };
167 };
168 }