# Flake providing the base NixOS module shared by every deployed node:
# host naming, deployment of the secrets vars file, SSH access, overlays,
# journald retention, ACME/nginx defaults and fail2ban.
# All inputs are sibling flakes referenced by relative path.
{
  inputs.environment.url = "path:../environment";
  inputs.secrets-public.url = "path:../../secrets";
  inputs.mypackages.url = "path:../../mypackages";
  inputs.myuids.url = "path:../../myuids";
  inputs.backports.url = "path:../../backports";
  outputs = { self, secrets-public, mypackages, backports, environment, myuids }: {
    # Single-module alias for the `system` module below.
    nixosModule = self.nixosModules.system;
    # `name`, `nodes` and `secrets` are supplied by the deployment layer
    # (`secrets` here is a module argument, not the `secrets-public` input).
    # `options` is accepted but not referenced in this module.
    nixosModules.system = { pkgs, lib, config, name, nodes, secrets, options, ... }:
    {
      imports = [
        secrets.nixosModules.users-config-common
        environment.nixosModule
        secrets-public.nixosModule
      ];
      config = {
        # Per-deployment environment (hosts, ssh keys, servers …) read from the secrets flake.
        myEnv = import secrets.environment-file;
        networking.hostName = name;
        # Secrets vars file pushed to the node at deploy time, readable by root only.
        deployment.keys."vars.yml" = {
          # NOTE(review): the shell wrapper is only there to run `cat`; a direct
          # `[ "cat" "${secrets.vars-file}" ]` would avoid `sh -c` and any
          # word-splitting of the path — confirm against the deployment tool's
          # keyCommand semantics before changing.
          keyCommand = [ pkgs.stdenv.shell "-c" "cat ${secrets.vars-file}" ];
          user = "root";
          group = "root";
          permissions = "0400";
        };

        # One /etc/hosts line per node: "<first main ip4> <node name>".
        # `lib.head` fails at evaluation time if a node has no main ip4 — intended as a hard error.
        networking.extraHosts = builtins.concatStringsSep "\n"
          (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes);

        # Root login is restricted to the single key declared in the environment.
        users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
        # presumably removes the rendered vars file once secrets are in place — verify against the secrets module
        secrets.deleteSecretsVars = true;
        secrets.gpgKeys = [
          ./public_keys/Immae.pub
        ];
        # Matches the "vars.yml" deployment key above; /run/keys is assumed to be
        # where the deployment tool places keys — confirm.
        secrets.secretsVars = "/run/keys/vars.yml";

        services.openssh.enable = true;

        # Overlays from the mypackages and backports flakes, plus host-local
        # substitutions: postgresql with PAM support, mariadb 10.6 reporting
        # mysqlVersion 5.7 in passthru.
        nixpkgs.overlays =
          builtins.attrValues mypackages.overlays ++
          builtins.attrValues backports.overlays ++
          [
            (self: super: {
              postgresql = self.postgresql_pam;
              mariadb = self.mariadb_106.overrideAttrs(old: {
                passthru = old.passthru // { mysqlVersion = "5.7"; };
              });
            }) # don’t put them as generic overlay because of home-manager
          ];

        # Journal retention: keep up to `info` for one year. The first line of the
        # string is a literal comment inside the generated journald.conf.
        services.journald.extraConfig = ''
          #Should be "warning" but disabled for now, it prevents anything from being stored
          MaxLevelStore=info
          MaxRetentionSec=1year
        '';

        # Stable acme uid/gid across hosts, taken from the shared myuids table.
        users.groups.acme.gid = myuids.lib.gids.acme;
        users.users.acme.uid = myuids.lib.uids.acme;
        # NOTE(review): several of these (tcpdump, wireshark-cli, tcpflow, mitmproxy,
        # nmap, p0f, ngrep) are capture/scanning tools installed on every node;
        # consider whether they are needed system-wide or could be fetched on demand.
        environment.systemPackages = [
          # network diagnostics
          pkgs.inetutils
          pkgs.htop
          pkgs.iftop
          pkgs.bind.dnsutils
          pkgs.httpie
          pkgs.iotop
          pkgs.whois
          pkgs.ngrep
          pkgs.tcpdump
          pkgs.wireshark-cli
          pkgs.tcpflow
          pkgs.mitmproxy
          pkgs.nmap
          pkgs.p0f
          pkgs.socat
          pkgs.lsof
          pkgs.psmisc
          pkgs.openssl
          pkgs.wget

          # storage / monitoring
          pkgs.pv
          pkgs.smartmontools

          # general utilities
          pkgs.git
          pkgs.vim
          pkgs.rsync
          pkgs.strace
          pkgs.sqlite

          pkgs.jq
          pkgs.yq
        ];

        # Users are fully declarative; mkDefault lets a host module opt out.
        users.mutableUsers = lib.mkDefault false;

        # presumably the per-key unit generated by the deployment tool for "vars.yml";
        # forcibly disabled here — confirm why (e.g. the secrets module consumes the file itself).
        systemd.services."vars.yml-key".enable = lib.mkForce false;
        # Isolatable target that brings up only networking and sshd.
        systemd.targets.maintenance = {
          description = "Maintenance target with only sshd";
          after = [ "network-online.target" "sshd.service" ];
          requires = [ "network-online.target" "sshd.service" ];
          unitConfig.AllowIsolate = "yes";
        };

        security.acme.acceptTerms = true;
        # Serve a self-signed cert until the real one is issued so nginx can start.
        security.acme.preliminarySelfsigned = true;

        # One certificate per node, named after the node, for its FQDN.
        security.acme.certs = {
          "${name}" = {
            domain = config.hostEnv.fqdn;
          };
        };
        security.acme.defaults = {
          email = "ismael@bouya.org";
          webroot = "/var/lib/acme/acme-challenges";
          # Reload nginx after renewal, but only when nginx is enabled on this host.
          postRun = builtins.concatStringsSep "\n" [
            (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
          ];
          # Keep the same private key across renewals.
          extraLegoRenewFlags = [ "--reuse-key" ];
          keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
          #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
          #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
        };

        # Default vhost for the node FQDN: ACME challenges from the shared webroot,
        # certificate from the node's ACME entry, HTTP redirected to HTTPS.
        services.nginx = {
          recommendedTlsSettings = true;
          virtualHosts = {
            "${config.hostEnv.fqdn}" = {
              acmeRoot = config.security.acme.defaults.webroot;
              useACMEHost = name;
              forceSSL = true;
            };
          };
        };

        # Jail defaults: 10 failures within 12h → 12h ban, growing exponentially
        # with repeat offences up to one week.
        services.fail2ban.jails.DEFAULT = {
          settings.bantime = "12h";
          settings.findtime = "12h";
        };
        services.fail2ban = {
          enable = true;
          #findtime = "12h";
          #bantime = "12h";
          bantime-increment = {
            enable = true; # Enable increment of bantime after each violation
            formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
            #multipliers = "1 2 4 8 16 32 64";
            maxtime = "168h"; # Do not ban for more than 1 week
            overalljails = true; # Calculate the bantime based on all the violations
          };
          maxretry = 10;
          # Never ban our own servers: every ip4/ip6 of every entry in myEnv.servers.
          # `or []` skips address families a server does not declare; the inner
          # `n`/`v` shadow the outer pair (the outer `n` is unused).
          # NOTE(review): this exempts every peer host from banning, so a
          # compromised peer is never locked out — confirm that is intended.
          ignoreIP = let
            ip4s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip4 or []) v.ips)) (config.myEnv.servers));
            ip6s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip6 or []) v.ips)) (config.myEnv.servers));
          in
            ip4s ++ ip6s;
        };
      };
    };
  };
}