Diffstat (limited to 'flakes/private/system/flake.nix')
-rw-r--r-- | flakes/private/system/flake.nix | 168 |
1 files changed, 168 insertions, 0 deletions
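diff --git a/flakes/private/system/flake.nix b/flakes/private/system/flake.nix
new file mode 100644
index 0000000..04ebbc7
--- /dev/null
+++ b/flakes/private/system/flake.nix
@@ -0,0 +1,168 @@
+{
+inputs.environment.url = "path:../environment";
+inputs.secrets-public.url = "path:../../secrets";
+inputs.mypackages.url = "path:../../mypackages";
+inputs.myuids.url = "path:../../myuids";
+inputs.backports.url = "path:../../backports";
+outputs = { self, secrets-public, mypackages, backports, environment, myuids }: {
+nixosModule = self.nixosModules.system;
+nixosModules.system = { pkgs, lib, config, name, nodes, secrets, options, ... }:
+{
+imports = [
+secrets.nixosModules.users-config-common
+environment.nixosModule
+secrets-public.nixosModule
+];
+config = {
+myEnv = import secrets.environment-file;
+networking.hostName = name;
+deployment.keys."vars.yml" = {
+keyCommand = [ pkgs.stdenv.shell "-c" "cat ${secrets.vars-file}" ];
+user = "root";
+group = "root";
+permissions = "0400";
+};
+
+networking.extraHosts = builtins.concatStringsSep "\n"
+(lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes);
+
+users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
+secrets.deleteSecretsVars = true;
+secrets.gpgKeys = [
+./public_keys/Immae.pub
+];
+secrets.secretsVars = "/run/keys/vars.yml";
+
+services.openssh.enable = true;
+
+nixpkgs.overlays =
+builtins.attrValues mypackages.overlays ++
+builtins.attrValues backports.overlays ++
+[
+(self: super: {
+postgresql = self.postgresql_pam;
+mariadb = self.mariadb_106.overrideAttrs(old: {
+passthru = old.passthru // { mysqlVersion = "5.7"; };
+});
+}) # don’t put them as generic overlay because of home-manager
+];
+
+services.journald.extraConfig = ''
+#Should be "warning" but disabled for now, it prevents anything from being stored
+MaxLevelStore=info
+MaxRetentionSec=1year
+'';
+
+users.groups.acme.gid = myuids.lib.gids.acme;
+users.users =
+builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
+isNormalUser = true;
+home = "/home/${x.name}";
+createHome = true;
+linger = true;
+# Enable in latest unstable homeMode = "755";
+} // x)) (config.hostEnv.users pkgs))
+// {
+acme.uid = myuids.lib.uids.acme;
+};
+environment.systemPackages = [
+pkgs.inetutils
+pkgs.htop
+pkgs.iftop
+pkgs.bind.dnsutils
+pkgs.httpie
+pkgs.iotop
+pkgs.whois
+pkgs.ngrep
+pkgs.tcpdump
+pkgs.wireshark-cli
+pkgs.tcpflow
+pkgs.mitmproxy
+pkgs.nmap
+pkgs.p0f
+pkgs.socat
+pkgs.lsof
+pkgs.psmisc
+pkgs.openssl
+pkgs.wget
+
+pkgs.pv
+pkgs.smartmontools
+
+pkgs.git
+pkgs.vim
+pkgs.rsync
+pkgs.strace
+pkgs.sqlite
+
+pkgs.jq
+pkgs.yq
+];
+
+users.mutableUsers = lib.mkDefault false;
+
+systemd.services."vars.yml-key".enable = lib.mkForce false;
+systemd.targets.maintenance = {
+description = "Maintenance target with only sshd";
+after = [ "network-online.target" "sshd.service" ];
+requires = [ "network-online.target" "sshd.service" ];
+unitConfig.AllowIsolate = "yes";
+};
+
+security.acme.acceptTerms = true;
+security.acme.preliminarySelfsigned = true;
+
+security.acme.certs = {
+"${name}" = {
+domain = config.hostEnv.fqdn;
+};
+};
+security.acme.defaults = {
+email = "ismael@bouya.org";
+webroot = "/var/lib/acme/acme-challenges";
+postRun = builtins.concatStringsSep "\n" [
+(lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
+];
+extraLegoRenewFlags = [ "--reuse-key" ];
+keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
+#extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
+#extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
+};
+
+services.nginx = {
+recommendedTlsSettings = true;
+virtualHosts = {
+"${config.hostEnv.fqdn}" = {
+acmeRoot = config.security.acme.defaults.webroot;
+useACMEHost = name;
+forceSSL = true;
+};
+};
+};
+
+services.fail2ban.jails.DEFAULT = {
+settings.bantime = "12h";
+settings.findtime = "12h";
+};
+services.fail2ban = {
+enable = true;
+#findtime = "12h";
+#bantime = "12h";
+bantime-increment = {
+enable = true; # Enable increment of bantime after each violation
+formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+#multipliers = "1 2 4 8 16 32 64";
+maxtime = "168h"; # Do not ban for more than 1 week
+overalljails = true; # Calculate the bantime based on all the violations
+};
+maxretry = 10;
+ignoreIP = let
+ip4s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip4 or []) v.ips)) (config.myEnv.servers));
+ip6s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip6 or []) v.ips)) (config.myEnv.servers));
+in
+ip4s ++ ip6s;
+};
+};
+};
+};
+}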
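Review bot: The root account receives an authorized key at line 29 while the sshd block at line 36 only sets `services.openssh.enable = true;`, so password and keyboard-interactive authentication are left at the module defaults even though users are immutable (line 102) and access is clearly meant to be key-only; pin that intent next to line 36 with `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` (on a pinned nixpkgs that predates the `settings` submodule, `services.openssh.passwordAuthentication = false;` is the older equivalent). The fail2ban jail at lines 147–164 slows brute force but does not remove that exposure, and its `ignoreIP` whitelists every address in `config.myEnv.servers`, which deserves a one-line comment such as `# every fleet host is exempt from banning, including a compromised one` so the trade-off is recorded. A short comment on line 104 explaining why the generated `vars.yml-key` unit is force-disabled would also help, since disabling it presumably removes the ordering that makes consumers wait for the key to be present (inferred from the option name only).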