From 5b4cc25a87d4136f4455f9999e5da098bd450093 Mon Sep 17 00:00:00 2001
From: Noa Aarts
Date: Wed, 5 Jun 2024 21:06:03 +0200
Subject: [PATCH] let's hope this works
---
 hosts/default/configuration.nix | 384 +++++++++++++++-----------------
 modules/websites/default.nix | 125 +++++++++++
 2 files changed, 300 insertions(+), 209 deletions(-)
 create mode 100644 modules/websites/default.nix
diff --git a/hosts/default/configuration.nix b/hosts/default/configuration.nix
index ff57f6f..6e01be2 100644
--- a/hosts/default/configuration.nix
+++ b/hosts/default/configuration.nix
@@ -9,6 +9,7 @@
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ../../modules/games/steam.nix
+ ../../modules/websites
 inputs.nix-minecraft.nixosModules.minecraft-servers
 ];
@@ -45,9 +46,6 @@
 networking = {
 hostName = "lambdaOS"; # Define your hostname.
- hosts = {
- "127.0.0.1" = [ "images.noa.voorwaarts.nl" "sods.noa.voorwaarts.nl" "noa.voorwaarts.nl" "testing.noa.voorwaarts.nl" ];
- };
 };
 # networking.wireless.enable = true;# Enables wireless support via wpa_supplicant.
@@ -163,225 +161,193 @@ ]; }; - modules.games.steam.enable = false; - - users.defaultUserShell = pkgs.zsh; - - security.rtkit.enable = true; - - services = { - pipewire = { + modules = { + games.steam.enable = false; + modules.websites = { enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - jack.enable = true; - }; - fail2ban = { - enable = true; - maxretry = 5; - bantime = "1s"; - bantime-increment = { - enable = true; - formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; - maxtime = "1h"; - overalljails = true; - }; - jails = { - go-login.settings = { - enabled = true; - filter = "go-login"; - action = ''iptables-multiport[name=HTTP, port="http,https,2000"]''; - logpath = "/home/noa/Documents/programming/SODS/login.log"; - backend = "systemd"; - findtime = 600; - bantime = 600; - maxretry = 5; - }; - }; - }; - greetd = { - enable = true; - settings = rec { - initial_session = { - command = "${pkgs.hyprland}/bin/Hyprland"; - user = "noa"; - }; - default_session = initial_session; - }; - }; - minecraft-servers = { - enable = false; - eula = true; - openFirewall = true; - servers = { - "no-flicker" = { + certMail = "acme@voorwaarts.nl"; + mainDomains = { + "noa.voorwaarts.nl" = { enable = true; - package = pkgs.minecraftServers.paper-1_20_4; - }; - }; - }; - nginx = { - enable = true; - - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - - virtualHosts = - let - extra = '' - client_max_body_size 50000M; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_redirect off; - - proxy_read_timeout 600s; - 
proxy_send_timeout 600s; - send_timeout 600s;''; - proxy = port: { - forceSSL = true; - useACMEHost = "noa.voorwaarts.nl"; - extraConfig = extra; - locations."/" = { - proxyPass = "http://127.0.0.1:${builtins.toString port}/"; + proxy = "http://127.0.0.1:3000/"; + extra_sites = { + "images.noa.voorwaarts.nl" = { + enable = true; + proxy = "http://127.0.0.1:2283/"; + }; + "testing.noa.voorwaarts.nl" = { + enable = true; + proxy = "http://127.0.0.1:8000/"; + }; + "sods.noa.voorwaarts.nl" = { + enable = true; + proxy = "http://127.0.0.1:2000/"; }; }; - in - { - "noa.voorwaarts.nl" = { - default = true; - forceSSL = true; - enableACME = true; - }; - "images.noa.voorwaarts.nl" = proxy 2283; - "testing.noa.voorwaarts.nl" = proxy 8000; - "sods.noa.voorwaarts.nl" = proxy 2000; }; - }; - openssh = { - enable = true; - settings.PasswordAuthentication = false; - settings.KbdInteractiveAuthentication = false; - }; - syncthing = { - enable = true; - user = "noa"; - dataDir = "/home/noa/Sync"; - configDir = "/home/noa/Sync/.config/syncthing"; - }; - xserver = { - enable = true; - xkb = { - layout = "us"; - variant = "intl"; }; - videoDrivers = [ "nvidia" ]; }; - flatpak.enable = true; - }; - systemd.timers."update-flake" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "daily"; - Persistent = true; + users.defaultUserShell = pkgs.zsh; + + security.rtkit.enable = true; + + services = { + pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; + }; + fail2ban = { + enable = true; + maxretry = 5; + bantime = "1s"; + bantime-increment = { + enable = true; + formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; + maxtime = "1h"; + overalljails = true; + }; + jails = { + go-login.settings = { + enabled = true; + filter = "go-login"; + action = ''iptables-multiport[name=HTTP, port="http,https,2000"]''; + logpath = "/home/noa/Documents/programming/SODS/login.log"; + 
backend = "systemd"; + findtime = 600; + bantime = 600; + maxretry = 5; + }; + }; + }; + greetd = { + enable = true; + settings = rec { + initial_session = { + command = "${pkgs.hyprland}/bin/Hyprland"; + user = "noa"; + }; + default_session = initial_session; + }; + }; + minecraft-servers = { + enable = false; + eula = true; + openFirewall = true; + servers = { + "no-flicker" = { + enable = true; + package = pkgs.minecraftServers.paper-1_20_4; + }; + }; + }; + openssh = { + enable = true; + settings.PasswordAuthentication = false; + settings.KbdInteractiveAuthentication = false; + }; + syncthing = { + enable = true; + user = "noa"; + dataDir = "/home/noa/Sync"; + configDir = "/home/noa/Sync/.config/syncthing"; + }; + xserver = { + enable = true; + xkb = { + layout = "us"; + variant = "intl"; + }; + videoDrivers = [ "nvidia" ]; + }; + flatpak.enable = true; }; - }; - systemd.services."update-flake" = { - path = with pkgs; [ - git - openssh - nix - nixos-rebuild - ]; - script = '' - [[ ! -d '/root/nixconf' ]] && cd /root && git clone git@github.com:itepastra/nixconf - cd /root/nixconf - git pull - nix flake update --commit-lock-file /root/nixconf - nixos-rebuild switch --flake . - git push - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; + systemd.timers."update-flake" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + }; }; - wants = [ - "network-online.target" - ]; - after = [ - "network-online.target" - ]; - }; - environment.etc = { - "fail2ban/filter.d/go-login.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' - [Definition] - failregex=^time= level=WARN msg=".*?" 
ip= status=4\d\d$ - ''); - }; - - virtualisation.docker = { - enable = true; - rootless = { - enable = true; - setSocketVariable = true; - }; - }; - - boot.kernelModules = [ - "v4l2loopback" - "nct6775" - "k10temp" - ]; - - boot.extraModprobeConfig = '' - options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1 - ''; - security = { - acme = { - acceptTerms = true; - defaults.email = "acme@voorwaarts.nl"; - certs."noa.voorwaarts.nl".extraDomainNames = [ - "images.noa.voorwaarts.nl" - "sods.noa.voorwaarts.nl" - "testing.noa.voorwaarts.nl" + systemd.services."update-flake" = { + path = with pkgs; [ + git + openssh + nix + nixos-rebuild + ]; + script = '' + [[ ! -d '/root/nixconf' ]] && cd /root && git clone git@github.com:itepastra/nixconf + cd /root/nixconf + git pull + nix flake update --commit-lock-file /root/nixconf + nixos-rebuild switch --flake . + git push + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + wants = [ + "network-online.target" + ]; + after = [ + "network-online.target" ]; }; - polkit.enable = true; - }; - # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ - 80 # http - 443 # https - 53317 # Localsend - ]; - networking.firewall.allowedUDPPorts = [ - 80 - 443 - 53317 - ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; + environment.etc = { + "fail2ban/filter.d/go-login.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' + [Definition] + failregex=^time= level=WARN msg=".*?" ip= status=4\d\d$ + ''); + }; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 
- system.stateVersion = "23.11"; # Did you read the comment? -} + virtualisation.docker = { + enable = true; + rootless = { + enable = true; + setSocketVariable = true; + }; + }; + + boot.kernelModules = [ + "v4l2loopback" + "nct6775" + "k10temp" + ]; + + boot.extraModprobeConfig = '' + options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1 + ''; + security = { + polkit.enable = true; + }; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ + 80 # http + 443 # https + 53317 # Localsend + ]; + networking.firewall.allowedUDPPorts = [ + 80 + 443 + 53317 + ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.11"; # Did you read the comment? + } diff --git a/modules/websites/default.nix b/modules/websites/default.nix new file mode 100644 index 0000000..c1f2852 --- /dev/null +++ b/modules/websites/default.nix 
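Review bot: The new `modules = { games.steam.enable = false; modules.websites = { … }; }` block nests the second key under the first, so it defines `modules.modules.websites`, which no module declares, and evaluation fails before anything else in this commit is exercised; the inner key should be `websites = {`. The option names also have to agree with modules/websites/default.nix, where the option is spelled `cert_mail` and the declarations sit under `options.modules.nginx` (raised on that hunk). Dropping the explicit `security.acme` block here (and `networking.hosts` in the earlier hunk) is only safe once that module evaluates, so a `nixos-rebuild build --flake .` before switching would catch this instead of the daily root `update-flake` timer discovering it. Since most of the hunk is a re-indentation of unchanged services, splitting the formatting change from the functional one would leave a functional diff of about ten lines that can actually be reviewed.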
@@ -0,0 +1,125 @@
+{ config, options, lib, ... }:
+let
+ cfg = config.modules.websites;
+in
+{
+ options.modules.nginx =
+ {
+ enable = lib.mkEnableOption "enable web hosting";
+ cert_mail = lib.mkOption {
+ type = lib.types.str;
+ description = "the email address the certificate will be requested to";
+ };
+ mainDomains = lib.mkOption {
+ description = "nginx domains for which a certificate is needed";
+ type = with lib.types; attrsOf (submodule {
+ options =
+ let
+ proxyOption = lib.mkOption { type = int; description = "what url to proxy the requests to"; };
+ in
+ {
+ enable = lib.mkEnableOption "enable this website";
+ extra_sites = attrsOf
+ (submodule {
+ options = {
+ enable = lib.mkEnableOption "enable this website";
+ proxy = proxyOption;
+ };
+ });
+ proxy = proxyOption;
+ };
+ });
+ };
+ };
+ config = lib.mkIf cfg.enable (
+ let
+ hostnames = lib.lists.flatten (
+ lib.attrsets.mapAttrsToList
+ (
+ name: config:
+ lib.mkIf config.enable (
+ [ name ] ++ lib.attrsets.mapAttrsToList (n: c: lib.mkIf c.enable n) config.extra_sites
+ )
+ )
+ cfg.mainDomains
+ );
+ certs = lib.attrsets.MapAttrs
+ (
+ name: config:
+ lib.mkIf config.enable {
+ extraDomainNames = lib.attrsets.MapAttrsToList (n: c: lib.mkIf c.enable n) config.extra_sites;
+ }
+ )
+ cfg.mainDomains;
+ hosts = lib.attrsets.MapAtrrs
+ (
+ name: config:
+ let
+ extra = ''
+ client_max_body_size 50000M;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_redirect off;
+
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;'';
+ proxy = url: {
+ forceSSL = true;
+ useACMEHost = name;
+ extraConfig = extra;
+ locations."/" = {
+ proxyPass = url;
+ };
+ };
+ in
+ lib.mkIf config.enable (
+ lib.mkMerge (
+ {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = extra;
+ locations."/" = {
+ proxyPass = config.proxy;
+ };
+ }
+ ++ (lib.attrsets.MapAttrsToList
+ (n: c: lib.mkIf c.enable (proxy c.proxy))
+ config.extra_sites)
+ )
+ )
+ )
+ cfg.mainDomains;
+ in
+ {
+ networking.hosts = {
+ # NOTE: this is needed because I don't have hairpin nat. :(
+ "127.0.0.1" = hostnames;
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = cfg.cert_mail;
+ certs = certs;
+ };
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ virtualHosts = hosts;
+ };
+ }
+ );
+}
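Review bot: The module cannot evaluate as written: its options are declared under `options.modules.nginx` while `cfg = config.modules.websites` (and configuration.nix sets `modules.websites`), the caller sets `certMail` but the option is `cert_mail`, and `proxyOption` is typed `int` although every value passed is a URL string — `options.modules.websites =`, `certMail = lib.mkOption {`, `proxyOption = lib.mkOption { type = str; … }`. `lib.attrsets.MapAttrs`, `MapAttrsToList` and `MapAtrrs` are not nixpkgs functions (they are `mapAttrs` / `mapAttrsToList`), and `lib.mkMerge ({ … } ++ …)` applies `++` to an attrset. Beyond the spelling, the shape is off: `hostnames` and `extraDomainNames` put `lib.mkIf` values inside list elements, which the module system does not resolve, and `hosts` merges each extra site's vhost into the main domain's vhost instead of adding a separate `virtualHosts` entry keyed by the extra site's hostname, so `images.`/`sods.`/`testing.` would lose their own server blocks; the `name: config:` parameter also shadows the module's `config` argument. The sketch below filters on `enable` with `filterAttrs`, builds plain lists and attrsets, and keeps one vhost per hostname; the option block, the `extra` snippet and the final attrset are unchanged. Note that `extra` (`client_max_body_size 50000M`, websocket upgrade headers) now also applies to the main domain's proxy to port 3000, which the old configuration did not do — confirm that is intended.
```nix
    let
      enabledMains = lib.filterAttrs (_: d: d.enable) cfg.mainDomains;
      enabledExtras = d: lib.filterAttrs (_: s: s.enable) d.extra_sites;
      # plain strings only: a mkIf inside a list element is not resolved by the module system
      hostnames = lib.flatten (
        lib.mapAttrsToList (name: d: [ name ] ++ lib.attrNames (enabledExtras d)) enabledMains
      );
      certs = lib.mapAttrs (_: d: { extraDomainNames = lib.attrNames (enabledExtras d); }) enabledMains;
      # … unchanged: extra = ''…''; (hoisted out of the per-domain function) …
      proxied = certName: url: {
        forceSSL = true;
        useACMEHost = certName;
        extraConfig = extra;
        locations."/".proxyPass = url;
      };
      # one virtualHosts entry per hostname; extra sites reuse the main domain's certificate
      hosts = lib.concatMapAttrs
        (name: d:
          {
            ${name} = {
              forceSSL = true;
              enableACME = true;
              extraConfig = extra;
              locations."/".proxyPass = d.proxy;
            };
          }
          // lib.mapAttrs (_: s: proxied name s.proxy) (enabledExtras d))
        enabledMains;
    in
    # … unchanged: networking.hosts / security.acme / services.nginx attrset …
```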