noa/nixconf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

let's hope this works

Browse source
This commit is contained in:
Noa Aarts 2024-06-05 21:06:03 +02:00
parent 4b580a4f29
commit 5b4cc25a87
2 changed files with 300 additions and 209 deletions
Download patch file Download diff file Expand all files Collapse all files

384
hosts/default/configuration.nix
View file

@ -9,6 +9,7 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../modules/games/steam.nix ../../modules/games/steam.nix
../../modules/websites
inputs.nix-minecraft.nixosModules.minecraft-servers inputs.nix-minecraft.nixosModules.minecraft-servers
]; ];
@ -45,9 +46,6 @@
networking = { networking = {
hostName = "lambdaOS"; # Define your hostname. hostName = "lambdaOS"; # Define your hostname.
hosts = {
"127.0.0.1" = [ "images.noa.voorwaarts.nl" "sods.noa.voorwaarts.nl" "noa.voorwaarts.nl" "testing.noa.voorwaarts.nl" ];
};
}; };
# networking.wireless.enable = true;# Enables wireless support via wpa_supplicant. # networking.wireless.enable = true;# Enables wireless support via wpa_supplicant.
@ -163,225 +161,193 @@
]; ];
}; };
modules.games.steam.enable = false; modules = {
games.steam.enable = false;
users.defaultUserShell = pkgs.zsh; modules.websites = {
security.rtkit.enable = true;
services = {
pipewire = {
enable = true; enable = true;
alsa.enable = true; certMail = "acme@voorwaarts.nl";
alsa.support32Bit = true; mainDomains = {
pulse.enable = true; "noa.voorwaarts.nl" = {
jack.enable = true;
};
fail2ban = {
enable = true;
maxretry = 5;
bantime = "1s";
bantime-increment = {
enable = true;
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
maxtime = "1h";
overalljails = true;
};
jails = {
go-login.settings = {
enabled = true;
filter = "go-login";
action = ''iptables-multiport[name=HTTP, port="http,https,2000"]'';
logpath = "/home/noa/Documents/programming/SODS/login.log";
backend = "systemd";
findtime = 600;
bantime = 600;
maxretry = 5;
};
};
};
greetd = {
enable = true;
settings = rec {
initial_session = {
command = "${pkgs.hyprland}/bin/Hyprland";
user = "noa";
};
default_session = initial_session;
};
};
minecraft-servers = {
enable = false;
eula = true;
openFirewall = true;
servers = {
"no-flicker" = {
enable = true; enable = true;
package = pkgs.minecraftServers.paper-1_20_4; proxy = "http://127.0.0.1:3000/";
}; extra_sites = {
}; "images.noa.voorwaarts.nl" = {
}; enable = true;
nginx = { proxy = "http://127.0.0.1:2283/";
enable = true; };
"testing.noa.voorwaarts.nl" = {
recommendedGzipSettings = true; enable = true;
recommendedOptimisation = true; proxy = "http://127.0.0.1:8000/";
recommendedProxySettings = true; };
recommendedTlsSettings = true; "sods.noa.voorwaarts.nl" = {
enable = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; proxy = "http://127.0.0.1:2000/";
virtualHosts =
let
extra = ''
client_max_body_size 50000M;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;'';
proxy = port: {
forceSSL = true;
useACMEHost = "noa.voorwaarts.nl";
extraConfig = extra;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}/";
}; };
}; };
in
{
"noa.voorwaarts.nl" = {
default = true;
forceSSL = true;
enableACME = true;
};
"images.noa.voorwaarts.nl" = proxy 2283;
"testing.noa.voorwaarts.nl" = proxy 8000;
"sods.noa.voorwaarts.nl" = proxy 2000;
}; };
};
openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
};
syncthing = {
enable = true;
user = "noa";
dataDir = "/home/noa/Sync";
configDir = "/home/noa/Sync/.config/syncthing";
};
xserver = {
enable = true;
xkb = {
layout = "us";
variant = "intl";
}; };
videoDrivers = [ "nvidia" ];
}; };
flatpak.enable = true;
};
systemd.timers."update-flake" = { users.defaultUserShell = pkgs.zsh;
wantedBy = [ "timers.target" ];
timerConfig = { security.rtkit.enable = true;
OnCalendar = "daily";
Persistent = true; services = {
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
fail2ban = {
enable = true;
maxretry = 5;
bantime = "1s";
bantime-increment = {
enable = true;
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
maxtime = "1h";
overalljails = true;
};
jails = {
go-login.settings = {
enabled = true;
filter = "go-login";
action = ''iptables-multiport[name=HTTP, port="http,https,2000"]'';
logpath = "/home/noa/Documents/programming/SODS/login.log";
backend = "systemd";
findtime = 600;
bantime = 600;
maxretry = 5;
};
};
};
greetd = {
enable = true;
settings = rec {
initial_session = {
command = "${pkgs.hyprland}/bin/Hyprland";
user = "noa";
};
default_session = initial_session;
};
};
minecraft-servers = {
enable = false;
eula = true;
openFirewall = true;
servers = {
"no-flicker" = {
enable = true;
package = pkgs.minecraftServers.paper-1_20_4;
};
};
};
openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
};
syncthing = {
enable = true;
user = "noa";
dataDir = "/home/noa/Sync";
configDir = "/home/noa/Sync/.config/syncthing";
};
xserver = {
enable = true;
xkb = {
layout = "us";
variant = "intl";
};
videoDrivers = [ "nvidia" ];
};
flatpak.enable = true;
}; };
};
systemd.services."update-flake" = { systemd.timers."update-flake" = {
path = with pkgs; [ wantedBy = [ "timers.target" ];
git timerConfig = {
openssh OnCalendar = "daily";
nix Persistent = true;
nixos-rebuild };
];
script = ''
[[ ! -d '/root/nixconf' ]] && cd /root && git clone git@github.com:itepastra/nixconf
cd /root/nixconf
git pull
nix flake update --commit-lock-file /root/nixconf
nixos-rebuild switch --flake .
git push
'';
serviceConfig = {
Type = "oneshot";
User = "root";
}; };
wants = [
"network-online.target"
];
after = [
"network-online.target"
];
};
environment.etc = { systemd.services."update-flake" = {
"fail2ban/filter.d/go-login.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' path = with pkgs; [
[Definition] git
failregex=^time= level=WARN msg=".*?" ip=<ADDR> status=4\d\d$ openssh
''); nix
}; nixos-rebuild
];
virtualisation.docker = { script = ''
enable = true; [[ ! -d '/root/nixconf' ]] && cd /root && git clone git@github.com:itepastra/nixconf
rootless = { cd /root/nixconf
enable = true; git pull
setSocketVariable = true; nix flake update --commit-lock-file /root/nixconf
}; nixos-rebuild switch --flake .
}; git push
'';
boot.kernelModules = [ serviceConfig = {
"v4l2loopback" Type = "oneshot";
"nct6775" User = "root";
"k10temp" };
]; wants = [
"network-online.target"
boot.extraModprobeConfig = '' ];
options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1 after = [
''; "network-online.target"
security = {
acme = {
acceptTerms = true;
defaults.email = "acme@voorwaarts.nl";
certs."noa.voorwaarts.nl".extraDomainNames = [
"images.noa.voorwaarts.nl"
"sods.noa.voorwaarts.nl"
"testing.noa.voorwaarts.nl"
]; ];
}; };
polkit.enable = true;
};
# Open ports in the firewall. environment.etc = {
networking.firewall.allowedTCPPorts = [ "fail2ban/filter.d/go-login.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
80 # http [Definition]
443 # https failregex=^time= level=WARN msg=".*?" ip=<ADDR> status=4\d\d$
53317 # Localsend '');
]; };
networking.firewall.allowedUDPPorts = [
80
443
53317
];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default virtualisation.docker = {
# settings for stateful data, like file locations and database versions enable = true;
# on your system were taken. Its perfectly fine and recommended to leave rootless = {
# this value at the release version of the first install of this system. enable = true;
# Before changing this value read the documentation for this option setSocketVariable = true;
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). };
system.stateVersion = "23.11"; # Did you read the comment? };
}
boot.kernelModules = [
"v4l2loopback"
"nct6775"
"k10temp"
];
boot.extraModprobeConfig = ''
options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1
'';
security = {
polkit.enable = true;
};
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [
80 # http
443 # https
53317 # Localsend
];
networking.firewall.allowedUDPPorts = [
80
443
53317
];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
}

125
modules/websites/default.nix Normal file
View file

@ -0,0 +1,125 @@
{ config, options, lib, ... }:
let
cfg = config.modules.websites;
in
{
options.modules.nginx =
{
enable = lib.mkEnableOption "enable web hosting";
cert_mail = lib.mkOption {
type = lib.types.str;
description = "the email address the certificate will be requested to";
};
mainDomains = lib.mkOption {
description = "nginx domains for which a certificate is needed";
type = with lib.types; attrsOf (submodule {
options =
let
proxyOption = lib.mkOption { type = int; description = "what url to proxy the requests to"; };
in
{
enable = lib.mkEnableOption "enable this website";
extra_sites = attrsOf
(submodule {
options = {
enable = lib.mkEnableOption "enable this website";
proxy = proxyOption;
};
});
proxy = proxyOption;
};
});
};
};
config = lib.mkIf cfg.enable (
let
hostnames = lib.lists.flatten (
lib.attrsets.mapAttrsToList
(
name: config:
lib.mkIf config.enable (
[ name ] ++ lib.attrsets.mapAttrsToList (n: c: lib.mkIf c.enable n) config.extra_sites
)
)
cfg.mainDomains
);
certs = lib.attrsets.MapAttrs
(
name: config:
lib.mkIf config.enable {
extraDomainNames = lib.attrsets.MapAttrsToList (n: c: lib.mkIf c.enable n) config.extra_sites;
}
)
cfg.mainDomains;
hosts = lib.attrsets.MapAtrrs
(
name: config:
let
extra = ''
client_max_body_size 50000M;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;'';
proxy = url: {
forceSSL = true;
useACMEHost = name;
extraConfig = extra;
locations."/" = {
proxyPass = url;
};
};
in
lib.mkIf config.enable (
lib.mkMerge (
{
forceSSL = true;
enableACME = true;
extraConfig = extra;
locations."/" = {
proxyPass = config.proxy;
};
}
++ (lib.attrsets.MapAttrsToList
(n: c: lib.mkIf c.enable (proxy c.proxy))
config.extra_sites)
)
)
)
cfg.mainDomains;
in
{
networking.hosts = {
# NOTE: this is needed because I don't have hairpin nat. :(
"127.0.0.1" = hostnames;
};
security.acme = {
acceptTerms = true;
defaults.email = cfg.cert_mail;
certs = certs;
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts = hosts;
};
}
);
}