Add editconfig, fix mixed indentation
This commit is contained in:
parent
fae0ad2936
commit
38d4e7e12d
5
.editorconfig
Normal file
5
.editorconfig
Normal file
|
@ -0,0 +1,5 @@
|
|||
root = true
|
||||
|
||||
[*]
|
||||
indent_style = tab
|
||||
indent_size = 2
|
4
config/.editorconfig
Normal file
4
config/.editorconfig
Normal file
|
@ -0,0 +1,4 @@
|
|||
root = true
|
||||
[*]
|
||||
indent_style = tab
|
||||
indent_size = 2
|
|
@ -1,43 +1,43 @@
|
|||
{ ... }:
|
||||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
# Use recommended settings
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
# Use recommended settings
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
||||
# Only allow PFS-enabled ciphers with AES256
|
||||
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
|
||||
# Only allow PFS-enabled ciphers with AES256
|
||||
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
|
||||
|
||||
commonHttpConfig = ''
|
||||
# Add HSTS header with preloading to HTTPS requests.
|
||||
# Adding this header to HTTP requests is discouraged
|
||||
map $scheme $hsts_header {
|
||||
https "max-age=31536000; includeSubdomains; preload";
|
||||
}
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
commonHttpConfig = ''
|
||||
# Add HSTS header with preloading to HTTPS requests.
|
||||
# Adding this header to HTTP requests is discouraged
|
||||
map $scheme $hsts_header {
|
||||
https "max-age=31536000; includeSubdomains; preload";
|
||||
}
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
||||
# Enable CSP for your services.
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
# Enable CSP for your services.
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
|
||||
# Minimize information leaked to other domains
|
||||
add_header 'Referrer-Policy' 'same-origin';
|
||||
# Minimize information leaked to other domains
|
||||
add_header 'Referrer-Policy' 'same-origin';
|
||||
|
||||
# Disable embedding as a frame
|
||||
add_header X-Frame-Options DENY;
|
||||
# Disable embedding as a frame
|
||||
add_header X-Frame-Options DENY;
|
||||
|
||||
# Prevent injection of code in other mime types (XSS Attacks)
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
# Prevent injection of code in other mime types (XSS Attacks)
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
||||
# Enable XSS protection of the browser.
|
||||
# May be unnecessary when CSP is configured properly (see above)
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
# Enable XSS protection of the browser.
|
||||
# May be unnecessary when CSP is configured properly (see above)
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
|
||||
# This might create errors
|
||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
'';
|
||||
};
|
||||
# This might create errors
|
||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,28 +1,28 @@
|
|||
{ ... }:
|
||||
{
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
permitRootLogin = "no";
|
||||
passwordAuthentication = false;
|
||||
challengeResponseAuthentication = false;
|
||||
kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
permitRootLogin = "no";
|
||||
passwordAuthentication = false;
|
||||
challengeResponseAuthentication = false;
|
||||
kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
|
||||
ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ];
|
||||
macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];
|
||||
macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];
|
||||
extraConfig = "
|
||||
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
|
||||
";
|
||||
};
|
||||
};
|
||||
|
||||
programs.ssh.knownHosts = {
|
||||
despondos = {
|
||||
hostNames = [ "despondos.nao.sh" ];
|
||||
publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
|
||||
};
|
||||
};
|
||||
programs.ssh.knownHosts = {
|
||||
despondos = {
|
||||
hostNames = [ "despondos.nao.sh" ];
|
||||
publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
|
||||
};
|
||||
};
|
||||
|
||||
#services.sshguard = {
|
||||
# enable = true;
|
||||
# blocktime = 300;
|
||||
#};
|
||||
#services.sshguard = {
|
||||
# enable = true;
|
||||
# blocktime = 300;
|
||||
#};
|
||||
}
|
||||
|
||||
|
|
|
@ -1,70 +1,70 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
../../common/services/ssh.nix
|
||||
../../common/services/acme.nix
|
||||
./services/nginx.nix
|
||||
./services/mail.nix
|
||||
./data/secrets/secrets.nix
|
||||
imports =
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
../../common/services/ssh.nix
|
||||
../../common/services/acme.nix
|
||||
./services/nginx.nix
|
||||
./services/mail.nix
|
||||
./data/secrets/secrets.nix
|
||||
];
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
boot.supportedFilesystems = ["zfs"];
|
||||
services.zfs.autoSnapshot.enable = true;
|
||||
services.zfs.autoScrub.enable = true;
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
boot.supportedFilesystems = ["zfs"];
|
||||
services.zfs.autoSnapshot.enable = true;
|
||||
services.zfs.autoScrub.enable = true;
|
||||
|
||||
networking.hostName = "capetillo"; # Define your hostname.
|
||||
networking.hostId = "17a9ec46";
|
||||
time.timeZone = "Europe/Copenhagen";
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.ens3.useDHCP = true;
|
||||
networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ];
|
||||
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
|
||||
networking.hostName = "capetillo"; # Define your hostname.
|
||||
networking.hostId = "17a9ec46";
|
||||
time.timeZone = "Europe/Copenhagen";
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.ens3.useDHCP = true;
|
||||
networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ];
|
||||
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
|
||||
|
||||
users.users.emelie = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
|
||||
];
|
||||
};
|
||||
users.users.emelie = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
|
||||
];
|
||||
};
|
||||
|
||||
users.users.deploy = {
|
||||
isNormalUser = true;
|
||||
users.users.deploy = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
|
||||
];
|
||||
};
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
|
||||
];
|
||||
};
|
||||
|
||||
users.groups.backup.members = [ "virtualMail" ];
|
||||
users.groups.backup.members = [ "virtualMail" ];
|
||||
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
htop
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
htop
|
||||
iotop
|
||||
dig
|
||||
];
|
||||
];
|
||||
|
||||
nix.trustedUsers = [
|
||||
"root"
|
||||
nix.trustedUsers = [
|
||||
"root"
|
||||
"deploy"
|
||||
"@wheel"
|
||||
];
|
||||
"@wheel"
|
||||
];
|
||||
|
||||
services.openssh.enable = true;
|
||||
services.openssh.enable = true;
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 22 80 193 443 465 587 993 ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
networking.firewall.allowedTCPPorts = [ 22 80 193 443 465 587 993 ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
|
||||
|
||||
system.stateVersion = "21.05";
|
||||
system.stateVersion = "21.05";
|
||||
|
||||
}
|
||||
|
|
|
@ -1,42 +1,42 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||
(modulesPath + "/profiles/minimal.nix")
|
||||
];
|
||||
imports =
|
||||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||
(modulesPath + "/profiles/minimal.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "rpool/safe/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/" =
|
||||
{ device = "rpool/safe/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/home" =
|
||||
{ device = "rpool/safe/home";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/home" =
|
||||
{ device = "rpool/safe/home";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/www" =
|
||||
{ device = "rpool/safe/webroot";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/var/vmail" =
|
||||
{ device = "rpool/safe/mail";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/nix" =
|
||||
{ device = "rpool/local/nix";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/var/www" =
|
||||
{ device = "rpool/safe/webroot";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/var/vmail" =
|
||||
{ device = "rpool/safe/mail";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/nix" =
|
||||
{ device = "rpool/local/nix";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
swapDevices = [ ];
|
||||
|
||||
}
|
||||
|
|
|
@ -1,32 +1,32 @@
|
|||
{ config, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
(builtins.fetchTarball {
|
||||
# Pick a commit from the branch you are interested in
|
||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
|
||||
# And set its hash
|
||||
sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
|
||||
})
|
||||
];
|
||||
imports = [
|
||||
(builtins.fetchTarball {
|
||||
# Pick a commit from the branch you are interested in
|
||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
|
||||
# And set its hash
|
||||
sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
|
||||
})
|
||||
];
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "nixaalb.org";
|
||||
domains = [ "nixaalb.org" ];
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "nixaalb.org";
|
||||
domains = [ "nixaalb.org" ];
|
||||
|
||||
loginAccounts = {
|
||||
"emelie@nixaalb.org" = {
|
||||
hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file;
|
||||
loginAccounts = {
|
||||
"emelie@nixaalb.org" = {
|
||||
hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file;
|
||||
aliases = [ "admin@nixaalb.org" ];
|
||||
};
|
||||
"sebastian@nixaalb.org" = {
|
||||
hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file;
|
||||
};
|
||||
"noreply@anarkafem.dev" = {
|
||||
hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
|
||||
};
|
||||
};
|
||||
certificateScheme = 3;
|
||||
};
|
||||
};
|
||||
"sebastian@nixaalb.org" = {
|
||||
hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file;
|
||||
};
|
||||
"noreply@anarkafem.dev" = {
|
||||
hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
|
||||
};
|
||||
};
|
||||
certificateScheme = 3;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -2,16 +2,16 @@
|
|||
|
||||
{
|
||||
|
||||
services.restic.backups = {
|
||||
"mail" = {
|
||||
paths = [ "/var/vmail" ];
|
||||
repository = "sftp:restic@despondos.nao.sh:/etheria/backup/nixaalborg/capetillo/mail";
|
||||
initialize = true;
|
||||
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
|
||||
timerConfig = { "OnCalendar" = "02:15"; };
|
||||
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
||||
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
||||
user = "virtualMail";
|
||||
};
|
||||
};
|
||||
services.restic.backups = {
|
||||
"mail" = {
|
||||
paths = [ "/var/vmail" ];
|
||||
repository = "sftp:restic@despondos.nao.sh:/etheria/backup/nixaalborg/capetillo/mail";
|
||||
initialize = true;
|
||||
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
|
||||
timerConfig = { "OnCalendar" = "02:15"; };
|
||||
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
|
||||
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
|
||||
user = "virtualMail";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,23 +1,23 @@
|
|||
let
|
||||
sources = import ../config/sources;
|
||||
sources = import ../config/sources;
|
||||
in import "${sources.nixus}" {} ({ config, ... }: {
|
||||
|
||||
defaults = { name, ... }: {
|
||||
configuration = { lib, ... }: {
|
||||
networking.hostName = lib.mkDefault name;
|
||||
};
|
||||
defaults = { name, ... }: {
|
||||
configuration = { lib, ... }: {
|
||||
networking.hostName = lib.mkDefault name;
|
||||
};
|
||||
|
||||
# use our nixpkgs from niv
|
||||
nixpkgs = sources.nixpkgs;
|
||||
};
|
||||
# use our nixpkgs from niv
|
||||
nixpkgs = sources.nixpkgs;
|
||||
};
|
||||
|
||||
nodes = {
|
||||
capetillo = { lib, config, ... }: {
|
||||
host = "deploy@nixaalb.org";
|
||||
configuration = ../config/hosts/capetillo/configuration.nix;
|
||||
switchTimeout = 300;
|
||||
successTimeout = 300;
|
||||
#ignoreFailingSystemdUnits = true;
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
mail = { lib, config, ... }: {
|
||||
host = "deploy@nixaalb.org";
|
||||
configuration = ../config/hosts/capetillo/configuration.nix;
|
||||
switchTimeout = 300;
|
||||
successTimeout = 300;
|
||||
#ignoreFailingSystemdUnits = true;
|
||||
};
|
||||
};
|
||||
})
|
||||
|
|
Loading…
Reference in a new issue