From 38d4e7e12d6954c178c2b3ad788d9328726e07df Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Mon, 22 Nov 2021 15:12:43 +0100 Subject: [PATCH] Add editconfig, fix mixed indentation --- .editorconfig | 5 + config/.editorconfig | 4 + config/common/services/nginx.nix | 62 ++++++------ config/common/services/ssh.nix | 36 +++---- config/hosts/capetillo/configuration.nix | 96 +++++++++---------- .../capetillo/hardware-configuration.nix | 62 ++++++------ config/hosts/capetillo/services/mail.nix | 50 +++++----- config/hosts/capetillo/services/restic.nix | 24 ++--- deploy/default.nix | 34 +++---- 9 files changed, 191 insertions(+), 182 deletions(-) create mode 100644 .editorconfig create mode 100644 config/.editorconfig diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..538ba2b --- /dev/null +++ b/.editorconfig @@ -0,0 +1,5 @@ +root = true + +[*] +indent_style = tab +indent_size = 2 diff --git a/config/.editorconfig b/config/.editorconfig new file mode 100644 index 0000000..0bb15bf --- /dev/null +++ b/config/.editorconfig @@ -0,0 +1,4 @@ +root = true +[*] +indent_style = tab +indent_size = 2 diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix index 89a13a4..58ab094 100644 --- a/config/common/services/nginx.nix +++ b/config/common/services/nginx.nix 
@@ -1,43 +1,43 @@ { ... }: { - services.nginx = { - enable = true; + services.nginx = { + enable = true; - # Use recommended settings - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; + # Use recommended settings + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; - # Only allow PFS-enabled ciphers with AES256 - sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; + # Only allow PFS-enabled ciphers with AES256 + sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; - commonHttpConfig = '' - # Add HSTS header with preloading to HTTPS requests. - # Adding this header to HTTP requests is discouraged - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; + commonHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; - # Enable CSP for your services. - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + # Enable CSP for your services. 
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - # Minimize information leaked to other domains - add_header 'Referrer-Policy' 'same-origin'; + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'same-origin'; - # Disable embedding as a frame - add_header X-Frame-Options DENY; + # Disable embedding as a frame + add_header X-Frame-Options DENY; - # Prevent injection of code in other mime types (XSS Attacks) - add_header X-Content-Type-Options nosniff; + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; - # Enable XSS protection of the browser. - # May be unnecessary when CSP is configured properly (see above) - add_header X-XSS-Protection "1; mode=block"; + # Enable XSS protection of the browser. + # May be unnecessary when CSP is configured properly (see above) + add_header X-XSS-Protection "1; mode=block"; - # This might create errors - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - ''; - }; + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + ''; + }; } diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix index 914cd07..562cba6 100644 --- a/config/common/services/ssh.nix +++ b/config/common/services/ssh.nix 
@@ -1,28 +1,28 @@ { ... }: { - services.openssh = { - enable = true; - permitRootLogin = "no"; - passwordAuthentication = false; - challengeResponseAuthentication = false; - kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ]; + services.openssh = { + enable = true; + permitRootLogin = "no"; + passwordAuthentication = false; + challengeResponseAuthentication = false; + kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ]; ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ]; - macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ]; + macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ]; extraConfig = " HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256 "; - }; + }; - programs.ssh.knownHosts = { - despondos = { - hostNames = [ "despondos.nao.sh" ]; - publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub; - }; - }; + programs.ssh.knownHosts = { + despondos = { + hostNames = [ "despondos.nao.sh" ]; + publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub; + }; + }; - #services.sshguard = { - # enable = true; - # blocktime = 300; - #}; + #services.sshguard = { + # enable = true; + # blocktime = 300; + #}; } diff --git a/config/hosts/capetillo/configuration.nix b/config/hosts/capetillo/configuration.nix index 4251675..355cc40 100644 --- a/config/hosts/capetillo/configuration.nix +++ b/config/hosts/capetillo/configuration.nix 
@@ -1,70 +1,70 @@ { config, pkgs, lib, ... }: { - imports = - [ - ./hardware-configuration.nix - ../../common/services/ssh.nix - ../../common/services/acme.nix - ./services/nginx.nix - ./services/mail.nix - ./data/secrets/secrets.nix + imports = + [ + ./hardware-configuration.nix + ../../common/services/ssh.nix + ../../common/services/acme.nix + ./services/nginx.nix + ./services/mail.nix + ./data/secrets/secrets.nix ]; - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/sda"; - boot.supportedFilesystems = ["zfs"]; - services.zfs.autoSnapshot.enable = true; - services.zfs.autoScrub.enable = true; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; + boot.supportedFilesystems = ["zfs"]; + services.zfs.autoSnapshot.enable = true; + services.zfs.autoScrub.enable = true; - networking.hostName = "capetillo"; # Define your hostname. - networking.hostId = "17a9ec46"; - time.timeZone = "Europe/Copenhagen"; - networking.useDHCP = false; - networking.interfaces.ens3.useDHCP = true; - networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ]; - networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; + networking.hostName = "capetillo"; # Define your hostname. 
+ networking.hostId = "17a9ec46"; + time.timeZone = "Europe/Copenhagen"; + networking.useDHCP = false; + networking.interfaces.ens3.useDHCP = true; + networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ]; + networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; - users.users.emelie = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" - ]; - }; + users.users.emelie = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" + ]; + }; - users.users.deploy = { - isNormalUser = true; + users.users.deploy = { + isNormalUser = true; extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" - ]; - }; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" + ]; + }; - users.groups.backup.members = [ "virtualMail" ]; + users.groups.backup.members = [ "virtualMail" ]; - security.sudo.wheelNeedsPassword = false; + security.sudo.wheelNeedsPassword = false; - environment.systemPackages = with pkgs; [ - vim - htop + environment.systemPackages = with pkgs; [ + vim + htop iotop dig - ]; + ]; - nix.trustedUsers = [ - "root" + nix.trustedUsers = [ + "root" "deploy" - "@wheel" - ]; + "@wheel" + ]; - services.openssh.enable = true; + services.openssh.enable = true; - networking.firewall.allowedTCPPorts = [ 22 80 193 443 465 587 993 ]; - # networking.firewall.allowedUDPPorts = [ ... ]; + networking.firewall.allowedTCPPorts = [ 22 80 193 443 465 587 993 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; - system.stateVersion = "21.05"; + system.stateVersion = "21.05"; } 
diff --git a/config/hosts/capetillo/hardware-configuration.nix b/config/hosts/capetillo/hardware-configuration.nix index 812083f..7074e01 100644 --- a/config/hosts/capetillo/hardware-configuration.nix +++ b/config/hosts/capetillo/hardware-configuration.nix 
@@ -1,42 +1,42 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. { config, lib, pkgs, modulesPath, ... }: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - (modulesPath + "/profiles/minimal.nix") - ]; + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + (modulesPath + "/profiles/minimal.nix") + ]; - boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "rpool/safe/root"; - fsType = "zfs"; - }; + fileSystems."/" = + { device = "rpool/safe/root"; + fsType = "zfs"; + }; - fileSystems."/home" = - { device = "rpool/safe/home"; - fsType = "zfs"; - }; + fileSystems."/home" = + { device = "rpool/safe/home"; + fsType = "zfs"; + }; - fileSystems."/var/www" = - { device = "rpool/safe/webroot"; - fsType = "zfs"; - }; - fileSystems."/var/vmail" = - { device = "rpool/safe/mail"; - fsType = "zfs"; - }; - fileSystems."/nix" = - { device = "rpool/local/nix"; - fsType = "zfs"; - }; + fileSystems."/var/www" = + { device = "rpool/safe/webroot"; + fsType = "zfs"; + }; + fileSystems."/var/vmail" = + { device = "rpool/safe/mail"; + fsType = "zfs"; + }; + fileSystems."/nix" = + { device = "rpool/local/nix"; + fsType = "zfs"; + }; - swapDevices = [ ]; + swapDevices = [ ]; } diff --git a/config/hosts/capetillo/services/mail.nix b/config/hosts/capetillo/services/mail.nix index 8058063..a9e9aab 100644 
--- a/config/hosts/capetillo/services/mail.nix +++ b/config/hosts/capetillo/services/mail.nix @@ -1,32 +1,32 @@ { config, ... }: { - imports = [ - (builtins.fetchTarball { - # Pick a commit from the branch you are interested in - url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz"; - # And set its hash - sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi"; - }) - ]; + imports = [ + (builtins.fetchTarball { + # Pick a commit from the branch you are interested in + url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz"; + # And set its hash + sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi"; + }) + ]; - mailserver = { - enable = true; - fqdn = "nixaalb.org"; - domains = [ "nixaalb.org" ]; + mailserver = { + enable = true; + fqdn = "nixaalb.org"; + domains = [ "nixaalb.org" ]; - loginAccounts = { - "emelie@nixaalb.org" = { - hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file; + loginAccounts = { + "emelie@nixaalb.org" = { + hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file; aliases = [ "admin@nixaalb.org" ]; - }; - "sebastian@nixaalb.org" = { - hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file; - }; - "noreply@anarkafem.dev" = { - hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file; - }; - }; - certificateScheme = 3; - }; + }; + "sebastian@nixaalb.org" = { + hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file; + }; + "noreply@anarkafem.dev" = { + hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file; + }; + }; + certificateScheme = 3; + }; } 
diff --git a/config/hosts/capetillo/services/restic.nix b/config/hosts/capetillo/services/restic.nix index 6787e90..b49af89 100644 --- a/config/hosts/capetillo/services/restic.nix +++ b/config/hosts/capetillo/services/restic.nix @@ -2,16 +2,16 @@ { - services.restic.backups = { - "mail" = { - paths = [ "/var/vmail" ]; - repository = "sftp:restic@despondos.nao.sh:/etheria/backup/nixaalborg/capetillo/mail"; - initialize = true; - pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; - timerConfig = { "OnCalendar" = "02:15"; }; - extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; - passwordFile = builtins.toString config.secrets.files.restic_pass.file; - user = "virtualMail"; - }; - }; + services.restic.backups = { + "mail" = { + paths = [ "/var/vmail" ]; + repository = "sftp:restic@despondos.nao.sh:/etheria/backup/nixaalborg/capetillo/mail"; + initialize = true; + pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; + timerConfig = { "OnCalendar" = "02:15"; }; + extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; + passwordFile = builtins.toString config.secrets.files.restic_pass.file; + user = "virtualMail"; + }; + }; } diff --git a/deploy/default.nix b/deploy/default.nix index dad5a6d..69a7d1f 100644 --- a/deploy/default.nix +++ b/deploy/default.nix 
@@ -1,23 +1,23 @@ let - sources = import ../config/sources; + sources = import ../config/sources; in import "${sources.nixus}" {} ({ config, ... }: { - defaults = { name, ... }: { - configuration = { lib, ... }: { - networking.hostName = lib.mkDefault name; - }; + defaults = { name, ... }: { + configuration = { lib, ... }: { + networking.hostName = lib.mkDefault name; + }; - # use our nixpkgs from niv - nixpkgs = sources.nixpkgs; - }; + # use our nixpkgs from niv + nixpkgs = sources.nixpkgs; + }; - nodes = { - capetillo = { lib, config, ... }: { - host = "deploy@nixaalb.org"; - configuration = ../config/hosts/capetillo/configuration.nix; - switchTimeout = 300; - successTimeout = 300; - #ignoreFailingSystemdUnits = true; - }; - }; + nodes = { + mail = { lib, config, ... }: { + host = "deploy@nixaalb.org"; + configuration = ../config/hosts/capetillo/configuration.nix; + switchTimeout = 300; + successTimeout = 300; + #ignoreFailingSystemdUnits = true; + }; + }; })
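Review bot: The node key changes from `capetillo` to `mail` inside the `nodes` attribute set, a functional change in a commit whose subject promises only an editorconfig and indentation fixes. Because `defaults` sets `networking.hostName = lib.mkDefault name`, the node name feeds the default hostname; the explicit `networking.hostName = "capetillo"` in config/hosts/capetillo/configuration.nix (hunk at L5–L6) still overrides `mkDefault`, so the effective hostname appears unchanged, but anything that addresses this node by name in the deploy tooling presumably now has to use `mail`, and the name no longer matches the `config/hosts/capetillo` directory it points at. Either keep `capetillo = { lib, config, ... }: {` here and land the rename as its own commit, or state in the commit message that the node was renamed and why.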