nixaalborg
/
nixos
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add editconfig, fix mixed indentation

This commit is contained in:
Emelie Graven 2021-11-22 15:12:43 +01:00
parent fae0ad2936
commit 38d4e7e12d
Signed by: emelie
GPG Key ID: C11123726DBB55A1
9 changed files with 191 additions and 182 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.editorconfig Normal file
View File

@ -0,0 +1,5 @@
root = true
[*]
indent_style = tab
indent_size = 2

4
config/.editorconfig Normal file
View File

@ -0,0 +1,4 @@
root = true
[*]
indent_style = tab
indent_size = 2

62
config/common/services/nginx.nix
View File

@ -1,43 +1,43 @@
{ ... }: { ... }:
{ {
services.nginx = { services.nginx = {
enable = true; enable = true;
# Use recommended settings # Use recommended settings
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256 # Only allow PFS-enabled ciphers with AES256
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
commonHttpConfig = '' commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests. # Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged # Adding this header to HTTP requests is discouraged
map $scheme $hsts_header { map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload"; https "max-age=31536000; includeSubdomains; preload";
} }
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services. # Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains # Minimize information leaked to other domains
add_header 'Referrer-Policy' 'same-origin'; add_header 'Referrer-Policy' 'same-origin';
# Disable embedding as a frame # Disable embedding as a frame
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks) # Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser. # Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above) # May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
# This might create errors # This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
''; '';
}; };
} }

36
config/common/services/ssh.nix
View File

@ -1,28 +1,28 @@
{ ... }: { ... }:
{ {
services.openssh = { services.openssh = {
enable = true; enable = true;
permitRootLogin = "no"; permitRootLogin = "no";
passwordAuthentication = false; passwordAuthentication = false;
challengeResponseAuthentication = false; challengeResponseAuthentication = false;
kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ]; kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ]; ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ];
macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ]; macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];
extraConfig = " extraConfig = "
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256 HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
"; ";
}; };
programs.ssh.knownHosts = { programs.ssh.knownHosts = {
despondos = { despondos = {
hostNames = [ "despondos.nao.sh" ]; hostNames = [ "despondos.nao.sh" ];
publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub; publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
}; };
}; };
#services.sshguard = { #services.sshguard = {
# enable = true; # enable = true;
# blocktime = 300; # blocktime = 300;
#}; #};
} }

96
config/hosts/capetillo/configuration.nix
View File

@ -1,70 +1,70 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/services/ssh.nix ../../common/services/ssh.nix
../../common/services/acme.nix ../../common/services/acme.nix
./services/nginx.nix ./services/nginx.nix
./services/mail.nix ./services/mail.nix
./data/secrets/secrets.nix ./data/secrets/secrets.nix
]; ];
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.version = 2; boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
boot.supportedFilesystems = ["zfs"]; boot.supportedFilesystems = ["zfs"];
services.zfs.autoSnapshot.enable = true; services.zfs.autoSnapshot.enable = true;
services.zfs.autoScrub.enable = true; services.zfs.autoScrub.enable = true;
networking.hostName = "capetillo"; # Define your hostname. networking.hostName = "capetillo"; # Define your hostname.
networking.hostId = "17a9ec46"; networking.hostId = "17a9ec46";
time.timeZone = "Europe/Copenhagen"; time.timeZone = "Europe/Copenhagen";
networking.useDHCP = false; networking.useDHCP = false;
networking.interfaces.ens3.useDHCP = true; networking.interfaces.ens3.useDHCP = true;
networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ]; networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ];
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
users.users.emelie = { users.users.emelie = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
]; ];
}; };
users.users.deploy = { users.users.deploy = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
]; ];
}; };
users.groups.backup.members = [ "virtualMail" ]; users.groups.backup.members = [ "virtualMail" ];
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
vim vim
htop htop
iotop iotop
dig dig
]; ];
nix.trustedUsers = [ nix.trustedUsers = [
"root" "root"
"deploy" "deploy"
"@wheel" "@wheel"
]; ];
services.openssh.enable = true; services.openssh.enable = true;
networking.firewall.allowedTCPPorts = [ 22 80 193 443 465 587 993 ]; networking.firewall.allowedTCPPorts = [ 22 80 193 443 465 587 993 ];
# networking.firewall.allowedUDPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ];
system.stateVersion = "21.05"; system.stateVersion = "21.05";
} }

62
config/hosts/capetillo/hardware-configuration.nix
View File

@ -1,42 +1,42 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports =
[ (modulesPath + "/profiles/qemu-guest.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/profiles/minimal.nix") (modulesPath + "/profiles/minimal.nix")
]; ];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "rpool/safe/root"; { device = "rpool/safe/root";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/home" = fileSystems."/home" =
{ device = "rpool/safe/home"; { device = "rpool/safe/home";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/www" = fileSystems."/var/www" =
{ device = "rpool/safe/webroot"; { device = "rpool/safe/webroot";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/vmail" = fileSystems."/var/vmail" =
{ device = "rpool/safe/mail"; { device = "rpool/safe/mail";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/nix" = fileSystems."/nix" =
{ device = "rpool/local/nix"; { device = "rpool/local/nix";
fsType = "zfs"; fsType = "zfs";
}; };
swapDevices = [ ]; swapDevices = [ ];
} }

50
config/hosts/capetillo/services/mail.nix
View File

@ -1,32 +1,32 @@
{ config, ... }: { config, ... }:
{ {
imports = [ imports = [
(builtins.fetchTarball { (builtins.fetchTarball {
# Pick a commit from the branch you are interested in # Pick a commit from the branch you are interested in
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz"; url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
# And set its hash # And set its hash
sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi"; sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
}) })
]; ];
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = "nixaalb.org"; fqdn = "nixaalb.org";
domains = [ "nixaalb.org" ]; domains = [ "nixaalb.org" ];
loginAccounts = { loginAccounts = {
"emelie@nixaalb.org" = { "emelie@nixaalb.org" = {
hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file; hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file;
aliases = [ "admin@nixaalb.org" ]; aliases = [ "admin@nixaalb.org" ];
}; };
"sebastian@nixaalb.org" = { "sebastian@nixaalb.org" = {
hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file; hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file;
}; };
"noreply@anarkafem.dev" = { "noreply@anarkafem.dev" = {
hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file; hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
}; };
}; };
certificateScheme = 3; certificateScheme = 3;
}; };
} }

24
config/hosts/capetillo/services/restic.nix
View File

@ -2,16 +2,16 @@
{ {
services.restic.backups = { services.restic.backups = {
"mail" = { "mail" = {
paths = [ "/var/vmail" ]; paths = [ "/var/vmail" ];
repository = "sftp:restic@despondos.nao.sh:/etheria/backup/nixaalborg/capetillo/mail"; repository = "sftp:restic@despondos.nao.sh:/etheria/backup/nixaalborg/capetillo/mail";
initialize = true; initialize = true;
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
timerConfig = { "OnCalendar" = "02:15"; }; timerConfig = { "OnCalendar" = "02:15"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file; passwordFile = builtins.toString config.secrets.files.restic_pass.file;
user = "virtualMail"; user = "virtualMail";
}; };
}; };
} }

34
deploy/default.nix
View File

@ -1,23 +1,23 @@
let let
sources = import ../config/sources; sources = import ../config/sources;
in import "${sources.nixus}" {} ({ config, ... }: { in import "${sources.nixus}" {} ({ config, ... }: {
defaults = { name, ... }: { defaults = { name, ... }: {
configuration = { lib, ... }: { configuration = { lib, ... }: {
networking.hostName = lib.mkDefault name; networking.hostName = lib.mkDefault name;
}; };
# use our nixpkgs from niv # use our nixpkgs from niv
nixpkgs = sources.nixpkgs; nixpkgs = sources.nixpkgs;
}; };
nodes = { nodes = {
capetillo = { lib, config, ... }: { mail = { lib, config, ... }: {
host = "deploy@nixaalb.org"; host = "deploy@nixaalb.org";
configuration = ../config/hosts/capetillo/configuration.nix; configuration = ../config/hosts/capetillo/configuration.nix;
switchTimeout = 300; switchTimeout = 300;
successTimeout = 300; successTimeout = 300;
#ignoreFailingSystemdUnits = true; #ignoreFailingSystemdUnits = true;
}; };
}; };
}) })