From 1c86119fbb179c82613b8088ea08220c9e665684 Mon Sep 17 00:00:00 2001 From: reidlab Date: Tue, 22 Aug 2023 21:49:15 -0700 Subject: [PATCH] whole entire revamp --- default.nix | 17 ++ flake.lock | 37 +++- flake.nix | 36 ++-- hosts/server/configuration.nix | 251 ------------------------ hosts/server/default.nix | 67 +++++++ hosts/server/hardware-configuration.nix | 17 +- hosts/server/webapps/default.nix | 54 +++++ lib/default.nix | 15 ++ lib/modules.nix | 27 +++ lib/nixos.nix | 21 ++ modules/keyboard.nix | 17 ++ modules/services/forgejo.nix | 81 ++++++++ modules/services/mosh.nix | 19 ++ modules/services/nginx-conf.nix | 109 ++++++++++ modules/services/postgres.nix | 19 ++ modules/services/redis.nix | 19 ++ modules/services/ssh.nix | 35 ++++ modules/users.nix | 82 ++++++++ overlays/.gitkeep | 0 packages/.gitkeep | 0 readme.md | 1 - 21 files changed, 652 insertions(+), 272 deletions(-) create mode 100644 default.nix delete mode 100755 hosts/server/configuration.nix create mode 100755 hosts/server/default.nix create mode 100644 hosts/server/webapps/default.nix create mode 100644 lib/default.nix create mode 100644 lib/modules.nix create mode 100644 lib/nixos.nix create mode 100644 modules/keyboard.nix create mode 100644 modules/services/forgejo.nix create mode 100644 modules/services/mosh.nix create mode 100644 modules/services/nginx-conf.nix create mode 100644 modules/services/postgres.nix create mode 100644 modules/services/redis.nix create mode 100644 modules/services/ssh.nix create mode 100644 modules/users.nix create mode 100644 overlays/.gitkeep create mode 100644 packages/.gitkeep diff --git a/default.nix b/default.nix new file mode 100644 index 0000000..97e07dd --- /dev/null +++ b/default.nix 
@@ -0,0 +1,17 @@ +{ config, inputs, lib, pkgs, ... }: + +let + inherit (lib) filterAttrs _; +in { + imports = + [ inputs.home-manager.nixosModules.home-manager ] + ++ _.mapModulesRec' ./modules import; + + environment.systemPackages = with pkgs; [ + curl git + ]; + + i18n.defaultLocale = "en_US.UTF-8"; + + system.stateVersion = lib.mkDefault "23.11"; +} diff --git a/flake.lock b/flake.lock index 574bf19..586c440 100755 --- a/flake.lock +++ b/flake.lock @@ -1,6 +1,40 @@ { "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1692720545, + "narHash": "sha256-DQDremUH7lRxiZEIVh6C6kQusuPe1vUKtiVl29nmP0E=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "8eb8c212e50e2fd95af5849585a2eb819add0a1e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "nixpkgs": { + "locked": { + "lastModified": 1692447944, + "narHash": "sha256-fkJGNjEmTPvqBs215EQU4r9ivecV5Qge5cF/QDLVn3U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d680ded26da5cf104dd2735a51e88d2d8f487b4d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1691654369, "narHash": "sha256-gSILTEx1jRaJjwZxRlnu3ZwMn1FVNk80qlwiCX8kmpo=", @@ -18,7 +52,8 @@ }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "home-manager": "home-manager", + "nixpkgs": "nixpkgs_2" } } }, diff --git a/flake.nix b/flake.nix index 0061ec5..a4e0cb3 100755 --- a/flake.nix +++ b/flake.nix 
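Review bot: `inherit (lib) filterAttrs _;` in the new default.nix binds `filterAttrs`, which nothing in the file uses; the only name referenced is `_` (in `_.mapModulesRec' ./modules import`). Trim it to `inherit (lib) _;` so the binding list documents what the root module actually depends on. The `config` argument in the header is likewise unused, though keeping it is conventional for NixOS modules.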
@@ -3,25 +3,31 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + + home-manager.url = "github:nix-community/home-manager"; }; - outputs = { self, nixpkgs }: - let - system = "aarch64-linux"; + outputs = inputs @ { self, nixpkgs, ... }: + let + system = "aarch64-linux"; - pkgs = import nixpkgs { - allowUnfree = true; - }; - in - { - nixosConfigurations = { - server = nixpkgs.lib.nixosSystem { - specialArgs = { inherit system; }; + lib = import ./lib { inherit pkgs inputs; lib = nixpkgs.lib; }; + inherit (lib._) mapModules mapModulesRec mkHost; - modules = [ - ./hosts/server/configuration.nix - ]; + mkPkgs = pkgs: overlays: import pkgs { + inherit system; + config.allowUnfree = true; + overlays = overlays ++ (lib.attrValues self.overlays); }; + + pkgs = mkPkgs nixpkgs [ self.overlay ]; + in { + packages."${system}" = mapModules ./packages (p: pkgs.callPackage p {}); + overlay = final: prev: { + _ = self.packages."${system}"; + }; + overlays = mapModules ./overlays import; + nixosModules = (mapModulesRec ./modules import); + nixosConfigurations = mapModules ./hosts (host: mkHost host { inherit system; }); }; - }; } diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix deleted file mode 100755 index 99bb521..0000000 --- a/hosts/server/configuration.nix +++ /dev/null 
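Review bot: The new `home-manager.url` input is declared without a `follows`, so home-manager is evaluated against its own nixpkgs pin; the flake.lock hunk in this commit shows the result, two nixpkgs entries (`nixpkgs` and `nixpkgs_2`) at different revisions. That doubles what has to be fetched and means user-level and system-level packages can come from different nixpkgs revisions, which also makes auditing what is deployed harder. Adding `home-manager.inputs.nixpkgs.follows = "nixpkgs";` under the url line keeps a single pin. Separately, `lib = import ./lib { inherit pkgs inputs; ... }` and `pkgs = mkPkgs nixpkgs [ self.overlay ]` refer to each other and only work because evaluation is lazy; a one-line comment saying so would save the next reader a puzzle.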
@@ -1,251 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = - [ - ./hardware-configuration.nix - ]; - - # Git - environment.systemPackages = [ - pkgs.git - ]; - - # Bootloader - boot.loader.grub.enable = false; - boot.loader.generic-extlinux-compatible.enable = true; - - # Enable flakes - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - - # Networking - networking.hostName = "nixos-server-reid"; - networking.wireless.environmentFile = "/run/secrets/wireless.env"; - networking.wireless = { - enable = true; - userControlled.enable = true; - networks = { - Ryan = { - psk = "@password@"; - }; - }; - }; - - # Set your time zone. - time.timeZone = "America/Los_Angeles"; - - # Editors - # Editors - Nano - programs.nano = { - syntaxHighlight = true; - nanorc = '' - set mouse - ''; - }; - - # Users - users.groups.dotfiles = {}; - - # Users - reidlab - users.users.reidlab = { - isNormalUser = true; - extraGroups = [ "wheel" "dotfiles" ]; - packages = with pkgs; [ - tree bat - ]; - }; - - # Programs - # Programs - Mosh - programs.mosh.enable = true; - - # Services - # Services - Openssh - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = true; - }; - }; - - # Services - Nginx - services.nginx = { - package = pkgs.openresty; - enable = true; - - logError = "stderr warn"; - - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - }; - networking.firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - }; - services.nginx.commonHttpConfig = let - lua-resty-template = pkgs.fetchFromGitHub { - owner = "bungle"; - repo = "lua-resty-template"; - rev = "v2.0"; - sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1"; - }; - lua-resty-redis = pkgs.fetchFromGitHub { - owner = "openresty"; - repo = "lua-resty-redis"; - rev = "v0.29"; - sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9"; - }; - 
lua-resty-websocket = pkgs.fetchFromGitHub { - owner = "openresty"; - repo = "lua-resty-websocket"; - rev = "v0.10"; - sha256 = "0zpprfi5qc3066ab7g7nyr18jwlk3n8y0006maj4nlx38rl24vfh"; - }; - realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};"); - fileToList = x: lib.strings.splitString "\n" (builtins.readFile x); - cfipv4 = fileToList (pkgs.fetchurl { - url = "https://www.cloudflare.com/ips-v4"; - sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h"; - }); - cfipv6 = fileToList (pkgs.fetchurl { - url = "https://www.cloudflare.com/ips-v6"; - sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy"; - }); - in '' - # Lua path - lua_package_path "/var/www/reidlab.online/lua/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;${lua-resty-websocket}/lib/?.lua;;"; - - # Realip - ${realIpsFromList cfipv4} - ${realIpsFromList cfipv6} - real_ip_header CF-Connecting-IP; - - # Add HSTS header with preloading to HTTPS requests. - # Adding this header to HTTP requests is discouraged - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - - # Enable CSP for your services. - # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - # ^ this above is breaking forgejo - - # Minimize information leaked to other domains - add_header 'Referrer-Policy' 'origin-when-cross-origin'; - - # Disable embedding as a frame - add_header X-Frame-Options DENY; - - # Prevent injection of code in other mime types (XSS Attacks) - add_header X-Content-Type-Options nosniff; - - # Enable XSS protection of the browser. 
- # May be unnecessary when CSP is configured properly (see above) - add_header X-XSS-Protection "1; mode=block"; - - # This might create errors - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - ''; - services.nginx.virtualHosts."reidlab.online" = { - forceSSL = true; - enableACME = true; - root = "/var/www/reidlab.online/public"; - extraConfig = '' - error_page 404 /errors/404.html; - error_page 403 /errors/403.html; - error_page 500 /errors/500.html; - location = /errors/404.html { root /var/www/reidlab.online/public/; internal; } - location = /errors/403.html { root /var/www/reidlab.online/public/; internal; } - location = /errors/500.html { root /var/www/reidlab.online/public/; internal; } - location / { - try_files $uri @main; - } - - location /chat { - access_by_lua_file /var/www/reidlab.online/lua/chat.lua; - } - - location @main { - content_by_lua ' - require("main").handle_request() - '; - } - ''; - }; - - # Services - Forgejo - services.gitea = { - enable = true; - package = pkgs.forgejo; - stateDir = "/var/lib/git.reidlab.online"; - appName = "reidlab's git instance"; - database = { - type = "postgres"; - name = "gitea"; - }; - settings = { - "security" = { - INSTALL_LOCK = true; - PASSWORD_HASH_ALGO = "argon2"; - PASSWORD_CHECK_PWN = true; - }; - "ui.meta" = { - AUTHOR = "reidlab"; - DESCRIPTION = "reidlab's git instance"; - }; - "server" = { - DOMAIN = "git.reidlab.online"; - HTTP_PORT = 3000; - ROOT_URL = "https://git.reidlab.online/"; - }; - "repository" = { - DEFAULT_BRANCH = "main"; - }; - "picture" = { - DISABLE_GRAVATAR = false; - ENABLE_FEDERATED_AVATAR = true; - }; - "service" = { - ENABLE_CAPTCHA = false; - REGISTER_EMAIL_CONFIRM = false; - DEFAULT_KEEP_EMAIL_PRIVATE = true; - DEFAULT_ENABLE_TIMETRACKING = true; - DISABLE_REGISTRATION = true; - }; - "federation" = { - ENABLED = true; - }; - }; - }; - services.nginx.virtualHosts."git.reidlab.online" = { - forceSSL = true; - enableACME = true; - locations."/".extraConfig = '' - 
proxy_pass "http://127.0.0.1:3000"; - ''; - }; - - # Services - Postgres - services.postgresql.enable = true; - - # Services - Redis - services.redis.servers."".enable = true; - - # Security - security = { - protectKernelImage = true; - }; - - security.acme = { - acceptTerms = true; - defaults.email = "reidlab325@gmail.com"; - }; - - # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion - system.stateVersion = "23.11"; # Did you read the comment? -} - diff --git a/hosts/server/default.nix b/hosts/server/default.nix new file mode 100755 index 0000000..4706625 --- /dev/null +++ b/hosts/server/default.nix @@ -0,0 +1,67 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./webapps/default.nix + ]; + + user = { + packages = with pkgs; [ + git + curl + ]; + }; + + users.groups.dotfiles = {}; + + normalUsers = { + reidlab = { + conf = { + packages = with pkgs; [ bat tree ]; + extraGroups = [ "wheel" "dotfiles" ]; + }; + + homeConf.home = { + sessionVariables = { + EDITOR = "nano"; + }; + }; + }; + }; + + keyboard = { + locale = "en_US.UTF-8"; + variant = "qwerty"; + }; + + modules = { + services = { + ssh = { + enable = true; + requirePassword = true; + }; + + postgres.enable = true; + + redis.enable = true; + + mosh.enable = true; + }; + }; + + time.timeZone = "America/Los_Angeles"; + + networking = { + hostName = "nixos-server-reid"; + wireless = { + environmentFile = "/run/secrets/wireless.env"; + enable = true; + userControlled.enable = true; + networks.Ryan.psk = "@password@"; + }; + }; + + boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = true; +} diff --git a/hosts/server/hardware-configuration.nix b/hosts/server/hardware-configuration.nix index d1a9d7c..2a7de82 100755 --- a/hosts/server/hardware-configuration.nix +++ b/hosts/server/hardware-configuration.nix 
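Review bot: `boot.loader.grub.enable = false;` and `boot.loader.generic-extlinux-compatible.enable = true;` at the end of hosts/server/default.nix are also added by this commit to hosts/server/hardware-configuration.nix, whose header says it is generated and may be overwritten. Identical boolean definitions merge without error, so this is not a build failure, but a regenerated hardware file would drop one copy and the intent becomes unclear. Keep the loader settings in one place; this host file is the natural one given the generated-file warning. The wireless block carries the `@password@` placeholder plus `environmentFile` pattern over from the deleted configuration.nix unchanged, so nothing new there.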
@@ -1,6 +1,7 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. +# 🤓☝ { config, lib, pkgs, modulesPath, ... }: { @@ -8,10 +9,18 @@ [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot = { + loader = { + grub.enable = false; + generic-extlinux-compatible.enable = true; + }; + initrd = { + availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; fileSystems."/" = { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; diff --git a/hosts/server/webapps/default.nix b/hosts/server/webapps/default.nix new file mode 100644 index 0000000..c85749d --- /dev/null +++ b/hosts/server/webapps/default.nix 
@@ -0,0 +1,54 @@ +{ config, lib, pkgs, ... }: + +with lib; +let +in { + config = { + modules = { + services = { + forgejo = { + enable = true; + domain = "git.reidlab.online"; + port = 3000; + }; + + nginx-config = { + enable = true; + defaultLuaPackagePath = /var/www/reidlab.online/lua; + }; + }; + }; + + services = { + nginx.virtualHosts = { + "reidlab.online" = { + forceSSL = true; + enableACME = true; + root = "/var/www/reidlab.online/public"; + extraConfig = '' + error_page 404 /errors/404.html; + error_page 403 /errors/403.html; + error_page 500 /errors/500.html; + location = /errors/404.html { root /var/www/reidlab.online/public/; internal; } + location = /errors/403.html { root /var/www/reidlab.online/public/; internal; } + location = /errors/500.html { root /var/www/reidlab.online/public/; internal; } + + location / { + try_files $uri @main; + } + + location /chat { + access_by_lua_file /var/www/reidlab.online/lua/chat.lua; + } + + location @main { + content_by_lua ' + require("main").handle_request() + '; + } + ''; + }; + }; + }; + }; +} diff --git a/lib/default.nix b/lib/default.nix new file mode 100644 index 0000000..c015f0b --- /dev/null +++ b/lib/default.nix @@ -0,0 +1,15 @@ +{ inputs, lib, pkgs, ... }: + +lib.extend (self: super: + let + inherit (lib) attrValues foldr; + inherit (modules) mapModules; + + modules = import ./modules.nix { inherit lib; }; + in { + _ = foldr (a: b: a // b) {} (attrValues (mapModules ./. (file: import file { + inherit pkgs inputs; + lib = self; + }))); + } +) diff --git a/lib/modules.nix b/lib/modules.nix new file mode 100644 index 0000000..287c1f6 --- /dev/null +++ b/lib/modules.nix 
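Review bot: `with lib; let in {` at the top of hosts/server/webapps/default.nix brings nothing into scope and the empty `let ... in` binds nothing; both can be dropped so the file is just the module attribute set. The `nginx-config` block enables the module declared in modules/services/nginx-conf.nix, so the option name and the file name differ by one letter; renaming one of them avoids a grep miss later. `defaultLuaPackagePath = /var/www/reidlab.online/lua;` is a Nix path literal that only stays a runtime path because the consumer applies `toString` to it; a comment such as `# path literal: nginx-conf uses toString on this, do not interpolate it into a string` would guard against an accidental copy into the store.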
@@ -0,0 +1,27 @@ +{ lib, ... }: + +let + inherit (builtins) attrValues readDir pathExists; + inherit (lib) id filterAttrs hasPrefix hasSuffix nameValuePair removeSuffix mapAttrs' trace fix fold isAttrs; +in rec { + mapModules' = dir: fn: dirfn: + filterAttrs + (name: type: type != null && !(hasPrefix "_" name)) + (mapAttrs' + (name: type: + let path = "${toString dir}/${name}"; in + if type == "directory" + then nameValuePair name (dirfn path) + else if + type == "regular" && + name != "default.nix" && + hasSuffix ".nix" name + then nameValuePair (removeSuffix ".nix" name) (fn path) + else nameValuePair "" null + ) + (readDir dir)); + + mapModules = dir: fn: mapModules' dir fn (path: if pathExists "${path}/default.nix" then fn path else null); + mapModulesRec = dir: fn: mapModules' dir fn (path: mapModulesRec path fn); + mapModulesRec' = dir: fn: fix (f: attrs: fold (x: xs: (if isAttrs x then f x else [x]) ++ xs) [] (attrValues attrs)) (mapModulesRec dir fn); +} diff --git a/lib/nixos.nix b/lib/nixos.nix new file mode 100644 index 0000000..464bf91 --- /dev/null +++ b/lib/nixos.nix @@ -0,0 +1,21 @@ +{ inputs, lib, pkgs, ... }: + +with lib; +{ + mkHost = path: attrs@{ system, ... }: + nixosSystem { + inherit system; + specialArgs = { inherit lib inputs system; }; + modules = [ + { + nixpkgs.pkgs = pkgs; + networking.hostName = mkDefault (removeSuffix ".nix" (baseNameOf path)); + } + (filterAttrs (n: v: !elem n [ "system" ]) attrs) + + ../. + + (import path) + ]; + }; +} diff --git a/modules/keyboard.nix b/modules/keyboard.nix new file mode 100644 index 0000000..7c39e8d --- /dev/null +++ b/modules/keyboard.nix @@ -0,0 +1,17 @@ +{ config, lib, pkgs, options, ... }: + +with lib; +let + cfg = config.keyboard; +in { + options.keyboard = { + locale = mkOption { + type = types.str; + default = "en_US.UTF-8"; + }; + variant = mkOption { + type = types.str; + default = ""; + }; + }; +} 
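Review bot: In lib/modules.nix the `inherit (lib) ...` list includes `id` and `trace`, neither of which appears anywhere in the file; removing them keeps the list honest. `mapModules'` silently maps non-`.nix` regular files and `default.nix` to `nameValuePair "" null` and relies on the outer `filterAttrs` to discard them; a short comment on that line stating the convention (underscore-prefixed and non-.nix entries are skipped, `default.nix` marks a directory module) would make the loader's contract visible to anyone adding modules.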
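Review bot: modules/keyboard.nix declares `options.keyboard.locale` and `options.keyboard.variant` but has no `config` section, so the values hosts/server/default.nix sets (`keyboard = { locale = "en_US.UTF-8"; variant = "qwerty"; }`) are never consumed; the locale that actually applies is the `i18n.defaultLocale` hard-coded in default.nix. Either wire the options through, e.g. `config.i18n.defaultLocale = cfg.locale;` using the `cfg` already bound in the let, or drop the module until it does something. As written, `cfg` is bound and unused.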
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix new file mode 100644 index 0000000..7eb23a7 --- /dev/null +++ b/modules/services/forgejo.nix @@ -0,0 +1,81 @@ +{ config, lib, pkgs, options, ... }: + +with lib; +let + cfg = config.modules.services.forgejo; +in { + options.modules.services.forgejo = { + enable = mkOption { + type = types.bool; + default = false; + }; + domain = mkOption { + type = types.str; + default = "git.reidlab.online"; + }; + port = mkOption { + type = types.int; + default = 3000; + }; + package = mkOption { + type = types.package; + default = pkgs.forgejo; + }; + }; + + config = mkIf cfg.enable { + services = { + gitea = { + enable = true; + package = cfg.package; + stateDir = "/var/lib/${cfg.domain}"; + appName = "reidlab's git instance"; + database = { + type = "postgres"; + name = "gitea"; + }; + settings = { + "security" = { + INSTALL_LOCK = true; + PASSWORD_HASH_ALGO = "argon2"; + PASSWORD_CHECK_PWN = true; + }; + "ui.meta" = { + AUTHOR = "reidlab"; + DESCRIPTION = "reidlab's git instance"; + }; + "server" = { + DOMAIN = cfg.domain; + HTTP_PORT = cfg.port; + ROOT_URL = "https://${cfg.domain}/"; + }; + "repository" = { + DEFAULT_BRANCH = "main"; + }; + "picture" = { + DISABLE_GRAVATAR = false; + ENABLE_FEDERATED_AVATAR = true; + }; + "service" = { + ENABLE_CAPTCHA = false; + REGISTER_EMAIL_CONFIRM = false; + DEFAULT_KEEP_EMAIL_PRIVATE = true; + DEFAULT_ENABLE_TIMETRACING = true; + DISABLE_REGISTRATION = true; + }; + "federation" = { + ENABLED = true; + }; + }; + }; + + nginx.virtualHosts."${cfg.domain}" = { + forceSSL = true; + enableACME = true; + locations."/".extraConfig = '' + proxy_pass http://127.0.0.1:${toString cfg.port}; + ''; + }; + }; + }; +} diff --git a/modules/services/mosh.nix b/modules/services/mosh.nix new file mode 100644 index 0000000..da344a3 --- /dev/null +++ b/modules/services/mosh.nix 
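Review bot: `DEFAULT_ENABLE_TIMETRACING = true;` in the `"service"` section is a typo introduced by the move; the deleted hosts/server/configuration.nix had `DEFAULT_ENABLE_TIMETRACKING = true;`, which is the key the application reads, so time tracking silently falls back to the application default. Restore `DEFAULT_ENABLE_TIMETRACKING = true;`. The `port` option is declared `types.int`; `types.port` would reject out-of-range values at evaluation time instead of at nginx/gitea start. `DISABLE_REGISTRATION = true` and `INSTALL_LOCK = true` are carried over unchanged, which is the right posture for an internet-facing instance.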
@@ -0,0 +1,19 @@ +{ config, lib, pkgs, options, ... }: + +with lib; +let + cfg = config.modules.services.mosh; +in { + options.modules.services.mosh = { + enable = mkOption { + type = types.bool; + default = false; + }; + }; + + config = mkIf cfg.enable { + programs.mosh = { + enable = true; + }; + }; +} diff --git a/modules/services/nginx-conf.nix b/modules/services/nginx-conf.nix new file mode 100644 index 0000000..f3dc6a8 --- /dev/null +++ b/modules/services/nginx-conf.nix 
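Review bot: `programs.mosh.enable = true;` is the only effect of this module, and as far as I recall the upstream NixOS mosh module also opens its UDP port range in the firewall by default (`programs.mosh.openFirewall`); please confirm against the nixpkgs revision pinned in flake.lock. If that is intended, a one-line comment in this module noting that the firewall is opened upstream would make the host's exposed surface visible from this repository; otherwise set `programs.mosh.openFirewall = false;` here and open ports explicitly.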
@@ -0,0 +1,109 @@ +{ config, lib, pkgs, options, ... }: + +with lib; +let + cfg = config.modules.services.nginx-config; +in { + options.modules.services.nginx-config = { + enable = mkOption { + type = types.bool; + default = false; + }; + + package = mkOption { + type = types.package; + default = pkgs.openresty; + }; + + defaultLuaPackagePath = mkOption { + type = types.path; + default = null; + }; + }; + + config = mkIf cfg.enable { + assertions = [ + { assertion = cfg.defaultLuaPackagePath != null; + description = "The defaultLuaPackagePath property *must* be explicitly specified."; + } + ]; + + security.acme = { + acceptTerms = true; + defaults.email = "reidlab325@gmail.com"; + # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + }; + + services.nginx = { + enable = true; + package = cfg.package; + + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + + logError = "stderr warn"; + + # TODO: clean this up oh my god like everything here :sob: im vomiting shaking and crying looking at this. 
+ commonHttpConfig = let + # lua + lua-resty-template = pkgs.fetchFromGitHub { + owner = "bungle"; + repo = "lua-resty-template"; + rev = "v2.0"; + sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1"; + }; + lua-resty-redis = pkgs.fetchFromGitHub { + owner = "openresty"; + repo = "lua-resty-redis"; + rev = "v0.29"; + sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9"; + }; + lua-resty-websocket = pkgs.fetchFromGitHub { + owner = "openresty"; + repo = "lua-resty-websocket"; + rev = "v0.10"; + sha256 = "0zpprfi5qc3066ab7g7nyr18jwlk3n8y0006maj4nlx38rl24vfh"; + }; + + # cloudflare + realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};"); + fileToList = x: lib.strings.splitString "\n" (builtins.readFile x); + cfipv4 = fileToList (pkgs.fetchurl { + url = "https://www.cloudflare.com/ips-v4"; + sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h"; + }); + cfipv6 = fileToList (pkgs.fetchurl { + url = "https://www.cloudflare.com/ips-v6"; + sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy"; + }); + in '' + lua_package_path "${toString cfg.defaultLuaPackagePath}/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;${lua-resty-websocket}/lib/?.lua;;"; + + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. 
+ # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + # ^ this above breaks forgejo/gitea so + + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + + ${realIpsFromList cfipv4} + ${realIpsFromList cfipv6} + real_ip_header CF-Connecting-IP; + ''; + }; + + networking.firewall.allowedTCPPorts = [ 443 80 ]; + networking.firewall.allowedUDPPorts = [ 443 80 ]; + }; +} diff --git a/modules/services/postgres.nix b/modules/services/postgres.nix new file mode 100644 index 0000000..00291b2 --- /dev/null +++ b/modules/services/postgres.nix @@ -0,0 +1,19 @@ +{ config, lib, pkgs, options, ... }: + +with lib; +let + cfg = config.modules.services.postgres; +in { + options.modules.services.postgres = { + enable = mkOption { + type = types.bool; + default = false; + }; + }; + + config = mkIf cfg.enable { + services.postgresql = { + enable = true; + }; + }; +} diff --git a/modules/services/redis.nix b/modules/services/redis.nix new file mode 100644 index 0000000..cc8ae4b --- /dev/null +++ b/modules/services/redis.nix @@ -0,0 +1,19 @@ +{ config, lib, pkgs, options, ... }: + +with lib; +let + cfg = config.modules.services.redis; +in { + options.modules.services.redis = { + enable = mkOption { + type = types.bool; + default = false; + }; + }; + + config = mkIf cfg.enable { + services.redis.servers."" = { + enable = true; + }; + }; +} diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix new file mode 100644 index 0000000..e8dba7c --- /dev/null +++ b/modules/services/ssh.nix 
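Review bot: The assertion in `config = mkIf cfg.enable { assertions = [ ... ] }` uses a `description` attribute, but NixOS assertions are read as `{ assertion; message; }`, so when it fires the evaluation error will be about a missing `message` rather than the intended text; rename it to `message`. The option it guards, `defaultLuaPackagePath`, is declared `types.path` with `default = null`, and `null` is not a valid path, so leaving it unset fails the type check before the assertion is reached; declare it `types.nullOr types.path` so the assertion can do its job. Compared with the deleted hosts/server/configuration.nix, the rewritten `commonHttpConfig` drops `add_header X-Frame-Options DENY;`, a silent loss of the clickjacking protection the old config had; add it back next to `add_header X-Content-Type-Options nosniff;`. `networking.firewall.allowedUDPPorts = [ 443 80 ];` opens UDP ports nothing here listens on (no HTTP/3 or QUIC is configured), so that line should go. The hard-coded ACME `defaults.email` belongs in the host file or an option rather than a reusable module.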
@@ -0,0 +1,35 @@ +{ options, config, lib, pkgs, ... }: + +with lib; +let + cfg = config.modules.services.ssh; +in { + options.modules.services.ssh = { + enable = mkOption { + type = types.bool; + default = false; + description = "Provide system SSH support though OpenSSH."; + }; + + requirePassword = mkOption { + type = types.bool; + default = true; + }; + }; + + config = mkIf cfg.enable { + services.openssh = { + enable = true; + + settings = { + PasswordAuthentication = cfg.requirePassword; + PermitRootLogin = "no"; + }; + }; + + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + }; +} diff --git a/modules/users.nix b/modules/users.nix new file mode 100644 index 0000000..119ec40 --- /dev/null +++ b/modules/users.nix 
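Review bot: The option `requirePassword` is wired to `PasswordAuthentication = cfg.requirePassword;`, so it does not require a password, it permits password logins, and with `default = true` any host that only sets `enable = true` gets password authentication on an SSH server that also has a wheel user; the name invites the opposite reading. Rename it to something like `passwordAuthentication` (and update hosts/server/default.nix, which sets it), or at minimum give it a `description` such as `"Allow password logins; set to false once keys are deployed."` as `enable` already has. When it is turned off, `KbdInteractiveAuthentication = false;` in the same `settings` block is needed as well, otherwise password prompts still arrive via keyboard-interactive. `programs.gnupg.agent.enableSSHSupport = true;` is an unrelated client-side setting riding on a server module and would be cleaner in its own module.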
@@ -0,0 +1,82 @@ +{ options, config, lib, pkgs, ... }: + +with lib; +let + +in { + options = { + user = mkOption { + type = types.attrs; + default = {}; + description = "Defaults to apply to all normal users in the system."; + }; + normalUsers = mkOption { + type = types.attrsOf (types.submodule { options = { + conf = mkOption { + type = types.attrs; + default = {}; + }; + homeConf = mkOption { + type = types.attrs; + default = {}; + }; + };}); + default = {}; + }; + home = { + _ = mkOption { + type = types.attrs; + default = {}; + description = "Universal home-level user configuration"; + }; + configFile = mkOption { + type = types.attrs; + default = {}; + description = "(XDG) Configuration files managed by home-manager"; + }; + }; + configDir = mkOption { + type = types.path; + default = ../config; + }; + }; + + config = { + home-manager.useUserPackages = true; + + user = { + packages = with pkgs; [ wget ]; + extraGroups = [ ]; + }; + + home._ = { + home.stateVersion = config.system.stateVersion; + home.file = mkAliasDefinitions options.home.configFile; + xdg.enable = true; + xdg.configFile = mkAliasDefinitions options.home.configFile; + }; + + environment = { + sessionVariables = { + XDG_CACHE_HOME = "$HOME/.cache"; + XDG_CONFIG_HOME = "$HOME/.config"; + XDG_DATA_HOME = "$HOME/.local/share"; + XDG_BIN_HOME = "$HOME/.local/bin"; + XDG_DESKTOP_DIR = "$HOME"; + }; + }; + + users.groups = mapAttrs (_: _: {}) config.normalUsers; + + users.users = mapAttrs (username: user: (mkMerge [ + (mkAliasDefinitions options.user) + user.conf + { + isNormalUser = true; + group = username; + } + ])) config.normalUsers; + + home-manager.users = mapAttrs (username: user: (mkMerge [(mkAliasDefinitions options.home._) user.homeConf])) config.normalUsers; + }; +} diff --git a/overlays/.gitkeep b/overlays/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/packages/.gitkeep b/packages/.gitkeep new file mode 100644 index 0000000..e69de29 
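Review bot: In `home._`, both `home.file` and `xdg.configFile` are bound to `mkAliasDefinitions options.home.configFile`, so every entry of `home.configFile` is written twice, once under `$HOME/<name>` and once under `$HOME/.config/<name>`; the `home.file` line reads like a copy-paste of the one below it. Either alias `home.file` to a separate option (none is declared in this module) or drop that line. `configDir` defaults to `../config`, a directory this commit does not create (the diffstat lists no `config/`), so anything that later reads `config.configDir` will point at a missing path; a comment stating where it is expected to come from would help. The empty `let` / `in` at the top can go.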
diff --git a/readme.md b/readme.md index bf021a6..595589b 100755 --- a/readme.md +++ b/readme.md @@ -5,7 +5,6 @@ Nix Flake dotfiles used on my server. ## Todo * Make it so our secrets consist upon reboot (currently just our wifi password, have to set every reboot) (maybe with [Agenix](https://github.com/ryantm/agenix) + [Age](https://github.com/FiloSottile/age)? -* Make everything __modular__. ## Development