whole entire revamp

This commit is contained in:
Reid 2023-08-22 21:49:15 -07:00
parent 7b3e28f66d
commit 1c86119fbb
21 changed files with 652 additions and 272 deletions

View file

@ -1,251 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
];
# Git
environment.systemPackages = [
pkgs.git
];
# Bootloader
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
# Enable flakes
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# Networking
networking.hostName = "nixos-server-reid";
networking.wireless.environmentFile = "/run/secrets/wireless.env";
networking.wireless = {
enable = true;
userControlled.enable = true;
networks = {
Ryan = {
psk = "@password@";
};
};
};
# Set your time zone.
time.timeZone = "America/Los_Angeles";
# Editors
# Editors - Nano
programs.nano = {
syntaxHighlight = true;
nanorc = ''
set mouse
'';
};
# Users
users.groups.dotfiles = {};
# Users - reidlab
users.users.reidlab = {
isNormalUser = true;
extraGroups = [ "wheel" "dotfiles" ];
packages = with pkgs; [
tree bat
];
};
# Programs
# Programs - Mosh
programs.mosh.enable = true;
# Services
# Services - Openssh
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = true;
};
};
# Services - Nginx
services.nginx = {
package = pkgs.openresty;
enable = true;
logError = "stderr warn";
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
services.nginx.commonHttpConfig = let
lua-resty-template = pkgs.fetchFromGitHub {
owner = "bungle";
repo = "lua-resty-template";
rev = "v2.0";
sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";
};
lua-resty-redis = pkgs.fetchFromGitHub {
owner = "openresty";
repo = "lua-resty-redis";
rev = "v0.29";
sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
};
lua-resty-websocket = pkgs.fetchFromGitHub {
owner = "openresty";
repo = "lua-resty-websocket";
rev = "v0.10";
sha256 = "0zpprfi5qc3066ab7g7nyr18jwlk3n8y0006maj4nlx38rl24vfh";
};
realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
cfipv4 = fileToList (pkgs.fetchurl {
url = "https://www.cloudflare.com/ips-v4";
sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
});
cfipv6 = fileToList (pkgs.fetchurl {
url = "https://www.cloudflare.com/ips-v6";
sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
});
in ''
# Lua path
lua_package_path "/var/www/reidlab.online/lua/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;${lua-resty-websocket}/lib/?.lua;;";
# Realip
${realIpsFromList cfipv4}
${realIpsFromList cfipv6}
real_ip_header CF-Connecting-IP;
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# ^ this above is breaking forgejo
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
services.nginx.virtualHosts."reidlab.online" = {
forceSSL = true;
enableACME = true;
root = "/var/www/reidlab.online/public";
extraConfig = ''
error_page 404 /errors/404.html;
error_page 403 /errors/403.html;
error_page 500 /errors/500.html;
location = /errors/404.html { root /var/www/reidlab.online/public/; internal; }
location = /errors/403.html { root /var/www/reidlab.online/public/; internal; }
location = /errors/500.html { root /var/www/reidlab.online/public/; internal; }
location / {
try_files $uri @main;
}
location /chat {
access_by_lua_file /var/www/reidlab.online/lua/chat.lua;
}
location @main {
content_by_lua '
require("main").handle_request()
';
}
'';
};
# Services - Forgejo
services.gitea = {
enable = true;
package = pkgs.forgejo;
stateDir = "/var/lib/git.reidlab.online";
appName = "reidlab's git instance";
database = {
type = "postgres";
name = "gitea";
};
settings = {
"security" = {
INSTALL_LOCK = true;
PASSWORD_HASH_ALGO = "argon2";
PASSWORD_CHECK_PWN = true;
};
"ui.meta" = {
AUTHOR = "reidlab";
DESCRIPTION = "reidlab's git instance";
};
"server" = {
DOMAIN = "git.reidlab.online";
HTTP_PORT = 3000;
ROOT_URL = "https://git.reidlab.online/";
};
"repository" = {
DEFAULT_BRANCH = "main";
};
"picture" = {
DISABLE_GRAVATAR = false;
ENABLE_FEDERATED_AVATAR = true;
};
"service" = {
ENABLE_CAPTCHA = false;
REGISTER_EMAIL_CONFIRM = false;
DEFAULT_KEEP_EMAIL_PRIVATE = true;
DEFAULT_ENABLE_TIMETRACKING = true;
DISABLE_REGISTRATION = true;
};
"federation" = {
ENABLED = true;
};
};
};
services.nginx.virtualHosts."git.reidlab.online" = {
forceSSL = true;
enableACME = true;
locations."/".extraConfig = ''
proxy_pass "http://127.0.0.1:3000";
'';
};
# Services - Postgres
services.postgresql.enable = true;
# Services - Redis
services.redis.servers."".enable = true;
# Security
security = {
protectKernelImage = true;
};
security.acme = {
acceptTerms = true;
defaults.email = "reidlab325@gmail.com";
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "23.11"; # Did you read the comment?
}

67
hosts/server/default.nix Executable file
View file

@ -0,0 +1,67 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./webapps/default.nix
];
user = {
packages = with pkgs; [
git
curl
];
};
users.groups.dotfiles = {};
normalUsers = {
reidlab = {
conf = {
packages = with pkgs; [ bat tree ];
extraGroups = [ "wheel" "dotfiles" ];
};
homeConf.home = {
sessionVariables = {
EDITOR = "nano";
};
};
};
};
keyboard = {
locale = "en_US.UTF-8";
variant = "qwerty";
};
modules = {
services = {
ssh = {
enable = true;
requirePassword = true;
};
postgres.enable = true;
redis.enable = true;
mosh.enable = true;
};
};
time.timeZone = "America/Los_Angeles";
networking = {
hostName = "nixos-server-reid";
wireless = {
environmentFile = "/run/secrets/wireless.env";
enable = true;
userControlled.enable = true;
networks.Ryan.psk = "@password@";
};
};
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
}

View file

@ -1,6 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
# 🤓☝
{ config, lib, pkgs, modulesPath, ... }:
{
@ -8,10 +9,18 @@
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot = {
loader = {
grub.enable = false;
generic-extlinux-compatible.enable = true;
};
initrd = {
availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";

View file

@ -0,0 +1,54 @@
{ config, lib, pkgs, ... }:
with lib;
let
in {
config = {
modules = {
services = {
forgejo = {
enable = true;
domain = "git.reidlab.online";
port = 3000;
};
nginx-config = {
enable = true;
defaultLuaPackagePath = /var/www/reidlab.online/lua;
};
};
};
services = {
nginx.virtualHosts = {
"reidlab.online" = {
forceSSL = true;
enableACME = true;
root = "/var/www/reidlab.online/public";
extraConfig = ''
error_page 404 /errors/404.html;
error_page 403 /errors/403.html;
error_page 500 /errors/500.html;
location = /errors/404.html { root /var/www/reidlab.online/public/; internal; }
location = /errors/403.html { root /var/www/reidlab.online/public/; internal; }
location = /errors/500.html { root /var/www/reidlab.online/public/; internal; }
location / {
try_files $uri @main;
}
location /chat {
access_by_lua_file /var/www/reidlab.online/lua/chat.lua;
}
location @main {
content_by_lua '
require("main").handle_request()
';
}
'';
};
};
};
};
}