whole entire revamp
This commit is contained in:
parent
7b3e28f66d
commit
1c86119fbb
21 changed files with 652 additions and 272 deletions
|
@ -1,251 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
# Git
|
||||
environment.systemPackages = [
|
||||
pkgs.git
|
||||
];
|
||||
|
||||
# Bootloader
|
||||
boot.loader.grub.enable = false;
|
||||
boot.loader.generic-extlinux-compatible.enable = true;
|
||||
|
||||
# Enable flakes
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
|
||||
# Networking
|
||||
networking.hostName = "nixos-server-reid";
|
||||
networking.wireless.environmentFile = "/run/secrets/wireless.env";
|
||||
networking.wireless = {
|
||||
enable = true;
|
||||
userControlled.enable = true;
|
||||
networks = {
|
||||
Ryan = {
|
||||
psk = "@password@";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "America/Los_Angeles";
|
||||
|
||||
# Editors
|
||||
# Editors - Nano
|
||||
programs.nano = {
|
||||
syntaxHighlight = true;
|
||||
nanorc = ''
|
||||
set mouse
|
||||
'';
|
||||
};
|
||||
|
||||
# Users
|
||||
users.groups.dotfiles = {};
|
||||
|
||||
# Users - reidlab
|
||||
users.users.reidlab = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "dotfiles" ];
|
||||
packages = with pkgs; [
|
||||
tree bat
|
||||
];
|
||||
};
|
||||
|
||||
# Programs
|
||||
# Programs - Mosh
|
||||
programs.mosh.enable = true;
|
||||
|
||||
# Services
|
||||
# Services - Openssh
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
PermitRootLogin = "no";
|
||||
PasswordAuthentication = true;
|
||||
};
|
||||
};
|
||||
|
||||
# Services - Nginx
|
||||
services.nginx = {
|
||||
package = pkgs.openresty;
|
||||
enable = true;
|
||||
|
||||
logError = "stderr warn";
|
||||
|
||||
recommendedTlsSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
};
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
allowedTCPPorts = [ 80 443 ];
|
||||
};
|
||||
services.nginx.commonHttpConfig = let
|
||||
lua-resty-template = pkgs.fetchFromGitHub {
|
||||
owner = "bungle";
|
||||
repo = "lua-resty-template";
|
||||
rev = "v2.0";
|
||||
sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";
|
||||
};
|
||||
lua-resty-redis = pkgs.fetchFromGitHub {
|
||||
owner = "openresty";
|
||||
repo = "lua-resty-redis";
|
||||
rev = "v0.29";
|
||||
sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
|
||||
};
|
||||
lua-resty-websocket = pkgs.fetchFromGitHub {
|
||||
owner = "openresty";
|
||||
repo = "lua-resty-websocket";
|
||||
rev = "v0.10";
|
||||
sha256 = "0zpprfi5qc3066ab7g7nyr18jwlk3n8y0006maj4nlx38rl24vfh";
|
||||
};
|
||||
realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
|
||||
fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
|
||||
cfipv4 = fileToList (pkgs.fetchurl {
|
||||
url = "https://www.cloudflare.com/ips-v4";
|
||||
sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
|
||||
});
|
||||
cfipv6 = fileToList (pkgs.fetchurl {
|
||||
url = "https://www.cloudflare.com/ips-v6";
|
||||
sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
|
||||
});
|
||||
in ''
|
||||
# Lua path
|
||||
lua_package_path "/var/www/reidlab.online/lua/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;${lua-resty-websocket}/lib/?.lua;;";
|
||||
|
||||
# Realip
|
||||
${realIpsFromList cfipv4}
|
||||
${realIpsFromList cfipv6}
|
||||
real_ip_header CF-Connecting-IP;
|
||||
|
||||
# Add HSTS header with preloading to HTTPS requests.
|
||||
# Adding this header to HTTP requests is discouraged
|
||||
map $scheme $hsts_header {
|
||||
https "max-age=31536000; includeSubdomains; preload";
|
||||
}
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
||||
# Enable CSP for your services.
|
||||
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
# ^ this above is breaking forgejo
|
||||
|
||||
# Minimize information leaked to other domains
|
||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||
|
||||
# Disable embedding as a frame
|
||||
add_header X-Frame-Options DENY;
|
||||
|
||||
# Prevent injection of code in other mime types (XSS Attacks)
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
||||
# Enable XSS protection of the browser.
|
||||
# May be unnecessary when CSP is configured properly (see above)
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
|
||||
# This might create errors
|
||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
'';
|
||||
services.nginx.virtualHosts."reidlab.online" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
root = "/var/www/reidlab.online/public";
|
||||
extraConfig = ''
|
||||
error_page 404 /errors/404.html;
|
||||
error_page 403 /errors/403.html;
|
||||
error_page 500 /errors/500.html;
|
||||
location = /errors/404.html { root /var/www/reidlab.online/public/; internal; }
|
||||
location = /errors/403.html { root /var/www/reidlab.online/public/; internal; }
|
||||
location = /errors/500.html { root /var/www/reidlab.online/public/; internal; }
|
||||
location / {
|
||||
try_files $uri @main;
|
||||
}
|
||||
|
||||
location /chat {
|
||||
access_by_lua_file /var/www/reidlab.online/lua/chat.lua;
|
||||
}
|
||||
|
||||
location @main {
|
||||
content_by_lua '
|
||||
require("main").handle_request()
|
||||
';
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
# Services - Forgejo
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
package = pkgs.forgejo;
|
||||
stateDir = "/var/lib/git.reidlab.online";
|
||||
appName = "reidlab's git instance";
|
||||
database = {
|
||||
type = "postgres";
|
||||
name = "gitea";
|
||||
};
|
||||
settings = {
|
||||
"security" = {
|
||||
INSTALL_LOCK = true;
|
||||
PASSWORD_HASH_ALGO = "argon2";
|
||||
PASSWORD_CHECK_PWN = true;
|
||||
};
|
||||
"ui.meta" = {
|
||||
AUTHOR = "reidlab";
|
||||
DESCRIPTION = "reidlab's git instance";
|
||||
};
|
||||
"server" = {
|
||||
DOMAIN = "git.reidlab.online";
|
||||
HTTP_PORT = 3000;
|
||||
ROOT_URL = "https://git.reidlab.online/";
|
||||
};
|
||||
"repository" = {
|
||||
DEFAULT_BRANCH = "main";
|
||||
};
|
||||
"picture" = {
|
||||
DISABLE_GRAVATAR = false;
|
||||
ENABLE_FEDERATED_AVATAR = true;
|
||||
};
|
||||
"service" = {
|
||||
ENABLE_CAPTCHA = false;
|
||||
REGISTER_EMAIL_CONFIRM = false;
|
||||
DEFAULT_KEEP_EMAIL_PRIVATE = true;
|
||||
DEFAULT_ENABLE_TIMETRACKING = true;
|
||||
DISABLE_REGISTRATION = true;
|
||||
};
|
||||
"federation" = {
|
||||
ENABLED = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."git.reidlab.online" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass "http://127.0.0.1:3000";
|
||||
'';
|
||||
};
|
||||
|
||||
# Services - Postgres
|
||||
services.postgresql.enable = true;
|
||||
|
||||
# Services - Redis
|
||||
services.redis.servers."".enable = true;
|
||||
|
||||
# Security
|
||||
security = {
|
||||
protectKernelImage = true;
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "reidlab325@gmail.com";
|
||||
};
|
||||
|
||||
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
|
||||
system.stateVersion = "23.11"; # Did you read the comment?
|
||||
}
|
||||
|
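--- a/hosts/server/default.nix
+++ b/hosts/server/default.nix
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, ... }:
+
+{
+imports = [
+./hardware-configuration.nix
+./webapps/default.nix
+];
+
+user = {
+packages = with pkgs; [
+git
+curl
+];
+};
+
+users.groups.dotfiles = {};
+
+normalUsers = {
+reidlab = {
+conf = {
+packages = with pkgs; [ bat tree ];
+extraGroups = [ "wheel" "dotfiles" ];
+};
+
+homeConf.home = {
+sessionVariables = {
+EDITOR = "nano";
+};
+};
+};
+};
+
+keyboard = {
+locale = "en_US.UTF-8";
+variant = "qwerty";
+};
+
+modules = {
+services = {
+ssh = {
+enable = true;
+requirePassword = true;
+};
+
+postgres.enable = true;
+
+redis.enable = true;
+
+mosh.enable = true;
+};
+};
+
+time.timeZone = "America/Los_Angeles";
+
+networking = {
+hostName = "nixos-server-reid";
+wireless = {
+environmentFile = "/run/secrets/wireless.env";
+enable = true;
+userControlled.enable = true;
+networks.Ryan.psk = "@password@";
+};
+};
+
+boot.loader.grub.enable = false;
+boot.loader.generic-extlinux-compatible.enable = true;
+}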
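Review bot: `modules.services.ssh.requirePassword = true;` appears to keep SSH password authentication enabled on a host that also exposes nginx and Forgejo to the internet (the deleted file set `PasswordAuthentication = true;` explicitly, so this looks like a straight carry-over); the `ssh` module is not in this diff, so I am inferring the option maps to `PasswordAuthentication`. Key-only auth is the safer default for a public server: `requirePassword = false;` once `reidlab` has `openssh.authorizedKeys.keys` set, or at least a comment next to it saying why passwords are still needed (mosh bootstraps over ssh and works with keys). `userControlled.enable = true;` additionally lets every member of the default `wheel` group reconfigure wpa_supplicant, which is fine for a single-admin box but worth a one-line comment so it is not copied to multi-user hosts. The two `boot.loader.*` lines at the end are now also set in hardware-configuration.nix's new `boot.loader` block; equal boolean definitions merge without error, but one copy should be dropped to keep a single source of truth.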
@ -1,6 +1,7 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
# 🤓☝
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
|
@ -8,10 +9,18 @@
|
|||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot = {
|
||||
loader = {
|
||||
grub.enable = false;
|
||||
generic-extlinux-compatible.enable = true;
|
||||
};
|
||||
initrd = {
|
||||
availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
|
||||
kernelModules = [ ];
|
||||
};
|
||||
kernelModules = [ ];
|
||||
extraModulePackages = [ ];
|
||||
};
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
|
||||
|
|
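--- a/hosts/server/webapps/default.nix
+++ b/hosts/server/webapps/default.nix
@@ -0,0 +1,54 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+in {
+config = {
+modules = {
+services = {
+forgejo = {
+enable = true;
+domain = "git.reidlab.online";
+port = 3000;
+};
+
+nginx-config = {
+enable = true;
+defaultLuaPackagePath = /var/www/reidlab.online/lua;
+};
+};
+};
+
+services = {
+nginx.virtualHosts = {
+"reidlab.online" = {
+forceSSL = true;
+enableACME = true;
+root = "/var/www/reidlab.online/public";
+extraConfig = ''
+error_page 404 /errors/404.html;
+error_page 403 /errors/403.html;
+error_page 500 /errors/500.html;
+location = /errors/404.html { root /var/www/reidlab.online/public/; internal; }
+location = /errors/403.html { root /var/www/reidlab.online/public/; internal; }
+location = /errors/500.html { root /var/www/reidlab.online/public/; internal; }
+
+location / {
+try_files $uri @main;
+}
+
+location /chat {
+access_by_lua_file /var/www/reidlab.online/lua/chat.lua;
+}
+
+location @main {
+content_by_lua '
+require("main").handle_request()
+';
+}
+'';
+};
+};
+};
+};
+}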
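Review bot: `defaultLuaPackagePath = /var/www/reidlab.online/lua;` is a Nix path literal, not a string: if the `nginx-config` module interpolates it with `${...}` into `lua_package_path`, Nix copies the whole directory into the world-readable `/nix/store` at evaluation time, and under flakes/pure evaluation reading an absolute path outside the flake may fail outright. The deleted config used a plain string in `lua_package_path` so nginx read the Lua sources at runtime; keep that behaviour with `defaultLuaPackagePath = "/var/www/reidlab.online/lua";` unless the module deliberately wants a store copy and the directory is known to hold no credentials (the old config loaded lua-resty-redis from the same path, so a Redis config living there is plausible). Separately, the Forgejo hardening from the deleted file — `INSTALL_LOCK = true`, `DISABLE_REGISTRATION = true`, `PASSWORD_HASH_ALGO = "argon2"`, `PASSWORD_CHECK_PWN = true` — is not re-stated here, and `modules.services.forgejo` only receives `enable`/`domain`/`port`; the module itself is outside this diff, so please confirm it re-applies those settings, otherwise this commit reopens self-registration and the web installer on git.reidlab.online. The same check applies to the HSTS/X-Frame-Options/nosniff headers, the Cloudflare `set_real_ip_from` list and the `allowedTCPPorts = [ 80 443 ]` firewall rule, which this file no longer declares.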