commit 834ba83f0b85d185d4ed1d30ba8a9f2364076753
Author: reidlab
Date: Wed Aug 9 21:05:37 2023 -0700
init
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..a9fb58d
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1691368598,
+ "narHash": "sha256-ia7li22keBBbj02tEdqjVeLtc7ZlSBuhUk+7XTUFr14=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "5a8e9243812ba528000995b294292d3b5e120947",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..a3995d3
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,27 @@
+{
+ description = "A very basic flake";
+
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ };
+
+ outputs = { self, nixpkgs }:
+ let
+ system = "aarch64-linux";
+
+ pkgs = import nixpkgs {
+ allowUnfree = true;
+ };
+ in
+ {
+ nixosConfigurations = {
+ server = nixpkgs.lib.nixosSystem {
+ specialArgs = { inherit system; };
+
+ modules = [
+ ./hosts/server/configuration.nix
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
new file mode 100644
index 0000000..42104bd
--- /dev/null
+++ b/hosts/server/configuration.nix
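Review bot: `pkgs = import nixpkgs { allowUnfree = true; }` in the `let` block of flake.nix is never used — `nixpkgs.lib.nixosSystem` only receives `specialArgs` and `modules` — so the setting has no effect on the server configuration, and `allowUnfree` does not appear to be a top-level argument of the nixpkgs function anyway (it belongs under `config`). Either drop the binding or express the intent inside the module as `nixpkgs.config.allowUnfree = true;`. `nixosSystem` is also called without a `system` argument; that presumably only evaluates because `hardware-configuration.nix` sets `nixpkgs.hostPlatform`, so passing `inherit system;` alongside `specialArgs` would make the flake self-contained.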
@@ -0,0 +1,207 @@
+{ config, lib, pkgs, luaOlder, buildLuarocksPackage, lua, fetchgit, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ];
+
+ # Git
+ environment.systemPackages = [
+ pkgs.git
+ ];
+
+ # Bootloader
+ boot.loader.grub.enable = false;
+ boot.loader.generic-extlinux-compatible.enable = true;
+
+ # Enable flakes
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ # Networking
+ networking.hostName = "nixos-server-reid";
+ networking.wireless.environmentFile = "/run/secrets/wireless.env";
+ networking.wireless = {
+ enable = true;
+ userControlled.enable = true;
+ networks = {
+ Ryan = {
+ psk = "@password@";
+ };
+ };
+ };
+
+ # Set your time zone.
+ time.timeZone = "America/Los_Angeles";
+
+ # Users
+ # Users - reidlab
+ users.users.reidlab = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" "dotfiles" ];
+ packages = with pkgs; [
+ tree
+ ];
+ };
+
+ # Services
+ # Services - Openssh
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ };
+
+ # Services - Nginx
+ services.nginx = {
+ package = pkgs.openresty;
+ enable = true;
+
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ };
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+ services.nginx.commonHttpConfig = let
+ lua-resty-template = pkgs.fetchFromGitHub {
+ owner = "bungle";
+ repo = "lua-resty-template";
+ rev = "v2.0";
+ sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";
+ };
+ lua-resty-redis = pkgs.fetchFromGitHub {
+ owner = "openresty";
+ repo = "lua-resty-redis";
+ rev = "v0.29";
+ sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
+ };
+ in ''
+ # Lua path
+ lua_package_path "/var/www/reidlab.online/lua/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;";
+
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ # ^ this above is breaking forgejo
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # Enable XSS protection of the browser.
+ # May be unnecessary when CSP is configured properly (see above)
+ add_header X-XSS-Protection "1; mode=block";
+
+ # This might create errors
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ services.nginx.virtualHosts."reidlab.online" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/reidlab.online/public";
+ extraConfig = ''
+ error_page 404 /errors/404.html;
+ error_page 403 /errors/403.html;
+ error_page 500 /errors/500.html;
+ location = /errors/404.html { root /var/www/reidlab.online/public/; internal; }
+ location = /errors/403.html { root /var/www/reidlab.online/public/; internal; }
+ location = /errors/500.html { root /var/www/reidlab.online/public/; internal; }
+ location / {
+ try_files $uri @main;
+ }
+
+ location /chat {
+ access_by_lua_file /var/www/reidlab.online/lua/chat.lua;
+ }
+
+ location @main {
+ content_by_lua '
+ require("main").handle_request()
+ ';
+ }
+ '';
+ };
+
+ # Services - Forgejo
+ services.gitea = {
+ enable = true;
+ package = pkgs.forgejo;
+ stateDir = "/var/lib/git.reidlab.online";
+ appName = "Forgejo: reidlab.online git";
+ database = {
+ type = "postgres";
+ name = "gitea";
+ };
+ settings = {
+ "security" = {
+ INSTALL_LOCK = true;
+ PASSWORD_HASH_ALGO = "argon2";
+ PASSWORD_CHECK_PWN = true;
+ };
+ "ui.meta" = {
+ AUTHOR = "reidlab";
+ DESCRIPTION = "reidlab's git instance";
+ };
+ "server" = {
+ DOMAIN = "git.reidlab.online";
+ HTTP_PORT = 3000;
+ ROOT_URL = "https://git.reidlab.online/";
+ };
+ "repository" = {
+ DEFAULT_BRANCH = "main";
+ };
+ "picture" = {
+ DISABLE_GRAVATAR = false;
+ ENABLE_FEDERATED_AVATAR = true;
+ };
+ "service" = {
+ ENABLE_CAPTCHA = false;
+ REGISTER_EMAIL_CONFIRM = false;
+ DEFAULT_KEEP_EMAIL_PRIVATE = true;
+ DEFAULT_ENABLE_TIMETRACKING = true;
+ DISABLE_REGISTRATION = true;
+ };
+ };
+ };
+ services.nginx.virtualHosts."git.reidlab.online" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".extraConfig = ''
+ proxy_pass "http://127.0.0.1:3000";
+ '';
+ };
+
+ # Services - Postgres
+ services.postgresql.enable = true;
+
+ # Services - Redis
+ services.redis.enable = true;
+
+ # Security
+ security = {
+ protectKernelImage = true;
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ email = "reidlab325@gmail.com";
+ };
+
+ # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
+
diff --git a/hosts/server/hardware-configuration.nix b/hosts/server/hardware-configuration.nix
new file mode 100644
index 0000000..d1a9d7c
--- /dev/null
+++ b/hosts/server/hardware-configuration.nix
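Review bot: The SSH server enabled under `services.openssh` is reachable from outside — `openFirewall` defaults to true, so port 22 is opened even though `networking.firewall.allowedTCPPorts` lists only 80 and 443 — and it keeps sshd's default of password authentication while `users.users.reidlab` (a `wheel` member) declares no authorized keys, so the host is left open to password guessing on the admin account. Disable password and keyboard-interactive authentication, declare the login key on the user, and move `permitRootLogin = "no"` under `settings` as `PermitRootLogin`, which is where current NixOS expects it (the old name is, as far as I can tell, only a deprecated alias). The module header also lists `luaOlder, buildLuarocksPackage, lua, fetchgit` as required arguments that the NixOS module system does not supply, so evaluation would presumably fail until they are removed (none of them is used in the body). Two smaller hardening points in the same hunk: Forgejo's `HTTP_PORT = 3000` is bound to the module's default address rather than loopback, so `HTTP_ADDR = "127.0.0.1";` next to it keeps the nginx proxy the only way in even if the firewall changes; and the `add_header` lines in `commonHttpConfig` are discarded by nginx in any `server`/`location` block that sets its own `add_header`, so header coverage on the `git.reidlab.online` proxied responses should be verified rather than assumed.
```nix
  users.users.reidlab = {
    isNormalUser = true;
    extraGroups = [ "wheel" "dotfiles" ];
    # key-only login; placeholder, replace with the real public key
    openssh.authorizedKeys.keys = [ "<SSH_PUBLIC_KEY_PLACEHOLDER>" ];
    # … unchanged: packages …
  };

  # … unchanged: Services heading …
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };
```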
@@ -0,0 +1,33 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.end0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}