diff --git a/default.nix b/default.nix
index c6e0ae6..465ddb6 100755
--- a/default.nix
+++ b/default.nix
@@ -7,32 +7,13 @@ in {
 [ inputs.home-manager.nixosModules.home-manager ]
 ++ _.mapModulesRec' ./modules import;
- nix = {
- settings = {
- experimental-features = [ "nix-command" "flakes" ];
- auto-optimise-store = true;
- keep-outputs = true;
- keep-derivations = true;
- substituters = [
- "https://nix-community.cachix.org"
- ];
- trusted-public-keys = [
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- ];
- };
- };
-
 environment.systemPackages = with pkgs; [
- unrar unzip
- curl wget
- # hello! if you remove this, good luck
- # ever rebuilding your system using flakes!
- git
+ curl git
 ];
- time.timeZone = lib.mkDefault "America/Los_Angeles";
-
- i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
+ i18n.defaultLocale = "en_US.UTF-8";
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ system.stateVersion = lib.mkDefault "23.11";
 }
diff --git a/hosts/server/default.nix b/hosts/server/default.nix
index 431ca38..b2a06d8 100755
--- a/hosts/server/default.nix
+++ b/hosts/server/default.nix
@@ -10,6 +10,13 @@ in {
 ./webapps/default.nix
 ];
+ user = {
+ packages = with pkgs; [
+ git
+ curl
+ ];
+ };
+
 users.groups.dotfiles = {};
 normalUsers = {
@@ -50,7 +57,7 @@ in {
 mosh.enable = true;
 };
- security.useDoas = true;
+ security.enable = true;
 };
 time.timeZone = "America/Los_Angeles";
diff --git a/hosts/server/webapps/default.nix b/hosts/server/webapps/default.nix
index 26b43b7..c85749d 100755
--- a/hosts/server/webapps/default.nix
+++ b/hosts/server/webapps/default.nix
@@ -12,17 +12,10 @@ in {
 port = 3000;
 };
- # you should probably keep this on
- # configures acme, gzip, optimization, proxy, and ssl config
- # opens ports and adds some Headers
 nginx-config = {
 enable = true;
 defaultLuaPackagePath = /var/www/reidlab.online/lua;
 };
-
- staticSites = {
- "v2.reidlab.online".dataDir = "/var/www/v2.reidlab.online";
- };
 };
 };
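Review bot: `i18n.defaultLocale = "en_US.UTF-8";` drops the `lib.mkDefault` the old line carried, so a host that sets its own locale now fails evaluation with a conflicting-definition error instead of overriding this shared module; `i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";` keeps the override point. `system.stateVersion = lib.mkDefault "23.11";` in a module imported by every host also means a new host that forgets its own stateVersion silently inherits 23.11 rather than being caught by the `nix flake check` the readme asks for, so a comment such as `# fallback only: stateVersion is per-host state, every host should set its own` would make that explicit. Removing the nix-community substituter and its public key narrows binary-cache trust to the default cache, which is a reasonable tightening, but note that anything previously served from that cache is now built locally.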
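Review bot: `security.enable = true;` is a no-op after this commit, because `modules.security.enable` now defaults to `true` in modules/security.nix, whereas the `useDoas` line it replaces was what disabled sudo and installed doas on this host. Unless sudo is meant to return, the server silently reverts to the NixOS default of sudo enabled for wheel; if doas is still wanted, re-add `security.sudo.enable = false;` and `security.doas.enable = true;` at host level (outside the custom `modules.security` namespace), otherwise record the reversal with a comment such as `# doas dropped; sudo is back on for wheel`. The enclosing attrset this line sits in (presumably `modules = { ... }`, given `cfg = config.modules.security`) starts before the hunk, so the attribute path is inferred.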
diff --git a/modules/security.nix b/modules/security.nix
index a00b377..4dc2268 100755
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -5,43 +5,33 @@ let cfg = config.modules.security;
 in {
 options.modules.security = {
- useDoas = mkEnableOption "use doas instead of sudo";
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ };
 };
 config = mkIf cfg.enable {
- boot = {
- tmp.useTmpfs = lib.mkDefault true;
- tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
-
- kernel.sysctl = {
- "kernel.sysrq" = 0;
+ security.rtkit.enable = true;
- "net.ipv4.conf.all.accept_source_code" = 0;
- "net.ipv6.conf.all.accept_source_code" = 0;
- "net.ipv4.conf.default.send_redirects" = 0;
- "net.ipv4.conf.all.send_redirects" = 0;
- "net.ipv4.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.all.accept_redirects" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
- "net.ipv6.conf.all.accept_redirects" = 0;
- "net.ipv4.conf.default.secure_redirects" = 0;
- "net.ipv4.conf.all.secure_redirects" = 0;
- "net.ipv4.tcp_syncookies" = 1;
- "net.ipv4.tcp_rfc1337" = 1;
- "net.ipv4.tcp_fastopen" = 3;
- "net.ipv4.tcp_conjestion_control" = "bbr";
- "net.core.default_qdisc" = "cake";
- };
- };
+ boot.kernel.sysctl = {
+ "kernel.sysrq" = 0;
- security = {
- protectKernelImage = true;
- polkit.enable = true;
- rtkit.enable = true;
- };
- } // (mkIf cfg.useDoas {
- security.sudo.enable = false;
- security.doas.enable = true;
- environment.systemPackages = with pkgs; [ doas-sudo-shim ];
- });
+ "net.ipv4.conf.all.accept_source_code" = 0;
+ "net.ipv6.conf.all.accept_source_code" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.tcp_syncookies" = 1;
+ "net.ipv4.tcp_rfc1337" = 1;
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_conjestion_control" = "bbr";
+ "net.core.default_qdisc" = "cake";
+ };
+ };
 }
diff --git a/modules/services/staticSites.nix b/modules/services/staticSites.nix
deleted file mode 100755
index b6abee0..0000000
--- a/modules/services/staticSites.nix
+++ /dev/null
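Review bot: Two of the sysctl keys re-added on the new side do not exist in the kernel: `net.ipv4.conf.all.accept_source_code` / `net.ipv6.conf.all.accept_source_code` should be `accept_source_route`, and `net.ipv4.tcp_conjestion_control` should be `tcp_congestion_control`, so source-routed packets are not actually rejected and BBR is never selected (as far as I recall systemd-sysctl only warns on an unknown key and carries on). Fix with `"net.ipv4.conf.all.accept_source_route" = 0;`, `"net.ipv6.conf.all.accept_source_route" = 0;` and `"net.ipv4.tcp_congestion_control" = "bbr";`, and consider a matching `default.accept_source_route` entry to mirror the pattern used for the redirect keys. If `tcp_bbr` is built as a module on the kernel in use, selecting it also needs `boot.kernelModules = [ "tcp_bbr" ];` — confirm on the target. Separately, `protectKernelImage`, `polkit.enable` and the tmpfs `/tmp` settings are dropped without replacement, which is a hardening regression worth a comment if intentional. The module's `let ... in {` header and its closing brace fall partly outside the hunk.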
@@ -1,88 +0,0 @@
-{ pkgs, lib, config, options, ... }:
-
-with lib;
-let
- sites = config.modules.services.staticSites;
- staticSiteModule.options = {
- dataDir = mkOption {
- type = types.oneOf [ types.str types.path ];
- default = null;
- };
-
- auth = mkOption {
- type = types.attrsOf types.str;
- description = "Basic authentication options. Defines a set of user = password pairs.";
- example = literalExpr ''
- {
- user = "password";
- anotherUser = "anotherPassword";
- /* ... */
- }
- '';
- default = {};
- };
-
- disableLogsForMisc = mkOption {
- type = types.bool;
- description = "Disables access logs for /favicon.ico and /robots.txt";
- default = true;
- };
-
- denySensitivePaths = mkOption {
- type = types.bool;
- description = "Disables access to paths starting with a . (except well-known) to prevent leaking potentially sensitive data";
- default = true;
- };
-
- forceSSL = mkOption {
- type = types.bool;
- description = "Redirects HTTP requests to HTTPS.";
- default = true;
- };
- };
-in {
- options.modules.services.staticSites = mkOption {
- type = types.attrsOf (types.submodule staticSiteModule);
- example = literalExpression ''
- {
- "goop.network".dataDir = /var/www/goop.network;
- "reidlab.online".dataDir = /etc/secret/private/reidlab-online;
- }
- '';
- default = {};
- };
-
- config = {
- assertions = mapAttrsToList (domain: _@{dataDir, ...}:
- { assertion = dataDir != null;
- description = "${domain} must specify a dataDir.";
- }) sites;
-
- services.nginx.virtualHosts = mkMerge (mapAttrsToList (domain: site: {
- ${domain} = {
- locations = mkMerge [
- { "/".basicAuth = site.auth; }
-
- ( mkIf site.disableLogsForMisc {
- "= /favicon.ico".extraConfig = ''
- access_log off;
- log_not_found off;
- '';
- "= /robots.txt".extraConfig = ''
- access_log off;
- log_not_found off;
- '';
- })
-
- ( mkIf site.denySensitivePaths {
- "${''~ /\.(?!well-known).*''}".extraConfig = ''deny all;'';
- })
- ];
- forceSSL = site.forceSSL;
- addSSL = !site.forceSSL;
- enableACME = true;
- root = site.dataDir;
- };
- }) sites);
- };
-}
diff --git a/readme.md b/readme.md
index a0fc4d7..ee86baf 100755
--- a/readme.md
+++ b/readme.md
@@ -15,11 +15,3 @@ to build the system, run `sudo nixos-rebuild switch --flake ".#server"` please periodically run `nix flake update` to make sure we arent slacking on package versions before committing, please run `nix flake check` and make sure everything is ok - - ## todo - - analytics using matomo - php support in staticsites - no more luapackagepath. please stop. - not sure if this is cloudflare doing this or our acme config, but accessing invalid subdomains returns a dumb ssl error - this is not related to the flake but it is to the site. transfer from namecheap to porkbun plz