Compare commits
No commits in common. "719c14f9549be9f69452a6276d026ac83aa1eb32" and "97804ef8799700304eac51abee25017b80ae25bf" have entirely different histories.
719c14f954
...
97804ef879
6 changed files with 36 additions and 161 deletions
27
default.nix
27
default.nix
|
|
@ -7,32 +7,13 @@ in {
|
|||
[ inputs.home-manager.nixosModules.home-manager ]
|
||||
++ _.mapModulesRec' ./modules import;
|
||||
|
||||
nix = {
|
||||
settings = {
|
||||
experimental-features = [ "nix-command" "flakes" ];
|
||||
auto-optimise-store = true;
|
||||
keep-outputs = true;
|
||||
keep-derivations = true;
|
||||
substituters = [
|
||||
"https://nix-community.cachix.org"
|
||||
];
|
||||
trusted-public-keys = [
|
||||
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
unrar unzip
|
||||
curl wget
|
||||
# hello! if you remove this, good luck
|
||||
# ever rebuilding your system using flakes!
|
||||
git
|
||||
curl git
|
||||
];
|
||||
|
||||
time.timeZone = lib.mkDefault "America/Los_Angeles";
|
||||
|
||||
i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
|
||||
system.stateVersion = lib.mkDefault "23.11";
|
||||
}
|
||||
|
|
|
|||
|
|
@ -10,6 +10,13 @@ in {
|
|||
./webapps/default.nix
|
||||
];
|
||||
|
||||
user = {
|
||||
packages = with pkgs; [
|
||||
git
|
||||
curl
|
||||
];
|
||||
};
|
||||
|
||||
users.groups.dotfiles = {};
|
||||
|
||||
normalUsers = {
|
||||
|
|
@ -50,7 +57,7 @@ in {
|
|||
mosh.enable = true;
|
||||
};
|
||||
|
||||
security.useDoas = true;
|
||||
security.enable = true;
|
||||
};
|
||||
|
||||
time.timeZone = "America/Los_Angeles";
|
||||
|
|
|
|||
|
|
@ -12,17 +12,10 @@ in {
|
|||
port = 3000;
|
||||
};
|
||||
|
||||
# you should probably keep this on
|
||||
# configures acme, gzip, optimization, proxy, and ssl config
|
||||
# opens ports and adds some Headers
|
||||
nginx-config = {
|
||||
enable = true;
|
||||
defaultLuaPackagePath = /var/www/reidlab.online/lua;
|
||||
};
|
||||
|
||||
staticSites = {
|
||||
"v2.reidlab.online".dataDir = "/var/www/v2.reidlab.online";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -5,43 +5,33 @@ let
|
|||
cfg = config.modules.security;
|
||||
in {
|
||||
options.modules.security = {
|
||||
useDoas = mkEnableOption "use doas instead of sudo";
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
boot = {
|
||||
tmp.useTmpfs = lib.mkDefault true;
|
||||
tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
|
||||
|
||||
kernel.sysctl = {
|
||||
"kernel.sysrq" = 0;
|
||||
security.rtkit.enable = true;
|
||||
|
||||
"net.ipv4.conf.all.accept_source_code" = 0;
|
||||
"net.ipv6.conf.all.accept_source_code" = 0;
|
||||
"net.ipv4.conf.default.send_redirects" = 0;
|
||||
"net.ipv4.conf.all.send_redirects" = 0;
|
||||
"net.ipv4.conf.default.accept_redirects" = 0;
|
||||
"net.ipv4.conf.all.accept_redirects" = 0;
|
||||
"net.ipv6.conf.default.accept_redirects" = 0;
|
||||
"net.ipv6.conf.all.accept_redirects" = 0;
|
||||
"net.ipv4.conf.default.secure_redirects" = 0;
|
||||
"net.ipv4.conf.all.secure_redirects" = 0;
|
||||
"net.ipv4.tcp_syncookies" = 1;
|
||||
"net.ipv4.tcp_rfc1337" = 1;
|
||||
"net.ipv4.tcp_fastopen" = 3;
|
||||
"net.ipv4.tcp_conjestion_control" = "bbr";
|
||||
"net.core.default_qdisc" = "cake";
|
||||
};
|
||||
};
|
||||
boot.kernel.sysctl = {
|
||||
"kernel.sysrq" = 0;
|
||||
|
||||
security = {
|
||||
protectKernelImage = true;
|
||||
polkit.enable = true;
|
||||
rtkit.enable = true;
|
||||
};
|
||||
} // (mkIf cfg.useDoas {
|
||||
security.sudo.enable = false;
|
||||
security.doas.enable = true;
|
||||
environment.systemPackages = with pkgs; [ doas-sudo-shim ];
|
||||
});
|
||||
"net.ipv4.conf.all.accept_source_code" = 0;
|
||||
"net.ipv6.conf.all.accept_source_code" = 0;
|
||||
"net.ipv4.conf.default.send_redirects" = 0;
|
||||
"net.ipv4.conf.all.send_redirects" = 0;
|
||||
"net.ipv4.conf.default.accept_redirects" = 0;
|
||||
"net.ipv4.conf.all.accept_redirects" = 0;
|
||||
"net.ipv6.conf.default.accept_redirects" = 0;
|
||||
"net.ipv6.conf.all.accept_redirects" = 0;
|
||||
"net.ipv4.conf.default.secure_redirects" = 0;
|
||||
"net.ipv4.conf.all.secure_redirects" = 0;
|
||||
"net.ipv4.tcp_syncookies" = 1;
|
||||
"net.ipv4.tcp_rfc1337" = 1;
|
||||
"net.ipv4.tcp_fastopen" = 3;
|
||||
"net.ipv4.tcp_conjestion_control" = "bbr";
|
||||
"net.core.default_qdisc" = "cake";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,88 +0,0 @@
|
|||
{ pkgs, lib, config, options, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
sites = config.modules.services.staticSites;
|
||||
staticSiteModule.options = {
|
||||
dataDir = mkOption {
|
||||
type = types.oneOf [ types.str types.path ];
|
||||
default = null;
|
||||
};
|
||||
|
||||
auth = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
description = "Basic authentication options. Defines a set of user = password pairs.";
|
||||
example = literalExpr ''
|
||||
{
|
||||
user = "password";
|
||||
anotherUser = "anotherPassword";
|
||||
/* ... */
|
||||
}
|
||||
'';
|
||||
default = {};
|
||||
};
|
||||
|
||||
disableLogsForMisc = mkOption {
|
||||
type = types.bool;
|
||||
description = "Disables access logs for /favicon.ico and /robots.txt";
|
||||
default = true;
|
||||
};
|
||||
|
||||
denySensitivePaths = mkOption {
|
||||
type = types.bool;
|
||||
description = "Disables access to paths starting with a . (except well-known) to prevent leaking potentially sensitive data";
|
||||
default = true;
|
||||
};
|
||||
|
||||
forceSSL = mkOption {
|
||||
type = types.bool;
|
||||
description = "Redirects HTTP requests to HTTPS.";
|
||||
default = true;
|
||||
};
|
||||
};
|
||||
in {
|
||||
options.modules.services.staticSites = mkOption {
|
||||
type = types.attrsOf (types.submodule staticSiteModule);
|
||||
example = literalExpression ''
|
||||
{
|
||||
"goop.network".dataDir = /var/www/goop.network;
|
||||
"reidlab.online".dataDir = /etc/secret/private/reidlab-online;
|
||||
}
|
||||
'';
|
||||
default = {};
|
||||
};
|
||||
|
||||
config = {
|
||||
assertions = mapAttrsToList (domain: _@{dataDir, ...}:
|
||||
{ assertion = dataDir != null;
|
||||
description = "${domain} must specify a dataDir.";
|
||||
}) sites;
|
||||
|
||||
services.nginx.virtualHosts = mkMerge (mapAttrsToList (domain: site: {
|
||||
${domain} = {
|
||||
locations = mkMerge [
|
||||
{ "/".basicAuth = site.auth; }
|
||||
|
||||
( mkIf site.disableLogsForMisc {
|
||||
"= /favicon.ico".extraConfig = ''
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
'';
|
||||
"= /robots.txt".extraConfig = ''
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
'';
|
||||
})
|
||||
|
||||
( mkIf site.denySensitivePaths {
|
||||
"${''~ /\.(?!well-known).*''}".extraConfig = ''deny all;'';
|
||||
})
|
||||
];
|
||||
forceSSL = site.forceSSL;
|
||||
addSSL = !site.forceSSL;
|
||||
enableACME = true;
|
||||
root = site.dataDir;
|
||||
};
|
||||
}) sites);
|
||||
};
|
||||
}
|
||||
|
|
@ -15,11 +15,3 @@ to build the system, run `sudo nixos-rebuild switch --flake ".#server"`
|
|||
please periodically run `nix flake update` to make sure we arent slacking on package versions
|
||||
|
||||
before committing, please run `nix flake check` and make sure everything is ok
|
||||
|
||||
## todo
|
||||
|
||||
- analytics using matomo
|
||||
- php support in staticsites
|
||||
- no more luapackagepath. please stop.
|
||||
- not sure if this is cloudflare doing this or our acme config, but accessing invalid subdomains returns a dumb ssl error
|
||||
- this is not related to the flake but it is to the site. transfer from namecheap to porkbun plz
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue