changed some module stuf

oops
sitev2 prog and static sites mod
2024-02-26 16:23:49 -08:00 · 2024-02-04 17:37:23 -08:00 · 2024-02-04 17:33:38 -08:00
6 changed files with 161 additions and 36 deletions
--- a/default.nix
+++ b/default.nix
@ -7,13 +7,32 @@ in {
    [ inputs.home-manager.nixosModules.home-manager ]
    ++ _.mapModulesRec' ./modules import;
  nix = {
  	settings = {
      experimental-features = [ "nix-command" "flakes" ];
      auto-optimise-store = true;
      keep-outputs = true;
      keep-derivations = true;
      substituters = [ 
        "https://nix-community.cachix.org" 
      ];
      trusted-public-keys = [
      	"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      ];
  	};
  };
  environment.systemPackages = with pkgs; [
-    curl git
+    unrar unzip
    curl wget
    # hello! if you remove this, good luck
    # ever rebuilding your system using flakes!
    git
  ];
-  i18n.defaultLocale = "en_US.UTF-8";
+  time.timeZone = lib.mkDefault "America/Los_Angeles";
  i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  system.stateVersion = lib.mkDefault "23.11";
 }
--- a/hosts/server/default.nix
+++ b/hosts/server/default.nix
@ -10,13 +10,6 @@ in {
    ./webapps/default.nix
  ];
  user = {
    packages = with pkgs; [
      git
      curl
    ];
  };
  users.groups.dotfiles = {};
  normalUsers = {
@ -57,7 +50,7 @@ in {
      mosh.enable = true;
    };
-    security.enable = true;
+    security.useDoas = true;
  };
  time.timeZone = "America/Los_Angeles";
--- a/hosts/server/webapps/default.nix
+++ b/hosts/server/webapps/default.nix
@ -12,10 +12,17 @@ in {
          port = 3000;
        };
        # you should probably keep this on
        # configures acme, gzip, optimization, proxy, and ssl config
        # opens ports and adds some Headers
        nginx-config = {
          enable = true;
          defaultLuaPackagePath = /var/www/reidlab.online/lua;
        };
        staticSites = {
          "v2.reidlab.online".dataDir = "/var/www/v2.reidlab.online";	
        };
      };
    };
--- a/modules/security.nix
+++ b/modules/security.nix
@ -5,33 +5,43 @@ let
  cfg = config.modules.security;
 in {
  options.modules.security = {
-    enable = mkOption {
+    useDoas = mkEnableOption "use doas instead of sudo";
      type = types.bool;
      default = true;
    };
  };
  config = mkIf cfg.enable {
-    security.rtkit.enable = true;
+	boot = {
 		tmp.useTmpfs = lib.mkDefault true;
 		tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
    	kernel.sysctl = {
      	  "kernel.sysrq" = 0;
-    boot.kernel.sysctl = {
+          "net.ipv4.conf.all.accept_source_code" = 0;
-      "kernel.sysrq" = 0;
+          "net.ipv6.conf.all.accept_source_code" = 0;
          "net.ipv4.conf.default.send_redirects" = 0;
          "net.ipv4.conf.all.send_redirects" = 0;
          "net.ipv4.conf.default.accept_redirects" = 0;
          "net.ipv4.conf.all.accept_redirects" = 0;
          "net.ipv6.conf.default.accept_redirects" = 0;
          "net.ipv6.conf.all.accept_redirects" = 0;
          "net.ipv4.conf.default.secure_redirects" = 0;
          "net.ipv4.conf.all.secure_redirects" = 0;
          "net.ipv4.tcp_syncookies" = 1;
          "net.ipv4.tcp_rfc1337" = 1;
          "net.ipv4.tcp_fastopen" = 3;
          "net.ipv4.tcp_conjestion_control" = "bbr";
          "net.core.default_qdisc" = "cake";
        };
      };
-      "net.ipv4.conf.all.accept_source_code" = 0;
+      security = {
-      "net.ipv6.conf.all.accept_source_code" = 0;
+      	protectKernelImage = true;
-      "net.ipv4.conf.default.send_redirects" = 0;
+      	polkit.enable = true;
-      "net.ipv4.conf.all.send_redirects" = 0;
+      	rtkit.enable = true;
-      "net.ipv4.conf.default.accept_redirects" = 0;
+      };
-      "net.ipv4.conf.all.accept_redirects" = 0;
+    } // (mkIf cfg.useDoas {
-      "net.ipv6.conf.default.accept_redirects" = 0;
+    	security.sudo.enable = false;
-      "net.ipv6.conf.all.accept_redirects" = 0;
+    	security.doas.enable = true;
-      "net.ipv4.conf.default.secure_redirects" = 0;
+    	environment.systemPackages = with pkgs; [ doas-sudo-shim ];
-      "net.ipv4.conf.all.secure_redirects" = 0;
+    });
      "net.ipv4.tcp_syncookies" = 1;
      "net.ipv4.tcp_rfc1337" = 1;
      "net.ipv4.tcp_fastopen" = 3;
      "net.ipv4.tcp_conjestion_control" = "bbr";
      "net.core.default_qdisc" = "cake";
    };
  };
 }
--- a/modules/services/staticSites.nix
+++ b/modules/services/staticSites.nix
@ -0,0 +1,88 @@
 { pkgs, lib, config, options, ... }:
 with lib;
 let
  sites = config.modules.services.staticSites;
  staticSiteModule.options = {
    dataDir = mkOption {
      type = types.oneOf [ types.str types.path ];
      default = null;
    };
    auth = mkOption {
      type = types.attrsOf types.str;
      description = "Basic authentication options. Defines a set of user = password pairs.";
      example = literalExpr ''
        {
          user = "password";
          anotherUser = "anotherPassword";
          /* ... */
        }
      '';
      default = {};
    };
    disableLogsForMisc = mkOption {
      type = types.bool;
      description = "Disables access logs for /favicon.ico and /robots.txt";
      default = true;
    };
    denySensitivePaths = mkOption {
      type = types.bool;
      description = "Disables access to paths starting with a . (except well-known) to prevent leaking potentially sensitive data";
      default = true;
    };
    forceSSL = mkOption {
      type = types.bool;
      description = "Redirects HTTP requests to HTTPS.";
      default = true;
    };
  };
 in {
  options.modules.services.staticSites = mkOption {
    type = types.attrsOf (types.submodule staticSiteModule);
    example = literalExpression ''
      {
        "goop.network".dataDir = /var/www/goop.network;
        "reidlab.online".dataDir = /etc/secret/private/reidlab-online;
      }
    '';
    default = {};
  };
  config = {
    assertions = mapAttrsToList (domain: _@{dataDir, ...}:
      { assertion = dataDir != null;
        description = "${domain} must specify a dataDir.";
      }) sites;
    services.nginx.virtualHosts = mkMerge (mapAttrsToList (domain: site: {
      ${domain} = {
        locations = mkMerge [
          { "/".basicAuth = site.auth; }
          ( mkIf site.disableLogsForMisc {
            "= /favicon.ico".extraConfig = ''
              access_log off;
              log_not_found off;
            '';
            "= /robots.txt".extraConfig = ''
              access_log off;
              log_not_found off;
            '';
          })
          ( mkIf site.denySensitivePaths {
            "${''~ /\.(?!well-known).*''}".extraConfig = ''deny all;'';
          })
        ];
        forceSSL = site.forceSSL;
        addSSL = !site.forceSSL;
        enableACME = true;
        root = site.dataDir;
      };
    }) sites);
  };
 }
--- a/readme.md
+++ b/readme.md
@ -15,3 +15,11 @@ to build the system, run `sudo nixos-rebuild switch --flake ".#server"`
 please periodically run `nix flake update` to make sure we arent slacking on package versions
 before committing, please run `nix flake check` and make sure everything is ok
 ## todo
 - analytics using matomo
 - php support in staticsites
 - no more luapackagepath. please stop.
 - not sure if this is cloudflare doing this or our acme config, but accessing invalid subdomains returns a dumb ssl error
 - this is not related to the flake but it is to the site. transfer from namecheap to porkbun plz
Author	SHA1	Message	Date
reidlab	719c14f954	changed some module stuf	2024-02-26 16:23:49 -08:00
reidlab	3ef34be9db	oops	2024-02-04 17:37:23 -08:00
reidlab	0c2895de1b	sitev2 prog and static sites mod	2024-02-04 17:33:38 -08:00