changed some module stuf

oops
sitev2 prog and static sites mod
2024-02-26 16:23:49 -08:00 · 2024-02-04 17:37:23 -08:00 · 2024-02-04 17:33:38 -08:00
6 changed files with 161 additions and 36 deletions
--- a/default.nix
+++ b/default.nix
@ -7,13 +7,32 @@ in {
    [ inputs.home-manager.nixosModules.home-manager ]
    ++ _.mapModulesRec' ./modules import;

+  nix = {
+  	settings = {
+      experimental-features = [ "nix-command" "flakes" ];
+      auto-optimise-store = true;
+      keep-outputs = true;
+      keep-derivations = true;
+      substituters = [ 
+        "https://nix-community.cachix.org" 
+      ];
+      trusted-public-keys = [
+      	"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+  	};
+  };
+
  environment.systemPackages = with pkgs; [
-    curl git
+    unrar unzip
+    curl wget
+    # hello! if you remove this, good luck
+    # ever rebuilding your system using flakes!
+    git
  ];

-  i18n.defaultLocale = "en_US.UTF-8";
+  time.timeZone = lib.mkDefault "America/Los_Angeles";
+
+  i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";

-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-  
  system.stateVersion = lib.mkDefault "23.11";
 }
--- a/hosts/server/default.nix
+++ b/hosts/server/default.nix
@ -10,13 +10,6 @@ in {
    ./webapps/default.nix
  ];

-  user = {
-    packages = with pkgs; [
-      git
-      curl
-    ];
-  };
-
  users.groups.dotfiles = {};

  normalUsers = {
@ -57,7 +50,7 @@ in {
      mosh.enable = true;
    };

-    security.enable = true;
+    security.useDoas = true;
  };

  time.timeZone = "America/Los_Angeles";
--- a/hosts/server/webapps/default.nix
+++ b/hosts/server/webapps/default.nix
@ -12,10 +12,17 @@ in {
          port = 3000;
        };

+        # you should probably keep this on
+        # configures acme, gzip, optimization, proxy, and ssl config
+        # opens ports and adds some Headers
        nginx-config = {
          enable = true;
          defaultLuaPackagePath = /var/www/reidlab.online/lua;
        };
+
+        staticSites = {
+          "v2.reidlab.online".dataDir = "/var/www/v2.reidlab.online";	
+        };
      };
    };

--- a/modules/security.nix
+++ b/modules/security.nix
@ -5,33 +5,43 @@ let
  cfg = config.modules.security;
 in {
  options.modules.security = {
-    enable = mkOption {
-      type = types.bool;
-      default = true;
-    };
+    useDoas = mkEnableOption "use doas instead of sudo";
  };

  config = mkIf cfg.enable {
-    security.rtkit.enable = true;
+	boot = {
+		tmp.useTmpfs = lib.mkDefault true;
+		tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
+		
+    	kernel.sysctl = {
+      	  "kernel.sysrq" = 0;

-    boot.kernel.sysctl = {
-      "kernel.sysrq" = 0;
+          "net.ipv4.conf.all.accept_source_code" = 0;
+          "net.ipv6.conf.all.accept_source_code" = 0;
+          "net.ipv4.conf.default.send_redirects" = 0;
+          "net.ipv4.conf.all.send_redirects" = 0;
+          "net.ipv4.conf.default.accept_redirects" = 0;
+          "net.ipv4.conf.all.accept_redirects" = 0;
+          "net.ipv6.conf.default.accept_redirects" = 0;
+          "net.ipv6.conf.all.accept_redirects" = 0;
+          "net.ipv4.conf.default.secure_redirects" = 0;
+          "net.ipv4.conf.all.secure_redirects" = 0;
+          "net.ipv4.tcp_syncookies" = 1;
+          "net.ipv4.tcp_rfc1337" = 1;
+          "net.ipv4.tcp_fastopen" = 3;
+          "net.ipv4.tcp_conjestion_control" = "bbr";
+          "net.core.default_qdisc" = "cake";
+        };
+      };

-      "net.ipv4.conf.all.accept_source_code" = 0;
-      "net.ipv6.conf.all.accept_source_code" = 0;
-      "net.ipv4.conf.default.send_redirects" = 0;
-      "net.ipv4.conf.all.send_redirects" = 0;
-      "net.ipv4.conf.default.accept_redirects" = 0;
-      "net.ipv4.conf.all.accept_redirects" = 0;
-      "net.ipv6.conf.default.accept_redirects" = 0;
-      "net.ipv6.conf.all.accept_redirects" = 0;
-      "net.ipv4.conf.default.secure_redirects" = 0;
-      "net.ipv4.conf.all.secure_redirects" = 0;
-      "net.ipv4.tcp_syncookies" = 1;
-      "net.ipv4.tcp_rfc1337" = 1;
-      "net.ipv4.tcp_fastopen" = 3;
-      "net.ipv4.tcp_conjestion_control" = "bbr";
-      "net.core.default_qdisc" = "cake";
-    };
-  };
+      security = {
+      	protectKernelImage = true;
+      	polkit.enable = true;
+      	rtkit.enable = true;
+      };
+    } // (mkIf cfg.useDoas {
+    	security.sudo.enable = false;
+    	security.doas.enable = true;
+    	environment.systemPackages = with pkgs; [ doas-sudo-shim ];
+    });
 }
--- a/modules/services/staticSites.nix
+++ b/modules/services/staticSites.nix
@ -0,0 +1,88 @@
+{ pkgs, lib, config, options, ... }:
+
+with lib;
+let
+  sites = config.modules.services.staticSites;
+  staticSiteModule.options = {
+    dataDir = mkOption {
+      type = types.oneOf [ types.str types.path ];
+      default = null;
+    };
+
+    auth = mkOption {
+      type = types.attrsOf types.str;
+      description = "Basic authentication options. Defines a set of user = password pairs.";
+      example = literalExpr ''
+        {
+          user = "password";
+          anotherUser = "anotherPassword";
+          /* ... */
+        }
+      '';
+      default = {};
+    };
+
+    disableLogsForMisc = mkOption {
+      type = types.bool;
+      description = "Disables access logs for /favicon.ico and /robots.txt";
+      default = true;
+    };
+
+    denySensitivePaths = mkOption {
+      type = types.bool;
+      description = "Disables access to paths starting with a . (except well-known) to prevent leaking potentially sensitive data";
+      default = true;
+    };
+
+    forceSSL = mkOption {
+      type = types.bool;
+      description = "Redirects HTTP requests to HTTPS.";
+      default = true;
+    };
+  };
+in {
+  options.modules.services.staticSites = mkOption {
+    type = types.attrsOf (types.submodule staticSiteModule);
+    example = literalExpression ''
+      {
+        "goop.network".dataDir = /var/www/goop.network;
+        "reidlab.online".dataDir = /etc/secret/private/reidlab-online;
+      }
+    '';
+    default = {};
+  };
+
+  config = {
+    assertions = mapAttrsToList (domain: _@{dataDir, ...}:
+      { assertion = dataDir != null;
+        description = "${domain} must specify a dataDir.";
+      }) sites;
+
+    services.nginx.virtualHosts = mkMerge (mapAttrsToList (domain: site: {
+      ${domain} = {
+        locations = mkMerge [
+          { "/".basicAuth = site.auth; }
+
+          ( mkIf site.disableLogsForMisc {
+            "= /favicon.ico".extraConfig = ''
+              access_log off;
+              log_not_found off;
+            '';
+            "= /robots.txt".extraConfig = ''
+              access_log off;
+              log_not_found off;
+            '';
+          })
+
+          ( mkIf site.denySensitivePaths {
+            "${''~ /\.(?!well-known).*''}".extraConfig = ''deny all;'';
+          })
+        ];
+        forceSSL = site.forceSSL;
+        addSSL = !site.forceSSL;
+        enableACME = true;
+        root = site.dataDir;
+      };
+    }) sites);
+  };
+}
--- a/readme.md
+++ b/readme.md
@ -15,3 +15,11 @@ to build the system, run `sudo nixos-rebuild switch --flake ".#server"`
 please periodically run `nix flake update` to make sure we arent slacking on package versions

 before committing, please run `nix flake check` and make sure everything is ok
+
+## todo
+
+- analytics using matomo
+- php support in staticsites
+- no more luapackagepath. please stop.
+- not sure if this is cloudflare doing this or our acme config, but accessing invalid subdomains returns a dumb ssl error
+- this is not related to the flake but it is to the site. transfer from namecheap to porkbun plz
Author	SHA1	Message	Date
reidlab	719c14f954	changed some module stuf	2024-02-26 16:23:49 -08:00
reidlab	3ef34be9db	oops	2024-02-04 17:37:23 -08:00
reidlab	0c2895de1b	sitev2 prog and static sites mod	2024-02-04 17:33:38 -08:00