diff --git a/flake.nix b/flake.nix
index 1ee3e62..5bfbd27 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,7 +37,7 @@
 ./nixosModules/bonfire.nix
 self.nixosModules.spoofdpi
 ];
- specialArgs = { inherit inputs; };
+ specialArgs = { inherit inputs self; };
 };
 };
diff --git a/nixosConfigurations/catarina/default.nix b/nixosConfigurations/catarina/default.nix
index 3c241e1..5f1e1a4 100644
--- a/nixosConfigurations/catarina/default.nix
+++ b/nixosConfigurations/catarina/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, inputs, ... }:
+{ config, pkgs, lib, inputs, self, ... }:
 {
 system.stateVersion = "23.11";
@@ -28,6 +28,9 @@
 hostPlatform = lib.mkDefault "x86_64-linux";
 config.allowUnfree = true;
 config.cudaSupport = false;
+ config.packageOverrides = super: {
+ lego = self.packages.${pkgs.system}.lego;
+ };
 };
 # Services
@@ -59,6 +62,7 @@
 services.openssh = {
 enable = true;
 startWhenNeeded = true;
+ settings.PasswordAuthentication = false;
 };
 services.udev = {
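Review bot: `config.packageOverrides` on the added lines is the older override hook and its `super` argument is never used; the same substitution is normally written as an overlay, `nixpkgs.overlays = [ (final: prev: { lego = self.packages.${prev.system}.lego; }) ];`, which also composes with any other overlay the flake applies. The enclosing `nixpkgs` attribute set opens outside the hunk.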
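Review bot: Setting only `PasswordAuthentication = false` still leaves the keyboard-interactive path, which on NixOS is PAM-backed and accepts the account password unless it is disabled too, so the added line only achieves key-only login together with `settings.KbdInteractiveAuthentication = false;`. Whether `PermitRootLogin` is restricted is not visible here; the `services.openssh` block closes inside the hunk.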
@@ -67,14 +71,118 @@
 services.blueman.enable = true;
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ ignoreIP = [
+ "192.168.0.0/16"
+ ];
+ bantime = "24h";
+ bantime-increment = {
+ enable = true;
+ multipliers = "1 2 4 8";
+ maxtime = "168h";
+ overalljails = true;
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "l.nafaryus@gmail.com";
+ defaults.group = "nginx";
+
+ certs = {
+ "elnafo.ru" = {
+ domain = "elnafo.ru";
+ extraDomainNames = [ "*.elnafo.ru" ];
+ dnsProvider = "webnames";
+ credentialsFile = "/var/lib/secrets/certs.secret";
+ group = "nginx";
+ webroot = null;
+ };
+ };
+ };
+
 services.nginx = {
 enable = true;
+ recommendedProxySettings = true;
- virtualHosts."astora" = {
- root = "/var/www/astora";
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = {
+ "elnafo.ru" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www";
+ };
+
+ "www.elnafo.ru" = {
+ forceSSL = true;
+ useACMEHost = "elnafo.ru";
+ globalRedirect = "elnafo.ru";
+ };
+
+ "vcs.elnafo.ru" = {
+ forceSSL = true;
+ useACMEHost = "elnafo.ru";
+ locations."/".proxyPass = "http://127.0.0.1:3001";
+ };
 };
 };
+ services.postgresql = {
+ enable = true;
+ authentication = ''
+ # Type Database DB-User Auth-Method Ident-Map(optional)
+ local gitea all ident map=gitea-users
+ '';
+ identMap = ''
+ # MapName System-User DB-User
+ gitea-users gitea gitea
+ '';
+ ensureDatabases = [ "gitea" ];
+ };
+
+ services.gitea = {
+ enable = true;
+
+ settings = {
+ server = {
+ DOMAIN = "vcs.elnafo.ru";
+ ROOT_URL = "https://vcs.elnafo.ru/";
+ HTTP_ADDRESS = "127.0.0.1";
+ HTTP_PORT = 3001;
+ };
+
+ session.COOKIE_SECURE = true;
+
+ mailer = {
+ ENABLED = true;
+ FROM = "gitea@elnafo.ru";
+ };
+
+ service.DISABLE_REGISTRATION = true;
+
+ other = {
+ SHOW_FOOTER_VERSION = false;
+ SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+ };
+ };
+
+ database = {
+ type = "postgres";
+ passwordFile = "/var/lib/secrets/gitea/gitea-dbpassword";
+ name = "gitea";
+ user = "gitea";
+ };
+
+ lfs.enable = true;
+
+ appName = "Elnafo VCS";
+ };
+
 services.spoofdpi.enable = true;
 # Packages
diff --git a/nixosConfigurations/catarina/hardware.nix b/nixosConfigurations/catarina/hardware.nix
index ca2aaea..2f7be7c 100644
--- a/nixosConfigurations/catarina/hardware.nix
+++ b/nixosConfigurations/catarina/hardware.nix
@@ -59,7 +59,6 @@
 # Security
 security = {
 protectKernelImage = true;
- acme.acceptTerms = true;
 sudo.extraConfig = ''Defaults timestamp_timeout=30'';
 rtkit.enable = true;
 };
@@ -110,7 +109,7 @@
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 ];
+ allowedTCPPorts = [ 80 443 3001 ];
 };
 interfaces.enp9s0.ipv4.addresses = [ {
diff --git a/nixosConfigurations/catarina/users.nix b/nixosConfigurations/catarina/users.nix
index d82b619..f1c5cf4 100644
--- a/nixosConfigurations/catarina/users.nix
+++ b/nixosConfigurations/catarina/users.nix
@@ -10,4 +10,6 @@
 initialPassword = "nixos";
 shell = pkgs.fish;
 };
+
+ users.users.nginx.extraGroups = [ "acme" ];
 }
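Review bot: The hand-written `services.postgresql` block uses `local gitea all ident map=gitea-users`, but PostgreSQL substitutes `peer` for `ident` on Unix-socket connections, so `peer map=gitea-users` states the intent directly; and since the NixOS `services.gitea` module provisions its own database and role by default (`createDatabase`), the explicit `ensureDatabases`/`identMap` likely duplicates what the module already does — confirm against the module version in use so the two definitions cannot diverge. `database.passwordFile` names a secret that appears unused when Gitea connects over the socket (the default for `type = "postgres"`); if it stays, nothing in this hunk establishes that the file is owned by the gitea user with a restrictive mode, and the same applies to `/var/lib/secrets/certs.secret` holding the DNS-provider API credential. `mailer.ENABLED = true` with only `FROM` looks incomplete, as Gitea needs at least `PROTOCOL` and `SMTP_ADDR` before the mailer can send. `services.fail2ban` is enabled without any `jails` entry, so only whatever the module ships by default is active; an nginx-side jail for the new vhosts would need to be added explicitly.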
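Review bot: Adding 3001 to `allowedTCPPorts` is unnecessary and weakens the layering: Gitea is bound to `HTTP_ADDRESS = "127.0.0.1"` and is reached only through the nginx `vcs.elnafo.ru` vhost, so the rule admits nothing today and would expose plaintext Gitea, bypassing `forceSSL` and the reverse proxy, the moment the bind address changes. Keep the previous list, `allowedTCPPorts = [ 80 443 ];`.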
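Review bot: `users.users.nginx.extraGroups = [ "acme" ]` appears redundant with `security.acme.defaults.group = "nginx"` (and `certs."elnafo.ru".group = "nginx"`) set in default.nix, which already makes the certificate files group-readable by nginx; it only matters if a later certificate keeps the default `acme` group. Either drop the line or give it a comment such as `# lets nginx read any cert left in the default acme group` so the two files do not drift apart.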