L-Nafaryus/bonfire
L-Nafaryus/bonfire
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects 2 Releases Wiki Activity

nixosConfigurations: catarina: base server setup

Browse Source
This commit is contained in:
L-Nafaryus 2024-01-16 01:43:51 +05:00
parent 2bf5a1e329
commit a51b445706
Signed by: L-Nafaryus
GPG Key ID: 582F8B0866B294A1
4 changed files with 115 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
flake.nix
View File

@ -37,7 +37,7 @@
./nixosModules/bonfire.nix ./nixosModules/bonfire.nix
self.nixosModules.spoofdpi self.nixosModules.spoofdpi
]; ];
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs self; };
}; };
}; };

114
nixosConfigurations/catarina/default.nix
View File

@ -1,4 +1,4 @@
{ config, pkgs, lib, inputs, ... }: { config, pkgs, lib, inputs, self, ... }:
{ {
system.stateVersion = "23.11"; system.stateVersion = "23.11";
@ -28,6 +28,9 @@
hostPlatform = lib.mkDefault "x86_64-linux"; hostPlatform = lib.mkDefault "x86_64-linux";
config.allowUnfree = true; config.allowUnfree = true;
config.cudaSupport = false; config.cudaSupport = false;
config.packageOverrides = super: {
lego = self.packages.${pkgs.system}.lego;
};
}; };
# Services # Services
@ -59,6 +62,7 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
startWhenNeeded = true; startWhenNeeded = true;
settings.PasswordAuthentication = false;
}; };
services.udev = { services.udev = {
@ -67,12 +71,116 @@
services.blueman.enable = true; services.blueman.enable = true;
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
"192.168.0.0/16"
];
bantime = "24h";
bantime-increment = {
enable = true;
multipliers = "1 2 4 8";
maxtime = "168h";
overalljails = true;
};
};
security.acme = {
acceptTerms = true;
defaults.email = "l.nafaryus@gmail.com";
defaults.group = "nginx";
certs = {
"elnafo.ru" = {
domain = "elnafo.ru";
extraDomainNames = [ "*.elnafo.ru" ];
dnsProvider = "webnames";
credentialsFile = "/var/lib/secrets/certs.secret";
group = "nginx";
webroot = null;
};
};
};
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedProxySettings = true; recommendedProxySettings = true;
virtualHosts."astora" = { recommendedOptimisation = true;
root = "/var/www/astora"; recommendedGzipSettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"elnafo.ru" = {
forceSSL = true;
enableACME = true;
root = "/var/www";
}; };
"www.elnafo.ru" = {
forceSSL = true;
useACMEHost = "elnafo.ru";
globalRedirect = "elnafo.ru";
};
"vcs.elnafo.ru" = {
forceSSL = true;
useACMEHost = "elnafo.ru";
locations."/".proxyPass = "http://127.0.0.1:3001";
};
};
};
services.postgresql = {
enable = true;
authentication = ''
# Type Database DB-User Auth-Method Ident-Map(optional)
local gitea all ident map=gitea-users
'';
identMap = ''
# MapName System-User DB-User
gitea-users gitea gitea
'';
ensureDatabases = [ "gitea" ];
};
services.gitea = {
enable = true;
settings = {
server = {
DOMAIN = "vcs.elnafo.ru";
ROOT_URL = "https://vcs.elnafo.ru/";
HTTP_ADDRESS = "127.0.0.1";
HTTP_PORT = 3001;
};
session.COOKIE_SECURE = true;
mailer = {
ENABLED = true;
FROM = "gitea@elnafo.ru";
};
service.DISABLE_REGISTRATION = true;
other = {
SHOW_FOOTER_VERSION = false;
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
};
};
database = {
type = "postgres";
passwordFile = "/var/lib/secrets/gitea/gitea-dbpassword";
name = "gitea";
user = "gitea";
};
lfs.enable = true;
appName = "Elnafo VCS";
}; };
services.spoofdpi.enable = true; services.spoofdpi.enable = true;

3
nixosConfigurations/catarina/hardware.nix
View File

@ -59,7 +59,6 @@
# Security # Security
security = { security = {
protectKernelImage = true; protectKernelImage = true;
acme.acceptTerms = true;
sudo.extraConfig = ''Defaults timestamp_timeout=30''; sudo.extraConfig = ''Defaults timestamp_timeout=30'';
rtkit.enable = true; rtkit.enable = true;
}; };
@ -110,7 +109,7 @@
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 80 443 ]; allowedTCPPorts = [ 80 443 3001 ];
}; };
interfaces.enp9s0.ipv4.addresses = [ { interfaces.enp9s0.ipv4.addresses = [ {

2
nixosConfigurations/catarina/users.nix
View File

@ -10,4 +10,6 @@
initialPassword = "nixos"; initialPassword = "nixos";
shell = pkgs.fish; shell = pkgs.fish;
}; };
users.users.nginx.extraGroups = [ "acme" ];
} }