nixosConfigurations: catarina: base server setup

config/git/config

@@ -1,7 +1,7 @@
 [user]
     name = L-Nafaryus
     email = l.nafaryus@gmail.com
-    signingKey = C76D8DCD2727DBB7
+    signingKey = 9B576DE3
 [commit]
     gpgsign = true
 [tag]

config/nvim/init.lua

@@ -1,2 +1,7 @@
 -- bootstrap lazy.nvim, LazyVim and your plugins
 require("config.lazy")
+
+vim.o.tabstop = 4 -- A TAB character looks like 4 spaces
+vim.o.expandtab = true -- Pressing the TAB key will insert spaces instead of a TAB character
+vim.o.softtabstop = 4 -- Number of spaces inserted instead of a TAB character
+vim.o.shiftwidth = 4 -- Number of spaces inserted when indenting

devShells/default.nix

@@ -17,4 +17,7 @@ in forAllSystems(system: let
     openfoam = import ./openfoam.nix { inherit pkgs bpkgs; };
 
     rust = import ./rust.nix { inherit pkgs cranelib; };
+    rust-x11 = import ./rust-x11.nix { inherit pkgs cranelib; };
+
+    go = import ./go.nix { inherit pkgs; };
 })

devShells/go.nix

@@ -0,0 +1,4 @@
+{ pkgs, ... }:
+pkgs.mkShell {
+    buildInputs = with pkgs; [ go gopls gotools go-tools golangci-lint gnumake ];
+}

devShells/rust-x11.nix

@@ -0,0 +1,21 @@
+{ pkgs, cranelib, ... }:
+cranelib.devShell {
+    packages = with pkgs; [ 
+        libGL 
+        xorg.libXi xorg.libX11 xorg.libXcursor xorg.libXrandr 
+        lld 
+        libxkbcommon
+        vulkan-loader
+    ];
+
+    shellHook = ''
+        export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${
+            with pkgs; lib.makeLibraryPath [ 
+                libGL 
+                xorg.libX11 xorg.libXi xorg.libXcursor xorg.libXrandr 
+                libxkbcommon 
+                vulkan-loader 
+            ]
+        }"
+    '';
+}

flake.nix

@@ -37,7 +37,7 @@
                     ./nixosModules/bonfire.nix
                     self.nixosModules.spoofdpi
                 ];
-                specialArgs = { inherit inputs; };
+                specialArgs = { inherit inputs self; };
             };
         };
 

nixosConfigurations/astora/default.nix

@@ -44,7 +44,10 @@
  
         videoDrivers = [ "nvidia" ];
 
-        displayManager.gdm.enable = true;
+        displayManager.gdm = {
+            enable = true;
+            autoSuspend = false;
+        };
         desktopManager.gnome.enable = true;
         windowManager.awesome.enable = true;
 
@@ -63,6 +66,7 @@
     services.openssh = {
         enable = true;
         startWhenNeeded = true;
+        settings.PasswordAuthentication = false;
     };
 
     services.udev = {
@@ -116,6 +120,18 @@
         };
     };
 
+    programs.ssh.extraConfig = ''
+        Host astora
+            HostName 192.168.156.101
+            Port 22
+            User nafaryus 
+
+        Host catarina
+            HostName 192.168.156.102
+            Port 22
+            User nafaryus
+    '';
+
     programs.direnv.enable = true;
 
     fonts.packages = with pkgs; [ nerdfonts ];

nixosConfigurations/astora/hardware.nix

@@ -128,6 +128,14 @@
             enable = true;
             allowedTCPPorts = [ 80 443 ];
         };
+
+        interfaces.wlo1.ipv4.addresses = [ {
+            address = "192.168.156.101";
+            prefixLength = 24;
+        } ];
+
+        defaultGateway = "192.168.156.1";
+        nameservers = [ "192.168.156.1" "8.8.8.8" ];
     };
 
 # Common

nixosConfigurations/catarina/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, inputs, ... }:
+{ config, pkgs, lib, inputs, self, ... }:
 {
     system.stateVersion = "23.11";
 
@@ -28,6 +28,9 @@
         hostPlatform = lib.mkDefault "x86_64-linux";
         config.allowUnfree = true;
         config.cudaSupport = false;
+        config.packageOverrides = super: {
+            lego = self.packages.${pkgs.system}.lego; 
+        };
     };
 
 # Services
@@ -39,7 +42,10 @@
  
         videoDrivers = [ "nvidia" ];
 
-        displayManager.gdm.enable = true;
+        displayManager.gdm = {
+            enable = true;
+            autoSuspend = false;
+        };
         desktopManager.gnome.enable = true;
         windowManager.awesome.enable = true;
     };
@@ -56,6 +62,7 @@
     services.openssh = {
         enable = true;
         startWhenNeeded = true;
+        settings.PasswordAuthentication = false;
     };
 
     services.udev = {
@@ -64,6 +71,118 @@
 
     services.blueman.enable = true;
 
+    services.fail2ban = {
+        enable = true;
+        maxretry = 5;
+        ignoreIP = [
+            "192.168.0.0/16"
+        ];
+        bantime = "24h";
+        bantime-increment = {
+            enable = true; 
+            multipliers = "1 2 4 8";
+            maxtime = "168h"; 
+            overalljails = true; 
+        };
+    };
+
+    security.acme = {
+        acceptTerms = true;
+        defaults.email = "l.nafaryus@gmail.com";
+        defaults.group = "nginx";
+
+        certs = {
+            "elnafo.ru" = {
+                domain = "elnafo.ru";
+                extraDomainNames = [ "*.elnafo.ru" ];
+                dnsProvider = "webnames";
+                credentialsFile = "/var/lib/secrets/certs.secret";
+                group = "nginx";
+                webroot = null;
+            };
+        };
+    };
+
+    services.nginx = {
+        enable = true;
+
+        recommendedProxySettings = true;
+        recommendedOptimisation = true;
+        recommendedGzipSettings = true;
+        recommendedTlsSettings = true; 
+
+        virtualHosts = {
+            "elnafo.ru" = {
+                forceSSL = true;
+                enableACME = true;
+                root = "/var/www";
+            };
+
+            "www.elnafo.ru" = {
+                forceSSL = true;
+                useACMEHost = "elnafo.ru";
+                globalRedirect = "elnafo.ru";
+            };
+
+            "vcs.elnafo.ru" = {
+                forceSSL = true;
+                useACMEHost = "elnafo.ru";
+                locations."/".proxyPass = "http://127.0.0.1:3001";
+            };
+        };
+    };
+
+    services.postgresql = {
+        enable = true;
+        authentication = ''
+            # Type      Database    DB-User     Auth-Method     Ident-Map(optional)
+            local       gitea       all         ident           map=gitea-users
+        '';
+        identMap = ''
+            # MapName       System-User     DB-User
+            gitea-users     gitea           gitea
+        '';
+        ensureDatabases = [ "gitea" ];
+    };
+
+    services.gitea = {
+        enable = true;
+
+        settings = {
+            server = {
+                DOMAIN = "vcs.elnafo.ru";
+                ROOT_URL = "https://vcs.elnafo.ru/";
+                HTTP_ADDRESS = "127.0.0.1";
+                HTTP_PORT = 3001;
+            };
+
+            session.COOKIE_SECURE = true;
+
+            mailer = {
+                ENABLED = true;
+                FROM = "gitea@elnafo.ru";
+            };
+
+            service.DISABLE_REGISTRATION = true;
+
+            other = {
+                SHOW_FOOTER_VERSION = false;
+                SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+            };
+        };
+
+        database = {
+            type = "postgres";
+            passwordFile = "/var/lib/secrets/gitea/gitea-dbpassword";
+            name = "gitea";
+            user = "gitea";
+        };
+
+        lfs.enable = true;
+
+        appName = "Elnafo VCS";
+    };
+
     services.spoofdpi.enable = true;
 
 # Packages
@@ -111,6 +230,18 @@
         };
     };
 
+    programs.ssh.extraConfig = ''
+        Host astora
+            HostName 192.168.156.101
+            Port 22
+            User nafaryus 
+
+        Host catarina
+            HostName 192.168.156.102
+            Port 22
+            User nafaryus
+    '';
+
     programs.direnv.enable = true;
 
     fonts.packages = with pkgs; [ nerdfonts ];

nixosConfigurations/catarina/hardware.nix

@@ -59,7 +59,6 @@
 # Security
     security = {
         protectKernelImage = true;
-        acme.acceptTerms = true;
         sudo.extraConfig = ''Defaults timestamp_timeout=30'';
         rtkit.enable = true;
     };
@@ -110,10 +109,20 @@
 
         firewall = {
             enable = true;
-            allowedTCPPorts = [ 80 443 ];
+            allowedTCPPorts = [ 80 443 3001 ];
         };
+
+        interfaces.enp9s0.ipv4.addresses = [ {
+            address = "192.168.156.102";
+            prefixLength = 24;
+        } ];
+
+        defaultGateway = "192.168.156.1";
+        nameservers = [ "192.168.156.1" "8.8.8.8" ];
     };
 
+    services.logind.lidSwitchExternalPower = "ignore";
+
 # Common
     time.timeZone = "Asia/Yekaterinburg";
 

nixosConfigurations/catarina/users.nix

@@ -10,4 +10,6 @@
         initialPassword = "nixos";
         shell = pkgs.fish;
     };
+
+    users.users.nginx.extraGroups = [ "acme" ];
 }

packages/default.nix

@@ -16,4 +16,6 @@ in forAllSystems(system: let pkgs = nixpkgsFor.${system}; in {
     openfoam = pkgs.callPackage ./openfoam {};
 
     spoofdpi = pkgs.callPackage ./spoofdpi {};
+
+    lego = pkgs.callPackage ./lego {};
 })

packages/lego/default.nix

@@ -0,0 +1,37 @@
+{ 
+    lib, 
+    fetchFromGitHub, buildGoModule, nixosTests, 
+    version ? "c847ac4a4c55d6a5a457f6ef494cf45a47299e01",
+    hash ? "sha256-g9OxhM+iNUrAZgM1we8qPsismPy5a0eN654tSYuM/No=",
+    vendorHash ? "sha256-wG0x86lptEY3x+7kVN7v1XZniliMOxaJ6Y95YS6ivJY=", ...
+}:
+buildGoModule rec {
+    pname = "lego";
+    inherit version;
+
+    src = fetchFromGitHub {
+        owner = "go-acme";
+        repo = "lego";
+        rev = version;
+        hash = hash;
+    };
+
+    inherit vendorHash;
+
+    doCheck = false;
+
+    subPackages = [ "cmd/lego" ];
+
+    ldflags = [
+        "-X main.version=${version}"
+    ];
+
+    meta = with lib; {
+        description = "Let's Encrypt client and ACME library written in Go";
+        license = licenses.mit;
+        homepage = "https://go-acme.github.io/lego/";
+        maintainers = [];
+    };
+
+    passthru.tests.lego = nixosTests.acme;
+}