Diffstat (limited to 'common')
| -rw-r--r-- | common/default.nix | 24 | ||||
| -rw-r--r-- | common/disks.nix | 60 | ||||
| -rw-r--r-- | common/fail2ban.nix | 13 | ||||
| -rw-r--r-- | common/hardware.nix | 16 | ||||
| -rw-r--r-- | common/mail.nix | 37 | ||||
| -rw-r--r-- | common/network.nix | 19 | ||||
| -rw-r--r-- | common/nginx.nix | 55 | ||||
| -rw-r--r-- | common/nvim.lua | 27 | ||||
| -rw-r--r-- | common/nvim.nix | 14 | ||||
| -rw-r--r-- | common/options.nix | 78 | ||||
| -rw-r--r-- | common/ssh.nix | 19 |
11 files changed, 362 insertions, 0 deletions
diff --git a/common/default.nix b/common/default.nix
new file mode 100644
index 0000000..fca1d03
--- /dev/null
+++ b/common/default.nix
@@ -0,0 +1,24 @@
+{
+ imports = [
+ ./disks.nix
+ ./fail2ban.nix
+ ./hardware.nix
+ ./mail.nix
+ ./network.nix
+ ./nginx.nix
+ ./nvim.nix
+ ./options.nix
+ ./ssh.nix
+ ];
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+ customOps.owner = {
+ username = "toufy";
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8CKkq7m/FPTqjAO3yGWhH7y+9flDjyNC9hQFenvbKs toufy";
+ };
+ customOps.domain = {
+ name = "toufy";
+ tld = "me";
+ };
+}
diff --git a/common/disks.nix b/common/disks.nix
new file mode 100644
index 0000000..6208bdc
--- /dev/null
+++ b/common/disks.nix
@@ -0,0 +1,60 @@
+{
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/vda";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ start = "1M";
+ end = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = ["fmask=0022" "dmask=0022"];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = {
+ "/root" = {
+ mountOptions = ["compress=zstd"];
+ mountpoint = "/";
+ };
+ "/home" = {
+ mountOptions = ["compress=zstd"];
+ mountpoint = "/home";
+ };
+ "/nix" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ mountpoint = "/nix";
+ };
+ "/swap" = {
+ mountpoint = "/swap";
+ mountOptions = ["noatime"];
+ swap.swapfile = {
+ size = "8G";
+ path = "swapfile";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/common/fail2ban.nix b/common/fail2ban.nix
new file mode 100644
index 0000000..0670df5
--- /dev/null
+++ b/common/fail2ban.nix
@@ -0,0 +1,13 @@
+{
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ bantime = "24h";
+ bantime-increment = {
+ enable = true;
+ formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+ rndtime = "12h";
+ overalljails = true;
+ };
+ };
+}
diff --git a/common/hardware.nix b/common/hardware.nix
new file mode 100644
index 0000000..16db18b
--- /dev/null
+++ b/common/hardware.nix
@@ -0,0 +1,16 @@
+{
+ lib,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/common/mail.nix b/common/mail.nix
new file mode 100644
index 0000000..fce389c
--- /dev/null
+++ b/common/mail.nix
@@ -0,0 +1,37 @@
+{config, ...}: let
+ domainFqdn = config.customOps.domain.fqdn;
+ domainName = config.customOps.domain.name;
+ domainTld = config.customOps.domain.tld;
+in {
+ customOps.mailAccounts = {
+ "domain@${domainFqdn}" = {
+ passwdFile = "mailserver/domain";
+ aliases = [
+ "dmarc@${domainFqdn}"
+ "rua@${domainFqdn}"
+ "ruf@${domainFqdn}"
+ "caa@${domainFqdn}"
+ "tls@${domainFqdn}"
+ ];
+ };
+ "root@${domainFqdn}" = {
+ passwdFile = "mailserver/root";
+ aliases = [
+ "postmaster@${domainFqdn}"
+ "security@${domainFqdn}"
+ "abuse@${domainFqdn}"
+ "webmaster@${domainFqdn}"
+ "info@${domainFqdn}"
+ "support@${domainFqdn}"
+ ];
+ aliasesRegex = [
+ "/^admin\\..*@${domainName}\\.${domainTld}$/"
+ ];
+ };
+ "contact@${domainFqdn}" = {
+ passwdFile = "mailserver/contact";
+ aliases = ["@${domainFqdn}"];
+ catchAll = [domainFqdn];
+ };
+ };
+}
diff --git a/common/network.nix b/common/network.nix
new file mode 100644
index 0000000..c1d6eda
--- /dev/null
+++ b/common/network.nix
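Review bot: No `ignoreIP` allowlist accompanies `bantime = "24h"` and the exponential `bantime-increment`, so with `overalljails = true` a few failed attempts from the operator's own address (a stale agent key, a mistyped passphrase) escalate into a multi-day lockout from every jail on the host. Consider `services.fail2ban.ignoreIP = [ "<trusted-management-cidr>" ];` (placeholder) for the network the operator connects from, and `bantime-increment.maxtime` to cap the growth. The custom `formula` also deserves a one-line comment stating the intended growth rate per repeat ban, since it replaces the module's default and is not obvious to the next reader.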
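Review bot: `"contact@${domainFqdn}"` appears to be declared as the domain catch-all twice, once through `aliases = ["@${domainFqdn}"]` and once through `catchAll = [domainFqdn]`; one form should be enough, and a catch-all means the server accepts mail for every non-existent local part, so recipient verification no longer rejects dictionary spam and this mailbox absorbs the backscatter. How `customOps.mailAccounts` is consumed is not visible in this commit (the option is declared in common/options.nix, but nothing here maps it onto a mail server), so the precedence between the explicit aliases, the `aliasesRegex` entry and the catch-all is an assumption worth confirming. A comment on the account such as `# domain catch-all: accepts every unknown local part for ${domainFqdn}` would make the exposure deliberate rather than incidental.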
@@ -0,0 +1,19 @@
+{config, ...}: let
+ customDomain = config.customOps.domain.fqdn;
+ hostname = config.networking.hostName;
+in {
+ networking = {
+ enableIPv6 = true;
+ firewall = {
+ logRefusedPackets = true;
+ allowedTCPPorts = [80 443];
+ };
+ };
+
+ services.nginx.virtualHosts."${hostname}.${customDomain}" = {
+ default = true;
+ locations."/".return = 204;
+ forceSSL = true;
+ enableACME = true;
+ };
+}
diff --git a/common/nginx.nix b/common/nginx.nix
new file mode 100644
index 0000000..1c4a6f1
--- /dev/null
+++ b/common/nginx.nix
@@ -0,0 +1,55 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ services.nginx = {
+ enable = true;
+ package = pkgs.nginx.override {
+ modules = [
+ pkgs.nginxModules.moreheaders
+ pkgs.nginxModules.brotli
+ ];
+ };
+
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedUwsgiSettings = true;
+ recommendedProxySettings = true;
+ recommendedBrotliSettings = true;
+
+ sslCiphers = "EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM:EDH+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL";
+
+ appendHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ more_set_headers 'Strict-Transport-Security: $hsts_header';
+ more_set_headers 'Content-Security-Policy: upgrade-insecure-requests';
+ more_set_headers 'Referrer-Policy: origin-when-cross-origin';
+ more_set_headers 'X-Frame-Options: SAMEORIGIN';
+ more_set_headers 'X-Content-Type-Options: nosniff';
+ more_set_headers 'X-XSS-Protection: 0';
+ '';
+ };
+
+ services.phpfpm.pools.mypool = {
+ user = "nobody";
+ settings = {
+ "pm" = "dynamic";
+ "listen.owner" = config.services.nginx.user;
+ "pm.max_children" = 75;
+ "pm.start_servers" = 10;
+ "pm.min_spare_servers" = 5;
+ "pm.max_spare_servers" = 20;
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "security@${config.customOps.domain.fqdn}";
+ };
+}
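Review bot: `logRefusedPackets = true` logs every dropped packet, not just refused connection attempts, so on an internet-facing host with 80 and 443 open the kernel log fills with background scan noise that buries the events a responder actually wants; the module's default `logRefusedConnections` already records rejected TCP SYNs and is usually sufficient. `allowedTCPPorts = [80 443]` is also declared in common/nginx.nix in this same commit; the module system merges the two lists so nothing breaks, but one declaration should go, preferably the one here so the ports stay next to the service that needs them. `default = true` on the 204-returning vhost is a sensible sink for requests with unknown Host headers, and a comment such as `# catch-all vhost: absorbs requests for unmatched Host headers` would say so.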
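Review bot: The hand-written `sslCiphers` string ends with `AES256+EECDH:AES256+EDH`, which admits the CBC/HMAC-SHA suites for those key exchanges, so the result is weaker than the AEAD-only list that `recommendedTlsSettings = true` would otherwise install; if AEAD-only is the intent, drop the two trailing groups or append `:!SHA1:!SHA256:!SHA384`. `services.phpfpm.pools.mypool` runs as `user = "nobody"`, an account shared with other services, so a compromise of the PHP pool is not confined to it; a dedicated pool user (with a matching `"listen.group"`) is the usual choice. The HSTS value carries `preload`, which, once the domain is submitted to the preload list, commits every present and future subdomain to HTTPS and is hard to undo; keep it only if that submission is planned, and record the decision in a comment beside the `map`.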
diff --git a/common/nvim.lua b/common/nvim.lua
new file mode 100644
index 0000000..7b7c4dc
--- /dev/null
+++ b/common/nvim.lua
@@ -0,0 +1,27 @@
+-- global
+vim.g.mapleader = " "
+vim.g.maplocalleader = "\\"
+
+-- opts
+vim.opt.nu = true
+vim.opt.relativenumber = true
+vim.opt.shiftwidth = 4
+vim.opt.tabstop = 4
+vim.opt.softtabstop = 4
+vim.opt.expandtab = false
+vim.opt.smartindent = true
+vim.opt.wrap = false
+vim.opt.hlsearch = false
+vim.opt.incsearch = true
+vim.opt.scrolloff = 6
+vim.opt.cursorline = true
+vim.opt.cursorcolumn = true
+vim.opt.mouse = nil
+vim.opt.clipboard = "unnamedplus"
+vim.opt.completeopt = { "menu", "menuone", "noselect" }
+vim.opt.winborder = "rounded"
+
+-- keymap
+vim.keymap.set("n", "<leader>cd", vim.cmd.Ex)
+vim.keymap.set("n", "<leader>|", vim.cmd.vsplit)
+vim.keymap.set("n", "<leader>_", vim.cmd.split)
diff --git a/common/nvim.nix b/common/nvim.nix
new file mode 100644
index 0000000..94403a9
--- /dev/null
+++ b/common/nvim.nix
@@ -0,0 +1,14 @@
+{
+ programs.neovim = {
+ enable = true;
+ defaultEditor = true;
+ viAlias = true;
+ vimAlias = true;
+
+ configure = {
+ customRC = ''
+ luafile ${./nvim.lua}
+ '';
+ };
+ };
+}
diff --git a/common/options.nix b/common/options.nix
new file mode 100644
index 0000000..e193dd1
--- /dev/null
+++ b/common/options.nix
@@ -0,0 +1,78 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ cfg = config.customOps;
+in {
+ options = with lib; {
+ customOps = mkOption {
+ description = "custom options";
+ type = types.submodule {
+ options = {
+ owner = mkOption {
+ type = types.submodule {
+ options = {
+ username = mkOption {
+ type = types.str;
+ default = null;
+ };
+ pubkey = mkOption {
+ type = types.str;
+ default = null;
+ };
+ };
+ };
+ description = "machine owner";
+ };
+ domain = mkOption {
+ type = types.submodule {
+ options = {
+ name = mkOption {
+ type = types.str;
+ default = null;
+ };
+ tld = mkOption {
+ type = types.str;
+ default = null;
+ };
+ fqdn = mkOption {
+ type = types.str;
+ default = "${cfg.domain.name}.${cfg.domain.tld}";
+ };
+ };
+ };
+ description = "machine domain name";
+ };
+ mailAccounts = mkOption {
+ type = types.attrsOf (types.submodule {
+ options = {
+ passwdFile = mkOption {
+ type = types.str;
+ default = null;
+ };
+ aliases = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ };
+ aliasesRegex = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ };
+ catchAll = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ };
+ sendOnly = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ };
+ });
+ description = "accounts for the mail server";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/common/ssh.nix b/common/ssh.nix
new file mode 100644
index 0000000..3af78d7
--- /dev/null
+++ b/common/ssh.nix
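Review bot: `default = null` on a `types.str` option (`username`, `pubkey`, `name`, `tld`, `passwdFile`) does not make the option optional: `null` is not a string, so a host that leaves one of them unset fails evaluation with a type-mismatch error reported against the default itself rather than a clear "option used but not defined" message. Either drop the `default` so the option is required, or declare `type = types.nullOr types.str;` and make consumers handle the null — common/ssh.nix in this commit puts `config.customOps.owner.pubkey` straight into `authorizedKeys.keys`, which is the path that would break. The leaf options also lack the `description` their parents have; on `pubkey` something like `description = "SSH public key that grants root login on every host importing common/";` would record the privilege the value carries, and `fqdn` should say it is derived from `name` and `tld` unless overridden.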
@@ -0,0 +1,19 @@
+{config, ...}: {
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.customOps.owner.pubkey
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII5gY2Jgg7MInzaWWq8c4+fT5DKdCBKM3kvgtqfcDxVI adonis"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcnEzwChlKUFUYHEUOQsCfVmkqm/FvWeItw3B0Z/uO4 aphrodite"
+ ];
+ services.openssh = {
+ enable = true;
+ ports = [22];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ AllowUsers = null;
+ UseDns = true;
+ X11Forwarding = false;
+ PermitRootLogin = "prohibit-password";
+ };
+ };
+} |
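Review bot: `UseDns = true` makes sshd do a reverse-DNS lookup for every connecting client, which adds a DNS dependency and latency to each login and another log-noise source on an internet-facing host, without strengthening the key-only authentication configured here; the OpenSSH default is `no`, so either drop the line or comment why it is wanted. All three keys in `users.users.root.openssh.authorizedKeys.keys` land in root's authorized_keys, so every operator logs in as the same uid and the journal cannot attribute actions to a person; an unprivileged admin user per operator with sudo, keeping `PermitRootLogin = "prohibit-password"` only as a break-glass path, preserves that accountability. Whichever way that goes, the two literal keys deserve a comment naming what "adonis" and "aphrodite" are, so a later rotation does not have to guess which device each belongs to.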
