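{ config, lib, pkgs, inputs, values, ... }:

# Base NixOS profile shared by the PVV hosts: networking and DNS, automatic
# upgrades, a baseline package set, hardened thermald/logrotate units, sshd,
# a catch-all nginx vhost and ACME defaults.  Per-host settings live in the
# modules that import this file.  Lines marked NOTE(review) are security
# caveats that were not changed here because they affect operations.
{
  imports = [
    ./users
    ./modules/snakeoil-certs.nix
  ];

  networking.domain = "pvv.ntnu.no";
  # Addresses are configured statically (systemd-networkd below), not via DHCP.
  networking.useDHCP = false;
  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
  # networking.tempAddresses = lib.mkDefault "disabled";
  # networking.defaultGateway = values.hosts.gateway;

  systemd.network.enable = true;

  services.resolved = {
    enable = lib.mkDefault true;
    # Supposedly DNSSEC validation keeps breaking, and resolved's default mode
    # allows downgrading to unvalidated answers anyway.  Net effect to keep in
    # mind: DNS answers on these hosts are not authenticated.
    dnssec = "false";
  };

  time.timeZone = "Europe/Oslo";

  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "no";
  };

  # Unattended upgrades straight from the PVV forge.  The nixpkgs inputs are
  # refreshed on every run and the lock file is not written back, so the
  # nixpkgs revision a host ends up on is whatever the upstream branch points
  # at, not what the repository's flake.lock pins.
  # NOTE(review): the trust anchor here is the TLS identity of
  # git.pvv.ntnu.no and write access to that repository; there is no commit
  # signature verification in this pipeline.
  system.autoUpgrade = {
    enable = true;
    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
    flags = [
      "--update-input" "nixpkgs"
      "--update-input" "nixpkgs-unstable"
      "--no-write-lock-file"
    ];
  };

  # Keep the store small: only the last two days of generations survive, which
  # also limits how far back a rollback can go.
  nix.gc.automatic = true;
  nix.gc.options = "--delete-older-than 2d";

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # Make command-line tools such as
  #   nix run nixpkgs#hello
  #   nix-shell -p hello
  # resolve "nixpkgs" to the exact input the system itself was built from.
  nix.registry = {
    nixpkgs.flake = inputs.nixpkgs;
  };
  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];

  # Baseline tooling available on every host.
  environment.systemPackages = with pkgs; [
    file
    git
    gnupg
    htop
    nano
    ripgrep
    rsync
    screen
    tmux
    vim
    wget

    kitty.terminfo
  ];

  programs.zsh.enable = true;

  users.groups."drift".name = "drift";

  # Trusted users on the nix builder machines
  users.groups."nix-builder-users".name = "nix-builder-users";

  # Let's not thermal throttle.  Only meaningful on x86_64 bare metal; never
  # inside a container (no hardware to manage).
  services.thermald.enable = lib.mkIf
    (config.nixpkgs.system == "x86_64-linux" && !(config.boot.isContainer or false))
    true;

  # Sandbox the thermald unit.  Upstream NixOS ships it unhardened; these
  # directives are applied on top whenever the service is enabled.
  systemd.services.thermald = lib.mkIf config.services.thermald.enable {
    documentation = [ "man:thermald(8)" "man:thermal-conf.xml(5)" ];
    # Belt and braces with the isContainer check above: skip under any
    # virtualisation systemd can detect.
    unitConfig.ConditionVirtualization = "no";

    serviceConfig = {
      PrivateUsers = true;
      # thermald talks to hardware, not the network.
      PrivateNetwork = true;

      # AmbientCapabilities = [ "" ];
      # CapabilityBoundingSet = [ "" ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      # PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      ProcSubset = "pid";
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      # NOTE(review): this makes /sys (among others) read-only inside the
      # unit.  thermald is generally understood to drive cooling devices
      # through sysfs, so confirm throttling still engages with this set --
      # the original author marked both of these with "#?".
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      RemoveIPC = true;
      # Masks every permission bit on newly created files; presumably
      # deliberate, since thermald is not expected to create any.
      UMask = "0777";
      RestrictNamespaces = true;
      # RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SocketBindDeny = [ "any" ];
      SystemCallFilter = [
        "@system-service"
        "~@privileged"
        "~@resources"
      ];
    };
  };

  services.openssh = {
    enable = true;
    # - PubkeyAcceptedAlgorithms=+ssh-rsa re-enables the RSA/SHA-1 signature
    #   scheme that newer OpenSSH releases disable by default.
    #   NOTE(review): keep only while legacy keys/clients still need it.
    # - Members of wheel must authenticate with keys; password auth stays
    #   available to everyone else.  "Match All" closes the Match block.
    extraConfig = ''
      PubkeyAcceptedAlgorithms=+ssh-rsa

      Match Group wheel
        PasswordAuthentication no
      Match All
    '';
    # NOTE(review): root is not in wheel, so the Match above does not apply
    # to it -- with PermitRootLogin=yes a root password (if one is set) is
    # accepted over SSH.  "prohibit-password" would keep key-based root login
    # while closing that path; left unchanged here because it may be relied on.
    settings.PermitRootLogin = "yes";
  };

  # --- nginx -------------------------------------------------------------
  # Everything below is conditional on services.nginx.enable so that hosts
  # without nginx do not get a dangling nginx.service stub or open ports.

  # The catch-all vhost serves the self-signed cert generated by
  # ./modules/snakeoil-certs.nix, so nginx must start after that unit.
  systemd.services.nginx.after = lib.mkIf config.services.nginx.enable [
    "generate-snakeoil-certs.service"
  ];

  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
    "/etc/certs/nginx" = {
      owner = "nginx";
      group = "nginx";
    };
  };

  services.nginx = {
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;

    appendConfig = ''
      pcre_jit on;
      worker_processes auto;
      worker_rlimit_nofile 100000;
    '';
    eventsConfig = ''
      worker_connections 2048;
      use epoll;
      multi_accept on;
    '';
  };

  # Raise the fd limit to match worker_rlimit_nofile above (same order of
  # magnitude; the nginx directive is the effective per-worker cap).
  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
    LimitNOFILE = 65536;
  };

  # nginx: return 444 (drop the connection) for all requests that do not
  # match a configured virtual host.  The snakeoil cert is presumably
  # written as <path>.crt / <path>.key by the snakeoil-certs module.
  # NOTE(review): nginx only routes unmatched requests here if this is the
  # default server for the listening socket; confirm that "_" ends up as
  # default_server (or set `default = true`) on hosts with other vhosts.
  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
    sslCertificate = "/etc/certs/nginx.crt";
    sslCertificateKey = "/etc/certs/nginx.key";
    addSSL = true;
    extraConfig = "return 444;";
  };

  # Hardened logrotate unit.
  # TODO: upstream
  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
  systemd.services.logrotate = {
    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
    unitConfig.RequiresMountsFor = "/var/log";
    serviceConfig = {
      # Low priority: log rotation must never compete with real workloads.
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;

      # With ProtectSystem=full this is the only writable system path.
      ReadWritePaths = [ "/var/log" ];

      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true; # disable for third party rotate scripts
      PrivateDevices = true;
      PrivateNetwork = true; # disable for mail delivery
      PrivateTmp = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true; # disable for userdir logs
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "full";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true; # disable for creating setgid directories
      SocketBindDeny = [ "any" ];
      SystemCallArchitectures = "native";
      # @privileged / @resources are left allowed (unlike thermald above)
      # because rotate scripts may legitimately need them.
      SystemCallFilter = [
        "@system-service"
        # "~@privileged"
        # "~@resources"
      ];
    };
  };

  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "drift@pvv.ntnu.no";
  };

  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode: point ACME
  # at a dead local endpoint and use self-signed certs instead.
  virtualisation.vmVariant = {
    security.acme.defaults.server = "https://127.0.0.1";
    security.acme.preliminarySelfsigned = true;

    # Throwaway root password for the local test VM only; it is not part of
    # the real system closure.
    users.users.root.initialPassword = "root";
  };
}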