2023-09-24 03:59:47 +02:00
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘ ’
{ config , pkgs , lib , . . . }:
{
imports =
[ # Include the results of the hardware scan.
2023-10-17 19:42:00 +02:00
../../profiles/base.nix
../../services/ssh.nix
2023-12-06 22:21:44 +01:00
../../services/nginx.nix
2023-09-24 03:59:47 +02:00
] ;
# Set your time zone.
time . timeZone = " E u r o p e / O s l o " ;
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking . useDHCP = false ;
2023-10-17 19:42:00 +02:00
networking . interfaces . ens3 . useDHCP = true ; # lmao interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way.
2023-12-09 18:28:26 +01:00
networking . hostName = " e l r o n d " ; # Define your hostname.
2023-09-24 03:59:47 +02:00
networking . domain = " a d d i c t e d m a k e r . e u " ; # Define your domain.
boot . kernel . sysctl = {
" n e t . i p v 4 . c o n f . a l l . f o r w a r d i n g " = true ;
" n e t . i p v 6 . c o n f . a l l . f o r w a r d i n g " = true ;
} ;
# Select internationalisation properties.
i18n . defaultLocale = " e n _ U S . U T F - 8 " ;
console = {
font = " L a t 2 - T e r m i n u s 1 6 " ;
keyMap = " n o " ;
} ;
# List packages installed in system profile. To search, run:
# $ nix search wget
environment . systemPackages = with pkgs ; [
git
wget
tailscale
config . services . headscale . package
kanidm
] ;
users . users . gunalx = { # Define a user account. Don't forget to set a password with ‘ ’
isNormalUser = true ;
extraGroups = [ " w h e e l " ] ; # Enable ‘ ’
initialPassword = " p w 1 2 3 " ; # this is changed imedeately.
} ;
#add proxyserver to acme
2023-10-17 19:42:00 +02:00
#users.users.kanidm.extraGroups = [ "acme" ];
2023-09-24 03:59:47 +02:00
#sequrity managment through kanidm
2023-10-17 19:42:00 +02:00
# systemd.services.kanidm = let
# certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost;
# in {
# requires = [ "acme-finished-${certName}.target" ];
# serviceConfig.LoadCredential = let
# certDir = config.security.acme.certs.${certName}.directory;
# in [
# "fullchain.pem:${certDir}/fullchain.pem"
# "key.pem:${certDir}/key.pem"
# ];
# };
#
# services.kanidm = {
# enableServer = true;
# #enablePam = true;
# serverSettings = let
# credsDir = "/run/credentials/kanidm.service";
# #credsDir = "/var/lib/acme/${config.networking.domain}"; #the files are here but not readable
# in {
# origin = "https://${config.services.kanidm.serverSettings.domain}";
# domain = "auth.${config.networking.domain}";
# tls_chain = "${credsDir}/fullchain.pem";
# tls_key = "${credsDir}/key.pem";
# bindaddress = "localhost:8300";
# };
#
# clientSettings = {
# # This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool
# uri = "${config.services.kanidm.serverSettings.bindaddress}";
# verify_ca = true;
# verify_hostnames = true;
# };
# };
#
# #environment = {
# # etc."kanidm/config".text = ''
# # uri="https://auth.${config.networking.domain}"
# # '';
# #};
2023-09-24 03:59:47 +02:00
#vpn stuff
2023-12-06 22:21:44 +01:00
# #need to run at fresh install to create namespace: headscale namespaces create <namespace_name>
# services.headscale = {
# enable = true;
# user = "headscale";
# address = "127.0.0.1";
# port = 8080;
# settings = {
# logtail.enabled = false;
# metrics_listen_addr = "127.0.0.1:9090";
# server_url = "https://${"vpn."+config.networking.domain}";
# dns_config = {
# base_domain = "${config.networking.domain}";
# magic_dns = true;
# nameservers = [
# "1.1.1.1"
# ];
# };
#
# ##should really implement with fex github and kanidm
# #oidc = {
# # issuer = "{config.services.kanidm.serverSettings.origin}";
# # allowed_domains = Domains;
# #};
# };
# };
2023-09-24 03:59:47 +02:00
#tailscale
services . tailscale . enable = true ;
users . users . " r o o t " . openssh . authorizedKeys . keys = [
" s s h - e d 2 5 5 1 9 A A A A C 3 N z a C 1 l Z D I 1 N T E 5 A A A A I H T E x Y o T 3 + f l r d 2 w P Y i T 7 s F F D m A U q i 2 Y A z 0 l d Q g 7 W M o p "
] ;
users . users . " g u n a l x " . openssh . authorizedKeys . keys = [
" s s h - e d 2 5 5 1 9 A A A A C 3 N z a C 1 l Z D I 1 N T E 5 A A A A I H T E x Y o T 3 + f l r d 2 w P Y i T 7 s F F D m A U q i 2 Y A z 0 l d Q g 7 W M o p "
" s s h - e d 2 5 5 1 9 A A A A C 3 N z a C 1 l Z D I 1 N T E 5 A A A A I E j + Y 0 R U r S a F 8 g U W 8 m 2 B Y 6 i 8 e 7 / 0 b U W h u 8 u 8 K W + A o H D h g u n a l x @ n i x o s "
] ;
#fail2ban
services . fail2ban = {
enable = true ;
maxretry = 5 ;
ignoreIP = [
" 1 2 7 . 0 . 0 . 0 / 8 "
" 1 0 . 0 . 0 . 0 / 8 "
" 1 0 0 . 6 4 . 0 . 0 / 8 "
" 1 7 2 . 1 6 . 0 . 0 / 1 2 "
" 1 9 2 . 1 6 8 . 0 . 0 / 1 6 "
" 8 . 8 . 8 . 8 "
] ;
} ;
#firewall options
networking . firewall = {
enable = true ;
checkReversePath = " l o o s e " ;
trustedInterfaces = [ " t a i l s c a l e 0 " ] ;
allowedUDPPorts = [
80
443
2023-12-06 22:21:44 +01:00
6969
2023-09-24 03:59:47 +02:00
#config.services.openssh.ports
config . services . tailscale . port
config . services . headscale . port
] ;
allowedTCPPorts = config . networking . firewall . allowedUDPPorts ;
} ;
# not needed in this config but should sty in default configuration.nix
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It‘
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
#system.stateVersion = "20.09"; # Did you read the comment?
}
