adriangl
/
nix-dotfiles
mirror of https://github.com/adrlau/nix-dotfiles.git
1
2
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nix-dotfiles/machines/celebrian/configuration.nix

198 lines
6.0 KiB
Nix
Raw Normal View History

added old config files and started moving stuff to seperate modules.
2023-09-24 03:59:47 +02:00
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
../profiles/base.nix
../services/ssh.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
#boot.loader.grub.version = 2; #Depreciated
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only # Define on which hard drive you want to install Grub.
# Set your time zone.
time.timeZone = "Europe/Oslo";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.ens18.useDHCP = true;
networking.hostName = "addictedmaker"; # Define your hostname.
networking.domain = "addictedmaker.eu"; # Define your domain.
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "no";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
git
wget
tailscale
config.services.headscale.package
kanidm
];
users.users.gunalx = { # Define a user account. Don't forget to set a password with passwd.
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
initialPassword = "pw123"; # this is changed imedeately.
};
#add proxyserver to acme
users.users.kanidm.extraGroups = [ "acme" ];
#sequrity managment through kanidm
systemd.services.kanidm = let
certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost;
in {
requires = [ "acme-finished-${certName}.target" ];
serviceConfig.LoadCredential = let
certDir = config.security.acme.certs.${certName}.directory;
in [
"fullchain.pem:${certDir}/fullchain.pem"
"key.pem:${certDir}/key.pem"
];
};
services.kanidm = {
enableServer = true;
#enablePam = true;
serverSettings = let
credsDir = "/run/credentials/kanidm.service";
#credsDir = "/var/lib/acme/${config.networking.domain}"; #the files are here but not readable
in {
origin = "https://${config.services.kanidm.serverSettings.domain}";
domain = "auth.${config.networking.domain}";
tls_chain = "${credsDir}/fullchain.pem";
tls_key = "${credsDir}/key.pem";
bindaddress = "localhost:8300";
};
clientSettings = {
# This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool
uri = "${config.services.kanidm.serverSettings.bindaddress}";
verify_ca = true;
verify_hostnames = true;
};
};
#environment = {
# etc."kanidm/config".text = ''
# uri="https://auth.${config.networking.domain}"
# '';
#};
#vpn stuff
#need to run at fresh install to create namespace: headscale namespaces create <namespace_name>
services.headscale = {
enable = true;
user = "headscale";
address = "127.0.0.1";
port = 8080;
settings = {
logtail.enabled = false;
metrics_listen_addr = "127.0.0.1:9090";
server_url = "https://${"vpn."+config.networking.domain}";
dns_config = {
base_domain = "${config.networking.domain}";
magic_dns = true;
nameservers = [
"1.1.1.1"
];
};
##should really implement with fex github and kanidm
#oidc = {
# issuer = "{config.services.kanidm.serverSettings.origin}";
# allowed_domains = Domains;
#};
};
};
#tailscale
services.tailscale.enable = true;
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.settings.UseDns = true;
services.openssh.settings.PermitRootLogin = "prohibit-password";
services.openssh.startWhenNeeded = true;
services.openssh.ports = [ 6969 ];
services.endlessh.enable = true; #ssh honeypot
services.endlessh.port = 22;
services.endlessh.openFirewall = true;
services.sshguard.enable = true; #protection against brute force attacks like fail2ban
users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop"
];
users.users."gunalx".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos"
];
#fail2ban
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"100.64.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"8.8.8.8"
];
};
#firewall options
networking.firewall = {
enable = true;
checkReversePath = "loose";
trustedInterfaces = [ "tailscale0" ];
allowedUDPPorts = [
8096
80
443
#config.services.openssh.ports
config.services.tailscale.port
config.services.headscale.port
];
allowedTCPPorts = config.networking.firewall.allowedUDPPorts;
};
# not needed in this config but should sty in default configuration.nix
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
#system.stateVersion = "20.09"; # Did you read the comment?
}