fixed networking with new interface, removed nginx and acme to fix credentials.
This commit is contained in:
parent
74518dbefa
commit
5b8b8ae3ec
|
@ -6,16 +6,10 @@
|
|||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
../profiles/base.nix
|
||||
../services/ssh.nix
|
||||
../../profiles/base.nix
|
||||
../../services/ssh.nix
|
||||
];
|
||||
|
||||
# Use the GRUB 2 boot loader.
|
||||
boot.loader.grub.enable = true;
|
||||
#boot.loader.grub.version = 2; #Depreciated
|
||||
boot.loader.grub.efiSupport = true;
|
||||
boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only # Define on which hard drive you want to install Grub.
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Oslo";
|
||||
|
@ -25,8 +19,8 @@
|
|||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.ens18.useDHCP = true;
|
||||
networking.hostName = "addictedmaker"; # Define your hostname.
|
||||
networking.interfaces.ens3.useDHCP = true; # lmao interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way.
|
||||
networking.hostName = "celebrian"; # Define your hostname.
|
||||
networking.domain = "addictedmaker.eu"; # Define your domain.
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
|
@ -61,48 +55,48 @@
|
|||
|
||||
|
||||
#add proxyserver to acme
|
||||
users.users.kanidm.extraGroups = [ "acme" ];
|
||||
#users.users.kanidm.extraGroups = [ "acme" ];
|
||||
|
||||
#sequrity managment through kanidm
|
||||
systemd.services.kanidm = let
|
||||
certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost;
|
||||
in {
|
||||
requires = [ "acme-finished-${certName}.target" ];
|
||||
serviceConfig.LoadCredential = let
|
||||
certDir = config.security.acme.certs.${certName}.directory;
|
||||
in [
|
||||
"fullchain.pem:${certDir}/fullchain.pem"
|
||||
"key.pem:${certDir}/key.pem"
|
||||
];
|
||||
};
|
||||
|
||||
services.kanidm = {
|
||||
enableServer = true;
|
||||
#enablePam = true;
|
||||
serverSettings = let
|
||||
credsDir = "/run/credentials/kanidm.service";
|
||||
#credsDir = "/var/lib/acme/${config.networking.domain}"; #the files are here but not readable
|
||||
in {
|
||||
origin = "https://${config.services.kanidm.serverSettings.domain}";
|
||||
domain = "auth.${config.networking.domain}";
|
||||
tls_chain = "${credsDir}/fullchain.pem";
|
||||
tls_key = "${credsDir}/key.pem";
|
||||
bindaddress = "localhost:8300";
|
||||
};
|
||||
|
||||
clientSettings = {
|
||||
# This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool
|
||||
uri = "${config.services.kanidm.serverSettings.bindaddress}";
|
||||
verify_ca = true;
|
||||
verify_hostnames = true;
|
||||
};
|
||||
};
|
||||
|
||||
#environment = {
|
||||
# etc."kanidm/config".text = ''
|
||||
# uri="https://auth.${config.networking.domain}"
|
||||
# '';
|
||||
# systemd.services.kanidm = let
|
||||
# certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost;
|
||||
# in {
|
||||
# requires = [ "acme-finished-${certName}.target" ];
|
||||
# serviceConfig.LoadCredential = let
|
||||
# certDir = config.security.acme.certs.${certName}.directory;
|
||||
# in [
|
||||
# "fullchain.pem:${certDir}/fullchain.pem"
|
||||
# "key.pem:${certDir}/key.pem"
|
||||
# ];
|
||||
# };
|
||||
#
|
||||
# services.kanidm = {
|
||||
# enableServer = true;
|
||||
# #enablePam = true;
|
||||
# serverSettings = let
|
||||
# credsDir = "/run/credentials/kanidm.service";
|
||||
# #credsDir = "/var/lib/acme/${config.networking.domain}"; #the files are here but not readable
|
||||
# in {
|
||||
# origin = "https://${config.services.kanidm.serverSettings.domain}";
|
||||
# domain = "auth.${config.networking.domain}";
|
||||
# tls_chain = "${credsDir}/fullchain.pem";
|
||||
# tls_key = "${credsDir}/key.pem";
|
||||
# bindaddress = "localhost:8300";
|
||||
# };
|
||||
#
|
||||
# clientSettings = {
|
||||
# # This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool
|
||||
# uri = "${config.services.kanidm.serverSettings.bindaddress}";
|
||||
# verify_ca = true;
|
||||
# verify_hostnames = true;
|
||||
# };
|
||||
# };
|
||||
#
|
||||
# #environment = {
|
||||
# # etc."kanidm/config".text = ''
|
||||
# # uri="https://auth.${config.networking.domain}"
|
||||
# # '';
|
||||
# #};
|
||||
|
||||
|
||||
#vpn stuff
|
||||
|
@ -135,17 +129,6 @@
|
|||
#tailscale
|
||||
services.tailscale.enable = true;
|
||||
|
||||
# Enable the OpenSSH daemon.
|
||||
services.openssh.enable = true;
|
||||
services.openssh.settings.UseDns = true;
|
||||
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
||||
services.openssh.startWhenNeeded = true;
|
||||
services.openssh.ports = [ 6969 ];
|
||||
services.endlessh.enable = true; #ssh honeypot
|
||||
services.endlessh.port = 22;
|
||||
services.endlessh.openFirewall = true;
|
||||
services.sshguard.enable = true; #protection against brute force attacks like fail2ban
|
||||
|
||||
users.users."root".openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop"
|
||||
];
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
imports =
|
||||
[
|
||||
../packages/vim.nix
|
||||
./sops.nix
|
||||
#./sops.nix
|
||||
];
|
||||
|
||||
#nix stuff
|
||||
|
|
|
@ -10,18 +10,20 @@
|
|||
# This will add secrets.yml to the nix store
|
||||
# You can avoid this by adding a string to the full path instead, i.e.
|
||||
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
|
||||
sops.defaultSopsFile = ./secrets.yaml;
|
||||
sops.defaultSopsFile = ../secrets/secrets.yaml;
|
||||
# This will automatically import SSH keys as age keys
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/nixos" "/$HOME/.ssh/nixos" "/home/gunalx/.ssh/nixos" ];
|
||||
sops.age.sshKeyPaths = [
|
||||
"/etc/ssh/nixos"
|
||||
#"/$HOME/.ssh/nixos"
|
||||
#"/home/gunalx/.ssh/nixos"
|
||||
];
|
||||
# This is using an age key that is expected to already be in the filesystem
|
||||
# sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||
# This will generate a new key if the key specified above does not exist
|
||||
sops.age.generateKey = true
|
||||
sops.age.generateKey = true;
|
||||
|
||||
# This is the actual specification of the secrets.
|
||||
#sops.secrets."myservice/my_subdir/my_secret" = {};
|
||||
sops.secrets."acme/creds/domeneshop" = {
|
||||
|
||||
};
|
||||
sops.secrets."acme/certs/domeneshop" = { };
|
||||
|
||||
}
|
||||
|
|
|
@ -15,7 +15,7 @@ in
|
|||
extraDomainNames = [ "*.${config.networking.domain}" "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"];
|
||||
dnsProvider = "domeneshop"; # from here according to privider https://go-acme.github.io/lego/dns/
|
||||
dnsPropagationCheck = true;
|
||||
credentialsFile = config.sops.secrets."acme/creds/domeneshop".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
|
||||
credentialsFile = config.sops.secrets."acme/certs/domeneshop".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -11,23 +11,22 @@
|
|||
settings.UseDns = true;
|
||||
settings.PermitRootLogin = "prohibit-password";
|
||||
startWhenNeeded = true;
|
||||
UseDns = true;
|
||||
ports = [ 25264 ];
|
||||
ports = [ 6969 ];
|
||||
openFirewall = true;
|
||||
Ciphers = [
|
||||
settings.Ciphers = [
|
||||
"chacha20-poly1305@openssh.com"
|
||||
"aes256-gcm@openssh.com"
|
||||
"aes128-gcm@openssh.com"
|
||||
"aes256-ctr"
|
||||
# remove some weaker ciphers
|
||||
]
|
||||
}
|
||||
endlessh = {
|
||||
];
|
||||
};
|
||||
services.endlessh = {
|
||||
enable = true;
|
||||
port = 22;
|
||||
openFirewall = true;
|
||||
};
|
||||
sshguard.enable = true; #protection against brute force attacks like fail2ban
|
||||
services.sshguard.enable = true; #protection against brute force attacks like fail2ban
|
||||
|
||||
|
||||
}
|
Loading…
Reference in New Issue