diff --git a/machines/celebrian/configuration.nix b/machines/celebrian/configuration.nix
index 4c15234..3148eff 100644
--- a/machines/celebrian/configuration.nix
+++ b/machines/celebrian/configuration.nix
@@ -6,16 +6,11 @@ { imports = [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ../profiles/base.nix - ../services/ssh.nix + ../../profiles/base.nix + ../../services/ssh.nix + ../../services/nginx.nix ]; - # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - #boot.loader.grub.version = 2; #Depreciated - boot.loader.grub.efiSupport = true; - boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only # Define on which hard drive you want to install Grub. # Set your time zone. time.timeZone = "Europe/Oslo";
@@ -25,8 +20,8 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens18.useDHCP = true; - networking.hostName = "addictedmaker"; # Define your hostname. + networking.interfaces.ens3.useDHCP = true; # lmao interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way. + networking.hostName = "celebrian"; # Define your hostname. networking.domain = "addictedmaker.eu"; # Define your domain. boot.kernel.sysctl = { 
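Review bot: Dropping `./hardware-configuration.nix` together with the `boot.loader.grub.*` lines leaves this host without boot-loader and filesystem definitions unless `../../profiles/base.nix` now supplies them, and the base.nix hunk further down shows only its tail, so that cannot be confirmed from this diff; worth checking before deploying, since the result is either an evaluation failure on the root filesystem or a system that builds but does not boot. The context line `# Define on which hard drive you want to install Grub.` now dangles after the removed `boot.loader.grub.device` line and should be removed with it. The enclosing attrset continues outside the hunk.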
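Review bot: The comment on the new `networking.interfaces.ens3.useDHCP = true;` line already says the interface name is not stable, and since DHCP on every interface is the stated intent, replacing that line and `networking.useDHCP = false;` with the global `networking.useDHCP = true;` removes the breakage on the next rename instead of documenting it. The `# Per-interface useDHCP will be mandatory in the future` context comment would then be stale and should go too. `boot.kernel.sysctl` opens on the last line of the hunk and continues outside it.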
@@ -61,91 +56,80 @@ #add proxyserver to acme - users.users.kanidm.extraGroups = [ "acme" ]; + #users.users.kanidm.extraGroups = [ "acme" ]; #sequrity managment through kanidm - systemd.services.kanidm = let - certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost; - in { - requires = [ "acme-finished-${certName}.target" ]; - serviceConfig.LoadCredential = let - certDir = config.security.acme.certs.${certName}.directory; - in [ - "fullchain.pem:${certDir}/fullchain.pem" - "key.pem:${certDir}/key.pem" - ]; - }; - - services.kanidm = { - enableServer = true; - #enablePam = true; - serverSettings = let - credsDir = "/run/credentials/kanidm.service"; - #credsDir = "/var/lib/acme/${config.networking.domain}"; #the files are here but not readable - in { - origin = "https://${config.services.kanidm.serverSettings.domain}"; - domain = "auth.${config.networking.domain}"; - tls_chain = "${credsDir}/fullchain.pem"; - tls_key = "${credsDir}/key.pem"; - bindaddress = "localhost:8300"; - }; - - clientSettings = { - # This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool - uri = "${config.services.kanidm.serverSettings.bindaddress}"; - verify_ca = true; - verify_hostnames = true; - }; - }; - - #environment = { - # etc."kanidm/config".text = '' - # uri="https://auth.${config.networking.domain}" - # ''; - #}; +# systemd.services.kanidm = let +# certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost; +# in { +# requires = [ "acme-finished-${certName}.target" ]; +# serviceConfig.LoadCredential = let +# certDir = config.security.acme.certs.${certName}.directory; +# in [ +# "fullchain.pem:${certDir}/fullchain.pem" +# "key.pem:${certDir}/key.pem" +# ]; +# }; +# +# services.kanidm = { +# enableServer = true; +# #enablePam = true; +# serverSettings = let +# credsDir = "/run/credentials/kanidm.service"; +# #credsDir = 
"/var/lib/acme/${config.networking.domain}"; #the files are here but not readable +# in { +# origin = "https://${config.services.kanidm.serverSettings.domain}"; +# domain = "auth.${config.networking.domain}"; +# tls_chain = "${credsDir}/fullchain.pem"; +# tls_key = "${credsDir}/key.pem"; +# bindaddress = "localhost:8300"; +# }; +# +# clientSettings = { +# # This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool +# uri = "${config.services.kanidm.serverSettings.bindaddress}"; +# verify_ca = true; +# verify_hostnames = true; +# }; + # }; +# +# #environment = { +# # etc."kanidm/config".text = '' +# # uri="https://auth.${config.networking.domain}" +# # ''; +# #}; #vpn stuff - #need to run at fresh install to create namespace: headscale namespaces create - services.headscale = { - enable = true; - user = "headscale"; - address = "127.0.0.1"; - port = 8080; - settings = { - logtail.enabled = false; - metrics_listen_addr = "127.0.0.1:9090"; - server_url = "https://${"vpn."+config.networking.domain}"; - dns_config = { - base_domain = "${config.networking.domain}"; - magic_dns = true; - nameservers = [ - "1.1.1.1" - ]; - }; - - ##should really implement with fex github and kanidm - #oidc = { - # issuer = "{config.services.kanidm.serverSettings.origin}"; - # allowed_domains = Domains; - #}; - }; - }; +# #need to run at fresh install to create namespace: headscale namespaces create +# services.headscale = { +# enable = true; +# user = "headscale"; +# address = "127.0.0.1"; +# port = 8080; +# settings = { +# logtail.enabled = false; +# metrics_listen_addr = "127.0.0.1:9090"; +# server_url = "https://${"vpn."+config.networking.domain}"; +# dns_config = { +# base_domain = "${config.networking.domain}"; +# magic_dns = true; +# nameservers = [ +# "1.1.1.1" +# ]; +# }; +# +# ##should really implement with fex github and kanidm +# #oidc = { +# # issuer = "{config.services.kanidm.serverSettings.origin}"; +# # allowed_domains = Domains; 
+# #}; +# }; +# }; #tailscale services.tailscale.enable = true; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - services.openssh.settings.UseDns = true; - services.openssh.settings.PermitRootLogin = "prohibit-password"; - services.openssh.startWhenNeeded = true; - services.openssh.ports = [ 6969 ]; - services.endlessh.enable = true; #ssh honeypot - services.endlessh.port = 22; - services.endlessh.openFirewall = true; - services.sshguard.enable = true; #protection against brute force attacks like fail2ban - users.users."root".openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop" ];
@@ -174,9 +158,9 @@ users.users."gunalx".openssh.authorizedKeys.keys = [ checkReversePath = "loose"; trustedInterfaces = [ "tailscale0" ]; allowedUDPPorts = [ - 8096 80 443 + 6969 #config.services.openssh.ports config.services.tailscale.port config.services.headscale.port
diff --git a/profiles/base.nix b/profiles/base.nix
index d6c203d..4daa019 100644
--- a/profiles/base.nix
+++ b/profiles/base.nix
@@ -10,4 +10,4 @@ imports = nix.gc.automatic = true; system.autoUpgrade.enable = true; -} \ No newline at end of file +}
diff --git a/profiles/sops.nix b/profiles/sops.nix
index 70eedee..0ddbf93 100644
--- a/profiles/sops.nix
+++ b/profiles/sops.nix
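Review bot: Roughly eighty lines of kanidm and headscale configuration are commented out rather than deleted, with nothing saying whether they are expected back; git keeps the history, so deleting them, or if they are returning a single `# disabled until kanidm/headscale get their own service module` line at the top of the block, keeps the file readable. The commented block is also indented inconsistently (`+ # };` among `+# …` lines after `clientSettings`), which suggests it was hand-edited after being commented and will be error-prone to re-enable. The OpenSSH, endlessh and sshguard lines removed here are now expected to come from the `../../services/ssh.nix` import added in the first hunk, so the two changes only work together.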
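Review bot: `6969` is added to `allowedUDPPorts`, but sshd listens on TCP and `services/ssh.nix` below already sets `openFirewall = true;` for the configured port, so the UDP entry opens nothing useful and can be dropped along with the `#config.services.openssh.ports` comment. `config.services.headscale.port` is still listed although the headscale block is commented out in the previous hunk; presumably the option still evaluates to its default, so a UDP port is opened for a service that no longer runs. The context entries `80` and `443` sit in the UDP list as well, while nginx needs TCP, so confirm they are also present in `allowedTCPPorts`. The `networking.firewall` attrset starts and ends outside the hunk.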
@@ -10,18 +10,21 @@ # This will add secrets.yml to the nix store # You can avoid this by adding a string to the full path instead, i.e. # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml"; - sops.defaultSopsFile = ./secrets.yaml; + sops.defaultSopsFile = "/etc/nixos/nix-dotfiles/secrets/secrets.yaml"; + sops.validateSopsFiles = false; # This will automatically import SSH keys as age keys - sops.age.sshKeyPaths = [ "/etc/ssh/nixos" "/$HOME/.ssh/nixos" "/home/gunalx/.ssh/nixos" ]; + sops.age.sshKeyPaths = [ + "/etc/ssh/nixos" + #"/$HOME/.ssh/nixos" + #"/home/gunalx/.ssh/nixos" + ]; # This is using an age key that is expected to already be in the filesystem - # sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + sops.age.keyFile = "/var/lib/sops-nix/key.txt"; # This will generate a new key if the key specified above does not exist - sops.age.generateKey = true + sops.age.generateKey = true; # This is the actual specification of the secrets. #sops.secrets."myservice/my_subdir/my_secret" = {}; - sops.secrets."acme/creds/domeneshop" = { - - }; + sops.secrets."acme/certs" = { }; }
diff --git a/secrets/secrets.yaml.dec b/secrets/secrets.yaml.dec
new file mode 100644
index 0000000..e69de29
diff --git a/services/nginx.nix b/services/nginx.nix
index 86b379e..543f207 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -1,9 +1,9 @@ { config, pkgs, lib, ... }: let basicAuthUser = "guest"; - basicAuthPass = "12345678"; + basicAuthPass = ""; in -{ +{ #acme and certs helpful blog https://carjorvaz.com/posts/ security.acme = { 
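Review bot: `sops.defaultSopsFile` now points outside the store and `sops.validateSopsFiles = false;` switches off the build-time check that the file exists and parses as a sops document, so a missing or mis-keyed `/etc/nixos/nix-dotfiles/secrets/secrets.yaml` only surfaces at activation; the file is encrypted, so the store copy the comment above warns about is the usual pattern and keeps the build reproducible. With `sops.age.sshKeyPaths`, `sops.age.keyFile` and `sops.age.generateKey = true;` all set, a freshly generated key is not a recipient of the existing file, so decryption will fail on a new host unless its ssh host key was already added to the recipients; a comment naming which key the file is encrypted to would save the next person that round trip. The new empty `secrets/secrets.yaml.dec` should not be in the repository at all, since a `.dec` file is the plaintext side of the secrets file; add `*.dec` to `.gitignore` and drop it from the tree before a non-empty one is committed by accident.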
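Review bot: `basicAuthPass = "";` is what both new vhosts in the last nginx hunk hand to `basicAuth = { guest = basicAuthPass; };`, so the prompt there accepts an empty password and gates nothing, and any real value put here ends up in the world-readable Nix store, which the `basicAuth` option's own description warns about. Use `basicAuthFile` with a sops-managed htpasswd instead, e.g. `basicAuthFile = config.sops.secrets."<htpasswd-secret>".path;` (placeholder secret name), and drop `basicAuthPass` entirely. `basicAuthUser` in the `let` is unused because the vhosts spell `guest` literally; either reference it or remove it.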
@@ -15,7 +15,7 @@ in extraDomainNames = [ "*.${config.networking.domain}" "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"]; dnsProvider = "domeneshop"; # from here according to privider https://go-acme.github.io/lego/dns/ dnsPropagationCheck = true; - credentialsFile = config.sops.secrets."acme/creds/domeneshop".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml + credentialsFile = config.sops.secrets."acme/certs".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml }; }; 
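Review bot: The secret wired into `credentialsFile` holds the DNS provider's API credentials, not certificates, so the new name `acme/certs` misdescribes it and the trailing comment on the same line still talks about dnsprovider secrets; a name such as `acme/dns-creds` (placeholder) used in both `profiles/sops.nix` and here keeps the two declarations readable and in sync. `"*.256.no"` appears twice in the `extraDomainNames` context line above; that is pre-existing, but it is trivial to dedupe in the same change. The `security.acme.certs` attrset begins before the hunk.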
@@ -39,37 +39,62 @@ in recommendedGzipSettings = true; recommendedOptimisation = true; - virtualHosts.${"vpn."+config.networking.domain} = { + + virtualHosts.${"managment.funn-nas.lauterer.it"} = { forceSSL = true; useACMEHost = "${config.networking.domain}"; locations."/" = { proxyWebsockets = true; - proxyPass = "http://localhost:${toString config.services.headscale.port}"; + proxyPass = "http://100.104.182.48"; + }; + basicAuth = { + guest = basicAuthPass; }; }; - virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.) + virtualHosts.${"funn-nas.lauterer.it"} = { forceSSL = true; useACMEHost = "${config.networking.domain}"; locations."/" = { proxyWebsockets = true; - proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}"; - + proxyPass = "https://100.104.182.48:30044"; + }; + basicAuth = { + guest = basicAuthPass; }; }; - virtualHosts.${"jellyfin."+config.networking.domain} = { - forceSSL = true; - #enableACME = true; - useACMEHost = "${config.networking.domain}"; - locations."/" = { - proxyPass = "http://jellyfin.galadriel"; - proxyWebsockets = true; - basicAuth = { - guest = basicAuthPass; - }; - }; - }; + # virtualHosts.${"vpn."+config.networking.domain} = { + # forceSSL = true; + # useACMEHost = "${config.networking.domain}"; + # locations."/" = { + # proxyWebsockets = true; + # proxyPass = "http://localhost:${toString config.services.headscale.port}"; + # }; + # }; + + # virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.) 
+ # forceSSL = true; + # useACMEHost = "${config.networking.domain}"; + # locations."/" = { + # proxyWebsockets = true; + # proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}"; + + # }; + # }; + + # virtualHosts.${"jellyfin."+config.networking.domain} = { + # forceSSL = true; + # #enableACME = true; + # useACMEHost = "${config.networking.domain}"; + # locations."/" = { + # proxyPass = "http://jellyfin.galadriel"; + # proxyWebsockets = true; + # basicAuth = { + # guest = basicAuthPass; + # }; + # }; + # }; };
diff --git a/services/ssh.nix b/services/ssh.nix
index 7f8e30b..37e5514 100644
--- a/services/ssh.nix
+++ b/services/ssh.nix
@@ -11,23 +11,22 @@ settings.UseDns = true; settings.PermitRootLogin = "prohibit-password"; startWhenNeeded = true; - UseDns = true; - ports = [ 25264 ]; + ports = [ 6969 ]; openFirewall = true; - Ciphers = [ - "chacha20-poly1305@openssh.com" - "aes256-gcm@openssh.com" - "aes128-gcm@openssh.com" - "aes256-ctr" - # remove some weaker ciphers - ] - } - endlessh = { + #settings.Ciphers = [ + # "chacha20-poly1305@openssh.com" + # "aes256-gcm@openssh.com" + # "aes128-gcm@openssh.com" + # "aes256-ctr" + # # remove some weaker ciphers + #]; + }; + services.endlessh = { enable = true; port = 22; openFirewall = true; }; - sshguard.enable = true; #protection against brute force attacks like fail2ban + services.sshguard.enable = true; #protection against brute force attacks like fail2ban -} \ No newline at end of file +}
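Review bot: `virtualHosts.${"managment.funn-nas.lauterer.it"}` reuses the `${config.networking.domain}` certificate, whose `extraDomainNames` in the earlier hunk cover `*.lauterer.it`; a wildcard matches a single label, so `funn-nas.lauterer.it` is covered but `managment.funn-nas.lauterer.it` is not, and clients will reject the certificate for that host. Either add `managment.funn-nas.lauterer.it` (or `*.funn-nas.lauterer.it`) to `extraDomainNames` or serve it under a single-label name. Both hosts get `basicAuth = { guest = basicAuthPass; };` with the empty password from the first nginx hunk, so neither proxy is actually gated yet. The `${"…"}` interpolation around a string literal is unnecessary, `virtualHosts."managment.funn-nas.lauterer.it"` reads cleaner, and the spelling is presumably meant to be `management`. The `services.nginx` attrset begins before the hunk.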
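Review bot: The cipher allow-list is commented out rather than corrected, although the commented lines already show the right option path; `settings.Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" ];` next to `settings.PermitRootLogin` restores what the old top-level `Ciphers =` line was trying to do. The new `};` followed by `services.endlessh = {` and `services.sshguard.enable` assumes the block above the hunk now opens with `services.openssh = {`; if it still opens with `services = { openssh = {`, these paths become `services.services.*` and evaluation fails, so confirm against the file head, which is outside the hunk. `settings.UseDns = true;` is pre-existing context, but it adds no authentication value and delays logins when reverse DNS is unavailable, so `false` is the safer default.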