Merge pull request #1 from adrlau/celebrian-fix

Celebrian fix
This commit is contained in:
Adrian G L 2023-12-06 23:00:16 +01:00 committed by GitHub
commit d57f4c6fb1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 139 additions and 128 deletions

View File

@ -6,16 +6,11 @@
{ {
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware-configuration.nix ../../profiles/base.nix
../profiles/base.nix ../../services/ssh.nix
../services/ssh.nix ../../services/nginx.nix
]; ];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
#boot.loader.grub.version = 2; #Depreciated
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only # Define on which hard drive you want to install Grub.
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Oslo"; time.timeZone = "Europe/Oslo";
@ -25,8 +20,8 @@
# Per-interface useDHCP will be mandatory in the future, so this generated config # Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour. # replicates the default behaviour.
networking.useDHCP = false; networking.useDHCP = false;
networking.interfaces.ens18.useDHCP = true; networking.interfaces.ens3.useDHCP = true; # lmao interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way.
networking.hostName = "addictedmaker"; # Define your hostname. networking.hostName = "celebrian"; # Define your hostname.
networking.domain = "addictedmaker.eu"; # Define your domain. networking.domain = "addictedmaker.eu"; # Define your domain.
boot.kernel.sysctl = { boot.kernel.sysctl = {
@ -61,91 +56,80 @@
#add proxyserver to acme #add proxyserver to acme
users.users.kanidm.extraGroups = [ "acme" ]; #users.users.kanidm.extraGroups = [ "acme" ];
#sequrity managment through kanidm #sequrity managment through kanidm
systemd.services.kanidm = let # systemd.services.kanidm = let
certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost; # certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost;
in { # in {
requires = [ "acme-finished-${certName}.target" ]; # requires = [ "acme-finished-${certName}.target" ];
serviceConfig.LoadCredential = let # serviceConfig.LoadCredential = let
certDir = config.security.acme.certs.${certName}.directory; # certDir = config.security.acme.certs.${certName}.directory;
in [ # in [
"fullchain.pem:${certDir}/fullchain.pem" # "fullchain.pem:${certDir}/fullchain.pem"
"key.pem:${certDir}/key.pem" # "key.pem:${certDir}/key.pem"
]; # ];
};
services.kanidm = {
enableServer = true;
#enablePam = true;
serverSettings = let
credsDir = "/run/credentials/kanidm.service";
#credsDir = "/var/lib/acme/${config.networking.domain}"; #the files are here but not readable
in {
origin = "https://${config.services.kanidm.serverSettings.domain}";
domain = "auth.${config.networking.domain}";
tls_chain = "${credsDir}/fullchain.pem";
tls_key = "${credsDir}/key.pem";
bindaddress = "localhost:8300";
};
clientSettings = {
# This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool
uri = "${config.services.kanidm.serverSettings.bindaddress}";
verify_ca = true;
verify_hostnames = true;
};
};
#environment = {
# etc."kanidm/config".text = ''
# uri="https://auth.${config.networking.domain}"
# '';
# }; # };
#
# services.kanidm = {
# enableServer = true;
# #enablePam = true;
# serverSettings = let
# credsDir = "/run/credentials/kanidm.service";
# #credsDir = "/var/lib/acme/${config.networking.domain}"; #the files are here but not readable
# in {
# origin = "https://${config.services.kanidm.serverSettings.domain}";
# domain = "auth.${config.networking.domain}";
# tls_chain = "${credsDir}/fullchain.pem";
# tls_key = "${credsDir}/key.pem";
# bindaddress = "localhost:8300";
# };
#
# clientSettings = {
# # This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool
# uri = "${config.services.kanidm.serverSettings.bindaddress}";
# verify_ca = true;
# verify_hostnames = true;
# };
# };
#
# #environment = {
# # etc."kanidm/config".text = ''
# # uri="https://auth.${config.networking.domain}"
# # '';
# #};
#vpn stuff #vpn stuff
#need to run at fresh install to create namespace: headscale namespaces create <namespace_name> # #need to run at fresh install to create namespace: headscale namespaces create <namespace_name>
services.headscale = { # services.headscale = {
enable = true; # enable = true;
user = "headscale"; # user = "headscale";
address = "127.0.0.1"; # address = "127.0.0.1";
port = 8080; # port = 8080;
settings = { # settings = {
logtail.enabled = false; # logtail.enabled = false;
metrics_listen_addr = "127.0.0.1:9090"; # metrics_listen_addr = "127.0.0.1:9090";
server_url = "https://${"vpn."+config.networking.domain}"; # server_url = "https://${"vpn."+config.networking.domain}";
dns_config = { # dns_config = {
base_domain = "${config.networking.domain}"; # base_domain = "${config.networking.domain}";
magic_dns = true; # magic_dns = true;
nameservers = [ # nameservers = [
"1.1.1.1" # "1.1.1.1"
]; # ];
}; # };
#
##should really implement with fex github and kanidm # ##should really implement with fex github and kanidm
#oidc = { # #oidc = {
# issuer = "{config.services.kanidm.serverSettings.origin}"; # # issuer = "{config.services.kanidm.serverSettings.origin}";
# allowed_domains = Domains; # # allowed_domains = Domains;
# #};
# };
# }; # };
};
};
#tailscale #tailscale
services.tailscale.enable = true; services.tailscale.enable = true;
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.settings.UseDns = true;
services.openssh.settings.PermitRootLogin = "prohibit-password";
services.openssh.startWhenNeeded = true;
services.openssh.ports = [ 6969 ];
services.endlessh.enable = true; #ssh honeypot
services.endlessh.port = 22;
services.endlessh.openFirewall = true;
services.sshguard.enable = true; #protection against brute force attacks like fail2ban
users.users."root".openssh.authorizedKeys.keys = [ users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop"
]; ];
@ -174,9 +158,9 @@ users.users."gunalx".openssh.authorizedKeys.keys = [
checkReversePath = "loose"; checkReversePath = "loose";
trustedInterfaces = [ "tailscale0" ]; trustedInterfaces = [ "tailscale0" ];
allowedUDPPorts = [ allowedUDPPorts = [
8096
80 80
443 443
6969
#config.services.openssh.ports #config.services.openssh.ports
config.services.tailscale.port config.services.tailscale.port
config.services.headscale.port config.services.headscale.port

View File

@ -10,18 +10,21 @@
# This will add secrets.yml to the nix store # This will add secrets.yml to the nix store
# You can avoid this by adding a string to the full path instead, i.e. # You can avoid this by adding a string to the full path instead, i.e.
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml"; # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = "/etc/nixos/nix-dotfiles/secrets/secrets.yaml";
sops.validateSopsFiles = false;
# This will automatically import SSH keys as age keys # This will automatically import SSH keys as age keys
sops.age.sshKeyPaths = [ "/etc/ssh/nixos" "/$HOME/.ssh/nixos" "/home/gunalx/.ssh/nixos" ]; sops.age.sshKeyPaths = [
"/etc/ssh/nixos"
#"/$HOME/.ssh/nixos"
#"/home/gunalx/.ssh/nixos"
];
# This is using an age key that is expected to already be in the filesystem # This is using an age key that is expected to already be in the filesystem
# sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
# This will generate a new key if the key specified above does not exist # This will generate a new key if the key specified above does not exist
sops.age.generateKey = true sops.age.generateKey = true;
# This is the actual specification of the secrets. # This is the actual specification of the secrets.
#sops.secrets."myservice/my_subdir/my_secret" = {}; #sops.secrets."myservice/my_subdir/my_secret" = {};
sops.secrets."acme/creds/domeneshop" = { sops.secrets."acme/certs" = { };
};
} }

0
secrets/secrets.yaml.dec Normal file
View File

View File

@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
basicAuthUser = "guest"; basicAuthUser = "guest";
basicAuthPass = "12345678"; basicAuthPass = "";
in in
{ {
@ -15,7 +15,7 @@ in
extraDomainNames = [ "*.${config.networking.domain}" "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"]; extraDomainNames = [ "*.${config.networking.domain}" "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"];
dnsProvider = "domeneshop"; # from here according to privider https://go-acme.github.io/lego/dns/ dnsProvider = "domeneshop"; # from here according to privider https://go-acme.github.io/lego/dns/
dnsPropagationCheck = true; dnsPropagationCheck = true;
credentialsFile = config.sops.secrets."acme/creds/domeneshop".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml credentialsFile = config.sops.secrets."acme/certs".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
}; };
}; };
@ -39,37 +39,62 @@ in
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
virtualHosts.${"vpn."+config.networking.domain} = {
virtualHosts.${"managment.funn-nas.lauterer.it"} = {
forceSSL = true; forceSSL = true;
useACMEHost = "${config.networking.domain}"; useACMEHost = "${config.networking.domain}";
locations."/" = { locations."/" = {
proxyWebsockets = true; proxyWebsockets = true;
proxyPass = "http://localhost:${toString config.services.headscale.port}"; proxyPass = "http://100.104.182.48";
}; };
};
virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
forceSSL = true;
useACMEHost = "${config.networking.domain}";
locations."/" = {
proxyWebsockets = true;
proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
};
};
virtualHosts.${"jellyfin."+config.networking.domain} = {
forceSSL = true;
#enableACME = true;
useACMEHost = "${config.networking.domain}";
locations."/" = {
proxyPass = "http://jellyfin.galadriel";
proxyWebsockets = true;
basicAuth = { basicAuth = {
guest = basicAuthPass; guest = basicAuthPass;
}; };
}; };
virtualHosts.${"funn-nas.lauterer.it"} = {
forceSSL = true;
useACMEHost = "${config.networking.domain}";
locations."/" = {
proxyWebsockets = true;
proxyPass = "https://100.104.182.48:30044";
}; };
basicAuth = {
guest = basicAuthPass;
};
};
# virtualHosts.${"vpn."+config.networking.domain} = {
# forceSSL = true;
# useACMEHost = "${config.networking.domain}";
# locations."/" = {
# proxyWebsockets = true;
# proxyPass = "http://localhost:${toString config.services.headscale.port}";
# };
# };
# virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
# forceSSL = true;
# useACMEHost = "${config.networking.domain}";
# locations."/" = {
# proxyWebsockets = true;
# proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
# };
# };
# virtualHosts.${"jellyfin."+config.networking.domain} = {
# forceSSL = true;
# #enableACME = true;
# useACMEHost = "${config.networking.domain}";
# locations."/" = {
# proxyPass = "http://jellyfin.galadriel";
# proxyWebsockets = true;
# basicAuth = {
# guest = basicAuthPass;
# };
# };
# };
}; };

View File

@ -11,23 +11,22 @@
settings.UseDns = true; settings.UseDns = true;
settings.PermitRootLogin = "prohibit-password"; settings.PermitRootLogin = "prohibit-password";
startWhenNeeded = true; startWhenNeeded = true;
UseDns = true; ports = [ 6969 ];
ports = [ 25264 ];
openFirewall = true; openFirewall = true;
Ciphers = [ #settings.Ciphers = [
"chacha20-poly1305@openssh.com" # "chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com" # "aes256-gcm@openssh.com"
"aes128-gcm@openssh.com" # "aes128-gcm@openssh.com"
"aes256-ctr" # "aes256-ctr"
# remove some weaker ciphers # # remove some weaker ciphers
] #];
} };
endlessh = { services.endlessh = {
enable = true; enable = true;
port = 22; port = 22;
openFirewall = true; openFirewall = true;
}; };
sshguard.enable = true; #protection against brute force attacks like fail2ban services.sshguard.enable = true; #protection against brute force attacks like fail2ban
} }