commit
d57f4c6fb1
|
@ -6,16 +6,11 @@
|
||||||
{
|
{
|
||||||
imports =
|
imports =
|
||||||
[ # Include the results of the hardware scan.
|
[ # Include the results of the hardware scan.
|
||||||
./hardware-configuration.nix
|
../../profiles/base.nix
|
||||||
../profiles/base.nix
|
../../services/ssh.nix
|
||||||
../services/ssh.nix
|
../../services/nginx.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
# Use the GRUB 2 boot loader.
|
|
||||||
boot.loader.grub.enable = true;
|
|
||||||
#boot.loader.grub.version = 2; #Depreciated
|
|
||||||
boot.loader.grub.efiSupport = true;
|
|
||||||
boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only # Define on which hard drive you want to install Grub.
|
|
||||||
|
|
||||||
# Set your time zone.
|
# Set your time zone.
|
||||||
time.timeZone = "Europe/Oslo";
|
time.timeZone = "Europe/Oslo";
|
||||||
|
@ -25,8 +20,8 @@
|
||||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||||
# replicates the default behaviour.
|
# replicates the default behaviour.
|
||||||
networking.useDHCP = false;
|
networking.useDHCP = false;
|
||||||
networking.interfaces.ens18.useDHCP = true;
|
networking.interfaces.ens3.useDHCP = true; # lmao interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way.
|
||||||
networking.hostName = "addictedmaker"; # Define your hostname.
|
networking.hostName = "celebrian"; # Define your hostname.
|
||||||
networking.domain = "addictedmaker.eu"; # Define your domain.
|
networking.domain = "addictedmaker.eu"; # Define your domain.
|
||||||
|
|
||||||
boot.kernel.sysctl = {
|
boot.kernel.sysctl = {
|
||||||
|
@ -61,91 +56,80 @@
|
||||||
|
|
||||||
|
|
||||||
#add proxyserver to acme
|
#add proxyserver to acme
|
||||||
users.users.kanidm.extraGroups = [ "acme" ];
|
#users.users.kanidm.extraGroups = [ "acme" ];
|
||||||
|
|
||||||
#sequrity managment through kanidm
|
#sequrity managment through kanidm
|
||||||
systemd.services.kanidm = let
|
# systemd.services.kanidm = let
|
||||||
certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost;
|
# certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost;
|
||||||
in {
|
# in {
|
||||||
requires = [ "acme-finished-${certName}.target" ];
|
# requires = [ "acme-finished-${certName}.target" ];
|
||||||
serviceConfig.LoadCredential = let
|
# serviceConfig.LoadCredential = let
|
||||||
certDir = config.security.acme.certs.${certName}.directory;
|
# certDir = config.security.acme.certs.${certName}.directory;
|
||||||
in [
|
# in [
|
||||||
"fullchain.pem:${certDir}/fullchain.pem"
|
# "fullchain.pem:${certDir}/fullchain.pem"
|
||||||
"key.pem:${certDir}/key.pem"
|
# "key.pem:${certDir}/key.pem"
|
||||||
];
|
# ];
|
||||||
};
|
# };
|
||||||
|
#
|
||||||
services.kanidm = {
|
# services.kanidm = {
|
||||||
enableServer = true;
|
# enableServer = true;
|
||||||
#enablePam = true;
|
# #enablePam = true;
|
||||||
serverSettings = let
|
# serverSettings = let
|
||||||
credsDir = "/run/credentials/kanidm.service";
|
# credsDir = "/run/credentials/kanidm.service";
|
||||||
#credsDir = "/var/lib/acme/${config.networking.domain}"; #the files are here but not readable
|
# #credsDir = "/var/lib/acme/${config.networking.domain}"; #the files are here but not readable
|
||||||
in {
|
# in {
|
||||||
origin = "https://${config.services.kanidm.serverSettings.domain}";
|
# origin = "https://${config.services.kanidm.serverSettings.domain}";
|
||||||
domain = "auth.${config.networking.domain}";
|
# domain = "auth.${config.networking.domain}";
|
||||||
tls_chain = "${credsDir}/fullchain.pem";
|
# tls_chain = "${credsDir}/fullchain.pem";
|
||||||
tls_key = "${credsDir}/key.pem";
|
# tls_key = "${credsDir}/key.pem";
|
||||||
bindaddress = "localhost:8300";
|
# bindaddress = "localhost:8300";
|
||||||
};
|
# };
|
||||||
|
#
|
||||||
clientSettings = {
|
# clientSettings = {
|
||||||
# This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool
|
# # This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool
|
||||||
uri = "${config.services.kanidm.serverSettings.bindaddress}";
|
# uri = "${config.services.kanidm.serverSettings.bindaddress}";
|
||||||
verify_ca = true;
|
# verify_ca = true;
|
||||||
verify_hostnames = true;
|
# verify_hostnames = true;
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
|
#
|
||||||
#environment = {
|
# #environment = {
|
||||||
# etc."kanidm/config".text = ''
|
# # etc."kanidm/config".text = ''
|
||||||
# uri="https://auth.${config.networking.domain}"
|
# # uri="https://auth.${config.networking.domain}"
|
||||||
# '';
|
# # '';
|
||||||
#};
|
# #};
|
||||||
|
|
||||||
|
|
||||||
#vpn stuff
|
#vpn stuff
|
||||||
#need to run at fresh install to create namespace: headscale namespaces create <namespace_name>
|
# #need to run at fresh install to create namespace: headscale namespaces create <namespace_name>
|
||||||
services.headscale = {
|
# services.headscale = {
|
||||||
enable = true;
|
# enable = true;
|
||||||
user = "headscale";
|
# user = "headscale";
|
||||||
address = "127.0.0.1";
|
# address = "127.0.0.1";
|
||||||
port = 8080;
|
# port = 8080;
|
||||||
settings = {
|
# settings = {
|
||||||
logtail.enabled = false;
|
# logtail.enabled = false;
|
||||||
metrics_listen_addr = "127.0.0.1:9090";
|
# metrics_listen_addr = "127.0.0.1:9090";
|
||||||
server_url = "https://${"vpn."+config.networking.domain}";
|
# server_url = "https://${"vpn."+config.networking.domain}";
|
||||||
dns_config = {
|
# dns_config = {
|
||||||
base_domain = "${config.networking.domain}";
|
# base_domain = "${config.networking.domain}";
|
||||||
magic_dns = true;
|
# magic_dns = true;
|
||||||
nameservers = [
|
# nameservers = [
|
||||||
"1.1.1.1"
|
# "1.1.1.1"
|
||||||
];
|
# ];
|
||||||
};
|
# };
|
||||||
|
#
|
||||||
##should really implement with fex github and kanidm
|
# ##should really implement with fex github and kanidm
|
||||||
#oidc = {
|
# #oidc = {
|
||||||
# issuer = "{config.services.kanidm.serverSettings.origin}";
|
# # issuer = "{config.services.kanidm.serverSettings.origin}";
|
||||||
# allowed_domains = Domains;
|
# # allowed_domains = Domains;
|
||||||
#};
|
# #};
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
|
|
||||||
#tailscale
|
#tailscale
|
||||||
services.tailscale.enable = true;
|
services.tailscale.enable = true;
|
||||||
|
|
||||||
# Enable the OpenSSH daemon.
|
|
||||||
services.openssh.enable = true;
|
|
||||||
services.openssh.settings.UseDns = true;
|
|
||||||
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
|
||||||
services.openssh.startWhenNeeded = true;
|
|
||||||
services.openssh.ports = [ 6969 ];
|
|
||||||
services.endlessh.enable = true; #ssh honeypot
|
|
||||||
services.endlessh.port = 22;
|
|
||||||
services.endlessh.openFirewall = true;
|
|
||||||
services.sshguard.enable = true; #protection against brute force attacks like fail2ban
|
|
||||||
|
|
||||||
users.users."root".openssh.authorizedKeys.keys = [
|
users.users."root".openssh.authorizedKeys.keys = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop"
|
||||||
];
|
];
|
||||||
|
@ -174,9 +158,9 @@ users.users."gunalx".openssh.authorizedKeys.keys = [
|
||||||
checkReversePath = "loose";
|
checkReversePath = "loose";
|
||||||
trustedInterfaces = [ "tailscale0" ];
|
trustedInterfaces = [ "tailscale0" ];
|
||||||
allowedUDPPorts = [
|
allowedUDPPorts = [
|
||||||
8096
|
|
||||||
80
|
80
|
||||||
443
|
443
|
||||||
|
6969
|
||||||
#config.services.openssh.ports
|
#config.services.openssh.ports
|
||||||
config.services.tailscale.port
|
config.services.tailscale.port
|
||||||
config.services.headscale.port
|
config.services.headscale.port
|
||||||
|
|
|
@ -10,18 +10,21 @@
|
||||||
# This will add secrets.yml to the nix store
|
# This will add secrets.yml to the nix store
|
||||||
# You can avoid this by adding a string to the full path instead, i.e.
|
# You can avoid this by adding a string to the full path instead, i.e.
|
||||||
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
|
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
|
||||||
sops.defaultSopsFile = ./secrets.yaml;
|
sops.defaultSopsFile = "/etc/nixos/nix-dotfiles/secrets/secrets.yaml";
|
||||||
|
sops.validateSopsFiles = false;
|
||||||
# This will automatically import SSH keys as age keys
|
# This will automatically import SSH keys as age keys
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/nixos" "/$HOME/.ssh/nixos" "/home/gunalx/.ssh/nixos" ];
|
sops.age.sshKeyPaths = [
|
||||||
|
"/etc/ssh/nixos"
|
||||||
|
#"/$HOME/.ssh/nixos"
|
||||||
|
#"/home/gunalx/.ssh/nixos"
|
||||||
|
];
|
||||||
# This is using an age key that is expected to already be in the filesystem
|
# This is using an age key that is expected to already be in the filesystem
|
||||||
# sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||||
# This will generate a new key if the key specified above does not exist
|
# This will generate a new key if the key specified above does not exist
|
||||||
sops.age.generateKey = true
|
sops.age.generateKey = true;
|
||||||
|
|
||||||
# This is the actual specification of the secrets.
|
# This is the actual specification of the secrets.
|
||||||
#sops.secrets."myservice/my_subdir/my_secret" = {};
|
#sops.secrets."myservice/my_subdir/my_secret" = {};
|
||||||
sops.secrets."acme/creds/domeneshop" = {
|
sops.secrets."acme/certs" = { };
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
basicAuthUser = "guest";
|
basicAuthUser = "guest";
|
||||||
basicAuthPass = "12345678";
|
basicAuthPass = "";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
||||||
|
@ -15,7 +15,7 @@ in
|
||||||
extraDomainNames = [ "*.${config.networking.domain}" "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"];
|
extraDomainNames = [ "*.${config.networking.domain}" "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"];
|
||||||
dnsProvider = "domeneshop"; # from here according to privider https://go-acme.github.io/lego/dns/
|
dnsProvider = "domeneshop"; # from here according to privider https://go-acme.github.io/lego/dns/
|
||||||
dnsPropagationCheck = true;
|
dnsPropagationCheck = true;
|
||||||
credentialsFile = config.sops.secrets."acme/creds/domeneshop".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
|
credentialsFile = config.sops.secrets."acme/certs".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -39,37 +39,62 @@ in
|
||||||
recommendedGzipSettings = true;
|
recommendedGzipSettings = true;
|
||||||
recommendedOptimisation = true;
|
recommendedOptimisation = true;
|
||||||
|
|
||||||
virtualHosts.${"vpn."+config.networking.domain} = {
|
|
||||||
|
virtualHosts.${"managment.funn-nas.lauterer.it"} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "${config.networking.domain}";
|
useACMEHost = "${config.networking.domain}";
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
proxyPass = "http://localhost:${toString config.services.headscale.port}";
|
proxyPass = "http://100.104.182.48";
|
||||||
|
};
|
||||||
|
basicAuth = {
|
||||||
|
guest = basicAuthPass;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
|
virtualHosts.${"funn-nas.lauterer.it"} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "${config.networking.domain}";
|
useACMEHost = "${config.networking.domain}";
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
|
proxyPass = "https://100.104.182.48:30044";
|
||||||
|
};
|
||||||
|
basicAuth = {
|
||||||
|
guest = basicAuthPass;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
virtualHosts.${"jellyfin."+config.networking.domain} = {
|
# virtualHosts.${"vpn."+config.networking.domain} = {
|
||||||
forceSSL = true;
|
# forceSSL = true;
|
||||||
#enableACME = true;
|
# useACMEHost = "${config.networking.domain}";
|
||||||
useACMEHost = "${config.networking.domain}";
|
# locations."/" = {
|
||||||
locations."/" = {
|
# proxyWebsockets = true;
|
||||||
proxyPass = "http://jellyfin.galadriel";
|
# proxyPass = "http://localhost:${toString config.services.headscale.port}";
|
||||||
proxyWebsockets = true;
|
# };
|
||||||
basicAuth = {
|
# };
|
||||||
guest = basicAuthPass;
|
|
||||||
};
|
# virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
|
||||||
};
|
# forceSSL = true;
|
||||||
};
|
# useACMEHost = "${config.networking.domain}";
|
||||||
|
# locations."/" = {
|
||||||
|
# proxyWebsockets = true;
|
||||||
|
# proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
|
||||||
|
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
|
||||||
|
# virtualHosts.${"jellyfin."+config.networking.domain} = {
|
||||||
|
# forceSSL = true;
|
||||||
|
# #enableACME = true;
|
||||||
|
# useACMEHost = "${config.networking.domain}";
|
||||||
|
# locations."/" = {
|
||||||
|
# proxyPass = "http://jellyfin.galadriel";
|
||||||
|
# proxyWebsockets = true;
|
||||||
|
# basicAuth = {
|
||||||
|
# guest = basicAuthPass;
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
# };
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -11,23 +11,22 @@
|
||||||
settings.UseDns = true;
|
settings.UseDns = true;
|
||||||
settings.PermitRootLogin = "prohibit-password";
|
settings.PermitRootLogin = "prohibit-password";
|
||||||
startWhenNeeded = true;
|
startWhenNeeded = true;
|
||||||
UseDns = true;
|
ports = [ 6969 ];
|
||||||
ports = [ 25264 ];
|
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
Ciphers = [
|
#settings.Ciphers = [
|
||||||
"chacha20-poly1305@openssh.com"
|
# "chacha20-poly1305@openssh.com"
|
||||||
"aes256-gcm@openssh.com"
|
# "aes256-gcm@openssh.com"
|
||||||
"aes128-gcm@openssh.com"
|
# "aes128-gcm@openssh.com"
|
||||||
"aes256-ctr"
|
# "aes256-ctr"
|
||||||
# remove some weaker ciphers
|
# # remove some weaker ciphers
|
||||||
]
|
#];
|
||||||
}
|
};
|
||||||
endlessh = {
|
services.endlessh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
port = 22;
|
port = 22;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
};
|
};
|
||||||
sshguard.enable = true; #protection against brute force attacks like fail2ban
|
services.sshguard.enable = true; #protection against brute force attacks like fail2ban
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
Loading…
Reference in New Issue