Merge pull request #1 from adrlau/celebrian-fix

Celebrian fix

machines/celebrian/configuration.nix

@@ -6,16 +6,11 @@
 {
   imports =
     [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ../profiles/base.nix
-      ../services/ssh.nix
+      ../../profiles/base.nix
+      ../../services/ssh.nix
+      ../../services/nginx.nix
     ];
 
-  # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
-  #boot.loader.grub.version = 2; #Depreciated
-  boot.loader.grub.efiSupport = true;
-  boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only # Define on which hard drive you want to install Grub.
 
   # Set your time zone.
   time.timeZone = "Europe/Oslo";
@@ -25,8 +20,8 @@
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
   networking.useDHCP = false;                   
-  networking.interfaces.ens18.useDHCP = true;
-  networking.hostName = "addictedmaker"; # Define your hostname.
+  networking.interfaces.ens3.useDHCP = true; # lmao interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way.
+  networking.hostName = "celebrian"; # Define your hostname.
   networking.domain = "addictedmaker.eu"; # Define your domain.
   
   boot.kernel.sysctl = {
@@ -61,91 +56,80 @@
 
 
   #add proxyserver to acme
-  users.users.kanidm.extraGroups = [ "acme" ];
+  #users.users.kanidm.extraGroups = [ "acme" ];
 
 #sequrity managment through kanidm
-  systemd.services.kanidm = let
-    certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost;
-  in {
-    requires = [ "acme-finished-${certName}.target" ];
-    serviceConfig.LoadCredential = let
-      certDir = config.security.acme.certs.${certName}.directory;
-    in [
-      "fullchain.pem:${certDir}/fullchain.pem"
-      "key.pem:${certDir}/key.pem"
-    ];
-  };
-
-  services.kanidm = {
-    enableServer = true;
-    #enablePam = true;
-    serverSettings = let
-      credsDir = "/run/credentials/kanidm.service";
-      #credsDir = "/var/lib/acme/${config.networking.domain}"; #the files are here but not readable
-    in {
-      origin = "https://${config.services.kanidm.serverSettings.domain}";
-      domain = "auth.${config.networking.domain}";
-      tls_chain = "${credsDir}/fullchain.pem";
-      tls_key = "${credsDir}/key.pem";
-      bindaddress = "localhost:8300";
-    };
-
-    clientSettings = {
-      # This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool
-      uri = "${config.services.kanidm.serverSettings.bindaddress}";
-      verify_ca = true;
-      verify_hostnames = true;
-    };
-  };
-
-  #environment = {
-  #  etc."kanidm/config".text = ''
-  #    uri="https://auth.${config.networking.domain}"
-  #  '';
-  #}; 
+#  systemd.services.kanidm = let
+#    certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost;
+#  in {
+#    requires = [ "acme-finished-${certName}.target" ];
+#    serviceConfig.LoadCredential = let
+#      certDir = config.security.acme.certs.${certName}.directory;
+#    in [
+#      "fullchain.pem:${certDir}/fullchain.pem"
+#      "key.pem:${certDir}/key.pem"
+#    ];
+#  };
+#
+#  services.kanidm = {
+#    enableServer = true;
+#    #enablePam = true;
+#    serverSettings = let
+#      credsDir = "/run/credentials/kanidm.service";
+#      #credsDir = "/var/lib/acme/${config.networking.domain}"; #the files are here but not readable
+#    in {
+#      origin = "https://${config.services.kanidm.serverSettings.domain}";
+#      domain = "auth.${config.networking.domain}";
+#      tls_chain = "${credsDir}/fullchain.pem";
+#      tls_key = "${credsDir}/key.pem";
+#      bindaddress = "localhost:8300";
+#    };
+#
+#    clientSettings = {
+#      # This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool
+#      uri = "${config.services.kanidm.serverSettings.bindaddress}";
+#      verify_ca = true;
+#      verify_hostnames = true;
+#    };
+			#  };
+#
+#  #environment = {
+#  #  etc."kanidm/config".text = ''
+#  #    uri="https://auth.${config.networking.domain}"
+#  #  '';
+#  #}; 
 
 
 #vpn stuff
-  #need to run at fresh install to create namespace: headscale namespaces create <namespace_name> 
-  services.headscale = {
-    enable = true;
-    user = "headscale";
-    address = "127.0.0.1";
-    port = 8080;
-    settings = {
-      logtail.enabled = false;
-      metrics_listen_addr = "127.0.0.1:9090";
-      server_url = "https://${"vpn."+config.networking.domain}";
-      dns_config = {
-        base_domain = "${config.networking.domain}";
-        magic_dns = true;
-        nameservers = [
-          "1.1.1.1"
-        ];
-      };
-
-      ##should really implement with fex github and kanidm
-      #oidc = {
-      #  issuer  = "{config.services.kanidm.serverSettings.origin}";
-      #  allowed_domains = Domains;
-      #};
-    };
-  };
+#  #need to run at fresh install to create namespace: headscale namespaces create <namespace_name> 
+#  services.headscale = {
+#    enable = true;
+#    user = "headscale";
+#    address = "127.0.0.1";
+#	    port = 8080;
+#    settings = {
+#      logtail.enabled = false;
+#      metrics_listen_addr = "127.0.0.1:9090";
+#      server_url = "https://${"vpn."+config.networking.domain}";
+#      dns_config = {
+#        base_domain = "${config.networking.domain}";
+#        magic_dns = true;
+#        nameservers = [
+#          "1.1.1.1"
+#        ];
+#      };
+#
+#      ##should really implement with fex github and kanidm
+#      #oidc = {
+#      #  issuer  = "{config.services.kanidm.serverSettings.origin}";
+#      #  allowed_domains = Domains;
+#      #};
+#    };
+#  };
 
   #tailscale
   services.tailscale.enable = true;
 
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-  services.openssh.settings.UseDns = true;
-  services.openssh.settings.PermitRootLogin = "prohibit-password";
-  services.openssh.startWhenNeeded = true;
-  services.openssh.ports = [ 6969 ];
-  services.endlessh.enable = true; #ssh honeypot
-  services.endlessh.port = 22;
-  services.endlessh.openFirewall = true;
-  services.sshguard.enable = true; #protection against brute force attacks like fail2ban
-
   users.users."root".openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop"
   ];
@@ -174,9 +158,9 @@ users.users."gunalx".openssh.authorizedKeys.keys = [
     checkReversePath = "loose";
     trustedInterfaces = [ "tailscale0" ];
     allowedUDPPorts = [
-      8096
       80
       443
+      6969
       #config.services.openssh.ports
       config.services.tailscale.port
       config.services.headscale.port

profiles/sops.nix

@@ -10,18 +10,21 @@
   # This will add secrets.yml to the nix store
   # You can avoid this by adding a string to the full path instead, i.e.
   # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
-  sops.defaultSopsFile = ./secrets.yaml;
+  sops.defaultSopsFile = "/etc/nixos/nix-dotfiles/secrets/secrets.yaml";
+  sops.validateSopsFiles = false;
   # This will automatically import SSH keys as age keys
-  sops.age.sshKeyPaths = [ "/etc/ssh/nixos" "/$HOME/.ssh/nixos" "/home/gunalx/.ssh/nixos" ];
+  sops.age.sshKeyPaths = [
+			 "/etc/ssh/nixos"
+			 #"/$HOME/.ssh/nixos"
+		         #"/home/gunalx/.ssh/nixos"
+			 ];
   # This is using an age key that is expected to already be in the filesystem
-  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   # This will generate a new key if the key specified above does not exist
-  sops.age.generateKey = true
+  sops.age.generateKey = true;
 
   # This is the actual specification of the secrets.
   #sops.secrets."myservice/my_subdir/my_secret" = {};
-  sops.secrets."acme/creds/domeneshop" = {
-    
-  };
+  sops.secrets."acme/certs" = {  };
 
 }

services/nginx.nix

@@ -1,7 +1,7 @@
 { config, pkgs, lib, ... }:
 let
   basicAuthUser = "guest";
-  basicAuthPass = "12345678"; 
+  basicAuthPass = ""; 
 in
 {  
 
@@ -15,7 +15,7 @@ in
       extraDomainNames = [ "*.${config.networking.domain}"   "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"];
       dnsProvider = "domeneshop";   # from here according to privider https://go-acme.github.io/lego/dns/ 
       dnsPropagationCheck = true;
-      credentialsFile =  config.sops.secrets."acme/creds/domeneshop".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
+      credentialsFile =  config.sops.secrets."acme/certs".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
     };
   };
 
@@ -39,37 +39,62 @@ in
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
 
-    virtualHosts.${"vpn."+config.networking.domain} = {
+
+    virtualHosts.${"managment.funn-nas.lauterer.it"} = {
       forceSSL = true;
       useACMEHost = "${config.networking.domain}";
       locations."/" = {
         proxyWebsockets = true;
-        proxyPass = "http://localhost:${toString config.services.headscale.port}";
+        proxyPass = "http://100.104.182.48";
       };
-    };
-
-    virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
-      forceSSL = true;
-      useACMEHost = "${config.networking.domain}";
-      locations."/" = {
-        proxyWebsockets = true;
-        proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
-
-      };
-    };
-
-    virtualHosts.${"jellyfin."+config.networking.domain} = {
-      forceSSL = true;
-      #enableACME = true;
-      useACMEHost = "${config.networking.domain}";
-      locations."/" = {
-        proxyPass = "http://jellyfin.galadriel";
-        proxyWebsockets = true;
       basicAuth = {
         guest = basicAuthPass;
       };
     };
+
+    virtualHosts.${"funn-nas.lauterer.it"} = {
+      forceSSL = true;
+      useACMEHost = "${config.networking.domain}";
+      locations."/" = {
+        proxyWebsockets = true;
+        proxyPass = "https://100.104.182.48:30044";
       };
+      basicAuth = {
+        guest = basicAuthPass;
+      };
+    };
+
+   # virtualHosts.${"vpn."+config.networking.domain} = {
+   #   forceSSL = true;
+   #   useACMEHost = "${config.networking.domain}";
+   #   locations."/" = {
+   #     proxyWebsockets = true;
+   #     proxyPass = "http://localhost:${toString config.services.headscale.port}";
+   #   };
+   # };
+
+   # virtualHosts.${config.services.kanidm.serverSettings.domain} = { # (auth.)
+   #   forceSSL = true;
+   #   useACMEHost = "${config.networking.domain}";
+   #   locations."/" = {
+   #     proxyWebsockets = true;
+   #     proxyPass = "${"https://"+config.services.kanidm.serverSettings.bindaddress}";
+
+   #   };
+   # };
+
+   # virtualHosts.${"jellyfin."+config.networking.domain} = {
+   #   forceSSL = true;
+   #   #enableACME = true;
+   #   useACMEHost = "${config.networking.domain}";
+   #   locations."/" = {
+   #     proxyPass = "http://jellyfin.galadriel";
+   #     proxyWebsockets = true;
+   #     basicAuth = {
+   #       guest = basicAuthPass;
+   #     };
+   #   };
+   # };
   };
 
 

services/ssh.nix

@@ -11,23 +11,22 @@
     settings.UseDns = true;
     settings.PermitRootLogin = "prohibit-password";
     startWhenNeeded = true;
-    UseDns = true;
-    ports = [ 25264 ];
+    ports = [ 6969 ];
     openFirewall = true;
-    Ciphers = [
-      "chacha20-poly1305@openssh.com"
-      "aes256-gcm@openssh.com"
-      "aes128-gcm@openssh.com"
-      "aes256-ctr"
-      # remove some weaker ciphers
-    ]
-  }
-  endlessh = {
+    #settings.Ciphers = [
+    #  "chacha20-poly1305@openssh.com"
+    #  "aes256-gcm@openssh.com"
+    #  "aes128-gcm@openssh.com"
+    #  "aes256-ctr"
+    #  # remove some weaker ciphers
+    #];
+  };
+  services.endlessh = {
     enable = true;
     port = 22;
     openFirewall = true;
   };
-  sshguard.enable = true; #protection against brute force attacks like fail2ban
+  services.sshguard.enable = true; #protection against brute force attacks like fail2ban
 
 
 }