Initial commit
This commit is contained in:
commit
5d10dff0ad
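--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,5 @@
+root = true
+
+[*.nix]
+indent_style = space
+indent_size = 2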
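--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+"nodes": {
+"nixpkgs": {
+"locked": {
+"lastModified": 1691592289,
+"narHash": "sha256-Lqpw7lrXlLkYra33tp57ms8tZ0StWhbcl80vk4D90F8=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "9034b46dc4c7596a87ab837bb8a07ef2d887e8c7",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-23.05",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"nixpkgs": "nixpkgs"
+}
+}
+},
+"root": "root",
+"version": 7
+}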
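--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,27 @@
+{
+description = "flake for comfycamp.space";
+
+inputs = {
+nixpkgs = {
+url = "github:NixOS/nixpkgs/nixos-23.05";
+};
+};
+
+outputs = { self, nixpkgs }:
+let
+system = "x86_64-linux";
+pkgs = import nixpkgs {
+inherit system;
+};
+lib = nixpkgs.lib;
+in {
+nixosConfigurations = {
+comfycamp = lib.nixosSystem {
+inherit system;
+modules = [
+./nixos/configuration.nix
+];
+};
+};
+};
+}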
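Review bot: `pkgs = import nixpkgs { inherit system; };` in the `let` block is bound but never used — the outputs only reference `lib` and `nixpkgs`, and the `comfycamp` configuration gets its own package set from `lib.nixosSystem`. Dropping the binding, or passing it on explicitly via `specialArgs` if modules are meant to use it, keeps the flake free of dead configuration. This is a style point only; Nix evaluation is lazy, so the unused import costs nothing at runtime.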
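--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -0,0 +1,44 @@
+{ config, pkgs, ... }:
+{
+imports = [
+./hardware-configuration.nix
+./networking.nix
+./users.nix
+./fail2ban.nix
+./time.nix
+./programs/nginx.nix
+./programs/bash.nix
+./programs/acme.nix
+];
+
+# Enable flakes
+nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+# Use the systemd-boot EFI boot loader.
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+
+# List packages installed in system profile. To search, run:
+# $ nix search wget
+environment.systemPackages = with pkgs; [
+wget
+curl
+neovim
+htop
+git
+rsync
+imagemagick
+dig
+iptables
+cryptsetup
+ffmpeg
+];
+
+# Enable the OpenSSH daemon.
+services.openssh = {
+enable = true;
+settings.PasswordAuthentication = false;
+};
+
+system.stateVersion = "22.11";
+}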
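Review bot: `settings.PasswordAuthentication = false;` in the `services.openssh` block disables only the `password` method; sshd still accepts keyboard-interactive (PAM) logins, which prompt for the same account password, so the daemon is not yet key-only. Add `settings.KbdInteractiveAuthentication = false;` next to it (the option exists in the nixos-23.05 branch this flake pins). No `PermitRootLogin` is set, so the NixOS default (`prohibit-password`) applies; that is a reasonable default to rely on, but it is worth stating under the `# Enable the OpenSSH daemon.` comment so a later reader does not have to look it up.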
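--- a/nixos/fail2ban.nix
+++ b/nixos/fail2ban.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+services.fail2ban = {
+enable = false;
+maxretry = 5;
+ignoreIP = [
+"192.168.88.0/24"
+];
+};
+}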
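Review bot: `enable = false;` leaves the whole module inert, so `maxretry` and `ignoreIP` have no effect and SSH — reachable from anywhere while the firewall in networking.nix is also off — gets no brute-force throttling; unlike the firewall's `# TODO: enable me`, nothing here says the disabled state is deliberate. Either enable it or add `# TODO: enable; kept off until <reason>` above the line so the gap is visible. Separately, `ignoreIP` whitelists `192.168.88.0/24` while networking.nix sets `defaultGateway = "192.168.0.1"`; if the host's LAN is 192.168.0.0/24 the whitelist would not cover it, so the intended subnet is worth confirming.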
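--- a/nixos/hardware-configuration.nix
+++ b/nixos/hardware-configuration.nix
@@ -0,0 +1,56 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/installer/scan/not-detected.nix")
+];
+
+boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+boot.initrd.kernelModules = [ "usb_storage" ];
+boot.initrd.luks.devices = {
+hdd = {
+device = "/dev/disk/by-uuid/157d0eca-01bf-4dfc-88ff-12eb1e1aff69";
+keyFileSize = 4096;
+keyFile = "/dev/disk/by-id/usb-General_UDisk_2111031038384184595311-0:0";
+};
+ssd = {
+device = "/dev/disk/by-uuid/d13d7d84-5fa2-4b0f-abcc-5834c75b4cb6";
+keyFileSize = 4096;
+keyFile = "/dev/disk/by-id/usb-General_UDisk_2111031038384184595311-0:0";
+};
+};
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "/dev/disk/by-uuid/a4660ab9-09b8-45c2-a3fd-5f46300df9ff";
+fsType = "btrfs";
+options = [ "compress=zstd" ];
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/D70C-F6A7";
+fsType = "vfat";
+};
+
+fileSystems."/hdd" =
+{ device = "/dev/disk/by-uuid/24388265-a28d-4876-bc15-ad753de1ea2b";
+fsType = "btrfs";
+options = [ "compress=zstd" ];
+};
+
+swapDevices = [ ];
+
+# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+# (the default) this is the recommended approach. When using systemd-networkd it's
+# still possible to use this option, but it's recommended to use it in conjunction
+# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+networking.useDHCP = lib.mkDefault true;
+# networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}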
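--- a/nixos/networking.nix
+++ b/nixos/networking.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+{
+networking = {
+hostName = "comfycamp";
+
+dhcpcd.enable = true;
+defaultGateway = "192.168.0.1";
+nameservers = [ "1.1.1.1" ];
+
+firewall = {
+# TODO: enable me
+enable = false;
+allowedTCPPorts = [ 22 80 443 1900 7359 30000 30025 30465 30993 ];
+allowedUDPPorts = [ 30000 1900 7359 ];
+
+# Kubernetes
+trustedInterfaces = [ "lo" "flannel.1" "cni0" ];
+};
+
+wireless.enable = false;
+};
+}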
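Review bot: `enable = false;` under `firewall` means `allowedTCPPorts`, `allowedUDPPorts` and `trustedInterfaces` are not applied at all, so every listening service on the host is reachable rather than just the listed ports — the `# TODO: enable me` comment understates that. If the firewall has to stay off for now the lists are dead configuration; if it is off only because of Kubernetes, `trustedInterfaces` already covers `flannel.1` and `cni0`, so it can likely be switched on with the existing allowlist (test with console access at hand, since 22 is in the list). A comment naming which service each port group (`1900 7359`, `30000 30025 30465 30993`) belongs to would also make the allowlist reviewable later, and `nameservers = [ "1.1.1.1" ];` is a single resolver with no fallback.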
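--- a/nixos/programs/acme.nix
+++ b/nixos/programs/acme.nix
@@ -0,0 +1,30 @@
+{ config, ... }:
+{
+# Настройки сервиса для получения wildcard сертификатов.
+
+# В /var/lib/secrets/certs.txt находится логин и пароль от reg.ru.
+# REGRU_USERNAME=xxx
+# REGRU_PASSWORD=xxx
+
+security.acme = {
+acceptTerms = true;
+defaults.email = "ordinarydev@protonmail.com";
+
+certs = {
+"comfycamp.space" = {
+dnsProvider = "regru";
+domain = "comfycamp.space";
+extraDomainNames = [ "*.comfycamp.space" ];
+dnsPropagationCheck = true;
+credentialsFile = "/var/lib/secrets/certs.txt";
+};
+"0ch.space" = {
+dnsProvider = "regru";
+domain = "0ch.space";
+extraDomainNames = [ "*.0ch.space" ];
+dnsPropagationCheck = true;
+credentialsFile = "/var/lib/secrets/certs.txt";
+};
+};
+};
+}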
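Review bot: The comments above `security.acme` say `/var/lib/secrets/certs.txt` holds the reg.ru login and password, but nothing records who must be able to read it or how it must be protected, and the NixOS module neither creates the file nor sets its mode. Because it is a full registrar account credential rather than a scoped API token, the comment should state the required ownership and permissions, e.g. `# must be readable only by the acme user (owner acme, mode 0600); it is the full registrar login, not a limited token`, and the readme's "должен быть доступен пользователю acme" should match. The two `certs` entries are identical apart from the domain, so a `let mkCert = domain: { … };` helper with `inherit domain;` and `extraDomainNames = [ "*.${domain}" ];` would keep them from drifting apart.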
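--- a/nixos/programs/bash.nix
+++ b/nixos/programs/bash.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+{
+environment.systemPackages = with pkgs; [
+bash
+];
+programs.bash = {
+shellAliases = {
+ll = "ls -l";
+vi = "nvim";
+vim = "nvim";
+kubectl = "sudo k3s kubectl";
+};
+};
+}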
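Review bot: `kubectl = "sudo k3s kubectl";` turns every interactive kubectl call into a root command for any user with sudo, hiding the privilege escalation behind a familiar command name, and scripts or tools that invoke `kubectl` directly will not see the alias and behave differently. A least-privilege alternative is to drop the `sudo` and give wheel users a readable kubeconfig instead (k3s can write its kubeconfig with a group-readable mode, or a copy can live in `~/.kube/config`). If the alias stays, a comment such as `# runs as root: k3s keeps /etc/rancher/k3s/k3s.yaml readable only by root` records why. The `environment.systemPackages = with pkgs; [ bash ];` block is most likely redundant, since NixOS already ships bash in the system profile.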
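--- a/nixos/programs/nginx.nix
+++ b/nixos/programs/nginx.nix
@@ -0,0 +1,36 @@
+{ config, ... }:
+{
+services.nginx = {
+enable = true;
+recommendedTlsSettings = true;
+recommendedOptimisation = true;
+recommendedGzipSettings = true;
+recommendedProxySettings = true;
+
+commonHttpConfig = ''
+# Add HSTS header with preloading to HTTPS requests.
+# Adding this header to HTTP requests is discouraged
+map $scheme $hsts_header {
+https "max-age=31536000; includeSubdomains; preload";
+}
+add_header Strict-Transport-Security $hsts_header;
+
+# Minimize information leaked to other domains
+add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+# Disable embedding as a frame
+add_header Content-Security-Policy "frame-ancestors 'self' https://*.comfycamp.space;";
+
+# Prevent injection of code in other mime types (XSS Attacks)
+add_header X-Content-Type-Options nosniff;
+
+# Enable XSS protection of the browser.
+add_header X-XSS-Protection "1; mode=block";
+'';
+
+virtualHosts = {
+};
+};
+
+users.users.nginx.extraGroups = [ "acme" ];
+}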
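Review bot: The `add_header` lines in `commonHttpConfig` are inherited by a `server` or `location` block only when that block has no `add_header` of its own — nginx replaces the whole set rather than merging — so the first virtual host that adds even one header (a `Cache-Control`, say) silently loses HSTS, CSP and the rest. With `virtualHosts = { };` still empty this is not a defect yet, but a comment above the block should warn about it, e.g. `# NOTE: nginx add_header is not additive; any vhost/location that sets its own header must repeat all of these`. `X-XSS-Protection "1; mode=block"` is a legacy header that current browser guidance recommends setting to `0` or omitting, since the auditor it enables was itself a source of leaks, and `Referrer-Policy` would leak less as `strict-origin-when-cross-origin`. The `includeSubdomains; preload` HSTS value is a long-term commitment for every subdomain of whichever hosts serve it, which is worth confirming as intentional.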
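--- a/nixos/time.nix
+++ b/nixos/time.nix
@@ -0,0 +1,8 @@
+{ config, ... }:
+{
+# Часовой пояс
+time.timeZone = "Asia/Yekaterinburg";
+
+# Включить NTP.
+services.timesyncd.enable = true;
+}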
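--- a/nixos/users.nix
+++ b/nixos/users.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+# Define a user account. Don't forget to set a password with ‘passwd’.
+users.users.lumin = {
+isNormalUser = true;
+extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+packages = with pkgs; [];
+openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbC39+hMx+JsowHuhI7tQDaG907iVJIY84ztLxdt/2DgPRBVNNhf0k/I/oB7lrLLuMzJnAgEEjBYHbeQqkhjmOE8J+rowXnRBY6uOAK1v12bqwRwCk8nnb4neGiv+TeIQ8uAdySjh5G+mdPbHYTfzw9th24KEQ++oHL2YUZ4kD/C1E337OvJz969qUPQsCOx31Qqo2GTiubJ4Tx4pqo5oBpNQGM1fPbs1/h+K4HV3pgTpEFLIIDe+yvjPJoCibCAYyU0fUf7Ji8kJWQT92eH58fH+VL7epfAfsaSwiqmMVJU7ORVOPYkZdpdXF87rakEydgdIVcTcttuRjKWoO4EDMYq/b1M9t+fa2lCTA+7TIBlrvjQzGUwrXIdvwBCKRiupZF/Jkz+YH104+sxc1DwxGe+BWzGTuH89ArElGQGpPoh01O7rlzaY1GpecM+ljpd3ra8hE+eJ212rBLVnANZhf/9AYEwnw2cBSi9n1xhJ05VqCHUELPfgiwANP/hLCxLM= lumin@thinkpad" ];
+};
+
+users.users.maddy = {
+isNormalUser = true;
+extraGroups = [ "acme" ];
+};
+}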
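Review bot: `users.users.maddy` is declared with `isNormalUser = true;` and nothing else, while the readme says its UID and the `acme` GID are copied by hand into `maddy.deployment.yml` — yet neither ID is pinned here, so a fresh install may allocate different numbers and the deployment would silently point at the wrong owner. Pin both, `uid = <chosen uid>;` on the user and `users.groups.acme.gid = <chosen gid>;` (placeholders to be filled with the values currently in use), so the mapping is reproducible. Since the account exists only to own and read certificates, `isSystemUser = true; group = "acme";` fits better than a login-capable normal user, which gets a home directory and shell it never uses. A one-line comment above the block stating that purpose would keep the next reader from treating it as a human account.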
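--- a/readme.md
+++ b/readme.md
@@ -0,0 +1,20 @@
+# Nixos
+
+Настройки сервера.
+
+## Обновление системы
+
+```bash
+sudo nixos-rebuild --flake .#comfycamp switch
+```
+
+Перед установкой требуется заполнить файл /var/lib/secrets/certs.txt:
+```bash
+REGRU_USERNAME=xxx
+REGRU_PASSWORD=xxx
+```
+Он должен быть доступен пользователю `acme`.
+
+Нужно проверить ID пользователя `maddy` и ID группы `acme`,
+они используются сервисом `maddy` для доступа к сертификатам.
+При необходимости отредактировать `maddy.deployment.yml`.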