From 5d10dff0ad06c8a5fd38ea73c79a2de37b8ce92e Mon Sep 17 00:00:00 2001
From: Ivan Reshetnikov
Date: Thu, 17 Aug 2023 21:46:39 +0500
Subject: [PATCH] Initial commit

---
 .editorconfig | 5 +++
 flake.lock | 27 +++++++++++++++
 flake.nix | 27 +++++++++++++++
 nixos/configuration.nix | 44 +++++++++++++++++++++++++
 nixos/fail2ban.nix | 10 ++++++
 nixos/hardware-configuration.nix | 56 ++++++++++++++++++++++++++++++++
 nixos/networking.nix | 22 +++++++++++++
 nixos/programs/acme.nix | 30 +++++++++++++++++
 nixos/programs/bash.nix | 14 ++++++++
 nixos/programs/nginx.nix | 36 ++++++++++++++++++++
 nixos/time.nix | 8 +++++
 nixos/users.nix | 15 +++++++++
 readme.md | 20 ++++++++++++
 13 files changed, 314 insertions(+)
 create mode 100644 .editorconfig
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 nixos/configuration.nix
 create mode 100644 nixos/fail2ban.nix
 create mode 100644 nixos/hardware-configuration.nix
 create mode 100644 nixos/networking.nix
 create mode 100644 nixos/programs/acme.nix
 create mode 100644 nixos/programs/bash.nix
 create mode 100644 nixos/programs/nginx.nix
 create mode 100644 nixos/time.nix
 create mode 100644 nixos/users.nix
 create mode 100644 readme.md

diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..8ffd4a3
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,5 @@
+root = true
+
+[*.nix]
+indent_style = space
+indent_size = 2
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..867efcc
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1691592289,
+        "narHash": "sha256-Lqpw7lrXlLkYra33tp57ms8tZ0StWhbcl80vk4D90F8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "9034b46dc4c7596a87ab837bb8a07ef2d887e8c7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..8140bac
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,27 @@
+{
+  description = "flake for comfycamp.space";
+
+  inputs = {
+    nixpkgs = {
+      url = "github:NixOS/nixpkgs/nixos-23.05";
+    };
+  };
+
+  outputs = { self, nixpkgs }:
+    let
+      system = "x86_64-linux";
+      pkgs = import nixpkgs {
+        inherit system;
+      };
+      lib = nixpkgs.lib;
+    in {
+      nixosConfigurations = {
+        comfycamp = lib.nixosSystem {
+          inherit system;
+          modules = [
+            ./nixos/configuration.nix
+          ];
+        };
+      };
+    };
+}
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
new file mode 100644
index 0000000..b819d7d
--- /dev/null
+++ b/nixos/configuration.nix
@@ -0,0 +1,44 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./networking.nix
+    ./users.nix
+    ./fail2ban.nix
+    ./time.nix
+    ./programs/nginx.nix
+    ./programs/bash.nix
+    ./programs/acme.nix
+  ];
+
+  # Enable flakes
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    wget
+    curl
+    neovim
+    htop
+    git
+    rsync
+    imagemagick
+    dig
+    iptables
+    cryptsetup
+    ffmpeg
+  ];
+
+  # Enable the OpenSSH daemon.
+  services.openssh = {
+    enable = true;
+    settings.PasswordAuthentication = false;
+  };
+
+  system.stateVersion = "22.11";
+}
diff --git a/nixos/fail2ban.nix b/nixos/fail2ban.nix
new file mode 100644
index 0000000..a0e19e6
--- /dev/null
+++ b/nixos/fail2ban.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+  services.fail2ban = {
+    enable = false;
+    maxretry = 5;
+    ignoreIP = [
+      "192.168.88.0/24"
+    ];
+  };
+}
diff --git a/nixos/hardware-configuration.nix b/nixos/hardware-configuration.nix
new file mode 100644
index 0000000..1455cd7
--- /dev/null
+++ b/nixos/hardware-configuration.nix
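Review bot: `pkgs = import nixpkgs { inherit system; };` in the `let` of `outputs` is bound but never used; only `system` and `lib` reach `lib.nixosSystem`, so the binding evaluates nixpkgs a second time for nothing and reads as an unfinished intent. Either drop the two `pkgs` lines or, if modules are meant to receive a pre-configured package set, pass it through explicitly instead of leaving it dangling here.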
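Review bot: `settings.PasswordAuthentication = false` on its own does not make sshd key-only on NixOS 23.05, because `settings.KbdInteractiveAuthentication` still defaults to true and sshd then accepts passwords through PAM's keyboard-interactive method. Add `settings.KbdInteractiveAuthentication = false;` next to it; `lumin` in users.nix already has an authorized key, so key-only access is what this block evidently intends. A comment such as `# Key-only logins: both password and keyboard-interactive must be off` would stop the second switch from being dropped again later.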
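Review bot: `enable = false` makes the whole `services.fail2ban` block inert, so `maxretry` and `ignoreIP` have no effect while sshd from configuration.nix is reachable, and nothing records why the jail is off or when it should come back. Add a comment above it, e.g. `# Disabled: <reason>; enable together with the firewall in networking.nix`. Also worth confirming: `ignoreIP` whitelists `192.168.88.0/24`, while networking.nix uses gateway `192.168.0.1`, which suggests the host sits on a different /24 — if so the whitelist protects no one.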
@@ -0,0 +1,56 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ "usb_storage" ];
+  boot.initrd.luks.devices = {
+    hdd = {
+      device = "/dev/disk/by-uuid/157d0eca-01bf-4dfc-88ff-12eb1e1aff69";
+      keyFileSize = 4096;
+      keyFile = "/dev/disk/by-id/usb-General_UDisk_2111031038384184595311-0:0";
+    };
+    ssd = {
+      device = "/dev/disk/by-uuid/d13d7d84-5fa2-4b0f-abcc-5834c75b4cb6";
+      keyFileSize = 4096;
+      keyFile = "/dev/disk/by-id/usb-General_UDisk_2111031038384184595311-0:0";
+    };
+  };
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/a4660ab9-09b8-45c2-a3fd-5f46300df9ff";
+      fsType = "btrfs";
+      options = [ "compress=zstd" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/D70C-F6A7";
+      fsType = "vfat";
+    };
+
+  fileSystems."/hdd" =
+    { device = "/dev/disk/by-uuid/24388265-a28d-4876-bc15-ad753de1ea2b";
+      fsType = "btrfs";
+      options = [ "compress=zstd" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
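Review bot: The file keeps the `nixos-generate-config` banner ("Do not modify this file!") yet the `boot.initrd.luks.devices` block with its `keyFile`/`keyFileSize` settings is hand-written, so a future `nixos-generate-config` run would silently drop the USB-keyfile unlock and the `hdd`/`ssd` volumes would no longer open at boot. Move `boot.initrd.luks.devices` and the `boot.initrd.kernelModules = [ "usb_storage" ];` line it depends on into a separate module imported from configuration.nix, leaving only generated content here. Wherever the block lands, a comment should state what happens when the stick is absent, e.g. `# Key = first 4096 bytes of the USB stick; fallbackToPassword is not set — confirm the boot behaviour without it`, since nothing in the file documents that today.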
diff --git a/nixos/networking.nix b/nixos/networking.nix
new file mode 100644
index 0000000..d552f5a
--- /dev/null
+++ b/nixos/networking.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+{
+  networking = {
+    hostName = "comfycamp";
+
+    dhcpcd.enable = true;
+    defaultGateway = "192.168.0.1";
+    nameservers = [ "1.1.1.1" ];
+
+    firewall = {
+      # TODO: enable me
+      enable = false;
+      allowedTCPPorts = [ 22 80 443 1900 7359 30000 30025 30465 30993 ];
+      allowedUDPPorts = [ 30000 1900 7359 ];
+
+      # Kubernetes
+      trustedInterfaces = [ "lo" "flannel.1" "cni0" ];
+    };
+
+    wireless.enable = false;
+  };
+}
diff --git a/nixos/programs/acme.nix b/nixos/programs/acme.nix
new file mode 100644
index 0000000..a47f144
--- /dev/null
+++ b/nixos/programs/acme.nix
@@ -0,0 +1,30 @@
+{ config, ... }:
+{
+  # Настройки сервиса для получения wildcard сертификатов.
+
+  # В /var/lib/secrets/certs.txt находится логин и пароль от reg.ru.
+  # REGRU_USERNAME=xxx
+  # REGRU_PASSWORD=xxx
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "ordinarydev@protonmail.com";
+
+    certs = {
+      "comfycamp.space" = {
+        dnsProvider = "regru";
+        domain = "comfycamp.space";
+        extraDomainNames = [ "*.comfycamp.space" ];
+        dnsPropagationCheck = true;
+        credentialsFile = "/var/lib/secrets/certs.txt";
+      };
+      "0ch.space" = {
+        dnsProvider = "regru";
+        domain = "0ch.space";
+        extraDomainNames = [ "*.0ch.space" ];
+        dnsPropagationCheck = true;
+        credentialsFile = "/var/lib/secrets/certs.txt";
+      };
+    };
+  };
+}
diff --git a/nixos/programs/bash.nix b/nixos/programs/bash.nix
new file mode 100644
index 0000000..618d6bd
--- /dev/null
+++ b/nixos/programs/bash.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    bash
+  ];
+  programs.bash = {
+    shellAliases = {
+      ll = "ls -l";
+      vi = "nvim";
+      vim = "nvim";
+      kubectl = "sudo k3s kubectl";
+    };
+  };
+}
diff --git a/nixos/programs/nginx.nix b/nixos/programs/nginx.nix
new file mode 100644
index 0000000..b2d2f85
--- /dev/null
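Review bot: With `firewall.enable = false` the `allowedTCPPorts`, `allowedUDPPorts` and `trustedInterfaces` lists beneath it are never applied, so every listening service is reachable regardless of the list, and `# TODO: enable me` gives no condition for flipping it. Even while disabled, the allow-list needs a comment naming the service behind each non-obvious port, e.g. `# 1900/7359: <service>; 30000-30993: <service>` (filled in from the host), because 30025/30465/30993 look like SMTP/submission/IMAPS offsets and a later reader cannot tell which entries are still needed. Also `dhcpcd.enable = true` together with a static `defaultGateway` and `nameservers` is a mixed setup — dhcpcd will also receive a gateway and DNS from the lease — so confirm which is meant to win or give the interface a static address instead.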
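Review bot: `credentialsFile = "/var/lib/secrets/certs.txt"` holds the registrar login and password in plaintext per the comment above it, but nothing here states the required ownership and mode, and the readme says the file must be readable by the `acme` user while nginx.nix and users.nix add `nginx` and `maddy` to the `acme` group — if the file is group-readable those accounts inherit DNS-API credentials that can issue certificates for every subdomain. I believe the NixOS module hands this path to the cert unit as an EnvironmentFile, which systemd reads before dropping privileges, so root-only may already suffice; confirm and record it next to the path, e.g. `# Must be 0400 root:root (or readable only by the acme user), never group-readable`. The two cert blocks are identical except for the domain, so a `let mkCert = domain: { ... }` helper would keep the path and options in one place; the Russian comments should also be in English to match the rest of the tree.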
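Review bot: `kubectl = "sudo k3s kubectl"` turns every kubectl invocation into a root command, and because `programs.bash.shellAliases` is system-wide it also applies to `maddy` (users.nix), who is not in `wheel` and will only get a sudo prompt. Nothing in this commit enables `services.k3s`, so the alias currently points at a binary that is not installed either; add `# requires services.k3s (not enabled yet)` or drop it until k3s lands. Prefer making the kubeconfig readable by the admin account (k3s supports `--write-kubeconfig-mode`) and keeping the alias without `sudo`. `bash` in `environment.systemPackages` is redundant on NixOS, which already provides it as the system shell.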
+++ b/nixos/programs/nginx.nix
@@ -0,0 +1,36 @@
+{ config, ... }:
+{
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+        https "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header Content-Security-Policy "frame-ancestors 'self' https://*.comfycamp.space;";
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      add_header X-XSS-Protection "1; mode=block";
+    '';
+
+    virtualHosts = {
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+}
diff --git a/nixos/time.nix b/nixos/time.nix
new file mode 100644
index 0000000..4c15d6c
--- /dev/null
+++ b/nixos/time.nix
@@ -0,0 +1,8 @@
+{ config, ... }:
+{
+  # Часовой пояс
+  time.timeZone = "Asia/Yekaterinburg";
+
+  # Включить NTP.
+  services.timesyncd.enable = true;
+}
diff --git a/nixos/users.nix b/nixos/users.nix
new file mode 100644
index 0000000..0bce235
--- /dev/null
+++ b/nixos/users.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.lumin = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    packages = with pkgs; [];
+    openssh.authorizedKeys.keys = [ "ssh-rsa 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 lumin@thinkpad" ];
+  };
+
+  users.users.maddy = {
+    isNormalUser = true;
+    extraGroups = [ "acme" ];
+  };
+}
diff --git a/readme.md b/readme.md
new file mode 100644
index 0000000..b2c70fe
--- /dev/null
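Review bot: `add_header X-XSS-Protection "1; mode=block"` enables a browser filter that current browsers have removed and that, where it still exists, has itself been a source of information leaks; current guidance is `add_header X-XSS-Protection "0";` or omitting the header and relying on a real Content-Security-Policy (the CSP here only sets `frame-ancestors`). Separately, nginx `add_header` is inherited only when the current level has no `add_header` of its own, so any future `virtualHosts` entry or location that adds a single header silently loses all of these http-level ones; record that with `# NOTE: an add_header in any server/location block replaces ALL of these — re-add them there` or move the set into a snippet included per vhost. The `virtualHosts = { };` placeholder could carry a one-line comment saying where the hosts are expected to come from.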
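Review bot: The readme states that `maddy`'s UID and the `acme` GID are consumed by an external deployment (`maddy.deployment.yml`), yet neither is pinned here, so they are allocated dynamically and can change when accounts are added or the host is reinstalled, silently breaking the container's access to the certificates. Pin them with `users.users.maddy.uid = <UID>;` and `users.groups.acme.gid = <GID>;` using the values the host currently has. Membership of `maddy` in `acme` also grants read access to the private keys of both wildcard certificates from acme.nix; a comment such as `# maddy (mail) reads the wildcard cert/key via the acme group` should record that this is intended. `packages = with pkgs; [];` is a no-op and can be dropped.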
+++ b/readme.md
@@ -0,0 +1,20 @@
+# Nixos
+
+Настройки сервера.
+
+## Обновление системы
+
+```bash
+sudo nixos-rebuild --flake .#comfycamp switch
+```
+
+Перед установкой требуется заполнить файл /var/lib/secrets/certs.txt:
+```bash
+REGRU_USERNAME=xxx
+REGRU_PASSWORD=xxx
+```
+Он должен быть доступен пользователю `acme`.
+
+Нужно проверить ID пользователя `maddy` и ID группы `acme`,
+они используются сервисом `maddy` для доступа к сертификатам.
+При необходимости отредактировать `maddy.deployment.yml`.