Initial commit
commit
5d10dff0ad
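--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,5 @@
+root = true
+
+[*.nix]
+indent_style = space
+indent_size = 2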
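--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+"nodes": {
+"nixpkgs": {
+"locked": {
+"lastModified": 1691592289,
+"narHash": "sha256-Lqpw7lrXlLkYra33tp57ms8tZ0StWhbcl80vk4D90F8=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "9034b46dc4c7596a87ab837bb8a07ef2d887e8c7",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-23.05",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"nixpkgs": "nixpkgs"
+}
+}
+},
+"root": "root",
+"version": 7
+}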
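--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,27 @@
+{
+description = "flake for comfycamp.space";
+
+inputs = {
+nixpkgs = {
+url = "github:NixOS/nixpkgs/nixos-23.05";
+};
+};
+
+outputs = { self, nixpkgs }:
+let
+system = "x86_64-linux";
+pkgs = import nixpkgs {
+inherit system;
+};
+lib = nixpkgs.lib;
+in {
+nixosConfigurations = {
+comfycamp = lib.nixosSystem {
+inherit system;
+modules = [
+./nixos/configuration.nix
+];
+};
+};
+};
+}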
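Review bot: The `pkgs = import nixpkgs { inherit system; }` binding in the `let` is never used — `lib.nixosSystem` instantiates its own nixpkgs for the configuration, so this is a dead import that could later be mistaken for the system's `pkgs` and carry a different overlay/config set. Either drop it, or pass it on purpose via `specialArgs` and add a one-line comment saying which `pkgs` modules are expected to see. `self` is likewise unused in the outputs.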
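--- /dev/null
+++ b/nixos/configuration.nix
@@ -0,0 +1,44 @@
+{ config, pkgs, ... }:
+{
+imports = [
+./hardware-configuration.nix
+./networking.nix
+./users.nix
+./fail2ban.nix
+./time.nix
+./programs/nginx.nix
+./programs/bash.nix
+./programs/acme.nix
+];
+
+# Enable flakes
+nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+# Use the systemd-boot EFI boot loader.
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+
+# List packages installed in system profile. To search, run:
+# $ nix search wget
+environment.systemPackages = with pkgs; [
+wget
+curl
+neovim
+htop
+git
+rsync
+imagemagick
+dig
+iptables
+cryptsetup
+ffmpeg
+];
+
+# Enable the OpenSSH daemon.
+services.openssh = {
+enable = true;
+settings.PasswordAuthentication = false;
+};
+
+system.stateVersion = "22.11";
+}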
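Review bot: `settings.PasswordAuthentication = false;` alone does not stop password logins on this release: as of NixOS 23.05 the sshd module defaults `KbdInteractiveAuthentication` to true, so a client can still be prompted for the account password through PAM keyboard-interactive. Add `settings.KbdInteractiveAuthentication = false;` right below it, and make the root policy explicit with `settings.PermitRootLogin = "no";` (the module default is `prohibit-password`, which is fine but worth stating on an internet-facing host). users.nix only provisions an SSH key, so nothing in this repo depends on password authentication.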
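--- /dev/null
+++ b/nixos/fail2ban.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+services.fail2ban = {
+enable = false;
+maxretry = 5;
+ignoreIP = [
+"192.168.88.0/24"
+];
+};
+}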
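Review bot: `enable = false;` means `maxretry` and `ignoreIP` have no effect and sshd/nginx get no brute-force protection, while nothing explains why the service is declared but off. If it is meant to stay disabled, add a comment saying so; otherwise set `enable = true;` — I believe the NixOS module applies bans through the host firewall, which networking.nix also leaves disabled, so the two should be turned on together. Also confirm the whitelist: `ignoreIP` exempts `192.168.88.0/24`, but networking.nix configures the gateway `192.168.0.1`, which suggests a different LAN.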
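--- /dev/null
+++ b/nixos/hardware-configuration.nix
@@ -0,0 +1,56 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/installer/scan/not-detected.nix")
+];
+
+boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+boot.initrd.kernelModules = [ "usb_storage" ];
+boot.initrd.luks.devices = {
+hdd = {
+device = "/dev/disk/by-uuid/157d0eca-01bf-4dfc-88ff-12eb1e1aff69";
+keyFileSize = 4096;
+keyFile = "/dev/disk/by-id/usb-General_UDisk_2111031038384184595311-0:0";
+};
+ssd = {
+device = "/dev/disk/by-uuid/d13d7d84-5fa2-4b0f-abcc-5834c75b4cb6";
+keyFileSize = 4096;
+keyFile = "/dev/disk/by-id/usb-General_UDisk_2111031038384184595311-0:0";
+};
+};
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "/dev/disk/by-uuid/a4660ab9-09b8-45c2-a3fd-5f46300df9ff";
+fsType = "btrfs";
+options = [ "compress=zstd" ];
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/D70C-F6A7";
+fsType = "vfat";
+};
+
+fileSystems."/hdd" =
+{ device = "/dev/disk/by-uuid/24388265-a28d-4876-bc15-ad753de1ea2b";
+fsType = "btrfs";
+options = [ "compress=zstd" ];
+};
+
+swapDevices = [ ];
+
+# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+# (the default) this is the recommended approach. When using systemd-networkd it's
+# still possible to use this option, but it's recommended to use it in conjunction
+# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+networking.useDHCP = lib.mkDefault true;
+# networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}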
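Review bot: The hand-written `boot.initrd.luks.devices` block (hdd/ssd with `keyFile`) lives in a file whose own header says it is regenerated by `nixos-generate-config`; a future regeneration would silently drop the keyfile entries and the initrd would stop unlocking the disks. Move that block into configuration.nix, which the header points at. On the key itself: it is the raw first 4096 bytes of an unencrypted USB stick, so anyone with physical access while the stick is inserted can copy it, and with the module's default `fallbackToPassword = false` a missing or failed stick leaves the machine stuck at boot — consider `fallbackToPassword = true;` on both entries and a comment stating that the stick is the only key. The disk UUIDs and USB serial are now public in a mirrored repo; not secrets by themselves, but they identify exactly which device to image.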
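--- /dev/null
+++ b/nixos/networking.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+{
+networking = {
+hostName = "comfycamp";
+
+dhcpcd.enable = true;
+defaultGateway = "192.168.0.1";
+nameservers = [ "1.1.1.1" ];
+
+firewall = {
+# TODO: enable me
+enable = false;
+allowedTCPPorts = [ 22 80 443 1900 7359 30000 30025 30465 30993 ];
+allowedUDPPorts = [ 30000 1900 7359 ];
+
+# Kubernetes
+trustedInterfaces = [ "lo" "flannel.1" "cni0" ];
+};
+
+wireless.enable = false;
+};
+}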
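Review bot: `enable = false;` under `firewall` leaves every listening socket on this host reachable, not just the nine listed ports — sshd and nginx from configuration.nix, plus whatever k3s exposes if the `# Kubernetes` trustedInterfaces entry reflects a running cluster. The allow-lists are already written, so `enable = true;` is the whole change; the `# TODO: enable me` should not ship on an internet-facing box. Before enabling, re-check the list: `1900`/`7359` look like SSDP/discovery ports that rarely need to be open beyond the LAN, `30000`–`30993` look like NodePort-range services (the 30025/30465/30993 values resemble SMTP/submission/IMAPS), and `trustedInterfaces = [ "flannel.1" "cni0" ]` gives every pod unfiltered access to the host's services.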
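--- /dev/null
+++ b/nixos/programs/acme.nix
@@ -0,0 +1,30 @@
+{ config, ... }:
+{
+# Настройки сервиса для получения wildcard сертификатов.
+
+# В /var/lib/secrets/certs.txt находится логин и пароль от reg.ru.
+# REGRU_USERNAME=xxx
+# REGRU_PASSWORD=xxx
+
+security.acme = {
+acceptTerms = true;
+defaults.email = "ordinarydev@protonmail.com";
+
+certs = {
+"comfycamp.space" = {
+dnsProvider = "regru";
+domain = "comfycamp.space";
+extraDomainNames = [ "*.comfycamp.space" ];
+dnsPropagationCheck = true;
+credentialsFile = "/var/lib/secrets/certs.txt";
+};
+"0ch.space" = {
+dnsProvider = "regru";
+domain = "0ch.space";
+extraDomainNames = [ "*.0ch.space" ];
+dnsPropagationCheck = true;
+credentialsFile = "/var/lib/secrets/certs.txt";
+};
+};
+};
+}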
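Review bot: `credentialsFile = "/var/lib/secrets/certs.txt"` holds, per the comment, the reg.ru account login and password — full registrar/DNS control over both zones, not a scoped token — so anyone who compromises the `acme` user or reads that file can issue certificates for any name under either domain or repoint mail and web records. Nothing here pins the file's ownership or mode; state it in the comment, e.g. `# Registrar credentials for the DNS-01 challenge. Must be owned by acme, mode 0400, in a root-owned directory.`, and use a scoped API token instead of the account password if the provider offers one (I cannot tell from here whether lego's regru provider accepts anything other than username/password). Minor: the comments are in Russian while the rest of the repo's comments are English.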
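--- /dev/null
+++ b/nixos/programs/bash.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+{
+environment.systemPackages = with pkgs; [
+bash
+];
+programs.bash = {
+shellAliases = {
+ll = "ls -l";
+vi = "nvim";
+vim = "nvim";
+kubectl = "sudo k3s kubectl";
+};
+};
+}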
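Review bot: `kubectl = "sudo k3s kubectl";` runs every cluster command as root and only exists in interactive bash shells — scripts, cron jobs and non-bash users get an unaliased `kubectl`, and `k3s` itself is not in `environment.systemPackages` here, so I assume it is installed elsewhere. If k3s is on this host, a less privileged setup is to have it write a group-readable kubeconfig (k3s has a `--write-kubeconfig-mode` flag) and export `KUBECONFIG` for the admin user, then drop `sudo` from the alias. `bash` in `systemPackages` is redundant on NixOS, where it is already the default shell.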
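--- /dev/null
+++ b/nixos/programs/nginx.nix
@@ -0,0 +1,36 @@
+{ config, ... }:
+{
+services.nginx = {
+enable = true;
+recommendedTlsSettings = true;
+recommendedOptimisation = true;
+recommendedGzipSettings = true;
+recommendedProxySettings = true;
+
+commonHttpConfig = ''
+# Add HSTS header with preloading to HTTPS requests.
+# Adding this header to HTTP requests is discouraged
+map $scheme $hsts_header {
+https "max-age=31536000; includeSubdomains; preload";
+}
+add_header Strict-Transport-Security $hsts_header;
+
+# Minimize information leaked to other domains
+add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+# Disable embedding as a frame
+add_header Content-Security-Policy "frame-ancestors 'self' https://*.comfycamp.space;";
+
+# Prevent injection of code in other mime types (XSS Attacks)
+add_header X-Content-Type-Options nosniff;
+
+# Enable XSS protection of the browser.
+add_header X-XSS-Protection "1; mode=block";
+'';
+
+virtualHosts = {
+};
+};
+
+users.users.nginx.extraGroups = [ "acme" ];
+}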
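Review bot: The `add_header` lines in `commonHttpConfig` are inherited only by server/location blocks that declare no `add_header` of their own — nginx replaces the whole inherited set, not individual headers — so any future vhost that adds a single header silently loses HSTS, CSP and nosniff; add a warning above the block, e.g. `# NOTE: a server/location with its own add_header drops ALL of these; repeat them there.`. `X-XSS-Protection "1; mode=block"` is deprecated and ignored by current browsers, and the filter it enabled was itself a source of leaks in older ones; current guidance is `add_header X-XSS-Protection "0";` or dropping the line. The comment `# Disable embedding as a frame` is inaccurate, since the policy permits framing by `'self'` and `https://*.comfycamp.space`. `users.users.nginx.extraGroups = [ "acme" ];` gives nginx read access to every certificate's private key, including 0ch.space; `security.acme.certs.<name>.group = "nginx"` scopes that per certificate.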
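--- /dev/null
+++ b/nixos/time.nix
@@ -0,0 +1,8 @@
+{ config, ... }:
+{
+# Часовой пояс
+time.timeZone = "Asia/Yekaterinburg";
+
+# Включить NTP.
+services.timesyncd.enable = true;
+}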
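--- /dev/null
+++ b/nixos/users.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+# Define a user account. Don't forget to set a password with ‘passwd’.
+users.users.lumin = {
+isNormalUser = true;
+extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+packages = with pkgs; [];
+openssh.authorizedKeys.keys = [ "ssh-rsa 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 lumin@thinkpad" ];
+};
+
+users.users.maddy = {
+isNormalUser = true;
+extraGroups = [ "acme" ];
+};
+}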
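Review bot: `lumin` is in `wheel` but has no declarative password — the comment defers to `passwd` — so the only thing sudo on this host depends on is imperative state that a rebuild from this repo will not reproduce, and a fresh deploy leaves a key-only admin who cannot elevate. Since sshd already has password authentication off, point the account at a hash kept outside the repo (`passwordFile` on 23.05, `hashedPasswordFile` on later releases) or set `security.sudo.wheelNeedsPassword = false;` with a comment explaining why. `maddy` gets the `acme` group, i.e. read access to the private keys of every certificate on the host for what the readme suggests is a container workload; a per-certificate `group` on the `security.acme.certs` entries it actually needs would be narrower. The RSA key works, but a new `ssh-ed25519` key is the usual recommendation today.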
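--- /dev/null
+++ b/readme.md
@@ -0,0 +1,20 @@
+# Nixos
+
+Настройки сервера.
+
+## Обновление системы
+
+```bash
+sudo nixos-rebuild --flake .#comfycamp switch
+```
+
+Перед установкой требуется заполнить файл /var/lib/secrets/certs.txt:
+```bash
+REGRU_USERNAME=xxx
+REGRU_PASSWORD=xxx
+```
+Он должен быть доступен пользователю `acme`.
+
+Нужно проверить ID пользователя `maddy` и ID группы `acme`,
+они используются сервисом `maddy` для доступа к сертификатам.
+При необходимости отредактировать `maddy.deployment.yml`.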