Initial commit

2024-09-19 19:30:28 +05:00 · 2023-08-17 21:46:39 +05:00 · 2023-08-17 21:46:39 +05:00 · 5d10dff0ad
commit 5d10dff0ad
13 changed files with 314 additions and 0 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,5 @@
+root = true
+
+[*.nix]
+indent_style = space
+indent_size = 2
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1691592289,
+        "narHash": "sha256-Lqpw7lrXlLkYra33tp57ms8tZ0StWhbcl80vk4D90F8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "9034b46dc4c7596a87ab837bb8a07ef2d887e8c7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,27 @@
+{
+  description = "flake for comfycamp.space";
+
+  inputs = {
+    nixpkgs = {
+      url = "github:NixOS/nixpkgs/nixos-23.05";
+    };
+  };
+
+  outputs = { self, nixpkgs }:
+  let
+    system = "x86_64-linux";
+    pkgs = import nixpkgs {
+      inherit system;
+    };
+    lib = nixpkgs.lib;
+  in {
+    nixosConfigurations = {
+      comfycamp = lib.nixosSystem {
+        inherit system;
+        modules = [
+          ./nixos/configuration.nix
+        ];
+      };
+    };
+  };
+}
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@ -0,0 +1,44 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./networking.nix
+    ./users.nix
+    ./fail2ban.nix
+    ./time.nix
+    ./programs/nginx.nix
+    ./programs/bash.nix
+    ./programs/acme.nix
+  ];
+
+  # Enable flakes
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    wget
+    curl
+    neovim
+    htop
+    git
+    rsync
+    imagemagick
+    dig
+    iptables
+    cryptsetup
+    ffmpeg
+  ];
+
+  # Enable the OpenSSH daemon.
+  services.openssh = {
+    enable = true;
+    settings.PasswordAuthentication = false;
+  };
+
+  system.stateVersion = "22.11";
+}
--- a/nixos/fail2ban.nix
+++ b/nixos/fail2ban.nix
@ -0,0 +1,10 @@
+{ config, ... }:
+{
+  services.fail2ban = {
+    enable = false;
+    maxretry = 5;
+    ignoreIP = [
+      "192.168.88.0/24"
+    ];
+  };
+}
--- a/nixos/hardware-configuration.nix
+++ b/nixos/hardware-configuration.nix
@ -0,0 +1,56 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ "usb_storage" ];
+  boot.initrd.luks.devices = {
+    hdd = {
+      device = "/dev/disk/by-uuid/157d0eca-01bf-4dfc-88ff-12eb1e1aff69";
+      keyFileSize = 4096;
+      keyFile = "/dev/disk/by-id/usb-General_UDisk_2111031038384184595311-0:0";
+    };
+    ssd = {
+      device = "/dev/disk/by-uuid/d13d7d84-5fa2-4b0f-abcc-5834c75b4cb6";
+      keyFileSize = 4096;
+      keyFile = "/dev/disk/by-id/usb-General_UDisk_2111031038384184595311-0:0";
+    };
+  };
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/a4660ab9-09b8-45c2-a3fd-5f46300df9ff";
+      fsType = "btrfs";
+      options = [ "compress=zstd" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/D70C-F6A7";
+      fsType = "vfat";
+    };
+
+  fileSystems."/hdd" =
+    { device = "/dev/disk/by-uuid/24388265-a28d-4876-bc15-ad753de1ea2b";
+      fsType = "btrfs";
+      options = [ "compress=zstd" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/nixos/networking.nix
+++ b/nixos/networking.nix
@ -0,0 +1,22 @@
+{ config, ... }:
+{
+  networking = {
+    hostName = "comfycamp";
+
+    dhcpcd.enable = true;
+    defaultGateway = "192.168.0.1";
+    nameservers = [ "1.1.1.1" ];
+
+    firewall = {
+      # TODO: enable me
+      enable = false;
+      allowedTCPPorts = [ 22 80 443 1900 7359 30000 30025 30465 30993 ];
+      allowedUDPPorts = [ 30000 1900 7359 ];
+
+      # Kubernetes
+      trustedInterfaces = [ "lo" "flannel.1" "cni0" ];
+    };
+
+    wireless.enable = false;
+  };
+}
--- a/nixos/programs/acme.nix
+++ b/nixos/programs/acme.nix
@ -0,0 +1,30 @@
+{ config, ... }:
+{
+  # Настройки сервиса для получения wildcard сертификатов.
+
+  # В /var/lib/secrets/certs.txt находится логин и пароль от reg.ru.
+  # REGRU_USERNAME=xxx
+  # REGRU_PASSWORD=xxx
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "ordinarydev@protonmail.com";
+
+    certs = {
+      "comfycamp.space" = {
+        dnsProvider = "regru";
+        domain = "comfycamp.space";
+        extraDomainNames = [ "*.comfycamp.space" ];
+        dnsPropagationCheck = true;
+        credentialsFile = "/var/lib/secrets/certs.txt";
+      };
+      "0ch.space" = {
+        dnsProvider = "regru";
+        domain = "0ch.space";
+        extraDomainNames = [ "*.0ch.space" ];
+        dnsPropagationCheck = true;
+        credentialsFile = "/var/lib/secrets/certs.txt";
+      };
+    };
+  };
+}
--- a/nixos/programs/bash.nix
+++ b/nixos/programs/bash.nix
@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    bash
+  ];
+  programs.bash = {
+    shellAliases = {
+      ll = "ls -l";
+      vi = "nvim";
+      vim = "nvim";
+      kubectl = "sudo k3s kubectl";
+    };
+  };
+}
--- a/nixos/programs/nginx.nix
+++ b/nixos/programs/nginx.nix
@ -0,0 +1,36 @@
+{ config, ... }:
+{
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header Content-Security-Policy "frame-ancestors 'self' https://*.comfycamp.space;";
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      add_header X-XSS-Protection "1; mode=block";
+    '';
+
+    virtualHosts = {
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];  
+}
--- a/nixos/time.nix
+++ b/nixos/time.nix
@ -0,0 +1,8 @@
+{ config, ... }:
+{
+  # Часовой пояс
+  time.timeZone = "Asia/Yekaterinburg";
+
+  # Включить NTP.
+  services.timesyncd.enable = true;
+}
--- a/nixos/users.nix
+++ b/nixos/users.nix
@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.lumin = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    packages = with pkgs; [];
+    openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbC39+hMx+JsowHuhI7tQDaG907iVJIY84ztLxdt/2DgPRBVNNhf0k/I/oB7lrLLuMzJnAgEEjBYHbeQqkhjmOE8J+rowXnRBY6uOAK1v12bqwRwCk8nnb4neGiv+TeIQ8uAdySjh5G+mdPbHYTfzw9th24KEQ++oHL2YUZ4kD/C1E337OvJz969qUPQsCOx31Qqo2GTiubJ4Tx4pqo5oBpNQGM1fPbs1/h+K4HV3pgTpEFLIIDe+yvjPJoCibCAYyU0fUf7Ji8kJWQT92eH58fH+VL7epfAfsaSwiqmMVJU7ORVOPYkZdpdXF87rakEydgdIVcTcttuRjKWoO4EDMYq/b1M9t+fa2lCTA+7TIBlrvjQzGUwrXIdvwBCKRiupZF/Jkz+YH104+sxc1DwxGe+BWzGTuH89ArElGQGpPoh01O7rlzaY1GpecM+ljpd3ra8hE+eJ212rBLVnANZhf/9AYEwnw2cBSi9n1xhJ05VqCHUELPfgiwANP/hLCxLM= lumin@thinkpad" ];
+  };
+
+  users.users.maddy = {
+    isNormalUser = true;
+    extraGroups = [ "acme" ];
+  };
+}
--- a/readme.md
+++ b/readme.md
@ -0,0 +1,20 @@
+# Nixos
+
+Настройки сервера.
+
+## Обновление системы
+
+```bash
+sudo nixos-rebuild --flake .#comfycamp switch
+```
+
+Перед установкой требуется заполнить файл /var/lib/secrets/certs.txt:
+```bash
+REGRU_USERNAME=xxx
+REGRU_PASSWORD=xxx
+```
+Он должен быть доступен пользователю `acme`.
+
+Нужно проверить ID пользователя `maddy` и ID группы `acme`,
+они используются сервисом `maddy` для доступа к сертификатам.
+При необходимости отредактировать `maddy.deployment.yml`.