reconfigure photon

This commit is contained in:
Dennis Wuitz 2023-12-27 10:03:13 +01:00
parent b6c85d89dd
commit 78e428f3f3
10 changed files with 325 additions and 115 deletions


@ -6,7 +6,7 @@ keys:
# Generate AGE keys from SSH keys with: # Generate AGE keys from SSH keys with:
# nix-shell -p ssh-to-age --run 'ssh some.ssh.wavelens.io cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age' # nix-shell -p ssh-to-age --run 'ssh some.ssh.wavelens.io cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej - &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
- &photon age1rjlc6vwnz2lcrpshtd9rldlxels6l2utwmnmf3prus8drfefeywq5ljrdg - &photon age13aqs2mx66dmnyd74sygnwavufv6a4pwnvcqj4ud4l94jk0tjgu6ss57slw
# update keys by executing: sops updatekeys secrets.yaml # update keys by executing: sops updatekeys secrets.yaml
creation_rules: creation_rules:
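Review bot: Swapping the photon recipient at `- &photon age13aqs2mx…` only re-wraps the existing sops data key for the new host key; secrets.yaml in this same commit keeps its `mac:` and `lastmodified:` values, which is consistent with `sops updatekeys` leaving the data key and plaintext untouched. Every earlier revision of secrets.yaml in git history therefore stays decryptable with the old photon key, and so does the current one for anyone who holds it. If the old key was exposed rather than simply regenerated on a reinstall, run `sops rotate -i secrets.yaml` so a fresh data key is generated, and rotate the secret values themselves. A one-line comment next to the entry recording why the key changed (reinstall vs. compromise) would let the next reader judge which case applies.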


@ -30,13 +30,16 @@
src = builtins.filterSource (path: type: type == "directory" || lib.hasSuffix ".nix" (baseNameOf path)) ./.; src = builtins.filterSource (path: type: type == "directory" || lib.hasSuffix ".nix" (baseNameOf path)) ./.;
ls = dir: lib.attrNames (builtins.readDir (src + "/${dir}")); ls = dir: lib.attrNames (builtins.readDir (src + "/${dir}"));
fileList = dir: map (file: ./. + "/${dir}/${file}") (ls dir); fileList = dir: map (file: ./. + "/${dir}/${file}") (ls dir);
in { in
nixosConfigurations = let {
constructSystem = { nixosConfigurations =
hostname, let
system ? "x86_64-linux", constructSystem =
modules ? [], { hostname
users ? ["dennis"], , system ? "x86_64-linux"
, modules ? [ ]
, users ? [ "dennis" ]
,
}: lib.nixosSystem { }: lib.nixosSystem {
inherit system; inherit system;
@ -50,7 +53,8 @@
./systems/${hostname}/configuration.nix ./systems/${hostname}/configuration.nix
{ config.networking.hostName = "${hostname}"; } { config.networking.hostName = "${hostname}"; }
] ++ modules ++ fileList "modules" ] ++ modules ++ fileList "modules"
++ map(user: { config, lib, pkgs, ... }@args: { ++ map
(user: { config, lib, pkgs, ... }@args: {
users.users.${user} = import ./users/${user} (args // { name = "${user}"; }); users.users.${user} = import ./users/${user} (args // { name = "${user}"; });
boot.initrd.network.ssh.authorizedKeys = config.users.users.${user}.openssh.authorizedKeys.keys; boot.initrd.network.ssh.authorizedKeys = config.users.users.${user}.openssh.authorizedKeys.keys;
sops = { sops = {
@ -59,10 +63,12 @@
neededForUsers = true; neededForUsers = true;
}; };
}; };
}) users })
++ map(user: { home-manager.users.${user} = import ./users/${user}/home.nix; }) users; users
++ map (user: { home-manager.users.${user} = import ./users/${user}/home.nix; }) users;
}; };
in { in
{
photon = constructSystem { photon = constructSystem {
hostname = "photon"; hostname = "photon";
users = [ users = [
@ -80,7 +86,8 @@
}; };
}; };
devShell = lib.mapAttrs (system: sopsPkgs: devShell = lib.mapAttrs
(system: sopsPkgs:
with nixpkgs.legacyPackages.${system}; with nixpkgs.legacyPackages.${system};
mkShell { mkShell {
sopsPGPKeyDirs = [ "./keys" ]; sopsPGPKeyDirs = [ "./keys" ];
@ -89,6 +96,7 @@
sopsPkgs.sops-import-keys-hook sopsPkgs.sops-import-keys-hook
]; ];
} }
) sops-nix.packages; )
sops-nix.packages;
}; };
} }


@ -9,22 +9,22 @@ in
paths = lib.mkOption { paths = lib.mkOption {
type = with lib.types; listOf str; type = with lib.types; listOf str;
default = []; default = [ ];
description = "Extra paths to include in backup."; description = "Extra paths to include in backup.";
}; };
exclude = lib.mkOption { exclude = lib.mkOption {
type = with lib.types; listOf str; type = with lib.types; listOf str;
default = []; default = [ ];
description = "Extra paths to exclude in backup."; description = "Extra paths to exclude in backup.";
}; };
}; };
config = { config = {
assertions = [ { assertions = [{
assertion = cfg.paths != [ ] -> cfg.enable; assertion = cfg.paths != [ ] -> cfg.enable;
message = "Configuring backup services.backup.paths without enabling services.backup.enable is useless!"; message = "Configuring backup services.backup.paths without enabling services.backup.enable is useless!";
} ]; }];
services = { services = {
postgresqlBackup = { postgresqlBackup = {
@ -55,7 +55,7 @@ in
"/var/lib/nixos/" "/var/lib/nixos/"
] ++ cfg.paths ] ++ cfg.paths
++ lib.optional config.services.postgresql.enable "/var/backup/postgresql/" ++ lib.optional config.services.postgresql.enable "/var/backup/postgresql/"
++ lib.optional (config.security.acme.certs != {}) "/var/lib/acme/" ++ lib.optional (config.security.acme.certs != { }) "/var/lib/acme/"
++ lib.optional config.security.dhparams.enable "/var/lib/dhparams/"; ++ lib.optional config.security.dhparams.enable "/var/lib/dhparams/";
pruneOpts = [ pruneOpts = [
"--group-by host" "--group-by host"

192
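--- /dev/null
+++ b/modules/website.nix
@@ -0,0 +1,192 @@
+{ config, pkgs, lib, ... }:
+let
+eachSite = config.services.staticpage.sites;
+siteOpts = { lib, name, config, ... }:
+{
+options = {
+package = lib.mkPackageOption pkgs "page" { };
+root = lib.mkOption {
+type = lib.types.str;
+description = "The Document-Root folder in /var/lib";
+};
+domain = lib.mkOption {
+type = lib.types.str;
+example = "example.com";
+description = "The staticpage's domain.";
+};
+subdomain = lib.mkOption {
+type = with lib.types; nullOr str;
+default = null;
+example = "app";
+description = "The staticpage subdomain.";
+};
+usePHP = lib.mkOption {
+type = lib.types.bool;
+default = false;
+description = "Configure the Nginx Server to use PHP";
+};
+configureNginx = lib.mkOption {
+type = lib.types.bool;
+default = true;
+description = "Configure the Nginx Server to serve the site with acne";
+};
+};
+};
+in
+{
+options.services.staticpage = {
+enable = lib.mkEnableOption "staticpage";
+sites = lib.mkOption {
+type = lib.types.attrsOf (lib.types.submodule siteOpts);
+default = { };
+description = lib.mdDoc "Specification of one or more Staticpages sites to serve";
+};
+};
+config = lib.mkIf (eachSite != { }) (lib.mkMerge [{
+services.nginx = {
+virtualHosts = lib.mkMerge [
+(lib.mapAttrs'
+(name: cfg: {
+name = "${(if (cfg.subdomain == null) then "${cfg.domain}" else "${cfg.subdomain}.${cfg.domain}")}";
+value = {
+root = "/var/lib/www/${cfg.root}";
+forceSSL = true;
+enableACME = true;
+serverAliases = lib.mkIf (cfg.subdomain == null) [ "www.${cfg.domain}" ];
+locations."= /favicon.ico" = {
+extraConfig = ''
+log_not_found off;
+access_log off;
+'';
+};
+locations."= /robots.txt" = {
+extraConfig = ''
+allow all;
+log_not_found off;
+access_log off;
+'';
+};
+locations."~* ^/.well-known/" = {
+extraConfig = ''
+allow all;
+'';
+};
+locations."~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$" = {
+extraConfig = ''
+try_files $uri @rewrite;
+expires max;
+log_not_found off;
+'';
+};
+locations."~ ^/sites/.*/files/styles/" = {
+extraConfig = ''
+try_files $uri @rewrite;
+'';
+};
+} // lib.optionalAttrs cfg.usePHP {
+locations."~ '\.php$|^/update.php'" = {
+extraConfig = ''
+include ${pkgs.nginx}/conf/fastcgi_params;
+include ${pkgs.nginx}/conf/fastcgi.conf;
+fastcgi_pass unix:${config.services.phpfpm.pools.${name}.socket};
+fastcgi_index index.php;
+fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+# Ensure the php file exists. Mitigates CVE-2019-11043
+try_files $fastcgi_script_name =404;
+# Block httpoxy attacks. See https://httpoxy.org/.
+fastcgi_param HTTP_PROXY "";
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param PATH_INFO $fastcgi_path_info;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_intercept_errors on;
+'';
+};
+locations."~ \..*/.*\.php$" = {
+extraConfig = ''
+return 403;
+'';
+};
+locations."~ ^/sites/.*/private/" = {
+extraConfig = ''
+return 403;
+'';
+};
+locations."~ ^/sites/[^/]+/files/.*\.php$" = {
+extraConfig = ''
+deny all;
+'';
+};
+locations."/" = {
+extraConfig = ''
+try_files $uri /index.php?$query_string;
+'';
+};
+locations."@rewrite" = {
+extraConfig = ''
+rewrite ^ /index.php;
+'';
+};
+locations."~ /vendor/.*\.php$" = {
+extraConfig = ''
+deny all;
+return 404;
+'';
+};
+locations."~ ^/sites/.*/files/styles/" = {
+extraConfig = ''
+try_files $uri @rewrite;
+'';
+};
+locations."~ ^(/[a-z\-]+)?/system/files/" = {
+extraConfig = ''
+try_files $uri /index.php?$query_string;
+'';
+};
+} // lib.optionalAttrs (!cfg.usePHP) {
+locations."/" = {
+extraConfig = ''
+index index.html;
+try_files $uri $uri/ $uri.html =404;
+'';
+};
+};
+})
+(lib.filterAttrs (n: v: v.configureNginx) eachSite))
+];
+};
+services.phpfpm.pools = lib.mkMerge [
+(lib.mapAttrs
+(name: cfg: {
+user = "nginx";
+settings = {
+"listen.owner" = config.services.nginx.user;
+"pm" = "dynamic";
+"pm.max_children" = 32;
+"pm.max_requests" = 500;
+"pm.start_servers" = 2;
+"pm.min_spare_servers" = 2;
+"pm.max_spare_servers" = 5;
+"php_admin_value[error_log]" = "stderr";
+"php_admin_flag[log_errors]" = true;
+"catch_workers_output" = true;
+};
+phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
+})
+(lib.filterAttrs (n: v: v.usePHP) eachSite))
+];
+}]);
+}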
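Review bot: With `usePHP = true` the deny rules at `locations."~ ^/sites/[^/]+/files/.*\.php$"` and `locations."~ /vendor/.*\.php$"` are very likely never reached for an uploaded PHP file, because nginx takes the first matching regex location in emission order and the NixOS nginx module, as far as I recall, emits locations sorted by `priority` (default 1000) and then by name, which places `~ '\.php$|^/update.php'` ahead of both; the fastcgi block would then execute anything dropped into `sites/*/files/` or `vendor/`. Give the three deny/403 locations an explicit `priority = 900;` (any value below the PHP handler's) so they come first, and confirm the order in the generated nginx.conf before relying on it. Separately, the `usePHP = false` branch still carries `try_files $uri @rewrite;` in the static-asset and `^/sites/.*/files/styles/` locations while `@rewrite` is only defined under `usePHP`, which nginx should reject at config check as an unknown named location. `root = "/var/lib/www/${cfg.root}"` also accepts any string, so a value containing `..` escapes the www prefix; consider `lib.types.strMatching "[A-Za-z0-9._-]+"` or an assertion. Running the php-fpm pool as `user = "nginx"` gives PHP write access to everything nginx owns; a dedicated per-site user would keep the two separated.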


@ -1,4 +1,4 @@
{ pkgs, ... }: { lib, pkgs, ... }:
{ {
i18n = { i18n = {
defaultLocale = "en_US.utf8"; defaultLocale = "en_US.utf8";
@ -7,6 +7,9 @@
boot = { boot = {
default = true; default = true;
kernel.sysctl = {
"net.ipv6.conf.ens3.accept_ra" = 1;
};
}; };
home-manager = { home-manager = {
@ -14,7 +17,12 @@
useUserPackages = true; useUserPackages = true;
}; };
networking.firewall.allowedTCPPorts = [ 22 ]; networking = {
firewall = {
enable = lib.mkDefault true;
allowedTCPPorts = [ 22 ];
};
};
services = { services = {
openssh = { openssh = {
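Review bot: `"net.ipv6.conf.ens3.accept_ra" = 1` is only honoured while IPv6 forwarding is off on that interface; if any host importing this module turns forwarding on (the photon configuration in this commit has a `virtualisation` block, which commonly does), router advertisements are silently ignored and the value needs to be `2`. Hard-coding `ens3` in what looks like a shared module also pins every host to one NIC name; consider `"net.ipv6.conf.all.accept_ra"` or moving the sysctl into the host-specific configuration. A comment such as `# 2 = accept RAs even when forwarding is enabled` next to the chosen value would document the choice. The `networking` and `services` attrsets continue past the hunk.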


@ -6,6 +6,8 @@
boot = { boot = {
zfs.extraPools = [ "ZFS-primary" ]; zfs.extraPools = [ "ZFS-primary" ];
loader.grub.device = "/dev/sda"; loader.grub.device = "/dev/sda";
filesystem = "zfs";
useSystemdBoot = true;
}; };
virtualisation = { virtualisation = {
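Review bot: `useSystemdBoot = true;` is added while `loader.grub.device = "/dev/sda";` remains in the same `boot` block, so which loader ends up installed depends on how the custom `useSystemdBoot` and `filesystem` options (not NixOS options; defined elsewhere in this repo, not visible here) treat the grub setting — if they switch to systemd-boot the grub line is dead, and if they do not, the flag is. Drop whichever no longer applies, or add an assertion in the defining module that rejects both being set, and note in a comment that systemd-boot requires UEFI boot with an ESP mounted under /boot. The enclosing configuration attrset starts before the hunk.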


@ -9,42 +9,42 @@ sops:
- recipient: age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej - recipient: age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBubjhKaWVMdTRVaFM0OXBR YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZnlZNmFXVVFaSks5R0ds
NGdSQTYxRG5rYk11SHRsR01IbnUwb1gvc1FZCmtXVGxTYVozOXFmalE1MXdETmJ3 SWtXTitBY1BmWHltVkxtanpaMkt5S1N4ZzBRCkpkQ2Z2Sld0U3BnVXIyZFNEUHdn
Z3Y1Q0pqd0xYSHdGWExqdkh2YjhscUkKLS0tIE9Ub1Mybk90bXVDcnFBTUpFeXpK RDBaMklHZXk1VTk2ZUIxMGQrbkJZZ0kKLS0tIGVDQ2cxQ2d1TWptSUZCOW9BanlJ
aUQvdCtHVi9DYzk2dk5rM1g4M2FOSGsKxtWFgL9S6cdQ91pJurSD/i/3f2tWsjIT UzNxS0I4NEdGcTNNdUcwamZTRDBXcVEKgin2jqp4tEBnKYnQF5Ki2Btt/+lP3zEJ
Tqw9JoTErhO8aY12LgX6iXHpCQnHvsknN4XL1DZllBNzKJ5XLrJBHA== FlcK7rU3pe8AijwWx3Ybgzv/10/YOzDn6dL6MYwtB80ZFe6NOavBlQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1rjlc6vwnz2lcrpshtd9rldlxels6l2utwmnmf3prus8drfefeywq5ljrdg - recipient: age13aqs2mx66dmnyd74sygnwavufv6a4pwnvcqj4ud4l94jk0tjgu6ss57slw
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bEVmeVdXcUZEc3VjZzJU YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUTN1UHlpeXBxYWtUQis0
Z2JsTHM0dzRleXJwRWxNei9aUC9oQWh0T1ZvCkdyWENHa1NXZHJNS25DZ1JWMFkv MDZFc3BPai9xWmVVWkRxdjNYNlo2R3IzbUNjCncyRlczNTdXcnpMMkxzdU5BTEs3
cWhrQVUxYUpYVmhYeEV0NzBrY2ZuVVkKLS0tIFU0R2JlNkhtN2dmcmZxUExXRitW NDVGb3ROL2xaWUthUDA5Y3V2c0Z4a1UKLS0tIEJYSHN3eEFBQ2JkK2tJZld5Y3Fz
SXV2OEI1QlIxVjRUVGJQZ3doSUllRk0KAd5xczxDAGqYf+e91UbtOc4A0dlf7Fir aVZVTnBGNGpadFdVOFlTdkZ3TDJmSjAKF1d47FC7hCdLbqfzqK5LqB3xfMCpEU8R
hYEfG1Bcn7Sb5lab6DoNrj+KMh2ZnB/Kl6uVAtZ6Rscfs6N6s9KFhQ== XThuRWwRHWKqmG19K5GMaHMZp9sYVMW8dVPh/LG/3gbiMploUDmK0w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-27T08:22:15Z" lastmodified: "2023-12-27T08:22:15Z"
mac: ENC[AES256_GCM,data:kYrqx4qv7C8seyenaIDBPLaYog/LNTVd8qfFqUW2vsP7P6v8GMyQSCzi8UN22WXBnlZq0K5Fria4ZknIYB3ImqKuvdFfP40E6wK4IRAJhlLwukDAdNdMxS39ZcYiMud3mjPWyDKkoxx3ldBzdQSelAPVpQourWsiauVkM9clKNw=,iv:hoDUPBsDEjflZn+TK47u5jXWktFl5zj8CtBBC2PUFrs=,tag:JyLcTHZXyIzc6gwKzwtAzQ==,type:str] mac: ENC[AES256_GCM,data:kYrqx4qv7C8seyenaIDBPLaYog/LNTVd8qfFqUW2vsP7P6v8GMyQSCzi8UN22WXBnlZq0K5Fria4ZknIYB3ImqKuvdFfP40E6wK4IRAJhlLwukDAdNdMxS39ZcYiMud3mjPWyDKkoxx3ldBzdQSelAPVpQourWsiauVkM9clKNw=,iv:hoDUPBsDEjflZn+TK47u5jXWktFl5zj8CtBBC2PUFrs=,tag:JyLcTHZXyIzc6gwKzwtAzQ==,type:str]
pgp: pgp:
- created_at: "2023-12-27T07:38:50Z" - created_at: "2023-12-28T18:03:08Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA84hNUGIgI/nAQ//TBHE0gHfS4c7EbDRCQbPEL0XwZje06yW+ZNMHUWJWAwX hQIMA84hNUGIgI/nAQ/+OTWLMMznF7u83v2fDUjvRtG6Zf5dR1wsJjeYUFZzxQoF
knxFPGXnlVyUF30ghkd1rCaQXrdtawg1Gml+Wpc9mG+IK7VTPM/O3Mb9QsWlvNiA wJwKPbOPNP4HuEIbvXANFfuuUEZNwq+czUPSPqjmeEjf3DfE/JcIzQ8J6AP7Q2b4
K8esjZMQ0Aq53Mb16OQolk3WuZ1toogkirzex+KMhpFvXDcEfOmV+MI1HosBv7Y1 OstgK5MGKo9/IXrIDUK2fRuwGaXKyq/TG2fP10ljTlXzMlfm9OZA71QPZYBpwtSe
UJP+9vcAimuMAgG2nLF8NLGKeWARfL8sRE9Lz6RrYrljAzPH4KdVRhN8ye11ZYul 1lR3gDIpha1yYTQP0STsnusvQkbNyKHNiIwjmkitjgdkreLPqhXlfwievcYcwOCp
odNKRi0/gjdC2+zUfhJnDN4h+mxxybKfTFSaXIQgN5oVlR1wpxpsSAf8lNyEztIo 8UKAqAWJIQVZfHAZJzDWcmnWPK+wR2/pjNKklgYLcSn961o5GMu+6Z64pP3c9BXh
fB9M8K0g18h9Q1r0SASaxt3QA7CkXyu/oclvu2Qoa3P4z0GCQKur+6ednV28pzYG GRogv1f3bvH1aDcP+cB0eaQCyDLFkWKbRgBWubyCGJbJFovzpHNmcYkrlwNmGXoe
tlMjuKl3InrTvtowc8ehYWNsmIkiLFQc9j0/ZEGTnmtMU/EDgQqA++oKK8iI0Gbl 9yrUICQB52gMOSSNCIM39T/yWLOV9O/ga20BUwaoR4duvFNrxktmJXGBGMCfhR2p
FY1058k5VfI95b2dOenJ1FOAzX4krlJFveZr0Bo7RIWJA1L5zSohu5wpVJj3vmVu y74vVhm54Lqw5hwW54eLq14qQzOGhDIyeuuboFGm2BAYgdp4gUmOqTDMWS8Vt1lU
ss2t3qOLSog3YcAEP5bibejPxojb/DAmhoZTK6RumRA9r2ZVu4ZnqDsIPS7SzxS6 oKJOEeT83h2cxXnb0hJ6IWLyEns37+/aB4LWIvnQOgq8yaYEVI4JksKsM+cLVQVZ
y9Bm8SDHrzEzQlRWQKYYI5jieEXfUAKOJwV2xOZOlgZ1tVJZEzHH+FW0ro1zaLJt V3FKWZBTNvCZd6jiWjZdfd3q+Q9QbSQEg1DrKwNXQuF9DMrxg+3xyzQVMYpRbGKr
zk5BoqpHgTQLQYcSLyODvrFR/8Menx85PHty5fChbipekWx08IbSHwqhbxd8phzS pfB6u1CB6jw/NdajgCyHLJN44QELfcWhqriLWP7uEz9jl8di5g5NCP0l+agJjNzS
XgECotBGOy1Da7RtHHuZsJ+PBnk9oY/dZJz7Rn3UMLEgNd2DF1X0fD/PUvzZiGtL XgEaZapnHWm3E2v+1IQ8xrMdTl9t/cRLtIG71Y+rz3DH6jtixNv9pZn7BNqdeKlR
U0CANiRypGLxDEVXcguMDDz//2UltjiuKZ6AXJ8Hij7GshBp0Wjpmc9W+MzvCqM= K1wloUtBbLjgHwDvPIGiUB+dcrHPo2OQTVO5bgax8mAyKuPDKQBLjLsWn2+H6eI=
=jZCc =8fVd
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82 fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted


@ -1,10 +1,10 @@
{ { lib
lib, , config
config, , pkgs
pkgs, , name
name, , publicKeys ? [ ]
publicKeys ? [], , defaultShell ? "zsh"
defaultShell ? "zsh", ,
}: }:
{ {