diff options
Diffstat (limited to 'system')
| -rw-r--r-- | system/default.nix | 9 | ||||
| -rw-r--r-- | system/file_system_layouts/default.nix (renamed from system/system/fileSystemLayouts.nix) | 0 | ||||
| -rw-r--r-- | system/hardware/default.nix (renamed from system/system/hardware.nix) | 0 | ||||
| -rw-r--r-- | system/mail/default.nix | 51 | ||||
| -rw-r--r-- | system/packages/default.nix (renamed from system/system/packages.nix) | 0 | ||||
| -rw-r--r-- | system/services/acme/default.nix | 30 | ||||
| -rw-r--r-- | system/services/default.nix | 11 | ||||
| -rw-r--r-- | system/services/firewall/default.nix | 11 | ||||
| -rw-r--r-- | system/services/minecraft/default.nix | 26 | ||||
| -rw-r--r-- | system/services/nginx/default.nix | 15 | ||||
| -rw-r--r-- | system/services/nix/default.nix | 18 | ||||
| -rw-r--r-- | system/services/opensshd/default.nix | 17 | ||||
| -rw-r--r-- | system/services/rust-motd/default.nix | 79 | ||||
| -rw-r--r-- | system/users/default.nix (renamed from system/system/users.nix) | 7 |
14 files changed, 265 insertions, 9 deletions
diff --git a/system/default.nix b/system/default.nix index 2af4982..9aa5d9e 100644 --- a/system/default.nix +++ b/system/default.nix @@ -1,8 +1,9 @@ {config, ...}: { imports = [ - ./system/fileSystemLayouts.nix - ./system/hardware.nix - ./system/packages.nix - ./system/users.nix + ./file_system_layouts + ./hardware + ./packages + ./services + ./users ]; } diff --git a/system/system/fileSystemLayouts.nix b/system/file_system_layouts/default.nix index 9d03a05..9d03a05 100644 --- a/system/system/fileSystemLayouts.nix +++ b/system/file_system_layouts/default.nix diff --git a/system/system/hardware.nix b/system/hardware/default.nix index c4c7dc9..c4c7dc9 100644 --- a/system/system/hardware.nix +++ b/system/hardware/default.nix diff --git a/system/mail/default.nix b/system/mail/default.nix new file mode 100644 index 0000000..7102958 --- /dev/null +++ b/system/mail/default.nix @@ -0,0 +1,51 @@ +# vim: ts=2 +{...}: let + all_admins = [ + "sils@vhack.eu" + "soispha@vhack.eu" + "nightingale@vhack.eu" + ]; +in { + enable = true; + fqdn = "server1.vhack.eu"; + domains = ["vhack.eu"]; + + useFsLayout = true; + + loginAccounts = { + "sils@vhack.eu" = { + hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm"; + }; + "soispha@vhack.eu" = { + hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW"; + }; + "nightingale@vhack.eu" = { + hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"; # TODO change + }; + }; + + extraVirtualAliases = { + "abuse@vhack.eu" = all_admins; + "postmaster@vhack.eu" = all_admins; + "admin@vhack.eu" = all_admins; + }; + + mailDirectory = "/srv/mail/vmail"; + dkimKeyDirectory = "/srv/mail/dkim"; + sieveDirectory = "/srv/mail/sieve"; + backup.snapshotRoot = "/srv/mail/backup"; + + enableImap = false; + enableImapSsl = true; + enablePop3 = false; + enablePop3Ssl = true; + # SMTP + enableSubmission = false; + enableSubmissionSsl = true; + openFirewall = false; # handled below + + keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; + certificateScheme = 1; + certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; + +} diff --git a/system/system/packages.nix b/system/packages/default.nix index 4d33c6e..4d33c6e 100644 --- a/system/system/packages.nix +++ b/system/packages/default.nix diff --git a/system/services/acme/default.nix b/system/services/acme/default.nix new file mode 100644 index 0000000..a163e77 --- /dev/null +++ b/system/services/acme/default.nix @@ -0,0 +1,30 @@ +{...}: { + users.users.nginx.extraGroups = ["acme"]; + + services.nginx = { + enable = true; + virtualHosts = { + "acmechallenge.vhack.eu" = { + serverAliases = ["*.vhack.eu"]; + locations."/.well-known/acme-challenge" = { + root = "/var/lib/acme/.challenges"; + }; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "admin@vhack.eu"; + certs = { + "server1.vhack.eu" = { + webroot = "/var/lib/acme/.challenges"; + group = "nginx"; + extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"]; + }; + }; + }; +} diff --git a/system/services/default.nix b/system/services/default.nix new file mode 100644 index 0000000..f36cb29 --- /dev/null +++ b/system/services/default.nix @@ -0,0 +1,11 @@ +{config, ...}: { + imports = [ + ./acme + ./firewall + #./minecraft + ./nginx + ./nix + ./opensshd + ./rust-motd + ]; +} diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix new file mode 100644 index 0000000..23dbcc4 --- /dev/null +++ b/system/services/firewall/default.nix @@ -0,0 +1,11 @@ +# vim: ts=2 +{...}: { + networking.firewall = { + allowedTCPPorts = [ + # for mail protocols: + 465 # SMTP SSL + 995 # POP3 SSL + 993 # IMAP SSL + ]; + }; +} diff --git a/system/services/minecraft/default.nix b/system/services/minecraft/default.nix new file mode 100644 index 0000000..754c974 --- /dev/null +++ b/system/services/minecraft/default.nix @@ -0,0 +1,26 @@ +{ + config, + pkgs, + ... +}: { + users = { + groups.minecraft = {}; + users.minecraft = { + isSystemUser = true; + group = "minecraft"; + }; + }; + systemd.services.minecraft = { + wantedBy = ["multi-user.target"]; + after = "network.target"; + description = "Minecraft Server"; + serviceConfig = { + WorkingDirectory = "/srv/minecraft"; + User = "minecraft"; + Group = "minecraft"; + Restart = "always"; + ExecStart = "${pkgs.openjdk}/bin/java -Xms10G -Xmx10G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true -jar paper.jar --nogui"; + SyslogIdentifier = "minecraft-server"; + }; + }; +} diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix new file mode 100644 index 0000000..204783b --- /dev/null +++ b/system/services/nginx/default.nix @@ -0,0 +1,15 @@ +{...}: { + networking.firewall = { + allowedTCPPorts = [80 443]; + }; + services.nginx = { + enable = true; + virtualHosts = { + "vhack.eu" = { + forceSSL = true; + enableACME = true; + root = "/srv/www/vhack.eu"; + }; + }; + }; +} diff --git a/system/services/nix/default.nix b/system/services/nix/default.nix new file mode 100644 index 0000000..bd562ec --- /dev/null +++ b/system/services/nix/default.nix @@ -0,0 +1,18 @@ +{ + config, + lib, + pkgs, + ... +}: { + nix = { + # gc = { + # automatic = true; + # dates = "daily"; + # options = "--delete-older-than 3"; + # }; + settings = { + auto-optimise-store = true; + experimental-features = ["nix-command" "flakes"]; + }; + }; +} diff --git a/system/services/opensshd/default.nix b/system/services/opensshd/default.nix new file mode 100644 index 0000000..75c5aef --- /dev/null +++ b/system/services/opensshd/default.nix @@ -0,0 +1,17 @@ +{ + config, + pkg, + ... +}: { + services.openssh = { + enable = true; + passwordAuthentication = false; + hostKeys = [ + { + path = "/srv/sshd/ssh_host_ed25519_key"; + rounds = 1000; + type = "ed25519"; + } + ]; + }; +} diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix new file mode 100644 index 0000000..21bc1cd --- /dev/null +++ b/system/services/rust-motd/default.nix @@ -0,0 +1,79 @@ +{ + config, + pkgs, + ... +}: { + programs.rust-motd = { + enable = true; + enableMotdInSSHD = true; + refreshInterval = "*:0/5"; # 0/5 means: hour 0 AND all hour wich match (0 + 5 * x) (is the same as: 0, 5, 10, 15, 20) + settings = { + global = { + progress_full_character = "="; + progress_empty_character = "-"; + progress_prefix = "["; + progress_suffix = "]"; + time_format = "%Y-%m-%d %H:%M:%S"; + }; + + banner = { + color = "red"; + command = "${pkgs.hostname}/bin/hostname | ${pkgs.figlet}/bin/figlet -f slant"; + # if you don't want a dependency on figlet, you can generate your + # banner however you want, put it in a file, and then use something like: + # command = "cat banner.txt" + }; + + # [weather] + # url = "https://wttr.in/New+York,New+York?0" + # proxy = "http://proxy:8080" + + # [service_status] + # Accounts = "accounts-daemon" + # Cron = "cron" + + # [docker_status] + # Local containers MUST start with a slash + # https://github.com/moby/moby/issues/6705 + #"/nextcloud-nextcloud-1" = "Nextcloud" + #"/nextcloud-nextcloud-mariadb-1" = "Nextcloud Database" + + uptime = { + prefix = "Uptime:"; + }; + + # [user_service_status] + # gpg-agent = "gpg-agent" + + #s_s_l_certs = { + # sort_method = "manual" + # + # certs = { + # CertName1 = "/path/to/cert1.pem" + # CertName2 = "/path/to/cert2.pem" + # } + #}; + + filesystems = { + root = "/"; + }; + + memory = { + swap_pos = "beside"; # or "below" or "none" + }; + + fail2_ban = { + jails = ["sshd"]; #, "anotherjail"] + }; + + last_login = { + sils = 2; + soispha = 2; + nightingale = 2; + }; + + last_run = { + }; + }; + }; +} diff --git a/system/system/users.nix b/system/users/default.nix index 34e1648..3555221 100644 --- a/system/system/users.nix +++ b/system/users/default.nix @@ -5,11 +5,8 @@ users.users = { root = { #uid = 0; - #initialHashedPassword = null; # to lock root - # Backup, if something happens. TODO remove this later + initialHashedPassword = null; # to lock root openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" ]; }; @@ -17,7 +14,7 @@ name = "sils"; isNormalUser = true; home = "/srv/home/sils"; - initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE + initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; uid = 1000; extraGroups = [ "wheel" |