maxwell/configuration.nix

539 lines
14 KiB
Nix
Raw Normal View History

2020-10-20 01:11:28 +02:00
{ config, lib, pkgs, ... }:
{
imports = [
./hardware.nix
./variables.nix
./packages.nix
./jobs.nix
./matrix.nix
2021-02-17 18:06:00 +01:00
./email.nix
2020-10-20 01:11:28 +02:00
./magnetico.nix
./nameserver.nix
./custom
./secrets
2023-07-11 22:05:57 +02:00
./fish.nix
./neovim.nix
2020-10-20 01:11:28 +02:00
];
### State
# Stateful things to do before updating:
2022-08-10 05:04:54 +02:00
# 1. Postgres migration (https://www.postgresql.org/docs/current/upgrading.html)
# 2. Matrix Synapse migration (https://matrix-org.github.io/synapse/latest/upgrade.html)
2023-07-11 12:45:29 +02:00
system.stateVersion = "23.05";
2022-08-10 05:04:54 +02:00
2024-06-30 22:41:18 +02:00
nixpkgs.source = builtins.fetchTarball
{ url = "https://github.com/NixOS/nixpkgs/archive/66c7fa70cd1a.tar.gz";
sha256 = "12a69mm612h2yxqkmak06km38hnxijnj6n76lrcl235j8c8zf8y0";
};
2020-10-20 01:11:28 +02:00
boot.kernelPackages = pkgs.linuxPackages_latest;
2023-07-10 23:48:50 +02:00
boot.tmp.useTmpfs = true;
2020-10-20 01:11:28 +02:00
boot.kernel.sysctl = {
# avoid OOM hangs
"vm.admin_reserve_kbytes" = 262144;
};
time.timeZone = "Europe/Rome";
i18n.defaultLocale = "en_US.UTF-8";
systemd.enableEmergencyMode = false;
2023-07-10 23:48:50 +02:00
systemd.oomd.enable = false;
2020-10-20 01:11:28 +02:00
networking = {
hostName = "maxwell";
firewall.allowedTCPPorts = [
2024-07-04 11:21:51 +02:00
53 # dns
2020-11-13 08:49:13 +01:00
443 80 # reverse proxy
2021-02-17 18:06:00 +01:00
993 # imaps server
25 465 # smtp(s) server
2020-10-20 01:11:28 +02:00
18080 # monero p2p
2021-12-21 00:31:10 +01:00
22000 # syncthing transfer
2020-10-20 01:11:28 +02:00
64738 # mumble server
];
firewall.allowedUDPPorts = [
2024-07-06 15:01:36 +02:00
500 # ipsec
2024-07-04 11:21:51 +02:00
53 # dns
2020-10-20 01:11:28 +02:00
21027 # syncthing discovery
64738 # mumble server
];
nftables.enable = true;
firewall.extraInputRules = ''
meta l4proto esp counter accept comment "allow ipsec"
'';
2020-10-20 01:11:28 +02:00
usePredictableInterfaceNames = false;
nameservers = [ "127.0.0.1" ];
2023-08-15 16:21:59 +02:00
# ensure hostname work without DNS
hosts = with config.var;
{ ${ipv4LanAddress} = [ hostname ];
${ipv6Address} = [ hostname ];
};
2020-10-20 01:11:28 +02:00
};
# Only declarative users and no password logins
users.mutableUsers = false;
users.users ={
# Only needed for local (read emergency) shell access
2023-12-15 00:26:06 +01:00
root.hashedPasswordFile = config.secrets.passwords.root;
2020-10-20 01:11:28 +02:00
# Admin
rnhmjoj = {
uid = 1000;
extraGroups = [ "wheel" ];
isNormalUser = true;
shell = pkgs.fish;
openssh.authorizedKeys.keyFiles = [ config.secrets.publicKeys.rnhmjoj ];
};
# Admin
fazo = {
extraGroups = [ "wheel" ];
isNormalUser = true;
2022-08-10 05:04:54 +02:00
openssh.authorizedKeys.keyFiles = [ config.secrets.publicKeys.fazo ];
2020-10-20 01:11:28 +02:00
};
2021-12-21 00:34:45 +01:00
# User
2020-10-20 01:11:28 +02:00
meme = {
isNormalUser = true;
shell = pkgs.fish;
openssh.authorizedKeys.keyFiles = [ config.secrets.publicKeys.meme ];
};
# Hosts the cactalogo
giu = {
isNormalUser = true;
shell = pkgs.fish;
openssh.authorizedKeys.keyFiles = with config.secrets.publicKeys;
[ rnhmjoj giu ];
};
# Needed to perform remote builds on Maxwell
builder = {
description = "Remote Nix builds user";
isNormalUser = true;
2022-11-05 18:57:07 +01:00
openssh.authorizedKeys.keyFiles = with config.secrets.publicKeys; [
rnhmjoj-builder
giu-builder
];
2020-10-20 01:11:28 +02:00
};
# Use "git" instead of the default name to make
# SSH operation handier, example:
# git clone git@maxwell:user/repo
git = {
2021-12-21 00:31:10 +01:00
group = "git";
2020-10-20 01:11:28 +02:00
description = "Git server user";
home = "/var/lib/gitea";
2021-06-17 19:06:04 +02:00
isSystemUser = true;
2020-10-20 01:11:28 +02:00
useDefaultShell = true;
};
};
2021-12-21 00:31:10 +01:00
users.groups.git = { };
2020-10-20 01:11:28 +02:00
# Generate Diffie-Hellman parameters
# for TLS applications, like nginx.
security.dhparams = {
enable = true;
params.nginx = 2048; # prime modulus bits
};
security.sudo = {
enable = true;
# Users don't have a password
wheelNeedsPassword = false;
};
2020-11-13 08:49:13 +01:00
security.pam.loginLimits = [
2021-02-18 11:44:33 +01:00
# Limit user process to stop fork bombs
2020-10-20 01:11:28 +02:00
{ domain = "@users";
2020-11-13 08:49:13 +01:00
type = "hard";
2020-10-20 01:11:28 +02:00
item = "nproc";
value = "400";
}
2021-02-18 11:44:33 +01:00
# Disable core dumping
{ domain = "*";
type = "soft";
item = "core";
value = "0";
}
2020-10-20 01:11:28 +02:00
];
2020-11-13 08:49:13 +01:00
2020-10-20 01:11:28 +02:00
### ACME certificates
security.acme = with config.var; {
2022-08-10 05:04:54 +02:00
defaults.email = "rnhmjoj@inventati.org";
2020-10-20 01:11:28 +02:00
acceptTerms = true;
certs."${hostname}" = {
group = "maxwell-ydns-eu";
};
certs."riot.${hostname}" = {
group = "riot-maxwell-ydns-eu";
};
};
# Allow read access to ACME certificate
# to specific (service) users.
users.groups."maxwell-ydns-eu".members = [ "murmur" "nginx" ];
2020-10-20 01:11:28 +02:00
users.groups."riot-maxwell-ydns-eu".members = [ "nginx" ];
services.openssh = {
enable = true;
2023-07-10 23:48:50 +02:00
settings.PermitRootLogin = "no";
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
2020-10-20 01:11:28 +02:00
};
# Traceroute easter egg
services.fakeroute = {
enable = true;
route = [
"89.111.117.32" "99.97.110.110" "111.116.32.104" "105.100.101.46"
"32.73.32.115" "101.101.32.121" "111.117.46.32" "84.104.101.114"
"101.32.105.115" "32.110.111.32" "108.105.102.101" "32.105.110.32"
"116.104.101.32" "118.111.105.100" "46.32.79.110" "108.121.32.100"
"101.97.116.104" ];
};
### Mumble server
services.murmur = {
enable = true;
registerHostname = config.var.hostname;
registerName = "Maxwell Mumble";
2021-09-29 17:20:23 +02:00
registerPassword = "$REG_PASSWORD";
password = "$JOIN_PASSWORD";
2020-10-20 01:11:28 +02:00
users = 10;
2021-09-29 17:20:23 +02:00
environmentFile = config.secrets.environments.murmur;
2021-12-21 00:31:10 +01:00
sslCert = "/var/lib/acme/${config.var.hostname}/fullchain.pem";
sslKey = "/var/lib/acme/${config.var.hostname}/key.pem";
2020-10-20 01:11:28 +02:00
};
### Syncthing node
services.syncthing = {
enable = true;
};
### Monero node with local RPC
services.monero = {
enable = true;
mining = {
enable = false;
threads = 4;
address = config.secrets.monero.address;
};
limits = {
upload = 250;
download = 625;
threads = 4;
};
rpc.user = config.secrets.monero.user;
rpc.password = config.secrets.monero.password;
};
### URL shortner
2020-10-26 00:47:39 +01:00
services.breve = with config.secrets; {
2020-10-20 01:11:28 +02:00
enable = true;
hostname = "localhost";
baseUrl = "https://brve.bit/";
port = 2000;
2020-10-26 00:47:39 +01:00
certificate = certs.breve.crt;
key = certs.breve.key;
2020-10-20 01:11:28 +02:00
};
### Git server
services.gitea = with config.var; {
enable = true;
appName = "Maxwell git server";
user = "git";
database.user = "git";
settings = {
2023-07-10 23:48:50 +02:00
server.ROOT_URL = "https://${hostname}/git/";
server.domain = hostname;
2023-02-25 01:24:08 +01:00
session.COOKIE_SECURE = true;
log.LEVEL = "Error";
service.DISABLE_REGISTRATION = false;
2022-10-05 02:30:55 +02:00
# increase cookie expiration time
2020-10-20 01:11:28 +02:00
security.LOGIN_REMEMBER_DAYS = 365;
2022-10-05 02:30:55 +02:00
# file upload size (MB)
attachment.MAX_SIZE = 10;
# new users can only create PR/issues
2021-05-28 19:45:03 +02:00
service.DEFAULT_ALLOW_CREATE_ORGANIZATION = false;
2022-10-05 02:30:55 +02:00
repository.MAX_CREATION_LIMIT = 0;
# somewhat limit spam
service.EMAIL_DOMAIN_BLOCKLIST = "gmail.com";
2022-10-05 02:30:55 +02:00
# allow the notify webhook to use matrix
webhook.ALLOWED_HOST_LIST = "maxwell.ydns.eu";
2020-10-20 01:11:28 +02:00
};
};
### Searx instance
services.searx = {
enable = true;
2021-09-29 17:20:23 +02:00
environmentFile = config.secrets.environments.searx;
package = pkgs.searxng;
2020-11-13 08:49:29 +01:00
# Use nginx+uWSGI
runInUwsgi = true;
uwsgiConfig = {
disable-logging = true;
2021-06-18 18:20:05 +02:00
# serve using the uwsgi protocol
2020-11-13 08:49:29 +01:00
socket = "/run/searx/uwsgi.sock";
chmod-socket = "660";
2021-06-18 18:20:05 +02:00
# use /searx as url "mountpoint"
mount = "/srx=searx.webapp:application";
2020-11-13 08:49:29 +01:00
module = "";
2021-06-18 18:20:05 +02:00
manage-script-name = true;
# caching
cache2 = lib.concatStringsSep ","
[ "name=searxcache"
"items=2000"
"blocks=2000"
"blocksize=4096"
"bitmap=1"
];
2020-11-13 08:49:29 +01:00
};
2020-10-27 14:05:37 +01:00
settings =
{ general.instance_name = "searxwell";
2021-06-18 18:20:05 +02:00
server.base_url = "https://${config.var.hostname}/";
server.secret_key = "@SEARX_SECRET@";
2020-10-27 14:05:37 +01:00
# Replace DOI links with Sci-Hub
2021-06-18 18:20:05 +02:00
default_doi_resolver = "sci-hub.st";
## Use authenticated APIs for some services
engines = [
{ name = "wolframalpha";
api_key = "@WOLFRAM_API_KEY@";
}
{ name = "youtube";
api_key = "@YOUTUBE_API_KEY@";
}
];
2020-10-27 14:05:37 +01:00
};
2020-10-20 01:11:28 +02:00
};
2020-11-13 08:49:29 +01:00
# Allow nginx access to the uwsgi socket
users.groups."searx".members = [ "nginx" ];
2020-10-20 01:11:28 +02:00
### Reverse Proxy
services.nginx =
with config.var;
let
disableLog = ''
error_log syslog:server=unix:/dev/log crit;
access_log off;
'';
enableSTS = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
'';
in
2022-03-17 17:29:44 +01:00
rec {
2020-10-20 01:11:28 +02:00
enable = true;
enableReload = true;
2021-09-30 02:29:05 +02:00
recommendedTlsSettings = true;
2020-10-20 01:11:28 +02:00
recommendedGzipSettings = true;
recommendedProxySettings = true;
# Large enough to allow file uploads.
clientMaxBodySize = "1000M";
sslDhparam = "${config.security.dhparams.path}/nginx.pem";
# Maxwell
2020-11-13 08:49:13 +01:00
virtualHosts."${hostname}" = {
2023-09-11 15:09:10 +02:00
enableACME = true;
forceSSL = true;
default = true;
2020-10-20 01:11:28 +02:00
extraConfig = disableLog + enableSTS;
# Returns IP address
2022-02-18 12:12:04 +01:00
locations."/ip".extraConfig = ''
default_type text/plain;
return 200 $remote_addr;
'';
2020-10-20 01:11:28 +02:00
2020-11-13 08:49:13 +01:00
# Asjon code coverage reports
2020-10-20 01:11:28 +02:00
locations."/asjon/report/" = {
index = "index.html";
2021-09-30 02:24:39 +02:00
alias = "/run/nginx/static/asjon/";
2020-10-20 01:11:28 +02:00
};
# Searx instance
2020-11-13 08:49:29 +01:00
locations."/srx/".extraConfig =
''
include ${pkgs.nginx}/conf/uwsgi_params;
uwsgi_pass unix:/run/searx/uwsgi.sock;
2020-10-20 01:11:28 +02:00
'';
locations."/srx/static/".alias = "${config.services.searx.package}/share/static/";
2020-11-13 08:49:29 +01:00
2020-10-20 01:11:28 +02:00
# Git server
2020-11-13 08:49:13 +01:00
locations."/git/".proxyPass = "http://localhost:3000/";
2020-10-20 01:11:28 +02:00
# Syncthing
locations."/sync/".proxyPass = "http://localhost:8384/";
2021-02-17 18:06:00 +01:00
# User static files
locations."/~rnhmjoj/" = {
2021-09-30 02:24:39 +02:00
alias = "/run/nginx/static/rnhmjoj/";
2021-02-17 18:06:00 +01:00
extraConfig = "charset UTF-8;";
};
2021-04-02 19:20:32 +02:00
locations."/~giu/" = {
2021-09-30 02:24:39 +02:00
alias = "/run/nginx/static/giu/";
2021-04-02 19:20:32 +02:00
extraConfig = "charset UTF-8;";
};
2020-10-20 01:11:28 +02:00
};
# Breve URL shortner
2020-10-26 00:47:39 +01:00
virtualHosts."brve.bit" = with config.secrets; {
2020-10-20 01:11:28 +02:00
forceSSL = true;
2020-10-26 00:47:39 +01:00
sslCertificate = certs.breve.crt;
sslCertificateKey = certs.breve.key;
2020-10-20 01:11:28 +02:00
locations."/" = {
proxyPass = "https://localhost:2000";
extraConfig = "proxy_ssl_verify off;";
};
extraConfig = disableLog;
};
# The Cactalogue
virtualHosts."cacta.bit" = {
2021-09-30 02:24:39 +02:00
root = "/run/nginx/static/cactalogue";
2020-10-20 01:11:28 +02:00
extraConfig = disableLog;
};
2022-03-17 17:29:44 +01:00
virtualHosts."cacta.eurofusion.eu" = virtualHosts."cacta.bit";
2020-10-20 01:11:28 +02:00
};
2021-09-30 02:24:39 +02:00
# Bind mount directories for Nginx
# This avoids giving nginx traversal permission
systemd.mounts =
let bindNginx = from: to:
{ what = from;
where = "/run/nginx/static/" + to;
type = "none";
options = "bind";
wantedBy = [ "nginx.service" ];
};
in [ (bindNginx "/home/rnhmjoj/www" "rnhmjoj")
(bindNginx "/home/giu/www" "giu")
(bindNginx "/home/giu/cactalogue" "cactalogue")
(bindNginx "/var/lib/asjon/tree/report" "asjon")
];
2020-10-20 01:11:28 +02:00
2024-07-06 15:01:36 +02:00
### IPsec mesh
environment.etc."ipsec.d/mesh.secrets".source = config.secrets.passwords.mesh;
services.libreswan.enable = true;
services.libreswan.connections.mesh =
''
leftid=@wes
left=2a01:e11:1001:53ea::1
rightid=@maxwell
right=2001:470:c8e8:0:230:48ff:fefa:91e1
authby=secret
type=transport
auto=ondemand
failureshunt=drop
negotiationshunt=hold
'';
2020-10-20 01:11:28 +02:00
### Misc. services
services.asjon.enable = true;
# Needed for the Asjon memory module
2022-08-08 16:32:30 +02:00
services.redis.servers."asjon" =
{ enable = true;
user = "asjon";
};
2020-10-20 01:11:28 +02:00
# Emergency SSH access via tor
services.tor =
{ enable = true;
client.enable = false;
relay.onionServices.emergency-access.map = [ 22 ];
};
2020-10-20 01:11:28 +02:00
### Program configuration
programs = {
2022-08-10 17:15:16 +02:00
fuse.userAllowOther = true;
2020-10-20 01:11:28 +02:00
fish.enable = true;
tmux = {
enable = true;
newSession = true;
baseIndex = 1;
escapeTime = 0;
historyLimit = 4096;
keyMode = "vi";
terminal = "screen-256color";
customPaneNavigationAndResize = true;
extraConfig = ''
set -g mouse on
# bindings
bind | split-window -h
bind - split-window -v
bind : command-prompt
bind -n C-k clear-history
# colors
set -g pane-border-style fg=brightblack
set -g pane-active-border fg=green
set -g message-style fg=white,bg=black
set -g status-style fg=brightblue,bg=black
setw -g mode-style fg=black,bg=cyan
# status line
set -g status on
set -g status-justify left
set -g status-left ""
set -g status-right-length 60
set -g status-right '#[fg=yellow]#(cut -d\ -f 1-3 /proc/loadavg) | #[fg=brightgreen]%a %H:%M'
setw -g window-status-format "#[fg=black#,bg=brightblack] #I #[fg=blue#,bg=black] #W "
setw -g window-status-current-format "#[fg=white#,bg=cyan] #I #[fg=black#,bg=brightblack] #W "
'';
};
};
2023-02-25 01:24:08 +01:00
nix.settings = {
2020-10-20 01:11:28 +02:00
# Can connect to the Nix daemon
# and upload/run code as root!
2023-02-25 01:24:08 +01:00
trusted-users = [ "builder" "rnhmjoj" ];
2020-10-20 01:11:28 +02:00
# Use at most half the cores
2023-02-25 01:24:08 +01:00
cores = 8;
max-jobs = 16;
# Always keep at least 256MiB free
min-free = 268435456;
2020-10-20 01:11:28 +02:00
};
environment.sessionVariables = {
2023-07-11 12:45:44 +02:00
PATH = [ "$HOME/bin" ];
XDG_CONFIG_HOME = "$HOME/etc";
XDG_DATA_HOME = "$HOME/var/lib";
XDG_CACHE_HOME = "$HOME/var/cache";
2022-08-11 02:47:58 +02:00
SYSTEMD_COLORS = "16";
2020-10-20 01:11:28 +02:00
};
}