fricklerhandwerk/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

add nixos server config from the server running the fediversity.eu website

Browse source
This commit is contained in:
Kevin Muller 2024-11-07 13:41:33 +01:00
parent c6cc92f5dc
commit 35d78bac22
2 changed files with 291 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

257
server/configuration.nix Normal file
View file

@ -0,0 +1,257 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
services.nginx.enable = true;
services.nginx.virtualHosts."www.oid.foundation" = {
useACMEHost = "oid.foundation";
forceSSL = true;
globalRedirect = "oid.foundation";
};
services.nginx.virtualHosts."oid.foundation" = {
enableACME = true;
forceSSL = true;
root = "/var/www/oid.foundation";
};
services.nginx.virtualHosts."fediversity.eu" = {
useACMEHost = "www.fediversity.eu";
forceSSL = true;
globalRedirect = "www.fediversity.eu";
locations."/.well-known/matrix/client" = {
extraConfig = ''
return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
'';
};
locations."/.well-known/matrix/server" = {
extraConfig = ''
return 200 '{"m.server": "matrix.fediversity.eu:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
'';
};
};
services.nginx.virtualHosts."www.fediversity.eu" = {
enableACME = true;
forceSSL = true;
root = "/var/www/www.fediversity.eu/fediversity.eu/public";
locations."/.well-known/matrix/client" = {
extraConfig = ''
return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
'';
};
locations."/.well-known/matrix/server" = {
extraConfig = ''
return 200 '{"m.server": "matrix.fediversity.eu:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
'';
};
};
security.acme = {
acceptTerms = true;
defaults.email = "beheer@procolix.com";
certs."www.fediversity.eu".extraDomainNames = [ "fediversity.eu" ];
certs."oid.foundation".extraDomainNames = [ "www.oid.foundation" ];
};
networking = {
hostName = "vm02117";
domain = "procolix.com";
interfaces = {
eth0 = {
ipv4 = {
addresses = [
{
address = "185.206.232.106";
prefixLength = 24;
}
];
};
ipv6 = {
addresses = [
{
address = "2a00:51c0:12:1201::106";
prefixLength = 64;
}
];
};
};
};
defaultGateway = {
address = "185.206.232.1";
interface = "eth0";
};
defaultGateway6 = {
address = "2a00:51c0:12:1201::1";
interface = "eth0";
};
nameservers = [ "95.215.185.6" "95.215.185.7" ];
firewall.enable = false;
nftables = {
enable = true;
ruleset = ''
#!/usr/sbin/nft -f
flush ruleset
########### define usefull variables here #####################
define wan = eth0
define ssh_allow = {
83.161.147.127/32, # host801 ipv4
95.215.185.92/32, # host088 ipv4
95.215.185.211/32, # host089 ipv4
95.215.185.34/32, # nagios2 ipv4
95.215.185.181/32, # ansible.procolix.com
95.215.185.235, # ansible-hq
185.206.232.76, # vpn4
}
define snmp_allow = {
95.215.185.31/32, # cacti ipv4
}
define nrpe_allow = {
95.215.185.34/32, # nagios2 ipv4
}
########### here starts the automated bit #####################
table inet filter {
chain input {
type filter hook input priority 0;
policy drop;
# established/related connections
ct state established,related accept
ct state invalid drop
# Limit ping requests.
ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
# loopback interface
iifname lo accept
# icmp
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
# Without the nd-* ones ipv6 will not work.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
# open tcp ports: sshd (22)
ip saddr $ssh_allow tcp dport {ssh} accept
# open tcp ports: snmp (161)
ip saddr $snmp_allow udp dport {snmp} accept
# open tcp ports: nrpe (5666)
ip saddr $nrpe_allow tcp dport {nrpe} accept
# open tcp ports: http (80,443)
tcp dport {http,https} accept
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}
table ip nat {
chain postrouting {
}
chain prerouting {
}
}
'';
};
};
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Define a user account. Don't forget to set a password with passwd.
users.users.procolix = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
];
packages = with pkgs; [
];
};
# $ nix search wget
environment.systemPackages = with pkgs; [
(pkgs.vim_configurable.customize {
name = "vim";
vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
start = [ vim-nix ]; # load plugin on startup
};
vimrcConfig.customRC = ''
" your custom vimrc
set nocompatible
set backspace=indent,eol,start
" Turn on syntax highlighting by default
syntax on
" ...
'';
})
wget
git
hugo
go
nodejs
];
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Enable xe-guest-utilities
services.xe-guest-utilities.enable = true;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
system.copySystemConfiguration = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.11"; # Did you read the comment?
}

34
server/hardware-configuration.nix Normal file
View file

@ -0,0 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "sr_mod" "xen_blkfront" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/5aa392a8-c9ba-4181-976f-b3b30db350a1";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/FC6D-610F";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enX0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}