From 35d78bac22da6991faa70f37ab260eb0b0ab92ed Mon Sep 17 00:00:00 2001
From: kevin
Date: Thu, 7 Nov 2024 13:41:33 +0100
Subject: [PATCH] add nixos server config from the server running the fediversity.eu website
---
 server/configuration.nix | 257 ++++++++++++++++++++++++++++++
 server/hardware-configuration.nix | 34 ++++
 2 files changed, 291 insertions(+)
 create mode 100644 server/configuration.nix
 create mode 100644 server/hardware-configuration.nix
diff --git a/server/configuration.nix b/server/configuration.nix
new file mode 100644
index 00000000..fd263e17
--- /dev/null
+++ b/server/configuration.nix
@@ -0,0 +1,257 @@
+
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."www.oid.foundation" = {
+ useACMEHost = "oid.foundation";
+ forceSSL = true;
+ globalRedirect = "oid.foundation";
+ };
+ services.nginx.virtualHosts."oid.foundation" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/var/www/oid.foundation";
+
+ };
+ services.nginx.virtualHosts."fediversity.eu" = {
+ useACMEHost = "www.fediversity.eu";
+ forceSSL = true;
+ globalRedirect = "www.fediversity.eu";
+ locations."/.well-known/matrix/client" = {
+ extraConfig = ''
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+ add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
+ '';
+ };
+ locations."/.well-known/matrix/server" = {
+ extraConfig = ''
+ return 200 '{"m.server": "matrix.fediversity.eu:443"}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+ add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
+ '';
+ };
+ };
+ services.nginx.virtualHosts."www.fediversity.eu" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/var/www/www.fediversity.eu/fediversity.eu/public";
+ locations."/.well-known/matrix/client" = {
+ extraConfig = ''
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+ add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
+ '';
+ };
+ locations."/.well-known/matrix/server" = {
+ extraConfig = ''
+ return 200 '{"m.server": "matrix.fediversity.eu:443"}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+ add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
+ '';
+ };
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "beheer@procolix.com";
+ certs."www.fediversity.eu".extraDomainNames = [ "fediversity.eu" ];
+ certs."oid.foundation".extraDomainNames = [ "www.oid.foundation" ];
+ };
+
+ networking = {
+ hostName = "vm02117";
+ domain = "procolix.com";
+ interfaces = {
+ eth0 = {
+ ipv4 = {
+ addresses = [
+ {
+ address = "185.206.232.106";
+ prefixLength = 24;
+ }
+ ];
+ };
+ ipv6 = {
+ addresses = [
+ {
+ address = "2a00:51c0:12:1201::106";
+ prefixLength = 64;
+ }
+ ];
+ };
+ };
+ };
+ defaultGateway = {
+ address = "185.206.232.1";
+ interface = "eth0";
+ };
+ defaultGateway6 = {
+ address = "2a00:51c0:12:1201::1";
+ interface = "eth0";
+ };
+ nameservers = [ "95.215.185.6" "95.215.185.7" ];
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ ruleset = ''
+ #!/usr/sbin/nft -f
+
+ flush ruleset
+
+ ########### define usefull variables here #####################
+ define wan = eth0
+ define ssh_allow = {
+ 83.161.147.127/32, # host801 ipv4
+ 95.215.185.92/32, # host088 ipv4
+ 95.215.185.211/32, # host089 ipv4
+ 95.215.185.34/32, # nagios2 ipv4
+ 95.215.185.181/32, # ansible.procolix.com
+ 95.215.185.235, # ansible-hq
+ 185.206.232.76, # vpn4
+ }
+ define snmp_allow = {
+ 95.215.185.31/32, # cacti ipv4
+ }
+ define nrpe_allow = {
+ 95.215.185.34/32, # nagios2 ipv4
+ }
+
+ ########### here starts the automated bit #####################
+ table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ policy drop;
+
+ # established/related connections
+ ct state established,related accept
+ ct state invalid drop
+
+ # Limit ping requests.
+ ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
+ ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
+
+ # loopback interface
+ iifname lo accept
+
+ # icmp
+ ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
+ # Without the nd-* ones ipv6 will not work.
+ ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
+
+ # open tcp ports: sshd (22)
+ ip saddr $ssh_allow tcp dport {ssh} accept
+
+ # open tcp ports: snmp (161)
+ ip saddr $snmp_allow udp dport {snmp} accept
+
+ # open tcp ports: nrpe (5666)
+ ip saddr $nrpe_allow tcp dport {nrpe} accept
+
+ # open tcp ports: http (80,443)
+ tcp dport {http,https} accept
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ }
+ chain output {
+ type filter hook output priority 0;
+ }
+ }
+
+ table ip nat {
+ chain postrouting {
+ }
+ chain prerouting {
+ }
+ }
+ '';
+ };
+ };
+
+
+ # Set your time zone.
+ time.timeZone = "Europe/Amsterdam";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.procolix = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
+ ];
+ packages = with pkgs; [
+ ];
+ };
+
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ (pkgs.vim_configurable.customize {
+ name = "vim";
+ vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
+ start = [ vim-nix ]; # load plugin on startup
+ };
+ vimrcConfig.customRC = ''
+ " your custom vimrc
+ set nocompatible
+ set backspace=indent,eol,start
+ " Turn on syntax highlighting by default
+ syntax on
+ " ...
+ '';
+ })
+ wget
+ git
+ hugo
+ go
+ nodejs
+ ];
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ # Enable xe-guest-utilities
+ services.xe-guest-utilities.enable = true;
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ system.copySystemConfiguration = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.11"; # Did you read the comment?
+
+}
+
diff --git a/server/hardware-configuration.nix b/server/hardware-configuration.nix
new file mode 100644
index 00000000..c14f4759
--- /dev/null
+++ b/server/hardware-configuration.nix
@@ -0,0 +1,34 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "sr_mod" "xen_blkfront" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/5aa392a8-c9ba-4181-976f-b3b30db350a1";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/FC6D-610F";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enX0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
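Review bot: `services.openssh.enable = true;` near the end of the hunk inherits NixOS's default sshd settings, which to my recollection leave password authentication on, while the only declared login path for `procolix` is the two authorized keys and the comment on that user defers the password to an out-of-band `passwd`, so the host's real authentication posture is not captured by this file; I would pin it with `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`, and if `wheel` sudo must keep a password, declare it through `hashedPasswordFile` instead of manual state. The nftables `$ssh_allow` list limits exposure but matches `ip saddr` only, so SSH over the configured IPv6 address falls through to `policy drop`; worth recording next to that rule as `# SSH is reachable from $ssh_allow over IPv4 only; IPv6 is dropped on purpose` if that is intended. Both authorized keys start with `AAAAB3NzaC1yc2EAAAABIw`, i.e. 2048-bit RSA with public exponent 35, the form old OpenSSH releases generated, which suggests they are well over a decade old and are shared jump-host keys worth rotating to ed25519. The `forceSSL` vhosts emit no HSTS header; if one is added via the vhost `extraConfig`, it has to be repeated inside each `/.well-known/matrix/*` location, because the `add_header` lines there stop inheritance of headers from the server level. The two identical `/.well-known/matrix/*` blocks on `fediversity.eu` and `www.fediversity.eu` will drift apart over time and would be better bound once in a `let` and reused.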