# Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, ... }: { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; services.nginx.enable = true; services.nginx.virtualHosts."www.oid.foundation" = { useACMEHost = "oid.foundation"; forceSSL = true; globalRedirect = "oid.foundation"; }; services.nginx.virtualHosts."oid.foundation" = { enableACME = true; forceSSL = true; root = "/var/www/oid.foundation"; }; services.nginx.virtualHosts."fediversity.eu" = { useACMEHost = "www.fediversity.eu"; forceSSL = true; globalRedirect = "www.fediversity.eu"; locations."/.well-known/matrix/client" = { extraConfig = '' return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}'; default_type application/json; add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; ''; }; locations."/.well-known/matrix/server" = { extraConfig = '' return 200 '{"m.server": "matrix.fediversity.eu:443"}'; default_type application/json; add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; ''; }; }; services.nginx.virtualHosts."www.fediversity.eu" = { enableACME = true; forceSSL = true; root = "/var/www/www.fediversity.eu/fediversity.eu/public"; locations."/.well-known/matrix/client" = { extraConfig = '' return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}'; default_type application/json; add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; ''; }; locations."/.well-known/matrix/server" = { extraConfig = '' return 200 '{"m.server": "matrix.fediversity.eu:443"}'; default_type application/json; add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; ''; }; }; security.acme = { acceptTerms = true; defaults.email = "beheer@procolix.com"; certs."www.fediversity.eu".extraDomainNames = [ "fediversity.eu" ]; certs."oid.foundation".extraDomainNames = [ "www.oid.foundation" ]; }; networking = { hostName = "vm02117"; domain = "procolix.com"; interfaces = { eth0 = { ipv4 = { addresses = [ { address = "185.206.232.106"; prefixLength = 24; } ]; }; ipv6 = { addresses = [ { address = "2a00:51c0:12:1201::106"; prefixLength = 64; } ]; }; }; }; defaultGateway = { address = "185.206.232.1"; interface = "eth0"; }; defaultGateway6 = { address = "2a00:51c0:12:1201::1"; interface = "eth0"; }; nameservers = [ "95.215.185.6" "95.215.185.7" ]; firewall.enable = false; nftables = { enable = true; ruleset = '' #!/usr/sbin/nft -f flush ruleset ########### define usefull variables here ##################### define wan = eth0 define ssh_allow = { 83.161.147.127/32, # host801 ipv4 95.215.185.92/32, # host088 ipv4 95.215.185.211/32, # host089 ipv4 95.215.185.34/32, # nagios2 ipv4 95.215.185.181/32, # ansible.procolix.com 95.215.185.235, # ansible-hq 185.206.232.76, # vpn4 } define snmp_allow = { 95.215.185.31/32, # cacti ipv4 } define nrpe_allow = { 95.215.185.34/32, # nagios2 ipv4 } ########### here starts the automated bit ##################### table inet filter { chain input { type filter hook input priority 0; policy drop; # established/related connections ct state established,related accept ct state invalid drop # Limit ping requests. ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop # loopback interface iifname lo accept # icmp ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept # Without the nd-* ones ipv6 will not work. ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept # open tcp ports: sshd (22) ip saddr $ssh_allow tcp dport {ssh} accept # open tcp ports: snmp (161) ip saddr $snmp_allow udp dport {snmp} accept # open tcp ports: nrpe (5666) ip saddr $nrpe_allow tcp dport {nrpe} accept # open tcp ports: http (80,443) tcp dport {http,https} accept } chain forward { type filter hook forward priority 0; } chain output { type filter hook output priority 0; } } table ip nat { chain postrouting { } chain prerouting { } } ''; }; }; # Set your time zone. time.timeZone = "Europe/Amsterdam"; # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; # Define a user account. Don't forget to set a password with ‘passwd’. users.users.procolix = { isNormalUser = true; extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1" "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2" ]; packages = with pkgs; [ ]; }; # $ nix search wget environment.systemPackages = with pkgs; [ (pkgs.vim_configurable.customize { name = "vim"; vimrcConfig.packages.myplugins = with pkgs.vimPlugins; { start = [ vim-nix ]; # load plugin on startup }; vimrcConfig.customRC = '' " your custom vimrc set nocompatible set backspace=indent,eol,start " Turn on syntax highlighting by default syntax on " ... ''; }) wget git hugo go nodejs ]; # List services that you want to enable: # Enable the OpenSSH daemon. services.openssh.enable = true; # Enable xe-guest-utilities services.xe-guest-utilities.enable = true; # Copy the NixOS configuration file and link it from the resulting system # (/run/current-system/configuration.nix). This is useful in case you # accidentally delete configuration.nix. system.copySystemConfiguration = true; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "24.11"; # Did you read the comment? }