authorsils <sils@sils.li>2023-04-11 10:55:18 +0200
committersils <sils@sils.li>2023-04-11 10:55:18 +0200
commit5a6dd9797b67c08d58236956fbb43b7fe57f5730 (patch)
tree27418564bc75d03c66c0e5cf5209f0b66e625998 /system
parentFix(services): Remove Minecraft (diff)
parentChore(flake): Update (diff)
Merge pull request 'server1_develop' (#22) from server1_develop into server1
Reviewed-on: https://git.sils.li/vhack.eu/nixos-server/pulls/22 Reviewed-by: sils <sils@sils.li>
Diffstat (limited to '')
-rw-r--r--hosts/server1/hardware.nix (renamed from system/system/hardware.nix)4
-rw-r--r--system/default.nix8
-rw-r--r--system/file_system_layouts/default.nix (renamed from system/system/fileSystemLayouts.nix)4
-rw-r--r--system/mail/default.nix50
-rw-r--r--system/packages/default.nix (renamed from system/system/packages.nix)0
-rw-r--r--system/services/acme/default.nix30
-rw-r--r--system/services/default.nix12
-rw-r--r--system/services/fail2ban/default.nix30
-rw-r--r--system/services/firewall/default.nix11
-rw-r--r--system/services/minecraft/default.nix (renamed from services/services/minecraft.nix)0
-rw-r--r--system/services/nginx/default.nix15
-rw-r--r--system/services/nix/default.nix (renamed from services/services/nix.nix)0
-rw-r--r--system/services/opensshd/default.nix (renamed from services/services/opensshd.nix)1
-rw-r--r--system/services/rust-motd/default.nix (renamed from services/services/rust-motd.nix)28
-rw-r--r--system/users/default.nix (renamed from system/system/users.nix)7
15 files changed, 180 insertions, 20 deletions
diff --git a/system/system/hardware.nix b/hosts/server1/hardware.nix
index c4c7dc9..9fabafe 100644
--- a/system/system/hardware.nix
+++ b/hosts/server1/hardware.nix
@@ -4,6 +4,6 @@
(modulesPath + "/profiles/headless.nix")
];
boot.loader.grub.device = "/dev/vda";
- boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
- boot.initrd.kernelModules = ["nvme" "btrfs"];
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
+ boot.initrd.kernelModules = [];
}
diff --git a/system/default.nix b/system/default.nix
index 2af4982..d67ada2 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -1,8 +1,8 @@
{config, ...}: {
imports = [
- ./system/fileSystemLayouts.nix
- ./system/hardware.nix
- ./system/packages.nix
- ./system/users.nix
+ ./file_system_layouts
+ ./packages
+ ./services
+ ./users
];
}
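Review bot: The import list drops `./system/hardware.nix` and never picks up the new `system/mail/default.nix` that this same commit adds, so from this file alone it is not clear where the relocated `hosts/server1/hardware.nix` and the mail options are wired in; presumably that happens in the host entry point, which is outside this diff. A one-line comment at the top of the list, e.g. `# hardware and mail are imported from hosts/<name>/`, would save the next reader the search. `config` is also bound as a parameter but unused in this file.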
diff --git a/system/system/fileSystemLayouts.nix b/system/file_system_layouts/default.nix
index 9d03a05..31b0b0b 100644
--- a/system/system/fileSystemLayouts.nix
+++ b/system/file_system_layouts/default.nix
@@ -40,6 +40,10 @@ in {
device = "/srv/nix-config";
options = ["bind"];
};
+ "/var/lib/acme" = {
+ device = "/srv/acme";
+ options = ["bind"];
+ };
};
};
}
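Review bot: The new `/var/lib/acme` bind mount puts the private keys the ACME module writes onto `/srv/acme`, but nothing in this change sets that directory's ownership or mode, so the module's expected non-world-readable layout only holds if the backing directory already matches. Worth confirming on the host that `/srv/acme` is not world-readable, and adding a comment above the entry such as `# backing store for ACME keys and certs; must not be world-readable`.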
diff --git a/system/mail/default.nix b/system/mail/default.nix
new file mode 100644
index 0000000..b1da088
--- /dev/null
+++ b/system/mail/default.nix
@@ -0,0 +1,50 @@
+# vim: ts=2
+{...}: let
+ all_admins = [
+ "sils@vhack.eu"
+ "soispha@vhack.eu"
+ "nightingale@vhack.eu"
+ ];
+in {
+ enable = true;
+ fqdn = "server1.vhack.eu";
+ domains = ["vhack.eu"];
+
+ useFsLayout = true;
+
+ loginAccounts = {
+ "sils@vhack.eu" = {
+ hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm";
+ };
+ "soispha@vhack.eu" = {
+ hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW";
+ };
+ "nightingale@vhack.eu" = {
+ hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"; # TODO change
+ };
+ };
+
+ extraVirtualAliases = {
+ "abuse@vhack.eu" = all_admins;
+ "postmaster@vhack.eu" = all_admins;
+ "admin@vhack.eu" = all_admins;
+ };
+
+ mailDirectory = "/srv/mail/vmail";
+ dkimKeyDirectory = "/srv/mail/dkim";
+ sieveDirectory = "/srv/mail/sieve";
+ backup.snapshotRoot = "/srv/mail/backup";
+
+ enableImap = false;
+ enableImapSsl = true;
+ enablePop3 = false;
+ enablePop3Ssl = true;
+ # SMTP
+ enableSubmission = false;
+ enableSubmissionSsl = true;
+ openFirewall = true;
+
+ keyFile = "/var/lib/acme/server1.vhack.eu/key.pem";
+ certificateScheme = 1;
+ certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem";
+}
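Review bot: The bcrypt hashes on the `hashedPassword` lines for `sils@vhack.eu` and `soispha@vhack.eu` use cost factor 05 (`$2b$05$`), well below current guidance of 10–12, which makes offline guessing cheap should the repository be readable; they should be regenerated at a higher cost before this is deployed. The `nightingale@vhack.eu` entry still carries the placeholder hash with its `# TODO change` comment, so it ships as an account that cannot authenticate; either fill it in or leave the account out until it is ready. Since this looks like the simple-nixos-mailserver option set, consider `hashedPasswordFile` pointing at a file deployed out-of-band instead of committing hashes next to the configuration.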
diff --git a/system/system/packages.nix b/system/packages/default.nix
index 4d33c6e..4d33c6e 100644
--- a/system/system/packages.nix
+++ b/system/packages/default.nix
diff --git a/system/services/acme/default.nix b/system/services/acme/default.nix
new file mode 100644
index 0000000..a163e77
--- /dev/null
+++ b/system/services/acme/default.nix
@@ -0,0 +1,30 @@
+{...}: {
+ users.users.nginx.extraGroups = ["acme"];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "acmechallenge.vhack.eu" = {
+ serverAliases = ["*.vhack.eu"];
+ locations."/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/.challenges";
+ };
+ locations."/" = {
+ return = "301 https://$host$request_uri";
+ };
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin@vhack.eu";
+ certs = {
+ "server1.vhack.eu" = {
+ webroot = "/var/lib/acme/.challenges";
+ group = "nginx";
+ extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"];
+ };
+ };
+ };
+}
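Review bot: The `server1.vhack.eu` certificate is consumed by the mail configuration (`/var/lib/acme/server1.vhack.eu/key.pem` in system/mail/default.nix), but nothing here reloads those daemons after a renewal, so they would keep serving the old chain until their next restart. Adding `reloadServices = ["postfix.service" "dovecot2.service"];` to the `"server1.vhack.eu"` cert entry covers that, assuming those are the unit names the mail module produces. `users.users.nginx.extraGroups = ["acme"]` also looks redundant next to `group = "nginx"` on the same certificate, which already makes the cert directory readable by nginx; a comment stating which of the two is relied on would help.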
diff --git a/system/services/default.nix b/system/services/default.nix
new file mode 100644
index 0000000..6e5cb3c
--- /dev/null
+++ b/system/services/default.nix
@@ -0,0 +1,12 @@
+{config, ...}: {
+ imports = [
+ ./acme
+# ./firewall
+ #./minecraft
+ ./nginx
+ ./nix
+ ./opensshd
+ ./rust-motd
+ ./fail2ban
+ ];
+}
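Review bot: The `./firewall` and `./minecraft` imports are commented out with no explanation, and `./firewall` is dead configuration from the moment it lands, since this same commit adds system/services/firewall/default.nix with ports 465/993/995 that are presumably opened instead by the mail module's `openFirewall = true`. Either drop that file or document the reason above the line, e.g. `# ./firewall disabled: mail ports are opened by the mail module's openFirewall`. The two commented lines also differ in indentation (`# ./firewall` at column 0, `#./minecraft` indented); align them with the rest of the list. `config` is taken as a parameter but unused here.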
diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix
new file mode 100644
index 0000000..5aee097
--- /dev/null
+++ b/system/services/fail2ban/default.nix
@@ -0,0 +1,30 @@
+# vim: ts=2
+{...}: {
+ services.fail2ban = {
+ enable = true;
+ maxretry = 2; # ban after 2 failures
+ daemonConfig = ''
+ [Definition]
+ logtarget = SYSLOG
+ socket = /run/fail2ban/fail2ban.sock
+ pidfile = /run/fail2ban/fail2ban.pid
+ dbfile = /srv/fail2ban/fail2ban.sqlite3
+ '';
+ bantime-increment = {
+ enable = true;
+ rndtime = "8m";
+ overalljails = true;
+ multipliers = "2 4 16 128 256";
+ maxtime = "72h";
+ };
+ jails = {
+ dovecot = ''
+ # block IPs which failed to log-in
+ # aggressive mode add blocking for aborted connections
+ enabled = true
+ filter = dovecot[mode=aggressive]
+ maxretry = 2
+ '';
+ };
+ };
+}
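Review bot: `dbfile = /srv/fail2ban/fail2ban.sqlite3` points fail2ban's database at a directory that nothing in this change creates, so the service will fail on first start unless `/srv/fail2ban` already exists on the host; a `systemd.tmpfiles.rules = ["d /srv/fail2ban 0750 root root -"];` entry next to this block, or a comment above `daemonConfig` saying where the directory comes from, would make that explicit. `maxretry = 2` is set both at module level and again inside the `dovecot` jail text, which is redundant; keep one. Nothing sets `ignoreIP`, so an administrator mistyping a password twice from a fixed address is banned for up to `maxtime`; consider listing trusted management addresses there.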
diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix
new file mode 100644
index 0000000..23dbcc4
--- /dev/null
+++ b/system/services/firewall/default.nix
@@ -0,0 +1,11 @@
+# vim: ts=2
+{...}: {
+ networking.firewall = {
+ allowedTCPPorts = [
+ # for mail protocols:
+ 465 # SMTP SSL
+ 995 # POP3 SSL
+ 993 # IMAP SSL
+ ];
+ };
+}
diff --git a/services/services/minecraft.nix b/system/services/minecraft/default.nix
index 754c974..754c974 100644
--- a/services/services/minecraft.nix
+++ b/system/services/minecraft/default.nix
diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix
new file mode 100644
index 0000000..204783b
--- /dev/null
+++ b/system/services/nginx/default.nix
@@ -0,0 +1,15 @@
+{...}: {
+ networking.firewall = {
+ allowedTCPPorts = [80 443];
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "vhack.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/srv/www/vhack.eu";
+ };
+ };
+ };
+}
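Review bot: The `vhack.eu` virtual host turns on TLS through `forceSSL`/`enableACME` but leaves the server-wide TLS defaults untouched; setting the NixOS nginx module's `recommendedTlsSettings = true;` alongside `enable = true` pins modern protocol and cipher settings in one place rather than relying on nginx's built-in defaults. `services.nginx.enable = true` here duplicates the same line in system/services/acme/default.nix, which is harmless under Nix attribute merging but worth a comment so a reader knows which file owns the nginx baseline.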
diff --git a/services/services/nix.nix b/system/services/nix/default.nix
index bd562ec..bd562ec 100644
--- a/services/services/nix.nix
+++ b/system/services/nix/default.nix
diff --git a/services/services/opensshd.nix b/system/services/opensshd/default.nix
index cb9f2ba..75c5aef 100644
--- a/services/services/opensshd.nix
+++ b/system/services/opensshd/default.nix
@@ -8,7 +8,6 @@
passwordAuthentication = false;
hostKeys = [
{
- comment = "key comment";
path = "/srv/sshd/ssh_host_ed25519_key";
rounds = 1000;
type = "ed25519";
diff --git a/services/services/rust-motd.nix b/system/services/rust-motd/default.nix
index 21bc1cd..1a41b32 100644
--- a/services/services/rust-motd.nix
+++ b/system/services/rust-motd/default.nix
@@ -3,6 +3,15 @@
pkgs,
...
}: {
+ systemd.services.rust-motd = {
+ path = builtins.attrValues {
+ inherit
+ (pkgs)
+ bash
+ fail2ban # Needed for rust-motd fail2ban integration
+ ;
+ };
+ };
programs.rust-motd = {
enable = true;
enableMotdInSSHD = true;
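Review bot: Putting `fail2ban` on the service `PATH` gives rust-motd the `fail2ban-client` binary, but that client talks to the daemon over `/run/fail2ban/fail2ban.sock` (configured in system/services/fail2ban/default.nix), which is normally accessible only to root; if the unit runs unprivileged the integration fails without a clear error. Worth confirming the unit's user and extending the comment: `fail2ban # fail2ban-client for rust-motd's fail2ban section; needs access to the fail2ban socket`. The `programs.rust-motd` block continues past this hunk.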
@@ -45,17 +54,20 @@
# [user_service_status]
# gpg-agent = "gpg-agent"
- #s_s_l_certs = {
- # sort_method = "manual"
- #
- # certs = {
- # CertName1 = "/path/to/cert1.pem"
- # CertName2 = "/path/to/cert2.pem"
- # }
- #};
+ s_s_l_certs = {
+ sort_method = "manual";
+
+ certs = {
+ "server1.vhack.eu" = "/var/lib/acme/server1.vhack.eu/cert.pem";
+ "vhack.eu" = "/var/lib/acme/vhack.eu/cert.pem";
+ };
+ };
filesystems = {
root = "/";
+ persistent = "/srv";
+ store = "/nix";
+ boot = "/boot";
};
memory = {
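Review bot: The `s_s_l_certs` paths read `cert.pem` from the ACME state directories, which the NixOS ACME module normally keeps readable only by the `acme` user and the certificate's configured group, so the rust-motd service needs matching privileges or these entries will silently show nothing; worth confirming which user the unit runs as. The `vhack.eu` entry also depends on the certificate that `enableACME = true` in system/services/nginx/default.nix creates, a cross-file coupling that deserves a one-line comment such as `# certificates are managed in services/acme and services/nginx`. The enclosing `programs.rust-motd` attribute set starts before this hunk and ends after it.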
diff --git a/system/system/users.nix b/system/users/default.nix
index 34e1648..3555221 100644
--- a/system/system/users.nix
+++ b/system/users/default.nix
@@ -5,11 +5,8 @@
users.users = {
root = {
#uid = 0;
- #initialHashedPassword = null; # to lock root
- # Backup, if something happens. TODO remove this later
+ initialHashedPassword = null; # to lock root
openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
];
};
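Review bot: `initialHashedPassword = null` does not lock root on an already-installed host: that option only applies when an account is first created, and root already exists, so whatever password is currently in `/etc/shadow` stays in force unless `users.mutableUsers = false` is set elsewhere, which is not visible here. To lock the account on every activation use `hashedPassword = "!";` (to be confirmed against the users-groups module behaviour under mutable users) and reword the comment, since `null` may also differ from the module's locked default on a fresh install. Removing the two root `authorizedKeys` entries is the right direction given the `wheel` user below, but make sure the replacement access path is in place before deploying, as the hunk leaves the list empty.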
@@ -17,7 +14,7 @@
name = "sils";
isNormalUser = true;
home = "/srv/home/sils";
- initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE
+ initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC";
uid = 1000;
extraGroups = [
"wheel"