First commit

2024-09-09 10:48:56 +02:00 · 2024-09-09 10:48:56 +02:00 · 3c39c5aaa4
commit 3c39c5aaa4
9 changed files with 784 additions and 0 deletions
--- a/services/default.nix
+++ b/services/default.nix
@ -0,0 +1,7 @@
+{ inputs, ... }:
+{
+  imports = [
+    ./nginx
+    ./minimalConfig
+  ];
+}
--- a/services/minimalConfig/default.nix
+++ b/services/minimalConfig/default.nix
@ -0,0 +1,121 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+  nix = {
+    settings.experimental-features = [ "nix-command" "flakes" ];
+    settings.trusted-users = [ "@wheel" ];
+  };
+
+  networking = {
+    hostName = "${config.services.vm.hostname}";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 22 9002 ];
+    };
+  };
+
+  time.timeZone = "Europe/Paris";
+  console.keyMap = "fr";
+  i18n.defaultLocale = "fr_FR.UTF-8";
+  environment.sessionVariables = rec {
+    TERM  = "xterm-256color";
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 7d";
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+  users = {
+    users.tbarnouin = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      shell = pkgs.zsh;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILy03fJvfWQtzHgAdH0OPwwcGzdggyuPkveystyrm5+I tbarnouin@gitea-actions-runner"
+      ];
+      initialPassword = "test";
+    };
+    users.root = {
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILy03fJvfWQtzHgAdH0OPwwcGzdggyuPkveystyrm5+I tbarnouin@gitea-actions-runner"
+      ];
+    };
+  };
+
+  programs = {
+    zsh = {
+      enable = true;
+      shellAliases = {
+        ll = "ls -l";
+        lla = "ls -lah";
+      };
+      ohMyZsh = {
+        enable = true;
+        plugins = [ "git" ];
+        theme = "bira";
+      };
+    };
+    tmux = {
+      enable = true;
+    };
+  };
+
+  nixpkgs.config.allowUnfree = true;
+  environment = {
+    localBinInPath = true;
+      systemPackages = with pkgs; [
+        vim
+        bash
+        wget
+        curl
+        git
+        htop
+        tree
+        dig
+        ncdu
+        nmap
+        iperf3
+        netcat-openbsd
+      ];
+    };
+
+  services = {
+    openssh = {
+      enable = true;
+      settings.PasswordAuthentication = false;
+      settings.KbdInteractiveAuthentication = false;
+      settings.PermitRootLogin = "prohibit-password";
+      hostKeys = [
+        {
+          path = "/var/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
+    };
+    fail2ban = {
+      enable = true;
+      ignoreIP = [ "192.168.122.0/24" ];
+    };
+    rsyslogd = {
+      enable = true;
+    };
+    prometheus = {
+      exporters = {
+        node = {
+          enable = true;
+          enabledCollectors = [ "systemd" ];
+          port = 9002;
+        };
+      };
+    };
+  };
+
+  system = {
+    stateVersion = "24.05";
+    activationScripts.ensure-ssh-key-dir.text = "mkdir -p /var/ssh";
+  };
+}
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
@ -0,0 +1,130 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.vm_nginx;
+in
+{
+  options.services.vm_nginx = {
+    enable = lib.mkEnableOption "Enable minimal config";
+  };
+  config = lib.mkIf cfg.enable {
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "theo.barnouin@le43.eu";
+    };
+    services = {
+      fail2ban = {
+        jails = {
+          nginx-http-auth = ''
+            enabled  = true
+            port     = http,https
+            logpath  = /var/log/nginx/*.log
+            backend  = polling
+            journalmatch =
+          '';
+          nginx-botsearch = ''
+            enabled  = true
+            port     = http,https
+            logpath  = /var/log/nginx/*.log
+            backend  = polling
+            journalmatch =
+          '';
+          nginx-bad-request = ''
+            enabled  = true
+            port     = http,https
+            logpath  = /var/log/nginx/*.log
+            backend  = polling
+            journalmatch =
+          '';
+        };
+      };
+      nginx = {
+        enable = true;
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;
+        clientMaxBodySize = "10000m";
+        sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+        appendHttpConfig = ''
+          # Add HSTS header with preloading to HTTPS requests.
+          # Adding this header to HTTP requests is discouraged
+          map $scheme $hsts_header {
+              https   "max-age=31536000; includeSubdomains; preload";
+          }
+          add_header Strict-Transport-Security $hsts_header;
+    
+          # Enable CSP for your services.
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+    
+          # Minimize information leaked to other domains
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+    
+          # Disable embedding as a frame
+          add_header X-Frame-Options DENY;
+    
+          # Prevent injection of code in other mime types (XSS Attacks)
+          add_header X-Content-Type-Options nosniff;
+          client_body_buffer_size 400M;
+        '';
+        user = "tbarnouin";
+        logError = "syslog:server=unix:/dev/log";
+        commonHttpConfig = ''
+          access_log syslog:server=unix:/dev/log;
+        '';
+        virtualHosts."logs.le43.eu" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://192.168.1.20:3000";
+            proxyWebsockets = true;
+            recommendedProxySettings = true;
+          };
+        };
+        virtualHosts."play.le43.eu" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://192.168.1.42:8096";
+            recommendedProxySettings = true;
+          };
+        };
+        virtualHosts."cloud.le43.eu" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://192.168.1.44";
+            proxyWebsockets = true;
+            recommendedProxySettings = true;
+          };
+        };
+        virtualHosts."collabora.le43.eu" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://192.168.1.46:9980";
+            proxyWebsockets = true;
+            recommendedProxySettings = true;
+          };
+        };
+        virtualHosts."git.le43.eu" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://192.168.1.14:3000";
+            recommendedProxySettings = true;
+          };
+        };
+        virtualHosts."authentik.le43.eu" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://192.168.1.41";
+            recommendedProxySettings = true;
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+  };
+}