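{ config, pkgs, modulesPath, ... }:

# Host configuration for a QEMU guest running a set of self-hosted services
# (Caddy, Forgejo, mail, SearXNG, Matrix, monitoring, ntfy, Uptime Kuma, mymx).
# Service-specific settings live in ./modules/*; this file holds the host-level
# wiring: secrets, boot, networking, SSH hardening, fail2ban and upgrades.
{
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    ./modules/caddy.nix
    ./modules/forgejo.nix
    ./modules/mail.nix
    ./modules/searx.nix
    ./modules/matrix.nix
    ./modules/monitoring.nix
    ./modules/ntfy.nix
    ./modules/uptime-kuma.nix
    # mymx module is imported via flake input in flake.nix
  ];

  # Agenix secrets.  Entries without an explicit `owner` are decrypted with
  # agenix's default ownership (root, mode 0400), so the consuming service must
  # run as root or receive the file some other way (e.g. a systemd credential).
  # NOTE(review): verify that in the matching module for forgejo-db, searx-env,
  # tailscale-key and ntfy-admin-hash.
  age.secrets = {
    forgejo-db.file = ./secrets/forgejo-db.age;
    stalwart-admin = { file = ./secrets/stalwart-admin.age; owner = "stalwart-mail"; };
    searx-env.file = ./secrets/searx-env.age;
    tailscale-key.file = ./secrets/tailscale-key.age;
    grafana-secret = { file = ./secrets/grafana-secret.age; owner = "grafana"; };
    matrix-macaroon = { file = ./secrets/matrix-macaroon.age; owner = "matrix-synapse"; };
    ntfy-admin-hash.file = ./secrets/ntfy-admin-hash.age;
    mymx-webhook = { file = ./secrets/mymx-webhook.age; owner = "mymx"; };
  };

  # Bootloader: GRUB on EFI, installed to the removable-media fallback path so
  # no EFI NVRAM variables have to be written (suits VMs with read-only NVRAM).
  boot.loader.grub = {
    enable = true;
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  # Networking
  networking.hostName = "extremist-software";
  networking.firewall = {
    # Port 22 is reachable from the public interface as a fallback.  SSH is
    # also reachable over tailscale0 (trusted below); once that path is
    # verified, 22 can be removed here to take sshd off the public internet.
    allowedTCPPorts = [ 22 80 443 ]; # SSH, HTTP, HTTPS
    # Everything arriving on the tailnet interface bypasses the firewall.
    trustedInterfaces = [ "tailscale0" ];
    # "loose" relaxes reverse-path filtering.  It is only needed when this host
    # advertises subnet routes or acts as an exit node; nothing in this file
    # configures either, so the default ("strict") may be the safer setting.
    checkReversePath = "loose";
  };

  # Tailscale: joins the tailnet non-interactively with the agenix-provided
  # auth key, so no manual `tailscale up` is needed on first boot.
  services.tailscale = {
    enable = true;
    authKeyFile = config.age.secrets.tailscale-key.path;
  };

  # Users: the only login is root, via a single authorized key.  A dedicated
  # admin user with sudo would give a per-operator audit trail; consider that
  # before more keys are added here.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu"
  ];

  # SSH - key-only authentication.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      # PasswordAuthentication=no on its own still leaves PAM keyboard-interactive
      # authentication enabled (NixOS defaults it to true), and that path can
      # prompt for a password.  Disable it so "no passwords" actually holds.
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "prohibit-password";
    };
    # A single ed25519 host key; this replaces the default key set, which also
    # generates an RSA key.
    hostKeys = [{
      path = "/etc/ssh/ssh_host_ed25519_key";
      type = "ed25519";
    }];
  };

  # Fail2ban
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime = "1h";
    bantime-increment = {
      enable = true;
      maxtime = "168h"; # escalating bans are capped at one week
      overalljails = true;
    };
    # Never ban loopback or tailnet sources.  Note that 100.64.0.0/10 is the
    # entire CGNAT range, not only this tailnet; since tailscale0 is already a
    # trusted interface this mostly affects sources that reach sshd another way.
    ignoreIP = [
      "100.64.0.0/10"
      "127.0.0.0/8"
    ];
    # sshd gets a stricter threshold than the global maxretry above.
    jails.sshd.settings = {
      backend = "systemd";
      maxretry = 3;
    };
  };

  # nh (yet another nix helper): automatic GC keeping the last 2 generations.
  programs.nh = {
    enable = true;
    clean.enable = true;
    clean.extraArgs = "--keep 2";
  };

  # Automatic upgrades, daily at 04:00 (UTC, per time.timeZone below).
  # NOTE(review): `flake` is not set, so the timer runs `nixos-rebuild switch
  # --upgrade` against channels; for a flake-managed host (see the imports
  # comment) it should point at the flake, or the upgrade may not rebuild from
  # this configuration — confirm.  allowReboot = false means kernel updates
  # only take effect at the next manual reboot.
  system.autoUpgrade = {
    enable = true;
    dates = "04:00";
    allowReboot = false;
  };

  # System
  system.stateVersion = "24.05";
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  # PostgreSQL major version for the database-backed services; changing the
  # major version later requires a manual data-directory upgrade.
  services.postgresql.package = pkgs.postgresql_15;
  # NOTE(review): nothing in this file uses an unfree package and no Minecraft
  # module is imported; if no module needs this, drop it.
  nixpkgs.config.allowUnfree = true; # Allow unfree packages

  # Time
  time.timeZone = "UTC";

  # ZRAM for limited RAM: compressed swap sized at half of physical memory.
  zramSwap = {
    enable = true;
    memoryPercent = 50;
  };

  # jetpham-website service (module is defined outside this file).
  services.jetpham-website.enable = true;

  # MyMX: the webhook secret is the agenix file owned by the mymx user above.
  services.mymx = {
    enable = true;
    webhookSecretFile = config.age.secrets.mymx-webhook.path;
  };
}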