-rw-r--r--machines/srv3/.configuration.nix.swpbin0 -> 24576 bytes
-rw-r--r--machines/srv3/baby-yoda.pngbin0 -> 957567 bytes
-rw-r--r--machines/srv3/baby-yoda.png.compbin0 -> 7710 bytes
-rw-r--r--machines/srv3/cgit.nix101
-rw-r--r--machines/srv3/configuration.nix200
-rw-r--r--machines/srv3/coreruleset.nix21
-rw-r--r--machines/srv3/default.nix6
-rw-r--r--machines/srv3/hardware-configuration.nix39
-rw-r--r--machines/srv3/noip.nix17
-rw-r--r--machines/srv3/yggdrasil.nix12
10 files changed, 396 insertions, 0 deletions
diff --git a/machines/srv3/.configuration.nix.swp b/machines/srv3/.configuration.nix.swp
new file mode 100644
index 0000000..9555fb3
--- /dev/null
+++ b/machines/srv3/.configuration.nix.swp
Binary files differ
diff --git a/machines/srv3/baby-yoda.png b/machines/srv3/baby-yoda.png
new file mode 100644
index 0000000..42a200c
--- /dev/null
+++ b/machines/srv3/baby-yoda.png
Binary files differ
diff --git a/machines/srv3/baby-yoda.png.comp b/machines/srv3/baby-yoda.png.comp
new file mode 100644
index 0000000..26eb247
--- /dev/null
+++ b/machines/srv3/baby-yoda.png.comp
Binary files differ
diff --git a/machines/srv3/cgit.nix b/machines/srv3/cgit.nix
new file mode 100644
index 0000000..2e8ced3
--- /dev/null
+++ b/machines/srv3/cgit.nix
@@ -0,0 +1,101 @@
+{ pkgs, ...}:
+let
+  cgitHostname = "git.niedzwiedzinski.cyou";
+
+  mirror = pkgs.writeScriptBin "mirror" ''
+  #!/bin/sh
+
+  name=`echo "$1" | rev | cut -d'/' -f1 | rev`
+
+  cd /srv/git
+  sudo -u git ${pkgs.git}/bin/git clone --mirror $1 $name
+  sudo -u git /run/current-system/sw/bin/chmod -R g+w $name
+  '';
+
+  newrepo = pkgs.writeScriptBin "newrepo" ''
+  #!/bin/sh
+
+  [ -z $1 ] && echo "Pass repo name" && exit 1
+
+  sudo -u git git init --bare /srv/git/$1
+  sudo -u git /run/current-system/sw/bin/chmod -R g+w /srv/git/$1
+  '';
+
+in
+{
+  environment.systemPackages = [ newrepo mirror ];
+  systemd.services.git-fetch = {
+    script = ''
+      #!/bin/sh
+      cd /srv/git
+      for f in `find . -name HEAD`; do
+        cd ''${f%HEAD}
+        ${pkgs.git}/bin/git fetch
+        cd /srv/git
+      done
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "git";
+    };
+  };
+  systemd.timers.git-fetch = {
+    partOf = [ "git-fetch.service" ];
+    wantedBy = ["timers.target" ];
+    timerConfig = {
+      OnCalendar = "hourly";
+      Unit = "git-fetch.service";
+    };
+  };
+  services.nginx.virtualHosts."${cgitHostname}".locations."=/mylogo.png" = {
+     alias = "${./baby-yoda.png.comp}";
+   };
+  services.cgit.gitN = {
+    enable = true;
+    package = pkgs.cgit-pink;
+    scanPath = "/srv/git";
+    nginx.virtualHost = cgitHostname;
+    settings = {
+      about-filter = let formatScript = pkgs.writeScriptBin "about-format.sh" ''
+          #!/bin/sh
+          ${pkgs.coreutils}/bin/cat << EOF
+          <style>
+          .md blockquote {
+            background: #eee;
+            font-style: italic;
+            padding: 0 1em;
+          }
+          </style>
+          <div class="md">
+          EOF
+          ${pkgs.coreutils}/bin/cat /dev/stdin | ${pkgs.lowdown}/bin/lowdown
+          echo '</div>'
+        '';
+      in "${formatScript}/bin/about-format.sh";
+      cache-size = "1000";
+      root-title = cgitHostname;
+      root-desc = "Personal git server, because I can";
+      readme = ":README.md";
+      snapshots = "tar.gz zip";
+      clone-prefix = "https://${cgitHostname}";
+      section-from-path = "1";
+      logo = "/mylogo.png";
+    };
+  };
+
+  users = {
+    groups = { git = {}; };
+    users = {
+      git = {
+        isSystemUser = true;
+        group = "git";
+        description = "git user";
+        home = "/srv/git";
+        shell = "${pkgs.git}/bin/git-shell";
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqlCe4ovKa/Gwl5xmgu9nvVPmFXMgwdeLRYW7Gg7RWx pniedzwiedzinski19@gmail.com"
+        ];
+      };
+    };
+  };
+}
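Review bot: `newrepo` passes `$1` unvalidated into `git init --bare /srv/git/$1`, and `mirror` derives `$name` from the URL's last path component the same way, so a name containing `/` or `..` creates a repository outside `/srv/git` and an argument beginning with `-` is read by git as an option; a guard such as `case "$1" in ""|*/*|..*|-*) echo "Bad repo name"; exit 1;; esac` plus `--` before the positional arguments in both scripts would close this. The `[ -z $1 ]` test and the later `$1`/`$name` uses are unquoted, so an argument with whitespace breaks the commands rather than being rejected. `newrepo` invokes bare `git` through sudo while `mirror` uses `${pkgs.git}/bin/git`; using the pinned path in both keeps the scripts independent of the invoking PATH. The `git-fetch` loop splits the output of `find` on whitespace, which `find . -name HEAD -exec sh -c '...' \;` or a `while read -r f` loop would avoid.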
diff --git a/machines/srv3/configuration.nix b/machines/srv3/configuration.nix
new file mode 100644
index 0000000..f2ee31d
--- /dev/null
+++ b/machines/srv3/configuration.nix
@@ -0,0 +1,200 @@
+{ config, lib, pkgs, ... }:
+let
+  crs = pkgs.callPackage ./coreruleset.nix { };
+  
+  www = "/srv/www";
+
+in
+  {
+    imports =
+      [
+      ./hardware-configuration.nix
+      ./cgit.nix
+      ./noip.nix
+    ];
+
+    boot.loader.grub.enable = true;
+    boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+
+
+    networking = {
+      useDHCP = false;
+      interfaces.enp1s0 = {
+        useDHCP = true;
+        ipv4.addresses = [{
+          address = "192.168.1.136";
+          prefixLength = 24;
+        }];
+      };
+      hostName = "srv3";
+      extraHosts = ''
+      192.168.1.136 srv3.niedzwiedzinski.cyou git.niedzwiedzinski.cyou tmp.niedzwiedzinski.cyou zhr.niedzwiedzinski.cyou help.niedzwiedzinski.cyou niedzwiedzinski.cyou pics.niedzwiedzinski.cyou
+      192.168.1.144 srv2.niedzwiedzinski.cyou
+    '' + lib.readFile ( pkgs.fetchurl {
+      url = "https://raw.githubusercontent.com/StevenBlack/hosts/d2be343994aacdec74865ff8d159cf6e46359adf/alternates/fakenews-gambling-porn/hosts";
+      sha256 = "1la5rd0znc25q8yd1iwbx22zzqi6941vyzmgar32jx568j856s8j";
+      } );
+    };
+
+    services.dnsmasq = {
+      enable = true;
+      settings = {
+        server = [ "1.1.1.1" "8.8.8.8" ];
+        #address=/.srv1.niedzwiedzinski.cyou/192.168.1.136
+        address="/.srv2.niedzwiedzinski.cyou/192.168.1.144";
+      };
+    };
+
+    time.timeZone = "Europe/Warsaw";
+    i18n.defaultLocale = "en_US.UTF-8"; # Less confusing locale than polish one
+    console.keyMap = "pl";
+
+    nix.gc = {
+      automatic = true;
+      options = "--delete-older-than 30d";
+    };
+    nix.optimise.automatic = true;
+    system.autoUpgrade = {
+      enable = true;
+      allowReboot = true;
+    };
+
+  environment.systemPackages = with pkgs; [
+    curl wget htop git
+    vim lm_sensors
+  ];
+
+  services.openssh.enable = true;
+  services.openssh.settings.PasswordAuthentication = false;
+  services.sshguard = {
+    enable = true;
+    whitelist = [
+      "192.168.0.0/18"
+    ];
+  };
+
+  services.nginx.enable = true;
+  services.nginx.additionalModules = with pkgs.nginxModules; [ modsecurity ];
+  services.nginx.appendHttpConfig = ''
+    modsecurity on;
+    # modsecurity_rules '
+    #   SecRuleEngine On
+    #   Include ${crs}/crs-setup.conf;
+    #   Include ${crs}/rules/*.conf;
+    # ';
+    charset utf-8;
+    source_charset utf-8;
+  '';
+  services.nginx.virtualHosts = {
+    "srv3.niedzwiedzinski.cyou" = let
+      modsec_config = builtins.toFile "modsecurity_rules.conf" ''
+        SecRuleEngine On
+        SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
+      '';
+    in {
+      enableACME = true;
+      forceSSL = true;
+      extraConfig = ''
+        location ~ /*.md {
+	  types { } default_type "text/markdown; charset=utf-8";
+        }
+        modsecurity_rules_file ${modsec_config};
+      '';
+      root = "${www}/srv3.niedzwiedzinski.cyou";
+    };
+    "pics.srv3.niedzwiedzinski.cyou" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "${www}/pics.niedzwiedzinski.cyou";
+    };
+    "pics.niedzwiedzinski.cyou" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "${www}/pics.niedzwiedzinski.cyou";
+    };
+    "rss.srv3.niedzwiedzinski.cyou" = {
+      enableACME = true;
+      forceSSL = true;
+      extraConfig = ''
+        modsecurity_rules '
+          SecRuleEngine On
+          SecRule ARGS:u "@rx life[-_]*hack(s)?" "id:1234,deny,status:403"
+        ';
+      '';
+    };
+    "tmp.niedzwiedzinski.cyou" = {
+      enableACME = true;
+      addSSL = true;
+      root = "${www}/tmp.niedzwiedzinski.cyou";
+      extraConfig = ''
+        modsecurity_rules '
+          SecRuleEngine On
+          SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
+          Include ${crs}/crs-setup.conf
+          Include ${crs}/all-rules.conf
+        ';
+      '';
+    };
+    "niedzwiedzinski.cyou" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "${www}/niedzwiedzinski.cyou";
+    };
+    "zhr.niedzwiedzinski.cyou" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "${www}/zhr.niedzwiedzinski.cyou";
+      extraConfig = ''
+        location /rozkazy/ {
+          autoindex on;
+        }
+      '';
+    };
+    "help.niedzwiedzinski.cyou" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "${www}/niedzwiedzinski.cyou/help";
+    };
+  };
+  security.acme.defaults.email = "pniedzwiedzinski19@gmail.com";
+  security.acme.acceptTerms = true;
+
+  networking.firewall.allowedTCPPorts = [ 53 80 443 config.services.molly-brown.settings.Port ];
+  networking.firewall.allowedUDPPorts = [ 53 ];
+
+  services.molly-brown = {
+    hostName = "niedzwiedzinski.cyou";
+    enable = true;
+    certPath = "/var/lib/acme/niedzwiedzinski.cyou/cert.pem";
+    keyPath = "/var/lib/acme/niedzwiedzinski.cyou/key.pem";
+    docBase = "${www}/niedzwiedzinski.cyou";
+  };
+
+  systemd = {
+    services.molly-brown.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."niedzwiedzinski.cyou".group ];
+  };
+
+  services.rss-bridge = {
+    enable = true;
+    virtualHost = "rss.srv3.niedzwiedzinski.cyou";
+    whitelist = [
+      "Instagram"
+      "Soundcloud"
+      "Facebook"
+    ];
+  };
+
+  users = {
+    users = {
+      pn = {
+	description = "patryk";
+        isNormalUser = true;
+        extraGroups = [ "wheel" "git" ]; # Enable ‘sudo’ for the user.
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqlCe4ovKa/Gwl5xmgu9nvVPmFXMgwdeLRYW7Gg7RWx pniedzwiedzinski19@gmail.com"
+        ];
+      };
+    };
+  };
+}
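Review bot: Port 53 is opened for TCP and UDP in `networking.firewall` while the `services.dnsmasq.settings` block only lists upstream `server` entries and no `interface`/`bind-interfaces` restriction, so if this host is reachable from outside the LAN (the noip service suggests it may be) it acts as an open resolver usable for amplification; adding `interface = "enp1s0"; bind-interfaces = true;` to the dnsmasq settings, or dropping 53 from the allowed ports if only local clients need it, would limit that. The markdown location, `location ~ /*.md {`, is unanchored and its `.` is a wildcard, so it matches any URI containing an `md` sequence such as `/cmd`; `location ~ \.md$ {` looks like the intent. `tmp.niedzwiedzinski.cyou` uses `addSSL` where every other host uses `forceSSL`, so that host stays reachable over plain HTTP — a comment would help if this is deliberate. The `SecRule ARGS:testparam "@contains test"` rule appears to be a smoke test left in the production rule sets for two hosts. The commit also tracks `.configuration.nix.swp`, a vim swap file, which should be removed and ignored.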
diff --git a/machines/srv3/coreruleset.nix b/machines/srv3/coreruleset.nix
new file mode 100644
index 0000000..c52c898
--- /dev/null
+++ b/machines/srv3/coreruleset.nix
@@ -0,0 +1,21 @@
+{ stdenv, fetchFromGitHub }:
+stdenv.mkDerivation {
+  pname = "coreruleset";
+  version = "3.3.0";
+
+  src = fetchFromGitHub {
+    owner = "coreruleset";
+    repo = "coreruleset";
+    rev = "v3.3.0";
+    sha256 = "sha256:10z1051iwna5x8b8cl29frs5nx3s6ip7hc4mjkgh7vkck8ly4pjm";
+  };
+
+  installPhase = ''
+    mkdir $out
+    cp crs-setup.conf.example $out/crs-setup.conf
+    cp -r rules $out
+    for f in rules/*.conf; do
+      echo "Include \"$out/$f\"" >> $out/all-rules.conf
+    done
+  '';
+}
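Review bot: The derivation pins CRS `3.3.0`, the first release of the 3.3 line, and the later 3.3.x point releases carry rule and bypass fixes, so bumping `version`/`rev` (and the matching `sha256`) to a current 3.3.x is worth doing before `all-rules.conf` is relied on. `crs-setup.conf.example` is installed unmodified as `crs-setup.conf`, which means the paranoia level and anomaly thresholds are the upstream defaults; a header comment such as `# Installs upstream CRS with the example setup; tune crs-setup.conf via substitutions here` would make that visible to the next reader. `mkdir $out` is fine for a fresh output but `mkdir -p $out` is the conventional form.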
diff --git a/machines/srv3/default.nix b/machines/srv3/default.nix
new file mode 100644
index 0000000..cd4010f
--- /dev/null
+++ b/machines/srv3/default.nix
@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./configuration.nix
+  ];
+}
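Review bot: `./hardware-configuration.nix` is imported here and again inside `configuration.nix`, so one of the two entries is redundant; NixOS deduplicates path imports, but keeping the hardware import in a single place avoids confusion about which file owns it. `yggdrasil.nix`, also added by this commit, is imported by neither file, so its configuration is inert as committed.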
diff --git a/machines/srv3/hardware-configuration.nix b/machines/srv3/hardware-configuration.nix
new file mode 100644
index 0000000..ced039c
--- /dev/null
+++ b/machines/srv3/hardware-configuration.nix
@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/6be0c826-51c9-40dd-9210-6d79f329e6e6";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/B286-49E0";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/fb2864f9-5274-42ff-b34e-9b04a13d2576"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/machines/srv3/noip.nix b/machines/srv3/noip.nix
new file mode 100644
index 0000000..0ff7002
--- /dev/null
+++ b/machines/srv3/noip.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+  systemd = {
+    services.noip = {
+      enable = true;
+      wantedBy = [ "multi-user.target" ];
+      aliases = [ "noip2.service" ];
+      after = [ "network.target" "syslog.target" ];
+      serviceConfig = {
+        User = "root";
+        ExecStart = "${pkgs.noip}/bin/noip2 -c /etc/noip2.conf";
+        Restart = "always";
+        Type = "forking";
+      };
+    };
+  };
+}
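Review bot: The noip2 daemon runs as `User = "root"` with `Restart = "always"` although its job is outbound HTTP updates only; a dedicated user plus `NoNewPrivileges = true; ProtectSystem = "strict"; PrivateTmp = true;` in `serviceConfig` would confine it, unless the binary genuinely needs root for something not visible here. `/etc/noip2.conf` holds the account credentials but is not provisioned by this module, so a comment stating where it comes from and its expected permissions would help. `syslog.target` in `after` is, as far as I recall, a no-op on current systemd and can likely be dropped.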
diff --git a/machines/srv3/yggdrasil.nix b/machines/srv3/yggdrasil.nix
new file mode 100644
index 0000000..0d0291f
--- /dev/null
+++ b/machines/srv3/yggdrasil.nix
@@ -0,0 +1,12 @@
+{
+  services.yggdrasil = {
+    enable = true;
+    persistentKeys = true;
+    config = {
+      Peers = [
+        "tcp://51.75.44.73:50001"
+        "tcp://176.223.130.120:22632"
+      ];
+    };
+  };
+}
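Review bot: This module is not referenced from `default.nix` or `configuration.nix` in this commit, so the yggdrasil service it enables is never applied; either add `./yggdrasil.nix` to the imports or drop the file. If it is enabled, the two hard-coded `tcp://` peers deserve a comment naming their source and why they are trusted, since the node will route through them.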