From 4dca4b43b5c86c67bf4073dcf5a59e86e67f7b31 Mon Sep 17 00:00:00 2001
From: emily
Date: Tue, 28 Nov 2023 08:19:49 +0100
Subject: [PATCH] first commit uwu
---
 README.md | 0
 config/networking.nix | 33 ++++++++++++++++++++
 config/nginx.nix | 71 +++++++++++++++++++++++++++++++++++++++++++
 config/openssh.nix | 57 ++++++++++++++++++++++++++++++++++
 configuration.nix | 31 +++++++++++++++++++
 5 files changed, 192 insertions(+)
 create mode 100644 README.md
 create mode 100644 config/networking.nix
 create mode 100644 config/nginx.nix
 create mode 100644 config/openssh.nix
 create mode 100644 configuration.nix
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/config/networking.nix b/config/networking.nix
new file mode 100644
index 0000000..30f4f2d
--- /dev/null
+++ b/config/networking.nix
@@ -0,0 +1,33 @@
+{ config, ... }: {
+ networking = {
+ hostName = "web02";
+ domain = "kyouma.net";
+ useHostResolvConf = false;
+ dhcpcd.enable = false;
+ firewall.allowedTCPPorts = [ 80 443 ];
+ firewall.allowedUDPPorts = [ 80 443 ];
+ };
+ systemd.network.enable = true;
+
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ extraConfig = ''
+ DNS = [2a0f:be01::1]
+ '';
+ };
+
+ systemd.network.networks."98-eth0" = {
+ matchConfig.Name = "eth0";
+ networkConfig = {
+ DHCP = "ipv4";
+ IPv6AcceptRA = false;
+ };
+ address = [
+ "2a0f:be01:0:100::1312/128"
+ ];
+ routes = [
+ { routeConfig.Gateway = "fe80::1"; }
+ ];
+ };
+}
diff --git a/config/nginx.nix b/config/nginx.nix
new file mode 100644
index 0000000..aa69795
--- /dev/null
+++ b/config/nginx.nix
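Review bot: The resolver is configured through `extraConfig` with `DNS = [2a0f:be01::1]`, but nothing sets `FallbackDNS=`, so when that single server is unreachable systemd-resolved uses its compiled-in list of public resolvers and queries leave the network this host was meant to stay on; add `FallbackDNS=` to the same block (an empty value should disable the fallback list) or pick fallbacks you control. The bracketed address without a port is an unusual spelling for resolved.conf and is easier to get right as `networking.nameservers = [ "2a0f:be01::1" ];`, which the resolved module renders into `DNS=` itself. `firewall.allowedUDPPorts = [ 80 443 ];` also opens UDP/80, which nothing in this commit listens on (QUIC only needs UDP/443); `firewall.allowedUDPPorts = [ 443 ];` keeps the exposure to what nginx actually uses.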
@@ -0,0 +1,71 @@
+{ pkgs, lib, ... }:
+let
+ extraConfig = ''
+ add_header Strict-Transport-Security $hsts_header;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "same-origin" always;
+ '';
+ virtHostCfg = {
+ forceSSL = true;
+ http3 = true;
+ quic = true;
+ };
+ mkRedirect = domain: virtHostCfg // {
+ useACMEHost = domain;
+ globalRedirect = domain;
+ inherit extraConfig;
+ };
+ mkHost = webroot: virtHostCfg // {
+ enableACME = true;
+ root = webroot;
+ inherit extraConfig;
+ };
+in {
+ services.nginx = {
+ package = pkgs.nginxQuic;
+ enable = true;
+
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ sslProtocols = "TLSv1.3";
+ clientMaxBodySize = "0";
+
+ appendHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ ${extraConfig}
+ '';
+
+ virtualHosts."redirect" = virtHostCfg // {
+ serverName = null;
+ default = true;
+ reuseport = true;
+ useACMEHost = "miau.zip";
+ extraConfig = ''
+ return 403;
+ ${extraConfig}
+ '';
+ };
+
+ virtualHosts = {
+ "miau.zip" = (mkHost "/var/www/kyouma.net");
+ "www.miau.zip" = (mkRedirect "miau.zip");
+ };
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ keyType = "ec384";
+ email = "noc@kyouma.net";
+ };
+ certs."miau.zip" = {
+ extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ];
+ };
+ };
+}
diff --git a/config/openssh.nix b/config/openssh.nix
new file mode 100644
index 0000000..5f0debc
--- /dev/null
+++ b/config/openssh.nix
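Review bot: `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` has no effect next to `sslProtocols = "TLSv1.3";`: nginx's `ssl_ciphers` only selects TLS 1.2-and-below cipher suites, while TLS 1.3 suites come from OpenSSL's separate `Ciphersuites` setting, so the line is dead configuration implying a restriction that is not in force; drop it (`recommendedTlsSettings = true` already sets a cipher policy) or set the TLS 1.3 suites via `ssl_conf_command Ciphersuites ...` in `extraConfig`. `clientMaxBodySize = "0";` removes nginx's request-body limit on a server that only serves a static webroot, a redirect and a 403 catch-all, so any client can stream arbitrarily large bodies at it; a small explicit limit such as `clientMaxBodySize = "1m";` matches what these vhosts do. `add_header X-XSS-Protection "1; mode=block" always;` enables a filter current browsers no longer implement and that historically introduced its own issues, so the usual guidance is `"0"` or omitting it, with the commented-out Content-Security-Policy being the real replacement. The webroot `/var/www/kyouma.net` serving `miau.zip` reads like a carry-over from another host; a one-line comment saying the naming is intentional would save the next reader a check.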
@@ -0,0 +1,57 @@
+{ lib, ...}:
+
+with lib;
+let
+ ciphers = [
+ "chacha20-poly1305@openssh.com"
+ "aes256-gcm@openssh.com"
+ "aes128-gcm@openssh.com"
+ ];
+
+ sigAlgorithms = [
+ "ssh-ed25519-cert-v01@openssh.com"
+ "ssh-ed25519"
+ ];
+
+ kexAlgorithms = [
+ "sntrup761x25519-sha512@openssh.com"
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ ];
+
+ macs = [
+ "umac-128-etm@openssh.com"
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ ];
+in {
+ programs.ssh = {
+ inherit ciphers kexAlgorithms macs;
+ hostKeyAlgorithms = sigAlgorithms;
+ pubkeyAcceptedKeyTypes = sigAlgorithms;
+ };
+
+ services.openssh = {
+ hostKeys = mkDefault [
+ { type = "ed25519"; path = "/etc/keys/ssh_host_ed25519_key"; }
+ ];
+
+ settings = {
+ PermitRootLogin = "prohibit-password";
+
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ AuthenticationMethods = "publickey";
+
+ Ciphers = ciphers;
+ Macs = macs;
+
+ KexAlgorithms = kexAlgorithms;
+ HostKeyAlgorithms = concatStringsSep "," sigAlgorithms;
+ PubkeyAcceptedAlgorithms = concatStringsSep "," sigAlgorithms;
+
+ # Remove stale Unix sockets when forwarding
+ StreamLocalBindUnlink = true;
+ };
+ };
+}
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..8bc1e2f
--- /dev/null
+++ b/configuration.nix
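Review bot: `PermitRootLogin = "prohibit-password";` combined with the two keys authorised for root in configuration.nix leaves every session attributed to the same account, so the audit trail depends entirely on sshd logging key fingerprints; adding `LogLevel = "VERBOSE";` to `settings` is the conventional hardening step that makes sshd record the fingerprint for each authentication attempt, which is what lets you tell the two keys apart or notice a revoked key still being tried. A dedicated admin user with sudo instead of direct root logins would give that attribution for free, but that is a design choice rather than a defect here. `HostKeyAlgorithms = concatStringsSep "," sigAlgorithms;` and the `PubkeyAcceptedAlgorithms` line hand-join the list while `Ciphers`, `Macs` and `KexAlgorithms` pass lists straight through; the NixOS `settings` type appears to join lists for any key, in which case `HostKeyAlgorithms = sigAlgorithms;` keeps the block consistent, and the file-scope `with lib;` could then become a single `lib.mkDefault`.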
@@ -0,0 +1,31 @@
+{ config, pkgs, lib, modulesPath, ... }:
+
+with lib; {
+ imports = [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ ./config/networking.nix
+ ./config/nginx.nix
+ ./config/openssh.nix
+ ];
+ proxmoxLXC = {
+ manageNetwork = true;
+ manageHostName = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ vim
+ ];
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCQN+h27GP95p6+1wH8E5Tq5h1Ua/PUW4Xd8JPAo0Wy root@web01"
+ ];
+
+ time.timeZone = mkDefault "CET";
+
+ system.autoUpgrade.enable = true;
+ system.stateVersion = "23.05";
+ nix.optimise.automatic = true;
+ nix.gc.automatic = true;
+ nix.gc.options = "--delete-older-than 2d";
+}
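Review bot: `nix.gc.options = "--delete-older-than 2d";` next to `system.autoUpgrade.enable = true;` removes every system generation older than two days apart from the one active at that cut-off, so a few days after an unattended upgrade the pre-upgrade generation is gone and a bad upgrade that is only noticed later has nothing known-good to roll back to; a wider window such as `nix.gc.options = "--delete-older-than 14d";` keeps the recovery path. `system.autoUpgrade` with no pinned source (`flake` or a pinned `channel`) also installs whatever the channel currently resolves to, so the host changes without anyone reviewing the diff; upgrading from a reviewed lock is the usual supply-chain answer. `time.timeZone = mkDefault "CET";` is a legacy tzdata alias; for a server whose logs are correlated with other hosts, `"UTC"` or a region zone such as `"Europe/Berlin"` is less ambiguous. The file-scope `with lib; {` is a style NixOS itself is moving away from, and `mkDefault` is the only lib name used here, so `lib.mkDefault` would do.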