diff --git a/config/networking.nix b/config/common/networking.nix similarity index 64% rename from config/networking.nix rename to config/common/networking.nix index 30f4f2d..4e49eaa 100644 --- a/config/networking.nix +++ b/config/common/networking.nix @@ -1,11 +1,8 @@ { config, ... }: { networking = { - hostName = "web02"; domain = "kyouma.net"; useHostResolvConf = false; dhcpcd.enable = false; - firewall.allowedTCPPorts = [ 80 443 ]; - firewall.allowedUDPPorts = [ 80 443 ]; }; systemd.network.enable = true; @@ -17,15 +14,13 @@ ''; }; - systemd.network.networks."98-eth0" = { - matchConfig.Name = "eth0"; + systemd.network.networks."98-eth-default" = { + matchConfig.Tyoe = "ether"; + matchConfig.Name = "e*"; networkConfig = { DHCP = "ipv4"; IPv6AcceptRA = false; }; - address = [ - "2a0f:be01:0:100::1312/128" - ]; routes = [ { routeConfig.Gateway = "fe80::1"; } ]; diff --git a/config/openssh.nix b/config/common/openssh.nix similarity index 100% rename from config/openssh.nix rename to config/common/openssh.nix diff --git a/config/hosts/web02/configuration.nix b/config/hosts/web02/configuration.nix new file mode 100644 index 0000000..8709556 --- /dev/null +++ b/config/hosts/web02/configuration.nix @@ -0,0 +1,152 @@ +{ pkgs, lib, ... }: +let + extraConfig = '' + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Referrer-Policy "same-origin" always; + ''; + virtHostCfg = { + forceSSL = true; + http3 = true; + quic = true; + }; + createHost = builtins.mapAttrs (vhostName: vhostCfg: + with lib; let + mkRedirect = if builtins.hasAttr "redirectTo" vhostCfg + then { + useACMEHost = vhostCfg.redirectTo; + globalRedirect = vhostCfg.redirectTo; + } else ( + optionalAttrs !(builtins.hasAttr "useACMEHost" vhostCfg) { + enableACME = true; + }); + extraCfg = if builtins.hasAttr "extraConfig" vhostCfg + then { extraConfig = ''${vhostCfg.extraConfig} ${extraConfig}''; } + else { inherit extraConfig; }; + in + virtHostCfg // mkRedirect // extraCfg // + (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]) + ); +in { + networking = { + hostName = "web02"; + firewall.allowedTCPPort = [ 80 443 ]; + firewall.allowedUDPPort = [ 443 ]; + }; + systemd.network.networks."98-eth-default" = { + address = [ + "2a0f:be01:0:100::1312/128" + ]; + }; + users.users."lg" = { + isSystemUser = true; + createHome = true; + home = "/var/www/lg.kyouma.net"; + group = "lg"; + }; + users.groups."lg" = {}; + services.phpfpm.pools."lg" = { + user = "lg"; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "stderr"; + "php_admin_flag[log_errors]" = true; + "catch_workers_output" = true; + }; + phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; + }; + services.nginx = { + package = pkgs.nginxQuic; + enable = true; + + recommendedOptimisation = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + sslProtocols = "TLSv1.3"; + clientMaxBodySize = "0"; + + appendHttpConfig = '' + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + ${extraConfig} + ''; + + virtualHosts = createHost { + "miau.zip" = { root = "/var/www/kyouma.net"; }; + "www.miau.zip" = { redirectTo = "miau.zip"; }; + "kyouma.net" = { root = "/var/www/kyouma.net"; }; + "www.kyouma.net" = { redirectTo = "kyouma.net"; }; + "emily.cat" = { root = "/var/www/emily.cat/_site"; }; + "www.emily.cat" = { redirectTo = "kyouma.net"; }; + "www.cocaine.trade" = { redirectTo = "cocaine.trade"; }; + + "redirect" = { + default = true; + reuseport = true; + useACMEHost = "kyouma.net"; + extraConfig = '' + return 403; + ''; + }; + "cocaine.trade" = { + root = "/var/www/cocaine.trade"; + extraConfig = ''error_page 404 /404.html;''; + locations."/" = { + index = "index.html"; + tryFiles = "$uri $uri.html =404"; + }; + locations."= /".extraConfig = ''rewrite ^ /index.html last;''; + }; + "files.cocaine.trade" = { + useACMEHost = "cocaine.trade"; + root = "/mnt/basti/files.cocaine.trade"; + locations."/".extraConfig = '' + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + ''; + }; + "lg.kyouma.net" = { + root = "/var/www/lg.kyouma.net"; + useACMEHost = "kyouma.net"; + locations."/".tryFiles = "$uri /$uri /index.php$is_args$args"; + locations."~ \\.php$".extraConfig = '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools.lg.socket}; + fastcgi_index index.php; + fastcgi_buffering on; + fastcgi_buffer_size 1k; + fastcgi_buffers 128 1k; + include ${pkgs.nginxQuic}/conf/fastcgi_params; + include ${pkgs.nginxQuic}/conf/fastcgi.conf; + ''; + }; + }; + }; + }; + security.acme = { + acceptTerms = true; + defaults = { + keyType = "ec384"; + email = "noc@kyouma.net"; + }; + certs = { + "miau.zip" = { extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ]; }; + "kyouma.net" = { extraDomainNames = [ "www.kyouma.net" "lg.kyouma.net" ]; }; + "emily.cat" = { extraDomainNames = [ "www.emily.cat" ]; }; + "cocaine.trade" = { extraDomainNames = [ "www.cocaine.trade" "files.cocaine.trade" ]; }; + }; + }; +} diff --git a/config/lxc.nix b/config/lxc.nix new file mode 100644 index 0000000..269f092 --- /dev/null +++ b/config/lxc.nix @@ -0,0 +1,19 @@ +{ config, pkgs, lib, modulesPath, ... }: + +with lib; { + imports = [ + (modulesPath + "/virtualisation/proxmox-lxc.nix") + ]; + proxmoxLXC = { + manageNetwork = true; + manageHostName = true; + }; + + time.timeZone = mkDefault "Europe/Berlin"; + + system.autoUpgrade.enable = true; + system.stateVersion = "23.05"; + nix.optimise.automatic = true; + nix.gc.automatic = true; + nix.gc.options = "--delete-older-than 2d"; +} diff --git a/config/nginx.nix b/config/nginx.nix deleted file mode 100644 index aa69795..0000000 --- a/config/nginx.nix +++ /dev/null @@ -1,71 +0,0 @@ -{ pkgs, lib, ... }: -let - extraConfig = '' - add_header Strict-Transport-Security $hsts_header; - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header Referrer-Policy "same-origin" always; - ''; - virtHostCfg = { - forceSSL = true; - http3 = true; - quic = true; - }; - mkRedirect = domain: virtHostCfg // { - useACMEHost = domain; - globalRedirect = domain; - inherit extraConfig; - }; - mkHost = webroot: virtHostCfg // { - enableACME = true; - root = webroot; - inherit extraConfig; - }; -in { - services.nginx = { - package = pkgs.nginxQuic; - enable = true; - - recommendedOptimisation = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; - sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - sslProtocols = "TLSv1.3"; - clientMaxBodySize = "0"; - - appendHttpConfig = '' - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - ${extraConfig} - ''; - - virtualHosts."redirect" = virtHostCfg // { - serverName = null; - default = true; - reuseport = true; - useACMEHost = "miau.zip"; - extraConfig = '' - return 403; - ${extraConfig} - ''; - }; - - virtualHosts = { - "miau.zip" = (mkHost "/var/www/kyouma.net"); - "www.miau.zip" = (mkRedirect "miau.zip"); - }; - }; - security.acme = { - acceptTerms = true; - defaults = { - keyType = "ec384"; - email = "noc@kyouma.net"; - }; - certs."miau.zip" = { - extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ]; - }; - }; -} diff --git a/configuration.nix b/configuration.nix index 8bc1e2f..c1184d2 100644 --- a/configuration.nix +++ b/configuration.nix @@ -2,15 +2,10 @@ with lib; { imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ./config/networking.nix - ./config/nginx.nix - ./config/openssh.nix + ./config/common/networking.nix + ./config/common/openssh.nix + ./config/hosts/web02/configuration.nix ]; - proxmoxLXC = { - manageNetwork = true; - manageHostName = true; - }; environment.systemPackages = with pkgs; [ vim @@ -18,14 +13,5 @@ with lib; { users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCQN+h27GP95p6+1wH8E5Tq5h1Ua/PUW4Xd8JPAo0Wy root@web01" ]; - - time.timeZone = mkDefault "CET"; - - system.autoUpgrade.enable = true; - system.stateVersion = "23.05"; - nix.optimise.automatic = true; - nix.gc.automatic = true; - nix.gc.options = "--delete-older-than 2d"; } diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..c94fed5 --- /dev/null +++ b/flake.nix @@ -0,0 +1,11 @@ +{ + description = "nixfiles"; + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixos-hardware.url = "github:nixos/nixos-hardware"; + }; + + outputs = { self, nixpkgs, nixos-hardware, ... }@attrs: { + + }; +} diff --git a/test.nix b/test.nix new file mode 100644 index 0000000..a402fc6 --- /dev/null +++ b/test.nix @@ -0,0 +1,48 @@ +let + extraConfig = '' + add_header Referrer-Policy "same-origin" always; + ''; + func = builtins.mapAttrs (vhostName: vhostCfg: + let + def = { + forceSSL = true; + http3 = true; + quic = true; + }; + conf = if builtins.hasAttr "redirectTo" vhostCfg + then { + useACMEHost = vhostCfg.redirectTo; + globalRedirect = vhostCfg.redirectTo; + } + else if builtins.hasAttr "ACMEHost" vhostCfg + then { + useACMEHost = vhostCfg.ACMEHost; + root = vhostCfg.webroot; + } + else { + enableACME = true; + root = vhostCfg.webroot; + }; + otherCfg = (builtins.removeAttrs vhostCfg [ "redirectTo" "ACMEHost" "webroot" "extraConfig" ] // ( + if builtins.hasAttr "extraConfig" vhostCfg + then { extraConfig = ''${vhostCfg.extraConfig} ${extraConfig}''; } + else { inherit extraConfig; } + )); + in + conf // def // otherCfg + ); +in { + test = func { + "www.miau.zip" = { + redirectTo = "miau.zip"; + }; + "miau.zip" = { + ACMEHost = "miau.zip"; + webroot = "/skgj"; + locations."/".extraConfig = "fsfs"; + extraConfig = '' + skfdsjf + ''; + }; + }; +}