nixos/nodes/knazarovcom/configuration.nix

{ config, pkgs, ... }:

{
  imports =
    [
      ./hardware-configuration.nix
    ];

  boot.loader.grub.enable = true;
  networking.hostName = "knazarovcom";
  boot.loader.grub.device = "/dev/vda";


  users.users.knazarov = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJkgpPDojl4RtsuFLIsHkH/19s3trYljdn/Jmbb3FCHNAAAABHNzaDo= knazarov@framework"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIO7W7yDKxAj9u1hu3zsZMJW+0HUnA/C/rkbuzkQantkaAAAABHNzaDo= knazarov@mira"];
  };

  environment.systemPackages = with pkgs; [
    vim
    sops
    goaccess
  ];

  services.openssh.enable = true;
  services.openssh.settings = {
    PermitRootLogin = "no";
    PasswordAuthentication = false;
  };

  security.pam.enableSSHAgentAuth = true;
  security.sudo.wheelNeedsPassword = false;
  nix.settings.trusted-users = [ "@wheel" ];

  services.nginx = {
    enable = true;
    commonHttpConfig = ''
      map $http_user_agent $limit_bots {
        default 0;
        ~*(AhrefsBot|PetalBot|bingbot|gptbot|ZoominfoBot|BLEXBot|Bytespider) 1;
        ~*(DecompilationBot|Amazonbot|Barkrowler|SeznamBot|SemrushBot) 1;
        ~*(MJ12bot) 1;
      }
    '';
    virtualHosts = {
      "knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        root = "${pkgs.knazarovcom}/srv/knazarov.com";

        locations."/.well-known/matrix/server" = {
          extraConfig = ''
            default_type application/json;
            return 200 '{ "m.server": "matrix.knazarov.com:443" }';
          '';
        };
        locations."/.well-known/matrix/client" = {
          extraConfig = ''
            default_type application/json;
            return 200 '{ "m.homeserver": { "base_url": "https://matrix.knazarov.com" } }';
            add_header "Access-Control-Allow-Origin" *;
          '';
        };
        locations."/" = {
          extraConfig = ''
            if ($limit_bots = 1) {
              return 403;
            }
          '';
        };
      };
      "vmatveeva.com" = {
        enableACME = true;
        forceSSL = true;
        root = "${pkgs.vmatveevacom}/srv/vmatveeva.com";
        locations."/" = {
          extraConfig = ''
            if ($limit_bots = 1) {
              return 403;
            }
          '';
        };
      };
      "matrix.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/_matrix" = {
          proxyPass = "http://127.0.0.1:8008";
        };
      };
    };
  };
  security.acme.acceptTerms = true;
  security.acme.certs = {
    "knazarov.com".email = "mail@knazarov.com";
    "vmatveeva.com".email = "mail@knazarov.com";
    "matrix.knazarov.com".email = "mail@knazarov.com";
  };

  services.dendrite = {
    enable = true;
    environmentFile = config.sops.secrets.matrix_registration_secret.path;
    settings = {
      global = {
        server_name = "knazarov.com";
        private_key = config.sops.secrets.matrix_key.path;
        jetstream = {
          storage_path = "/var/lib/dendrite/nats";
        };
      };
      client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
    };
  };

  systemd.services.dendrite = {
    serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];
  };

  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets = {
    example_key = {};
    matrix_key = {
      mode = "0440";
      group = config.users.groups.keys.name;
    };
    matrix_registration_secret = {
      mode = "0440";
      group = config.users.groups.keys.name;
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
  # networking.firewall.allowedUDPPorts = [ ... ];

  system.stateVersion = "23.05";
}
Initial release of my NixOS configuration 2023-07-30 16:18:49 +00:00			`{ config, pkgs, ... }:`

			`{`
			`imports =`
			`[`
			`./hardware-configuration.nix`
			`];`

			`boot.loader.grub.enable = true;`
			`networking.hostName = "knazarovcom";`
			`boot.loader.grub.device = "/dev/vda";`


			`users.users.knazarov = {`
			`isNormalUser = true;`
			`extraGroups = [ "wheel" ];`
			`openssh.authorizedKeys.keys = [`
			`"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJkgpPDojl4RtsuFLIsHkH/19s3trYljdn/Jmbb3FCHNAAAABHNzaDo= knazarov@framework"`
			`"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIO7W7yDKxAj9u1hu3zsZMJW+0HUnA/C/rkbuzkQantkaAAAABHNzaDo= knazarov@mira"];`
			`};`

			`environment.systemPackages = with pkgs; [`
			`vim`
			`sops`
			`goaccess`
			`];`

			`services.openssh.enable = true;`
			`services.openssh.settings = {`
			`PermitRootLogin = "no";`
			`PasswordAuthentication = false;`
			`};`

			`security.pam.enableSSHAgentAuth = true;`
			`security.sudo.wheelNeedsPassword = false;`
			`nix.settings.trusted-users = [ "@wheel" ];`

			`services.nginx = {`
			`enable = true;`
Block some of the bots on my website 2023-08-15 16:07:16 +00:00			`commonHttpConfig = ''`
			`map $http_user_agent $limit_bots {`
			`default 0;`
			`~*(AhrefsBot\|PetalBot\|bingbot\|gptbot\|ZoominfoBot\|BLEXBot\|Bytespider) 1;`
Tune PipeWire settings, and block some of the bots on my site 2023-08-17 17:33:56 +00:00			`~*(DecompilationBot\|Amazonbot\|Barkrowler\|SeznamBot\|SemrushBot) 1;`
			`~*(MJ12bot) 1;`
Block some of the bots on my website 2023-08-15 16:07:16 +00:00			`}`
			`'';`
Initial release of my NixOS configuration 2023-07-30 16:18:49 +00:00			`virtualHosts = {`
			`"knazarov.com" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`root = "${pkgs.knazarovcom}/srv/knazarov.com";`

			`locations."/.well-known/matrix/server" = {`
			`extraConfig = ''`
			`default_type application/json;`
			`return 200 '{ "m.server": "matrix.knazarov.com:443" }';`
			`'';`
			`};`
			`locations."/.well-known/matrix/client" = {`
			`extraConfig = ''`
			`default_type application/json;`
			`return 200 '{ "m.homeserver": { "base_url": "https://matrix.knazarov.com" } }';`
			`add_header "Access-Control-Allow-Origin" *;`
			`'';`
			`};`
Block some of the bots on my website 2023-08-15 16:07:16 +00:00			`locations."/" = {`
			`extraConfig = ''`
			`if ($limit_bots = 1) {`
			`return 403;`
			`}`
			`'';`
			`};`
Initial release of my NixOS configuration 2023-07-30 16:18:49 +00:00			`};`
			`"vmatveeva.com" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`root = "${pkgs.vmatveevacom}/srv/vmatveeva.com";`
Block some of the bots on my website 2023-08-15 16:07:16 +00:00			`locations."/" = {`
			`extraConfig = ''`
			`if ($limit_bots = 1) {`
			`return 403;`
			`}`
			`'';`
			`};`
Initial release of my NixOS configuration 2023-07-30 16:18:49 +00:00			`};`
			`"matrix.knazarov.com" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`locations."/_matrix" = {`
			`proxyPass = "http://127.0.0.1:8008";`
			`};`
			`};`
			`};`
			`};`
			`security.acme.acceptTerms = true;`
			`security.acme.certs = {`
			`"knazarov.com".email = "mail@knazarov.com";`
			`"vmatveeva.com".email = "mail@knazarov.com";`
			`"matrix.knazarov.com".email = "mail@knazarov.com";`
			`};`

			`services.dendrite = {`
			`enable = true;`
			`environmentFile = config.sops.secrets.matrix_registration_secret.path;`
			`settings = {`
			`global = {`
			`server_name = "knazarov.com";`
			`private_key = config.sops.secrets.matrix_key.path;`
			`jetstream = {`
			`storage_path = "/var/lib/dendrite/nats";`
			`};`
			`};`
			`client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET";`
			`};`
			`};`

			`systemd.services.dendrite = {`
			`serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];`
			`};`

			`sops.defaultSopsFile = ./secrets.yaml;`
			`sops.secrets = {`
			`example_key = {};`
			`matrix_key = {`
			`mode = "0440";`
			`group = config.users.groups.keys.name;`
			`};`
			`matrix_registration_secret = {`
			`mode = "0440";`
			`group = config.users.groups.keys.name;`
			`};`
			`};`

			`networking.firewall.allowedTCPPorts = [ 80 443 ];`
			`# networking.firewall.allowedUDPPorts = [ ... ];`

			`system.stateVersion = "23.05";`
			`}`