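{ config, pkgs, ... }:

# NixOS host configuration for "knazarovcom".
#
# Services on this box: nginx (static sites, Matrix .well-known, reverse
# proxies), Forgejo, Dendrite + coturn (Matrix homeserver and TURN relay),
# headscale. Secrets come from sops-nix (./secrets.yaml).
#
# Everything that is not nginx listens on 127.0.0.1 only; the firewall
# exposes 80/443 (nginx) and the coturn ports/relay range.
{
  imports = [ ./hardware-configuration.nix ];

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

  networking.hostName = "knazarovcom";

  # Single admin account. Only hardware-backed keys (sk-ssh-ed25519, i.e.
  # FIDO security keys) are listed, so an SSH login needs the key handle
  # *and* a touch on the physical token.
  users.users.knazarov = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJkgpPDojl4RtsuFLIsHkH/19s3trYljdn/Jmbb3FCHNAAAABHNzaDo= knazarov@framework"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIO7W7yDKxAj9u1hu3zsZMJW+0HUnA/C/rkbuzkQantkaAAAABHNzaDo= knazarov@mira"
    ];
  };

  environment.systemPackages = with pkgs; [ vim sops goaccess ];

  services.openssh.enable = true;
  services.openssh.settings = {
    PermitRootLogin = "no";
    PasswordAuthentication = false;
    # PasswordAuthentication=no does not cover keyboard-interactive (PAM)
    # authentication, which NixOS leaves enabled by default. Turn it off so
    # public keys are the only accepted method.
    KbdInteractiveAuthentication = false;
  };

  # Let PAM (and therefore sudo) authenticate against a forwarded SSH agent.
  # security.pam.enableSSHAgentAuth is the deprecated alias of this option,
  # so it is not set a second time here.
  security.pam.sshAgentAuth.enable = true;

  # NOTE(review): with this false, sudo never prompts for wheel members, so
  # the SSH-agent PAM auth above is never consulted and any shell as
  # knazarov is root. Kept as-is because remote deploys may depend on it;
  # the hardware-backed SSH keys above are the compensating control.
  security.sudo.wheelNeedsPassword = false;

  # Trusted nix users can hand the daemon arbitrary substituters and store
  # paths, which is root-equivalent — consistent with passwordless sudo.
  nix.settings.trusted-users = [ "@wheel" ];

  # The turn.knazarov.com ACME certificate is group-owned by turnserver (see
  # security.acme.certs below); nginx is added to that group, presumably so
  # it can read that certificate. Because of this, anything else group-owned
  # by turnserver is readable by nginx too — the coturn auth secret below is
  # therefore made owner-only.
  users.users.nginx.extraGroups = [ "turnserver" ];

  # Good list of bots: https://www.sci.news/robots.txt
  services.nginx = {
    enable = true;

    # Global upload limit (1 GiB). It applies to every vhost, including the
    # static sites; it is what bounds Matrix media uploads through the
    # matrix.knazarov.com proxy.
    clientMaxBodySize = "1024m";

    # $limit_bots is 1 for crawlers we refuse to serve (matched case-
    # insensitively against User-Agent) and 0 otherwise.
    commonHttpConfig = ''
      map $http_user_agent $limit_bots {
        default 0;
        ~*(AhrefsBot|PetalBot|bingbot|gptbot|ZoominfoBot|BLEXBot|Bytespider) 1;
        ~*(DecompilationBot|Amazonbot|Barkrowler|SeznamBot|SemrushBot) 1;
        ~*(MJ12bot|IonCrawl|webprosbot|Sogou|paloaltonetworks|CensysInspect) 1;
        ~*(DotBot|ev-crawler|InternetMeasurement|CheckMarkNetwork|panscient) 1;
        ~*(gdnplus|PunkMap|pdrlabs|SurdotlyBot|researchscan|serpstatbot) 1;
        ~*(MegaIndex|DongleEmulatorBot|TinyTestBot|meta-externalagent) 1;
      }
    '';

    virtualHosts = {
      "www.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        globalRedirect = "knazarov.com";
      };

      "knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        root = "${pkgs.knazarovcom}/srv/knazarov.com";

        # Matrix server delegation: federation traffic for knazarov.com goes
        # to matrix.knazarov.com:443 (proxied to Dendrite below).
        locations."/.well-known/matrix/server" = {
          extraConfig = ''
            default_type application/json;
            return 200 '{ "m.server": "matrix.knazarov.com:443" }';
          '';
        };

        # Client discovery; CORS wildcard is required by the spec so web
        # clients on other origins can read it. The document is public and
        # static, so the wildcard is harmless.
        locations."/.well-known/matrix/client" = {
          extraConfig = ''
            default_type application/json;
            return 200 '{ "m.homeserver": { "base_url": "https://matrix.knazarov.com" }, "org.matrix.msc3575.proxy": { "url": "https://syncv3.knazarov.com" } }';
            add_header "Access-Control-Allow-Origin" *;
          '';
        };

        # `return` inside `if` is one of the safe uses of nginx's if.
        locations."/" = {
          extraConfig = ''
            if ($limit_bots = 1) {
              return 403;
            }
          '';
        };
      };

      "vmatveeva.com" = {
        enableACME = true;
        forceSSL = true;
        root = "${pkgs.vmatveevacom}/srv/vmatveeva.com";
        locations."/" = {
          extraConfig = ''
            if ($limit_bots = 1) {
              return 403;
            }
          '';
        };
      };

      # Only the Matrix API namespace is exposed; Dendrite itself is bound
      # to loopback.
      "matrix.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/_matrix" = { proxyPass = "http://127.0.0.1:8008"; };
      };

      # Sliding-sync proxy (MSC3575), also loopback-only.
      "syncv3.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/_matrix/client/unstable/org.matrix.msc3575/sync" = {
          proxyPass = "http://127.0.0.1:8009";
          extraConfig = ''
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;
          '';
        };

        locations."/client/" = {
          proxyPass = "http://127.0.0.1:8009";
          extraConfig = ''
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;
          '';
        };
      };

      "git.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = { proxyPass = "http://127.0.0.1:3000"; };
      };

      # HTTP-only vhost that exists so the ACME challenge for the coturn
      # certificate can be answered; coturn, not nginx, serves TLS on it.
      "turn.knazarov.com" = { enableACME = true; };

      # headscale needs websocket upgrades; $connection_upgrade comes from the
      # map the NixOS nginx module defines in the http block. HSTS is only
      # sent on this vhost — consider the same header on the other forceSSL
      # vhosts.
      "headscale.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8080";
          extraConfig = ''
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $server_name;
            proxy_buffering off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
          '';
        };
      };
    };
  };

  security.acme.acceptTerms = true;
  security.acme.certs = {
    "www.knazarov.com".email = "mail@knazarov.com";
    "knazarov.com".email = "mail@knazarov.com";
    "vmatveeva.com".email = "mail@knazarov.com";
    "matrix.knazarov.com".email = "mail@knazarov.com";
    "syncv3.knazarov.com".email = "mail@knazarov.com";
    "git.knazarov.com".email = "mail@knazarov.com";
    "turn.knazarov.com" = {
      email = "mail@knazarov.com";
      # coturn does not reload certificates on its own.
      postRun = "systemctl restart coturn.service";
      # Group-own the cert so the turnserver user can read it.
      group = "turnserver";
    };
    "headscale.knazarov.com".email = "mail@knazarov.com";
  };

  services.forgejo = {
    enable = true;
    package = pkgs.forgejo;
    settings = {
      # No self-service sign-up; accounts are created by the admin.
      service = { DISABLE_REGISTRATION = true; };
      server = {
        ROOT_URL = "https://git.knazarov.com/";
        LANDING_PAGE = "explore";
      };
      federation = {
        ENABLED = "true";
      };
    };
  };

  services.dendrite = {
    enable = true;
    # The $VAR placeholders below are expanded from this env file, so it must
    # define REGISTRATION_SHARED_SECRET *and* COTURN_AUTH_SECRET (the secret
    # name suggests only the former — verify). COTURN_AUTH_SECRET has to equal
    # the contents of coturn's static-auth-secret-file.
    environmentFile = config.sops.secrets.matrix_registration_secret.path;
    settings = {
      global = {
        server_name = "knazarov.com";
        private_key = config.sops.secrets.matrix_key.path;
        jetstream = { storage_path = "/var/lib/dendrite/nats"; };
      };
      client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
      # Short-lived TURN credentials derived from the shared secret; every
      # logged-in user of this homeserver can obtain them.
      client_api.turn = {
        turn_user_lifetime = "5m";
        # Only plain TURN on 3478 is advertised although 5349 (TLS/DTLS) is
        # open and a certificate is configured — a turns: URI could be added.
        turn_uris = [
          "turn:${config.services.coturn.realm}:3478?transport=udp"
          "turn:${config.services.coturn.realm}:3478?transport=tcp"
        ];
        turn_shared_secret = "$COTURN_AUTH_SECRET";
      };
    };
  };

  # Dendrite runs as its own user; membership in the sops "keys" group is what
  # lets it read matrix_key and matrix_registration_secret (mode 0440).
  systemd.services.dendrite = {
    serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];
  };

  services.coturn = rec {
    enable = true;
    no-cli = true;
    no-tcp-relay = true;
    min-port = 49000;
    max-port = 50000;
    use-auth-secret = true;
    static-auth-secret-file = config.sops.secrets.coturn_auth_secret.path;
    realm = "turn.knazarov.com";
    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
    extraConfig = ''
      # Anyone holding TURN credentials (every Matrix user, via the shared
      # secret) can ask the relay to connect to an arbitrary peer. Dendrite
      # (8008), the sync proxy (8009), Forgejo (3000) and headscale (8080)
      # all listen on 127.0.0.1 on this host, so refuse to relay to
      # loopback, private, link-local and other non-public ranges. This is
      # the standard coturn/Matrix hardening list.
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.0.0.0-192.0.0.255
      denied-peer-ip=192.0.2.0-192.0.2.255
      denied-peer-ip=192.88.99.0-192.88.99.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=198.18.0.0-198.19.255.255
      denied-peer-ip=198.51.100.0-198.51.100.255
      denied-peer-ip=203.0.113.0-203.0.113.255
      denied-peer-ip=240.0.0.0-255.255.255.255
      denied-peer-ip=::1
      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff

      # for debugging — increases log volume; drop once no longer needed
      verbose
    '';
  };

  services.headscale = {
    enable = true;
    settings = {
      server_url = "https://headscale.knazarov.com:443";
      dns.base_domain = "nest";
    };
  };

  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets = {
    # Not referenced anywhere in this file.
    example_key = { };
    matrix_key = {
      mode = "0440";
      group = config.users.groups.keys.name;
    };
    matrix_registration_secret = {
      mode = "0440";
      group = config.users.groups.keys.name;
    };
    # coturn runs as the turnserver user, so owner-only access is enough.
    # Group-readable (0440, group turnserver) would also expose the secret
    # to nginx, which is a member of that group (see above) and has no use
    # for it.
    coturn_auth_secret = {
      owner = "turnserver";
      mode = "0400";
      group = config.users.groups.turnserver.name;
    };
  };

  networking.firewall = {
    allowedTCPPorts = [
      80
      443
      3478
      5349 # coturn
    ];
    allowedUDPPorts = [
      3478
      5349 # coturn
    ];
    # Relay range is UDP only; TCP relaying is disabled via no-tcp-relay.
    allowedUDPPortRanges = [{
      from = config.services.coturn.min-port;
      to = config.services.coturn.max-port;
    }];
  };

  system.stateVersion = "23.05";
}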