# NixOS module for this host. Besides the standard `lib`/`pkgs` module
# arguments it takes the repository's `globals` (machine inventory, VPN
# addresses) and the `libx` helper set; any other argument is accepted via `...`.
{ globals, lib, libx, pkgs, ... }:
8let
# TODO: migrate this out of here
# Caching policy and security response headers shared by the static vhosts
# below (`extraConfig = nginxExtraConfig`).
# NOTE(review): `X-Content-Security-Policy` is the legacy vendor-prefixed name;
# current browsers only honour `Content-Security-Policy`, so the policy below
# is not actually enforced. Renaming it would start enforcing
# `default-src 'self' …`, which also blocks inline scripts and styles -- test
# each site before switching.
# NOTE(review): nginx `add_header` directives are inherited by a location only
# when that location declares no `add_header` of its own; a location that adds
# its own header has to repeat these.
# NOTE(review): `expires 31d` + `immutable` applies to HTML too (index.html),
# so edits to those pages may not be seen by returning clients for a week.
nginxExtraConfig = ''
  expires 31d;
  add_header Cache-Control "public, max-age=604800, immutable";
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  add_header X-Content-Type-Options "nosniff";
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems *.demeester.fr";
  add_header X-XSS-Protection "1; mode=block";
'';
19
# nginx mainline with the fancyindex module built in; it provides the directory
# listings used by the dl/files.sbr.pm and vincent.demeester.fr vhosts.
nginx = pkgs.nginxMainline.override (_old: {
  modules = [ pkgs.nginxModules.fancyindex ];
});
25
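# Virtual host shared by dl.sbr.pm and files.sbr.pm: a fancyindex directory
# listing rooted at /var/www/dl.sbr.pm, with everything under /private behind
# HTTP basic auth. TLS is forced, so the basic-auth credentials never travel
# in clear text.
filesWWW = {
  enableACME = true;
  forceSSL = true;
  root = "/var/www/dl.sbr.pm";
  locations."/" = {
    index = "index.html";
    extraConfig = ''
      fancyindex on;
      fancyindex_localtime on;
      fancyindex_exact_size off;
      fancyindex_header "/.fancyindex/header.html";
      fancyindex_footer "/.fancyindex/footer.html";
      # fancyindex_ignore "examplefile.html";
      fancyindex_ignore "README.md";
      fancyindex_ignore "HEADER.md";
      fancyindex_ignore ".fancyindex";
      fancyindex_name_length 255;
    '';
  };
  # Prefix location: longest-prefix match wins over "/" for anything below
  # /private, so the listing above is never reachable without credentials.
  locations."/private" = {
    extraConfig = ''
      auth_basic "Restricted";
      auth_basic_user_file /var/www/dl.sbr.pm/private/.htpasswd;
    '';
  };
  # The htpasswd file sits inside the document root, so without this block any
  # client that passes basic auth could download the password hashes as
  # /private/.htpasswd. Regex locations take precedence over the prefix
  # locations above, so this always answers 403 for that file.
  locations."~ /\\.htpasswd$".extraConfig = ''
    deny all;
  '';
  extraConfig = nginxExtraConfig;
};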
53in
54{
imports = [
  # Shared node exporter module from ../common; the nginx exporter is
  # configured further down in this file.
  ../common/services/prometheus-exporters-node.nix
  # ../common/services/syncthing.nix
];
59
# TODO make it an option ? (otherwise I'll add it for all)
# Lingering keeps the user's systemd user instance (and its user services)
# running while no login session is open.
users.users.vincent.linger = true;
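# sshd listens only on this host's first VPN address (port 22); the firewall
# port is explicitly kept closed with mkForce so no other module can reopen it.
services.openssh = {
  listenAddresses = [
    {
      addr = builtins.head globals.machines.kerkouane.net.vpn.ips;
      port = 22;
    }
  ];
  openFirewall = lib.mkForce false;
  settings = {
    PasswordAuthentication = false;
    # NixOS enables keyboard-interactive (PAM) authentication by default, which
    # still accepts a password prompt even with PasswordAuthentication off;
    # disable it so only key-based logins remain.
    KbdInteractiveAuthentication = false;
    # "without-password" is OpenSSH's older spelling of "prohibit-password":
    # root may log in with a key but never with a password.
    PermitRootLogin = "without-password";
  };
};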
75
# WireGuard hub for the VPN: this host's own VPN addresses plus the peer list
# derived from the machine inventory in `globals` by the libx helpers.
services.wireguard.server =
  let
    vpnIps = globals.machines.kerkouane.net.vpn.ips;
  in
  {
    enable = true;
    ips = libx.wg-ips vpnIps;
    peers = libx.generateWireguardPeers globals.machines;
  };
81
# gosmee, published as https://webhook.sbr.pm and fronted by the nginx vhost of
# the same name below (which proxies to 127.0.0.1:3333).
services.gosmee.enable = true;
services.gosmee.public-url = "https://webhook.sbr.pm";
86
# ntfy bound to loopback only; the public entry point is the ntfy.sbr.pm vhost
# below. Login is mandatory and topics default to deny-all, so nothing is
# readable or publishable anonymously.
services.ntfy-sh.enable = true;
services.ntfy-sh.settings = {
  base-url = "https://ntfy.sbr.pm";
  upstream-base-url = "https://ntfy.sh";
  listen-http = "localhost:8111";
  # Makes ntfy take the visitor address from X-Forwarded-For rather than the
  # proxy's own address, so the reverse proxy must set that header.
  behind-proxy = true;
  enable-login = true;
  auth-default-access = "deny-all";
};
98
# Should probably move to hardware.nix
networking.firewall = {
  allowPing = true;
  # Only HTTP/HTTPS are exposed; sshd is reached over the VPN address set
  # above and the other services here sit behind the nginx vhosts below.
  allowedTCPPorts = [ 80 443 ];
};
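# Public web front: static sites sharing `nginxExtraConfig` plus reverse
# proxies for ntfy, govanityurl (go.sbr.pm), whoami and gosmee (webhook.sbr.pm).
# `recommendedProxySettings` is deliberately not enabled, so each proxied
# location passes the headers its backend needs itself.
services.nginx = {
  enable = true;
  statusPage = true;
  package = nginx;
  recommendedGzipSettings = true;
  recommendedTlsSettings = true;
  recommendedOptimisation = true;
  virtualHosts."dl.sbr.pm" = filesWWW;
  virtualHosts."files.sbr.pm" = filesWWW;
  virtualHosts."ntfy.sbr.pm" = {
    enableACME = true;
    forceSSL = true;

    locations."/" = {
      proxyPass = "http://127.0.0.1:8111";
      proxyWebsockets = true;
      # ntfy runs with `behind-proxy = true` and identifies visitors (rate
      # limiting included) by X-Forwarded-For; without this header every
      # client would look like 127.0.0.1. Same headers as the other proxied
      # vhosts below.
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
      '';
      # basicAuthFile = config.secrets.ntfy_password.decrypted;
    };
  };
  virtualHosts."paste.sbr.pm" = {
    enableACME = true;
    forceSSL = true;
    root = "/var/www/paste.sbr.pm";
    locations."/" = {
      index = "index.html";
    };
    extraConfig = nginxExtraConfig;
  };
  # Reverse proxy in front of services.govanityurl (configured below).
  virtualHosts."go.sbr.pm" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8080";
    };
    extraConfig = nginxExtraConfig;
  };
  # NOTE(review): 10.100.0.8 is presumably a VPN peer -- confirm it is only
  # reachable over the WireGuard interface.
  virtualHosts."whoami.sbr.pm" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://10.100.0.8:80";
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
      '';
    };
  };
  # gosmee: buffering and caching are off so webhook deliveries stream through.
  virtualHosts."webhook.sbr.pm" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:3333";
      extraConfig = ''
        proxy_buffering off;
        proxy_cache off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        chunked_transfer_encoding off;
      '';
    };
  };
  virtualHosts."sbr.pm" = {
    enableACME = true;
    forceSSL = true;
    root = "/var/www/sbr.pm";
    locations."/" = {
      index = "index.html";
    };
    extraConfig = nginxExtraConfig;
  };
  virtualHosts."sbr.systems" = {
    enableACME = true;
    forceSSL = true;
    root = "/var/www/sbr.systems";
    locations."/" = {
      index = "index.html";
    };
    extraConfig = nginxExtraConfig;
  };
  virtualHosts."vincent.demeester.fr" = {
    enableACME = true;
    forceSSL = true;
    root = "/var/www/vincent.demeester.fr";
    locations."/" = {
      index = "index.html";
      extraConfig = ''
        default_type text/html;
        try_files $uri $uri.html $uri/ = 404;
        fancyindex on;
        fancyindex_localtime on;
        fancyindex_exact_size off;
        fancyindex_header "/assets/.fancyindex/header.html";
        fancyindex_footer "/assets/.fancyindex/footer.html";
        # fancyindex_ignore "examplefile.html";
        fancyindex_ignore "README.md";
        fancyindex_ignore "HEADER.md";
        fancyindex_ignore ".fancyindex";
        fancyindex_name_length 255;
      '';
    };
    extraConfig = nginxExtraConfig;
  };
};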
# Scrapes the status page enabled above (`statusPage = true`). Port 9001 is not
# in networking.firewall.allowedTCPPorts, so it is not reachable from outside
# unless something else opens it.
services.prometheus.exporters.nginx.enable = true;
services.prometheus.exporters.nginx.port = 9001;
# Go vanity import paths for go.sbr.pm, reached through the go.sbr.pm vhost
# above (which proxies to 127.0.0.1:8080).
# NOTE(review): the service runs as the `nginx` user and therefore shares that
# user's access to the web roots -- confirm this is intended rather than using
# a dedicated user.
services.govanityurl = {
  enable = true;
  user = "nginx";
  host = "go.sbr.pm";
  config = ''
    paths:
      /lord:
        repo: https://github.com/vdemeester/lord
      /ape:
        repo: https://git.sr.ht/~vdemeester/ape
      /nr:
        repo: https://git.sr.ht/~vdemeester/nr
      /ram:
        repo: https://git.sr.ht/~vdemeester/ram
      /sec:
        repo: https://git.sr.ht/~vdemeester/sec
  '';
};
# ACME registration used by every `enableACME = true` vhost above.
security.acme.acceptTerms = true;
security.acme.defaults.email = "vincent@sbr.pm";
236}