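{
  globals,
  lib,
  libx,
  pkgs,
  ...
}:
let
  # TODO: migrate this out of here
  #
  # Response headers shared by the static vhosts (applied at server level
  # through `extraConfig`). `always` makes nginx emit the security headers on
  # error responses as well; by default add_header only applies to 2xx/3xx.
  # The caching directives deliberately stay 2xx/3xx-only so that a 404 is
  # never handed out as "immutable".
  #
  # nginx caveat: a location that declares its own add_header drops every
  # inherited add_header, so any location-level add_header must repeat these.
  nginxExtraConfig = ''
    expires 31d;
    add_header Cache-Control "public, max-age=604800, immutable";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Standard header name. The prefixed X-Content-Security-Policy is only
    # understood by long-obsolete browsers, so the policy was not being
    # enforced at all. default-src 'self' also blocks inline <script>/<style>;
    # verify the static sites still render before rolling this out.
    add_header Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems *.demeester.fr" always;
    # Legacy header, ignored by current browsers; kept for the few that honour it.
    add_header X-XSS-Protection "1; mode=block";
  '';

  # Mainline nginx with the fancyindex module for directory listings.
  nginx = pkgs.nginxMainline.override (_old: {
    modules = with pkgs.nginxModules; [
      fancyindex
    ];
  });

  # Static download area served under both dl.sbr.pm and files.sbr.pm.
  # Directory listings come from fancyindex; /private is behind HTTP basic auth.
  filesWWW = {
    enableACME = true;
    forceSSL = true;
    root = "/var/www/dl.sbr.pm";
    locations."/" = {
      index = "index.html";
      extraConfig = ''
        fancyindex on;
        fancyindex_localtime on;
        fancyindex_exact_size off;
        fancyindex_header "/.fancyindex/header.html";
        fancyindex_footer "/.fancyindex/footer.html";
        # fancyindex_ignore "examplefile.html";
        fancyindex_ignore "README.md";
        fancyindex_ignore "HEADER.md";
        fancyindex_ignore ".fancyindex";
        fancyindex_name_length 255;
      '';
    };
    locations."/private" = {
      extraConfig = ''
        auth_basic "Restricted";
        auth_basic_user_file /var/www/dl.sbr.pm/private/.htpasswd;
      '';
    };
    # The htpasswd file lives inside the document root, so make sure nginx
    # never serves it. A regex location takes precedence over the /private
    # prefix location, hence this applies even to authenticated users.
    # Do not widen this to all dotfiles: the /.fancyindex/ header and footer
    # are fetched by subrequest and must stay reachable.
    locations."~ /\\.htpasswd$".extraConfig = ''
      return 404;
    '';
    extraConfig = nginxExtraConfig;
  };
in
{
  imports = [
    ../common/services/prometheus-exporters-node.nix
    # ../common/services/syncthing.nix
  ];

  # TODO make it an option ? (otherwise I'll add it for all)
  users.users.vincent.linger = true;

  # sshd is only reachable over the WireGuard address, not exposed on the
  # public interface (the firewall rule is forced off below).
  services.openssh = {
    listenAddresses = [
      {
        addr = builtins.head globals.machines.kerkouane.net.vpn.ips;
        port = 22;
      }
    ];
    openFirewall = lib.mkForce false;
    passwordAuthentication = false;
    # key-based root login only
    permitRootLogin = "without-password";
  };

  services.wireguard.server = {
    enable = true;
    ips = libx.wg-ips globals.machines.kerkouane.net.vpn.ips;
    peers = libx.generateWireguardPeers globals.machines;
  };

  # Webhook relay, fronted by the webhook.sbr.pm vhost below.
  services.gosmee = {
    enable = true;
    public-url = "https://webhook.sbr.pm";
  };

  # Notification service, fronted by the ntfy.sbr.pm vhost below.
  services.ntfy-sh = {
    enable = true;
    settings = {
      base-url = "https://ntfy.sbr.pm";
      upstream-base-url = "https://ntfy.sh";
      listen-http = "localhost:8111";
      behind-proxy = true;
      enable-login = true;
      auth-default-access = "deny-all";
    };
  };

  # Should probably move to hardware.nix
  networking.firewall.allowPing = true;
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  services.nginx = {
    enable = true;
    statusPage = true;
    package = nginx;
    recommendedGzipSettings = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    virtualHosts."dl.sbr.pm" = filesWWW;
    virtualHosts."files.sbr.pm" = filesWWW;
    virtualHosts."ntfy.sbr.pm" = {
      enableACME = true;
      forceSSL = true;

      locations."/" = {
        proxyPass = "http://127.0.0.1:8111";
        proxyWebsockets = true;
        # basicAuthFile = config.secrets.ntfy_password.decrypted;
        # behind-proxy = true makes ntfy take the client address from
        # X-Forwarded-For; without forwarding it every client looks like
        # 127.0.0.1 to ntfy's per-visitor limits. $remote_addr (not the
        # client-supplied X-Forwarded-For) is used so it cannot be spoofed.
        extraConfig = ''
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $remote_addr;
        '';
      };
    };
    virtualHosts."paste.sbr.pm" = {
      enableACME = true;
      forceSSL = true;
      root = "/var/www/paste.sbr.pm";
      locations."/" = {
        index = "index.html";
      };
      extraConfig = nginxExtraConfig;
    };
    # Go vanity import paths, served by govanityurl (see services.govanityurl).
    virtualHosts."go.sbr.pm" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8080";
      };
      extraConfig = nginxExtraConfig;
    };
    virtualHosts."whoami.sbr.pm" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://10.100.0.8:80";
        extraConfig = ''
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $remote_addr;
        '';
      };
    };
    virtualHosts."webhook.sbr.pm" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:3333";
        # Streaming endpoint: buffering, caching and chunking are turned off
        # so events reach the client as they arrive.
        extraConfig = ''
          proxy_buffering off;
          proxy_cache off;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header Connection "";
          proxy_http_version 1.1;
          chunked_transfer_encoding off;
        '';
      };
    };
    virtualHosts."sbr.pm" = {
      enableACME = true;
      forceSSL = true;
      root = "/var/www/sbr.pm";
      locations."/" = {
        index = "index.html";
      };
      extraConfig = nginxExtraConfig;
    };
    virtualHosts."sbr.systems" = {
      enableACME = true;
      forceSSL = true;
      root = "/var/www/sbr.systems";
      locations."/" = {
        index = "index.html";
      };
      extraConfig = nginxExtraConfig;
    };
    virtualHosts."vincent.demeester.fr" = {
      enableACME = true;
      forceSSL = true;
      root = "/var/www/vincent.demeester.fr";
      locations."/" = {
        index = "index.html";
        extraConfig = ''
          default_type text/html;
          try_files $uri $uri.html $uri/ = 404;
          fancyindex on;
          fancyindex_localtime on;
          fancyindex_exact_size off;
          fancyindex_header "/assets/.fancyindex/header.html";
          fancyindex_footer "/assets/.fancyindex/footer.html";
          # fancyindex_ignore "examplefile.html";
          fancyindex_ignore "README.md";
          fancyindex_ignore "HEADER.md";
          fancyindex_ignore ".fancyindex";
          fancyindex_name_length 255;
        '';
      };
      extraConfig = nginxExtraConfig;
    };
  };
  services.prometheus.exporters.nginx = {
    enable = true;
    port = 9001;
  };
  services.govanityurl = {
    enable = true;
    user = "nginx";
    host = "go.sbr.pm";
    config = ''
      paths:
        /lord:
          repo: https://github.com/vdemeester/lord
        /ape:
          repo: https://git.sr.ht/~vdemeester/ape
        /nr:
          repo: https://git.sr.ht/~vdemeester/nr
        /ram:
          repo: https://git.sr.ht/~vdemeester/ram
        /sec:
          repo: https://git.sr.ht/~vdemeester/sec
    '';
  };
  security.pam.enableSSHAgentAuth = true;
  security.acme = {
    acceptTerms = true;
    email = "vincent@sbr.pm";
  };
}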