Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
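{
  config,
  lib,
  modulesPath,
  pkgs,
  ...
}:
# Shared host profile for a QEMU/KVM guest: boot loader, networkd WAN
# configuration, hardened SSH, fail2ban, tailscale (headscale), shell and nix
# daemon settings. Per-host modules are expected to layer on top of this.
{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
  ];

  boot = {
    loader.grub = {
      devices = [ "/dev/sda" ];
      efiSupport = true;
      # Install to the removable-media EFI path so the guest boots without
      # relying on a firmware NVRAM boot entry.
      efiInstallAsRemovable = true;
    };

    initrd.kernelModules = [ "virtio_gpu" ];

    kernelParams = [ "console=tty" ];
  };

  # mkDefault so a per-host module can override the zone without mkForce.
  time.timeZone = lib.mkDefault "Europe/Berlin";

  networking = {
    useNetworkd = true;
  };

  systemd.network = {
    enable = true;

    networks = {
      "30-wan" = {
        matchConfig.Name = "enp1s0";
        networkConfig.DHCP = "ipv4";
        # IPv6 default route via the link-local gateway; the IPv6 address
        # itself is presumably assigned in per-host config — verify.
        routes = [
          { Gateway = "fe80::1"; }
        ];
      };
    };
  };

  services.openssh = {
    enable = true;
    settings = {
      # Key-only logins: disable password AND keyboard-interactive (PAM)
      # authentication, otherwise a password prompt can still be reached
      # through the keyboard-interactive method.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      # Root has an authorized key below; keep root strictly key-only.
      PermitRootLogin = "prohibit-password";
    };
    extraConfig = ''
      PrintLastLog no
    '';
  };

  # Custom fail2ban filters. These only define filters: they take effect once
  # a jail in services.fail2ban.jails references them, and no jail in this
  # file does — presumably the nginx/postfix host modules add them; verify.
  environment.etc = {
    "fail2ban/filter.d/nginx-bruteforce.conf".text = ''
      [Definition]
      failregex = ^<HOST>.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d\.\d\" 404.*$
    '';

    "fail2ban/filter.d/postfix-bruteforce.conf".text = ''
      [Definition]
      failregex = warning: [\w\.\-]+\[<HOST>\]: SASL LOGIN authentication failed.*$
      journalmatch = _SYSTEMD_UNIT=postfix.service
    '';
  };

  services.fail2ban = {
    enable = true;

    # Addresses never banned. NOTE(review): the tailscale CGNAT range is
    # 100.64.0.0/10; a /24 only exempts part of it — confirm this matches the
    # headscale ip_prefixes in use (a narrower range is the safer direction).
    ignoreIP = [
      "100.64.0.0/24" # tailnet
    ];

    maxretry = 3;
    bantime = "2h";

    # ipset-backed ban action so large ban lists stay cheap in iptables.
    extraPackages = [ pkgs.ipset ];
    banaction = "iptables-ipset-proto6-allports";
  };

  # Headscale pre-auth key, decrypted by sops-nix at activation and readable
  # by root only (presumably the sops-nix default mode; confirm).
  sops.secrets.tailscale-authkey = {
    owner = "root";
    group = "root";
    sopsFile = ./common.yaml;
  };

  services.tailscale = {
    enable = true;
    openFirewall = false;
    extraUpFlags = [
      "--login-server=https://headscale.escapeangle.com"
    ];
    authKeyFile = config.sops.secrets.tailscale-authkey.path;
  };

  programs.zsh.enable = true;
  environment.pathsToLink = [ "/share/zsh" ];
  environment.shells = [ pkgs.zsh ];
  environment.enableAllTerminfo = true;

  users.users.lander = {
    isNormalUser = true;
    shell = pkgs.zsh;
    # wheel grants sudo; together with nix trusted-users below this account
    # is effectively root-equivalent.
    extraGroups = [
      "wheel"
    ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026"
    ];
  };

  # Same key as lander (the cardno: comment suggests a smartcard-held key);
  # direct root SSH is allowed but key-only (PermitRootLogin above).
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026"
  ];

  security.acme.defaults.email = "landervandenbulcke@gmail.com";
  security.acme.acceptTerms = true;

  nix = {
    settings = {
      # Trusted users may set arbitrary daemon options (substituters,
      # sandbox, …), which is root-equivalent — keep this list minimal.
      trusted-users = [ "lander" ];
      # NOTE(review): accepts the nixConfig of any evaluated flake without a
      # prompt, including extra-substituters and trusted-public-keys; only
      # safe while every flake built on this host is trusted.
      accept-flake-config = true;
      auto-optimise-store = true;
      # Kept with the other daemon settings instead of a raw extraOptions
      # string; generates the same experimental-features line in nix.conf.
      experimental-features = [ "nix-command" "flakes" ];
    };

    package = pkgs.nixVersions.stable;

    gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };
  };
}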