diff options
Diffstat (limited to 'modules/nixos/server')
| -rw-r--r-- | modules/nixos/server/nextcloud/default.nix | 138 | ||||
| -rw-r--r-- | modules/nixos/server/nginx/default.nix | 42 | ||||
| -rw-r--r-- | modules/nixos/server/openssh/default.nix | 44 | ||||
| -rw-r--r-- | modules/nixos/server/site/default.nix | 28 |
4 files changed, 0 insertions, 252 deletions
diff --git a/modules/nixos/server/nextcloud/default.nix b/modules/nixos/server/nextcloud/default.nix deleted file mode 100644 index ccaad46..0000000 --- a/modules/nixos/server/nextcloud/default.nix +++ /dev/null @@ -1,138 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: -let - inherit (lib) mkEnableOption mkIf; - cfg = config.nx.server.nextcloud; -in -{ - options.nx.server.nextcloud = { - enable = mkEnableOption "Nextcloud server"; - }; - - config = mkIf cfg.enable { - services.nextcloud = { - enable = true; - package = pkgs.nextcloud32; - hostName = "cloud.schererleander.de"; - https = true; - database.createLocally = true; - maxUploadSize = "16G"; - config = { - dbtype = "mysql"; - adminuser = "schererleander"; - adminpassFile = config.sops.secrets."nextcloud-admin-pass".path; - }; - secrets = { - secret = config.sops.secrets."nextcloud-secret".path; - }; - settings = { - maintenance_window_start = 2; # 02:00 - default_phone_region = "de"; - overwriteProtocol = "https"; - trusted_domains = [ "cloud.schererleander.de" ]; - logtimezone = config.time.timeZone; - log_type = "file"; - # Disable mail functionality for single-user instance - mail_smtpmode = "null"; - }; - phpOptions."opcache.interned_strings_buffer" = "64"; - }; - - services.nginx.virtualHosts = { - "cloud.schererleander.de" = { - forceSSL = true; - sslCertificate = config.sops.secrets."cert_fullchain".path; - sslCertificateKey = config.sops.secrets."cert_private".path; - }; - }; - - services.borgbackup.jobs.nextcloud = { - paths = [ - "/var/lib/nextcloud" - "/var/lib/backup/nextcloud/db" - ]; - repo = "$BORG_REPO"; - encryption.mode = "none"; - user = "root"; - group = "root"; - environment = { - BORG_RSH = "ssh -i ${ - config.sops.secrets."borgbase_ssh_key".path - } -o StrictHostKeyChecking=accept-new"; - TMPDIR = "/var/tmp"; - }; - compression = "auto,lzma"; - startAt = "daily"; - readWritePaths = [ - "/var/lib/backup" - "/var/lib/nextcloud" - ]; - preHook = '' - set -euo pipefail - - export BORG_REPO="$(cat ${config.sops.secrets."borg_repo".path})" - - INSTALL="${pkgs.coreutils}/bin/install" - FIND="${pkgs.findutils}/bin/find" - MYSQLDUMP="${pkgs.mariadb.client}/bin/mariadb-dump" - GZIP="${pkgs.gzip}/bin/gzip" - OCC="${lib.getExe config.services.nextcloud.occ}" - - # This command requires write access to /var/lib/backup. - $INSTALL -d -m 0750 -o root -g root /var/lib/backup/nextcloud/db - - trap "$OCC maintenance:mode --off >/dev/null 2>&1 || true" EXIT - - $OCC maintenance:mode --on - - # Make a consistent database dump without locking the site. - $MYSQLDUMP --single-transaction --quick --lock-tables=false --databases nextcloud \ - | $GZIP -c > /var/lib/backup/nextcloud/db/nextcloud-$(date +%F-%H%M%S).sql.gz - - # Delete local dump files older than 14 days. - $FIND /var/lib/backup/nextcloud/db -type f -name "*.sql.gz" -mtime +14 -delete || true - ''; - postHook = '' - set -euo pipefail - ${lib.getExe config.services.nextcloud.occ} maintenance:mode --off || true - ''; - }; - - services.fail2ban = { - enable = true; - bantime = lib.mkDefault "1h"; - jails = { - nextcloud = { - enabled = true; - settings = { - backend = "systemd"; - journalmatch = "SYSLOG_IDENTIFIER=Nextcloud"; - # END modification to work with syslog instead of logile - port = 443; - protocol = "tcp"; - filter = "nextcloud"; - maxretry = 3; - findtime = 43200; - }; - }; - }; - }; - - environment.etc = { - # Adapted failregex for syslogs - "fail2ban/filter.d/nextcloud.local".text = pkgs.lib.mkDefault ( - pkgs.lib.mkAfter '' - [Definition] - _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) - failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed: - ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error. - datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" - '' - ); - }; - }; -} diff --git a/modules/nixos/server/nginx/default.nix b/modules/nixos/server/nginx/default.nix deleted file mode 100644 index d960d33..0000000 --- a/modules/nixos/server/nginx/default.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ - config, - lib, - ... -}: -let - inherit (lib) - mkEnableOption - mkIf - ; - cfg = config.nx.server.nginx; -in -{ - options.nx.server.nginx = { - enable = mkEnableOption "nginx reverse proxy" // { - default = true; - }; - }; - config = mkIf cfg.enable { - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - appendHttpConfig = '' - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always; - add_header 'Referrer-Policy' 'same-origin'; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - ''; - }; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; - }; -} diff --git a/modules/nixos/server/openssh/default.nix b/modules/nixos/server/openssh/default.nix deleted file mode 100644 index 0972e66..0000000 --- a/modules/nixos/server/openssh/default.nix +++ /dev/null @@ -1,44 +0,0 @@ -{ - config, - lib, - ... -}: - -let - inherit (lib) mkEnableOption mkIf mkDefault; - cfg = config.nx.server.openssh; -in -{ - options.nx.server.openssh = { - enable = mkEnableOption "OpenSSH server"; - }; - - config = mkIf cfg.enable { - services.openssh = { - enable = true; - ports = [ 8693 ]; - settings = { - PasswordAuthentication = false; - X11Forwarding = false; - PermitRootLogin = "yes"; - }; - }; - networking.firewall.allowedTCPPorts = [ 8693 ]; - - services.fail2ban = { - enable = true; - bantime = lib.mkDefault "1h"; - jails = { - sshd = { - enabled = true; - settings = { - port = 8693; - backend = "systemd"; - maxretry = 4; - findtime = "10m"; - }; - }; - }; - }; - }; -} diff --git a/modules/nixos/server/site/default.nix b/modules/nixos/server/site/default.nix deleted file mode 100644 index c1d472b..0000000 --- a/modules/nixos/server/site/default.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - config, - lib, - inputs, - ... -}: -let - inherit (lib) mkEnableOption mkIf; - cfg = config.nx.server.site; -in -{ - imports = [ - inputs.site.nixosModules.default - ]; - - options.nx.server.site = { - enable = mkEnableOption "personal website"; - }; - - config = mkIf cfg.enable { - services.site = { - enable = true; - domain = "schererleander.de"; - sslCertificate = config.sops.secrets."cert_fullchain".path; - sslCertificateKey = config.sops.secrets."cert_private".path; - }; - }; -} |