From 6174f3650cf42aaf008012e828d5a1f8e2ce037f Mon Sep 17 00:00:00 2001 From: Leander Scherer Date: Thu, 8 Jan 2026 02:48:11 +0100 Subject: refactor(modules): separate nixos/home-manager modules, use standard option conventions --- hosts/sachiel/configuration.nix | 214 ++-------------------------------------- 1 file changed, 6 insertions(+), 208 deletions(-) (limited to 'hosts/sachiel/configuration.nix') diff --git a/hosts/sachiel/configuration.nix b/hosts/sachiel/configuration.nix index 0537569..3944006 100644 --- a/hosts/sachiel/configuration.nix +++ b/hosts/sachiel/configuration.nix @@ -1,8 +1,6 @@ { pkgs, host, - lib, - config, username, ... }: @@ -66,212 +64,12 @@ }; }; - services.fail2ban = { - enable = true; - bantime = "1h"; - jails = { - sshd = { - enabled = true; - settings = { - port = 8693; - backend = "systemd"; - maxretry = 4; - findtime = "10m"; - bantime = "1h"; - }; - }; - nextcloud = { - enabled = true; - settings = { - # START modification to work with syslog instead of logile - backend = "systemd"; - journalmatch = "SYSLOG_IDENTIFIER=Nextcloud"; - # END modification to work with syslog instead of logile - port = 443; - protocol = "tcp"; - filter = "nextcloud"; - maxretry = 3; - bantime = 86400; - findtime = 43200; - }; - }; - }; - }; - - environment.etc = { - # Adapted failregex for syslogs - "fail2ban/filter.d/nextcloud.local".text = pkgs.lib.mkDefault ( - pkgs.lib.mkAfter '' - [Definition] - _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) - failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed: - ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error. - datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" - '' - ); - }; - - services.openssh = { - enable = true; - ports = [ 8693 ]; - settings = { - PasswordAuthentication = false; - AllowUsers = [ username ]; - X11Forwarding = false; - PermitRootLogin = "no"; - }; - }; - - security.acme = { - acceptTerms = true; - defaults.email = "leander@schererleander.de"; - }; - - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - appendHttpConfig = '' - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always; - add_header 'Referrer-Policy' 'same-origin'; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - ''; - - #virtualHosts."bitwarden.schererleander.de" = { - # forceSSL = true; - # sslCertificate = "/etc/ssl/schererleander.de/fullchain.pem"; - # sslCertificateKey = "/etc/ssl/schererleander.de/privkey.key"; - # locations."/" = { - # proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}"; - # }; - #}; - - virtualHosts."cloud.schererleander.de" = { - forceSSL = true; - sslCertificate = "/etc/ssl/schererleander.de/fullchain.pem"; - sslCertificateKey = "/etc/ssl/schererleander.de/privkey.key"; - }; - }; - - services.site = { - enable = true; - domain = "schererleander.de"; - sslCertificate = "/etc/ssl/schererleander.de/fullchain.pem"; - sslCertificateKey = "/etc/ssl/schererleander.de/privkey.key"; - }; - - # services.vaultwarden = { - # enable = true; - # environmentFile = "/var/lib/vaultwarden.env"; - # backupDir = "/var/backup/vaultwarden"; - # config = { - # DOMAIN = "https://bitwarden.schererleander.de"; - # SIGNUPS_ALLOWED = true; - # ROCKET_ADDRESS = "127.0.0.1"; - # ROCKET_PORT = 8222; - # ROCKET_LOG = "critical"; - # KDF = "PBKDF2"; - # KDFIterations = 600000; - # }; - # }; - # - # services.borgbackup.jobs.vaultwarden = { - # paths = [ "/var/backup/vaultwarden" ]; - # repo = "t7e4d4f9@t7e4d4f9.repo.borgbase.com:repo"; - # encryption.mode = "none"; - # environment.BORG_RSH = "ssh -i /home/${username}/.ssh/borgbase-vaultwarden -o StrictHostKeyChecking=accept-new"; - # compression = "auto,lzma"; - # startAt = "daily"; - # }; - - services.nextcloud = { - enable = true; - package = pkgs.nextcloud32; - hostName = "cloud.schererleander.de"; - https = true; - database.createLocally = true; - maxUploadSize = "16G"; - config = { - dbtype = "mysql"; - adminuser = "schererleander"; - adminpassFile = "/etc/nextcloud-admin-pass"; - }; - settings = { - maintenance_window_start = 2; # 02:00 - default_phone_region = "de"; - overwriteProtocol = "https"; - trusted_domains = [ "cloud.schererleander.de" ]; - logtimezone = "Europe/Berlin"; - log_type = "file"; - }; - phpOptions."opcache.interned_strings_buffer" = "64"; - }; - - services.borgbackup.jobs.nextcloud = { - paths = [ - "/var/lib/nextcloud" - "/var/lib/backup/nextcloud/db" - ]; - repo = "h8xn8qvo@h8xn8qvo.repo.borgbase.com:repo"; - encryption.mode = "none"; - environment = { - BORG_RSH = "ssh -i /home/${username}/.ssh/borgbase-nextcloud -o StrictHostKeyChecking=accept-new"; - TMPDIR = "/var/tmp"; - }; - compression = "auto,lzma"; - startAt = "daily"; - readWritePaths = [ - "/var/lib/backup" - "/var/lib/nextcloud" - ]; - preHook = '' - set -euo pipefail - INSTALL="${pkgs.coreutils}/bin/install" - FIND="${pkgs.findutils}/bin/find" - MYSQLDUMP="${pkgs.mariadb.client}/bin/mysql-dump" - GZIP="${pkgs.gzip}/bin/gzip" - OCC="${lib.getExe config.services.nextcloud.occ}" - - # This command requires write access to /var/lib/backup. - $INSTALL -d -m 0750 -o root -g root /var/lib/backup/nextcloud/db - - trap "$OCC maintenance:mode --off >/dev/null 2>&1 || true" EXIT - - $OCC maintenance:mode --on - - # Make a consistent database dump without locking the site. - $MYSQLDUMP --single-transaction --quick --lock-tables=false --databases nextcloud \ - | $GZIP -c > /var/lib/backup/nextcloud/db/nextcloud-$(date +%F-%H%M%S).sql.gz - - # Delete local dump files older than 14 days. - $FIND /var/lib/backup/nextcloud/db -type f -name "*.sql.gz" -mtime +14 -delete || true - ''; - postHook = '' - set -euo pipefail - ${lib.getExe config.services.nextcloud.occ} maintenance:mode --off || true - ''; - }; - - security.auditd.enable = true; - security.audit = { - enable = true; - rules = [ "-a exit,always -F arch=b64 -S execve" ]; - }; - - networking.firewall = { - allowPing = false; - allowedTCPPorts = [ - 80 - 443 - 8693 - ]; + nx.server = { + openssh.enable = true; + fail2ban.enable = true; + nginx.enable = true; + nextcloud.enable = true; + site.enable = true; }; nixpkgs.config.allowUnfree = true; -- cgit v1.3.1