From 6174f3650cf42aaf008012e828d5a1f8e2ce037f Mon Sep 17 00:00:00 2001 From: Leander Scherer Date: Thu, 8 Jan 2026 02:48:11 +0100 Subject: refactor(modules): separate nixos/home-manager modules, use standard option conventions --- modules/hosts/server/default.nix | 29 ++++++ modules/hosts/server/fail2ban/default.nix | 31 ++++++ modules/hosts/server/nextcloud/default.nix | 156 +++++++++++++++++++++++++++++ modules/hosts/server/nginx/default.nix | 56 +++++++++++ modules/hosts/server/openssh/default.nix | 53 ++++++++++ modules/hosts/server/site/default.nix | 32 ++++++ 6 files changed, 357 insertions(+) create mode 100644 modules/hosts/server/default.nix create mode 100644 modules/hosts/server/fail2ban/default.nix create mode 100644 modules/hosts/server/nextcloud/default.nix create mode 100644 modules/hosts/server/nginx/default.nix create mode 100644 modules/hosts/server/openssh/default.nix create mode 100644 modules/hosts/server/site/default.nix (limited to 'modules/hosts/server') diff --git a/modules/hosts/server/default.nix b/modules/hosts/server/default.nix new file mode 100644 index 0000000..ca3ca4f --- /dev/null +++ b/modules/hosts/server/default.nix @@ -0,0 +1,29 @@ +{ + lib, + ... +}: +let + inherit (lib) mkOption types; +in +{ + options.nx.server = { + enable = mkOption { + description = "Set this host as server"; + type = types.bool; + default = false; + }; + timeZone = mkOption { + description = "Time Zone of the server"; + type = types.str; + default = "Europe/Berlin"; + }; + }; + + imports = [ + ./openssh + ./nginx + ./fail2ban + ./nextcloud + ./site + ]; +} diff --git a/modules/hosts/server/fail2ban/default.nix b/modules/hosts/server/fail2ban/default.nix new file mode 100644 index 0000000..09fcdf2 --- /dev/null +++ b/modules/hosts/server/fail2ban/default.nix @@ -0,0 +1,31 @@ +{ + config, + pkgs, + options, + lib, + ... +}: +let + cfg = config.nx.server.fail2ban; + inherit (lib) mkOption types mkIf; +in +{ + options.nx.server.fail2ban = { + enable = mkOption { + description = "Setup fail2ban service"; + type = types.bool; + default = false; + }; + bantime = mkOption { + description = "default bantime"; + type = types.str; + default = "1h"; + }; + }; + config = mkIf cfg.enable { + services.fail2ban = { + enable = true; + bantime = cfg.bantime; + }; + }; +} diff --git a/modules/hosts/server/nextcloud/default.nix b/modules/hosts/server/nextcloud/default.nix new file mode 100644 index 0000000..a527de2 --- /dev/null +++ b/modules/hosts/server/nextcloud/default.nix @@ -0,0 +1,156 @@ +{ + pkgs, + config, + username, + options, + lib, + ... +}: +let + cfg = config.nx.server.nextcloud; + inherit (lib) mkOption types mkIf; +in +{ + options.nx.server.nextcloud = { + enable = mkOption { + description = "Setup nextcloud server"; + type = types.bool; + default = false; + }; + adminUser = mkOption { + description = "Admin user"; + type = types.str; + default = "schererleander"; + }; + adminPassFile = mkOption { + description = "Admin user key file"; + type = types.str; + default = "/etc/nextcloud-admin-pass"; + }; + hostName = mkOption { + description = "Nextcloud hostname"; + type = types.str; + default = "cloud.schererleander.de"; + }; + backup = mkOption { + description = "enable borgbase backups"; + type = types.bool; + default = true; + }; + jail = mkOption { + description = "setup fail2ban jail"; + type = types.bool; + default = config.nx.server.fail2ban.enable; + }; + }; + + config = mkIf cfg.enable { + services.nextcloud = { + enable = true; + package = pkgs.nextcloud32; + hostName = cfg.hostName; + https = true; + database.createLocally = true; + maxUploadSize = "16G"; + config = { + dbtype = "mysql"; + adminuser = cfg.adminUser; + adminpassFile = cfg.adminPassFile; + }; + settings = { + maintenance_window_start = 2; # 02:00 + default_phone_region = "de"; + overwriteProtocol = "https"; + trusted_domains = [ cfg.hostName ]; + logtimezone = config.nx.server.timeZone; + log_type = "file"; + }; + phpOptions."opcache.interned_strings_buffer" = "64"; + }; + + services.nginx.virtualHosts = mkIf ((config.nx.server.nginx or { }).enable or false) { + "${cfg.hostName}" = { + forceSSL = true; + sslCertificate = config.nx.server.nginx.sslCertificate; + sslCertificateKey = config.nx.server.nginx.sslCertificateKey; + }; + }; + + services.borgbackup.jobs.nextcloud = mkIf cfg.backup { + paths = [ + "/var/lib/nextcloud" + "/var/lib/backup/nextcloud/db" + ]; + repo = "h8xn8qvo@h8xn8qvo.repo.borgbase.com:repo"; + encryption.mode = "none"; + environment = { + BORG_RSH = "ssh -i /home/${username}/.ssh/borgbase-nextcloud -o StrictHostKeyChecking=accept-new"; + TMPDIR = "/var/tmp"; + }; + compression = "auto,lzma"; + startAt = "daily"; + readWritePaths = [ + "/var/lib/backup" + "/var/lib/nextcloud" + ]; + preHook = '' + set -euo pipefail + INSTALL="${pkgs.coreutils}/bin/install" + FIND="${pkgs.findutils}/bin/find" + MYSQLDUMP="${pkgs.mariadb.client}/bin/mysql-dump" + GZIP="${pkgs.gzip}/bin/gzip" + OCC="${lib.getExe config.services.nextcloud.occ}" + + # This command requires write access to /var/lib/backup. + $INSTALL -d -m 0750 -o root -g root /var/lib/backup/nextcloud/db + + trap "$OCC maintenance:mode --off >/dev/null 2>&1 || true" EXIT + + $OCC maintenance:mode --on + + # Make a consistent database dump without locking the site. + $MYSQLDUMP --single-transaction --quick --lock-tables=false --databases nextcloud \ + | $GZIP -c > /var/lib/backup/nextcloud/db/nextcloud-$(date +%F-%H%M%S).sql.gz + + # Delete local dump files older than 14 days. + $FIND /var/lib/backup/nextcloud/db -type f -name "*.sql.gz" -mtime +14 -delete || true + ''; + postHook = '' + set -euo pipefail + ${lib.getExe config.services.nextcloud.occ} maintenance:mode --off || true + ''; + }; + + services.fail2ban = mkIf cfg.jail { + jails = { + nextcloud = { + enabled = true; + settings = { + backend = "systemd"; + journalmatch = "SYSLOG_IDENTIFIER=Nextcloud"; + # END modification to work with syslog instead of logile + port = 443; + protocol = "tcp"; + filter = "nextcloud"; + maxretry = 3; + bantime = 86400; + findtime = 43200; + }; + }; + }; + }; + + environment.etc = mkIf cfg.jail { + # Adapted failregex for syslogs + "fail2ban/filter.d/nextcloud.local".text = pkgs.lib.mkDefault ( + pkgs.lib.mkAfter '' + [Definition] + _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) + failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed: + ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error. + datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" + '' + ); + }; + }; +} diff --git a/modules/hosts/server/nginx/default.nix b/modules/hosts/server/nginx/default.nix new file mode 100644 index 0000000..438ab49 --- /dev/null +++ b/modules/hosts/server/nginx/default.nix @@ -0,0 +1,56 @@ +{ + config, + lib, + ... +}: +let + cfg = config.nx.server.nginx; + inherit (lib) mkOption types mkIf; +in +{ + options.nx.server.nginx = { + enable = mkOption { + description = "Setup nginx reverse proxy"; + type = types.bool; + default = true; + }; + hostName = mkOption { + description = "url of server"; + type = types.str; + default = "schererleander.de"; + }; + sslCertificate = mkOption { + description = "ssl certificate to use"; + type = types.nullOr types.str; + default = "/etc/ssl/${cfg.hostName}/fullchain.pem"; + }; + sslCertificateKey = mkOption { + description = "ssl certificate key to use"; + type = types.nullOr types.str; + default = "/etc/ssl/${cfg.hostName}/privkey.key"; + }; + }; + config = mkIf cfg.enable { + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + appendHttpConfig = '' + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always; + add_header 'Referrer-Policy' 'same-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + ''; + }; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + }; +} diff --git a/modules/hosts/server/openssh/default.nix b/modules/hosts/server/openssh/default.nix new file mode 100644 index 0000000..fbb15db --- /dev/null +++ b/modules/hosts/server/openssh/default.nix @@ -0,0 +1,53 @@ +{ + config, + username, + lib, + ... +}: +let + cfg = config.nx.server.openssh; + inherit (lib) mkOption types mkIf; +in +{ + options.nx.server.openssh = { + enable = mkOption { + description = "Setup openssh for server"; + type = types.bool; + default = false; + }; + port = mkOption { + description = "Port for openssh"; + type = types.port; + default = 8693; + }; + }; + + config = mkIf cfg.enable { + services.openssh = { + enable = true; + ports = [ cfg.port ]; + settings = { + PasswordAuthentication = false; + AllowUsers = [ username ]; + X11Forwarding = false; + PermitRootLogin = "yes"; + }; + }; + networking.firewall.allowedTCPPorts = [ cfg.port ]; + + services.fail2ban = { + jails = { + sshd = { + enabled = true; + settings = { + port = 8693; + backend = "systemd"; + maxretry = 4; + findtime = "10m"; + bantime = "1h"; + }; + }; + }; + }; + }; +} diff --git a/modules/hosts/server/site/default.nix b/modules/hosts/server/site/default.nix new file mode 100644 index 0000000..24807d3 --- /dev/null +++ b/modules/hosts/server/site/default.nix @@ -0,0 +1,32 @@ +{ + config, + lib, + inputs, + ... +}: +let + cfg = config.nx.server.site; + inherit (lib) mkOption types mkIf; +in +{ + imports = [ + inputs.site.nixosModules.default + ]; + + options.nx.server.site = { + enable = mkOption { + description = "Setup personal website"; + type = types.bool; + default = false; + }; + }; + + config = mkIf cfg.enable { + services.site = { + enable = true; + domain = "schererleander.de"; + sslCertificate = "/etc/ssl/schererleander.de/fullchain.pem"; + sslCertificateKey = "/etc/ssl/schererleander.de/privkey.key"; + }; + }; +} -- cgit v1.3.1