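# NixOS module for the public "server" host: firewall, (disabled) unbound
# resolver, postgres, ssh + fail2ban, and the nginx front-end for the blog.
# Per-service configuration lives in the imported files below; this file only
# carries the host-wide pieces they share.
#
# Options read from elsewhere in the configuration (defined in ./options.nix
# or a common module, not visible here): config.server.domainName,
# config.server.lanCidrV4/V6, config.common.mainUsername.
{ lib
, pkgs
, config
, ... }:

let
  cfg = config.server;

  # Every hostname nginx serves on this box: each virtualHost name plus its
  # serverAliases. Used below to pin those names to loopback so anything on
  # the host that talks to "itself" by public name stays local.
  hostedDomains =
    lib.concatLists
      (lib.mapAttrsToList
        (name: vhost: [ name ] ++ vhost.serverAliases)
        config.services.nginx.virtualHosts);
in {
  imports = [
    ./options.nix
    ./akkoma.nix
    ./certspotter.nix
    ./fdroid.nix
    ./files.nix
    ./home.nix
    ./keycloak.nix
    ./mailserver.nix
    ./matrix.nix
    ./mumble.nix
    ./searxng.nix
  ];

  system.stateVersion = "22.11";

  # State that must survive the (impermanent) root filesystem.
  impermanence.directories = [
    { directory = /var/www; }
    # NOTE(review): 0755 lets every local user traverse /secrets, so the
    # confidentiality of each secret rests entirely on that file's own mode.
    # 0750/0700 would be the safer default if every consumer runs as root or
    # via a dedicated group -- confirm against the services that read from it.
    { directory = /secrets; mode = "0755"; }
  ];

  networking.useDHCP = true;

  networking.firewall = {
    enable = true;
    allowedTCPPorts = lib.mkMerge [
      [
        # ssh
        22
        # http/s
        80 443
      ]
      (lib.mkIf config.services.unbound.enable [
        # dns (plain + DNS-over-TLS)
        53 853
      ])
    ];
    # UDP 443 must be open unconditionally: the blog vhost below sets
    # `quic = true` and nginxQuic listens for HTTP/3 there regardless of the
    # resolver. Previously the whole list -- including 443 -- was gated on
    # unbound being enabled, so with unbound off, QUIC was advertised but
    # unreachable and clients fell back to TCP only after a timeout.
    allowedUDPPorts = lib.mkMerge [
      [
        # quic / http3
        443
      ]
      (lib.mkIf config.services.unbound.enable [
        # dns (plain + DNS-over-TLS)
        53 853
      ])
    ];
  };

  # UNBOUND
  # Let the main user drive unbound-control over the local socket (the
  # control socket is group-accessible through the unbound group).
  users.users.${config.common.mainUsername}.extraGroups =
    lib.mkIf config.services.unbound.enable [ config.services.unbound.group ];

  # resolveLocalQueries is off below, so point the host at the local
  # resolver explicitly when it is enabled.
  networking.resolvconf.extraConfig = lib.mkIf config.services.unbound.enable ''
    name_servers="127.0.0.1 ::1"
  '';

  services.unbound = {
    # Currently disabled; the firewall/resolvconf/group pieces above follow
    # this switch automatically.
    enable = false;
    package = pkgs.unbound-with-systemd.override {
      stdenv = pkgs.ccacheStdenv;
      withPythonModule = true;
      python = pkgs.python3;
    };
    localControlSocketPath = "/run/unbound/unbound.ctl";
    resolveLocalQueries = false;
    settings = {
      server = {
        # Listens on every address and accepts recursive queries from ANY
        # source. With `enable = true` this is an open resolver and a DNS
        # amplification vector. NOTE(review): if it is ever switched on,
        # restrict access-control to cfg.lanCidrV4/V6 (or add rate limiting)
        # unless a public resolver is genuinely the intent -- the commented
        # DNS-over-TLS stream block further down suggests it might be.
        interface = [ "0.0.0.0" "::" ];
        access-control = [ "0.0.0.0/0 allow" "::/0 allow" ];
        # Synthesise negative answers from cached NSEC/NSEC3 (RFC 8198).
        aggressive-nsec = true;
        do-ip6 = true;
      };
      remote-control.control-enable = true;
    };
  };

  # Map every hosted name to loopback ("just in case"). Besides avoiding a
  # hairpin through the public edge, this is what keeps the blog's
  # `proxy_pass https://<domainName>/...` below on the local machine.
  networking.hosts."127.0.0.1" = hostedDomains;
  networking.hosts."::1" = hostedDomains;

  services.postgresql.enable = true;
  # Pinned major version; bumping it requires a pg_upgrade/dump-restore of
  # the persisted data, not just a rebuild.
  services.postgresql.package = pkgs.postgresql_13;

  # SSH
  # Port 22 is open to the world (firewall above); fail2ban is the only
  # brute-force control configured in this file. NOTE(review): nothing here
  # disables password authentication or root login -- confirm the shared
  # module sets `services.openssh.settings.PasswordAuthentication = false`
  # (or equivalent) before treating this as key-only access.
  services.openssh.enable = true;

  services.fail2ban = {
    enable = true;
    # Never ban the LAN -- unless the "LAN" option is the catch-all range,
    # in which case ignoring it would whitelist the whole internet.
    ignoreIP = lib.optionals (cfg.lanCidrV4 != "0.0.0.0/0") [ cfg.lanCidrV4 ]
      ++ (lib.optionals (cfg.lanCidrV6 != "::/0") [ cfg.lanCidrV6 ]);
    # Global default for all jails, including the sshd jail NixOS enables.
    maxretry = 10;
    # Mail server (see ./mailserver.nix) IMAP/POP auth failures.
    jails.dovecot = ''
      enabled = true
      filter = dovecot
    '';
  };

  # NGINX
  services.nginx.enable = true;
  services.nginx.enableReload = true;
  # QUIC-capable build; required for `quic = true` on the vhosts.
  services.nginx.package = pkgs.nginxQuic;

  /* DNS over TLS (kept for reference; needs unbound enabled and TCP 853 open)
  services.nginx.streamConfig =
    let
      inherit (config.security.acme.certs."${cfg.domainName}") directory;
    in ''
      upstream dns {
        zone dns 64k;
        server 127.0.0.1:53;
      }
      server {
        listen 853 ssl;
        ssl_certificate ${directory}/fullchain.pem;
        ssl_certificate_key ${directory}/key.pem;
        ssl_trusted_certificate ${directory}/chain.pem;
        proxy_pass dns;
      }
    '';*/

  services.nginx.commonHttpConfig =
    let
      # Cloudflare's published edge ranges, pinned by hash so evaluation stays
      # reproducible (fixed-output fetch). The list changes over time: a stale
      # pin means newer edge addresses are NOT trusted for CF-Connecting-IP and
      # the edge's own address gets logged/banned instead of the client's.
      # Refresh the hashes when the build starts failing or bans look wrong.
      # Empty lines (e.g. a trailing newline in either file) are dropped so we
      # never emit a bare `set_real_ip_from ;`, which nginx rejects.
      cloudflareRanges = lib.filter (x: x != "") (lib.splitString "\n" ''
        ${builtins.readFile (builtins.fetchurl {
          url = "https://www.cloudflare.com/ips-v4";
          sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
        })}
        ${builtins.readFile (builtins.fetchurl {
          url = "https://www.cloudflare.com/ips-v6";
          sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
        })}'');
    in ''
      # Used by the blog's comment endpoint. `escape=json` is essential: the
      # body, referer and user-agent are attacker-controlled, and nginx's
      # default escaping writes \xXX sequences that are not valid JSON, so a
      # single quote or control character would break parsing of that line.
      log_format postdata escape=json '{\"ip\":\"$remote_addr\",\"time\":\"$time_iso8601\",\"referer\":\"$http_referer\",\"body\":\"$request_body\",\"ua\":\"$http_user_agent\"}';

      # Only honour CF-Connecting-IP from Cloudflare's own ranges; direct
      # connections to :80/:443 (which the firewall allows) keep their real
      # source address, so the header cannot be spoofed to evade fail2ban.
      ${lib.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};") cloudflareRanges}
      real_ip_header CF-Connecting-IP;
    '';

  # brotli and zstd requires recompilation so I don't enable it
  # services.nginx.recommendedBrotliSettings = true;
  # services.nginx.recommendedZstdSettings = true;
  services.nginx.recommendedGzipSettings = true;
  services.nginx.recommendedOptimisation = true;
  services.nginx.recommendedProxySettings = true;
  services.nginx.recommendedTlsSettings = true;

  # BLOG
  services.nginx.virtualHosts.${cfg.domainName} = {
    quic = true;
    enableACME = true;
    serverAliases = [ "www.${cfg.domainName}" ];
    forceSSL = true;
    # Directory listings are intentionally on for the whole site (the blog
    # publishes its own source under /src); applies to every location below.
    extraConfig = "autoindex on;";
    locations."/".root = "/var/www/${cfg.domainName}/";
    locations."/src".root = "/var/www/${cfg.domainName}/";
    # A non-existent index name forces the listing even where an index file
    # is present.
    locations."/src".extraConfig = "index force_dirlisting;";
    # Comment "submission": the request body is captured into comments.log
    # (the postdata format above) and the client is bounced to the static
    # success page. Proxying to our own public name is what makes nginx read
    # the body so $request_body is populated; the networking.hosts entries
    # keep that round trip on loopback. Moderation happens out of band from
    # the log file -- nothing here validates or size-limits the body beyond
    # nginx's default client_max_body_size.
    locations."/submit_comment".extraConfig = ''
      access_log /var/log/nginx/comments.log postdata;
      proxy_pass https://${cfg.domainName}/submit.htm;
      break;
    '';
    locations."/submit.htm" = {
      # $http_referer is reflected verbatim into the refresh URL and the link.
      # The value is browser-controlled (not attacker-chosen for a victim),
      # and browsers percent-encode quotes/angle brackets in URLs, which is
      # what keeps this from being an injection; an absent Referer yields
      # `url=`, i.e. the page just reloads itself every 10 s.
      extraConfig = ''
        return 200 '<!doctype html><html><head><base href="/"/><link rel="preload" href="style.css" as="style"><title>Success!</title><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><link rel="icon" type="image/jpeg" href="pfp.jpg"><link rel="alternate" type="application/rss+xml" title="RSS" href="https://${cfg.domainName}/blog/index.xml"><link href="style.css" rel="stylesheet" /><script src="main.js"></script><meta http-equiv="refresh" content="10; url=$http_referer" /></head><body onload="documentLoaded()"><hr/><div class="main-body"><p>Success! It may take a while for your comment to get moderated.</p><p>Please wait for 10 seconds until you get redirected back...</p><p>Or just go there <a href="$http_referer">manually</a>.</p></div><hr/></body></html>';
      '';
    };
  };

  /* DNS-over-HTTPS via gRPC, never wired up (would belong inside the blog
     vhost's locations, not at this level).
  locations."/dns-query".extraConfig = ''
    grpc_pass grpc://127.0.0.1:53453;
  '';*/

  # TODO: firefox sync?
}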