Diffstat (limited to 'nix/modules')
-rw-r--r--nix/modules/cgit.nix6
-rw-r--r--nix/modules/conduit.nix12
-rw-r--r--nix/modules/configuration.nix44
-rw-r--r--nix/modules/git-daemon.nix1
-rw-r--r--nix/modules/gitweb.nix7
-rw-r--r--nix/modules/home/user.nix3
-rw-r--r--nix/modules/home/zsh.nix2
-rw-r--r--nix/modules/nginx.nix77
-rw-r--r--nix/modules/ssh.nix8
9 files changed, 123 insertions, 37 deletions
diff --git a/nix/modules/cgit.nix b/nix/modules/cgit.nix
new file mode 100644
index 0000000..cfb9158
--- /dev/null
+++ b/nix/modules/cgit.nix
@@ -0,0 +1,6 @@
+{ config, lib, ... }:
+{
+ services.cgit = {
+ enable = true;
+ };
+}
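Review bot: This file is never imported — the configuration.nix hunk in this same commit adds only `./gitweb.nix` and `./conduit.nix` to `imports` — so `services.cgit` here has no effect. As far as I recall the NixOS cgit module is per-instance (`services.cgit.<name>.enable`, with `scanPath` and `nginx.virtualHost`), so a bare `services.cgit.enable = true;` would fail evaluation once the file is imported; confirm against the module before wiring it in. If cgit is meant to replace or sit beside gitweb on `/srv/git`, decide which one is exposed rather than enabling both unconditionally, and tie it to the server profile like the other services: `enable = lib.mkDefault config.monorepo.profiles.server.enable;`.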
diff --git a/nix/modules/conduit.nix b/nix/modules/conduit.nix
new file mode 100644
index 0000000..954e5fc
--- /dev/null
+++ b/nix/modules/conduit.nix
@@ -0,0 +1,12 @@
+{ config, lib, ... }:
+{
+ services.matrix-conduit = {
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ # random comment
+ settings.global = {
+ server_name = "matrix.ret2pop.net";
+ address = "0.0.0.0";
+ port = 6167;
+ };
+ };
+}
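Review bot: `address = "0.0.0.0"` binds Conduit's plaintext HTTP listener on 6167 to every interface, while nginx.nix in this commit only proxies to `http://127.0.0.1:6167`, so nothing needs the wider bind and it leaves the unauthenticated backend reachable directly unless the host firewall blocks it (not visible here). Loopback is sufficient: `address = "127.0.0.1";`. The `# random comment` line should also be dropped or replaced with something meaningful, e.g. `# Reverse-proxied by nginx (matrix.ret2pop.net, ports 443/8448); keep bound to loopback.`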
diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix
index 6f8f314..bd37c77 100644
--- a/nix/modules/configuration.nix
+++ b/nix/modules/configuration.nix
@@ -14,6 +14,8 @@
./dovecot.nix
./ollama.nix
./i2pd.nix
+ ./gitweb.nix
+ ./conduit.nix
];
documentation = {
@@ -241,6 +243,10 @@
};
security = {
+ acme = {
+ acceptTerms = true;
+ defaults.email = "ret2pop@gmail.com";
+ };
apparmor = {
enable = true;
killUnconfinedConfinables = true;
@@ -280,16 +286,39 @@
config.common.default = "*";
};
+ environment.etc."gitconfig".text = ''
+ [init]
+ defaultBranch = main
+ '';
+ environment.extraInit = ''
+ umask 0022
+ '';
environment.systemPackages = with pkgs; [
restic
sbctl
git
vim
curl
+ nmap
+ (writeShellScriptBin "new-repo"
+ ''
+ #!/bin/bash
+ cd /srv/git
+ git init --bare "$1"
+ vim "$1/description"
+ chown -R git:git "$1"
+ ''
+ )
];
- users.groups.git = {};
+ users.groups.nginx = lib.mkDefault {};
+ users.groups.git = lib.mkDefault {};
users.users = {
+ nginx.group = "nginx";
+ nginx.isSystemUser = lib.mkDefault true;
+ nginx.extraGroups = [
+ "acme"
+ ];
root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell"
];
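Review bot: The `new-repo` script does not check that `cd /srv/git` succeeded, so if that directory is missing or unreadable the `git init --bare "$1"` and `chown -R git:git "$1"` that follow run against `$1` relative to whatever directory the admin invoked it from. Add `set -euo pipefail` (or at least `cd /srv/git || exit 1`) so a failed `cd` aborts, and pass `--` before `"$1"` so a name starting with `-` cannot be parsed as an option. The `#!/bin/bash` line is redundant inside `writeShellScriptBin`, which already emits a shebang; as written it is just a comment on line 2.
```nix
(writeShellScriptBin "new-repo"
  ''
  set -euo pipefail
  cd /srv/git
  git init --bare -- "$1"
  vim "$1/description"
  chown -R git:git -- "$1"
  ''
)
```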
@@ -299,8 +328,14 @@
home = "/srv/git";
shell = "${pkgs.git}/bin/git-shell";
group = "git";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell"
+ ];
};
"${config.monorepo.vars.userName}" = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell"
+ ];
initialPassword = "${config.monorepo.vars.userName}";
isNormalUser = true;
description = config.monorepo.vars.fullName;
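Review bot: Granting the admin key to the `git` account is fine given its `git-shell` login shell, but `git-shell` only restricts the command run; it does not stop SSH port forwarding, agent forwarding or PTY allocation on that account. Prefix the key with the authorized_keys `restrict` option for the git user: `"restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell"`. The same key string is now pasted three times in this file (root, git, and the primary user); hoisting it into a `let adminKey = "..."; in` binding or a `config.monorepo.vars` entry would keep the copies from drifting when the key is rotated.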
@@ -314,7 +349,12 @@
"olm-3.2.16"
];
- nix.settings.experimental-features = "nix-command flakes";
+ nix = {
+ settings = {
+ experimental-features = "nix-command flakes";
+ trusted-users = [ "@wheel" ];
+ };
+ };
time.timeZone = config.monorepo.vars.timeZone;
i18n.defaultLocale = "en_CA.UTF-8";
system.stateVersion = "24.11";
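Review bot: `trusted-users = [ "@wheel" ]` lets every wheel member pass arbitrary settings to nix-daemon (extra substituters, sandbox off, importing unsigned store paths), which is effectively root without going through sudo's password prompt or audit trail. Wheel already implies sudo here, so this is not a new privilege, but if the only reason is `nixos-rebuild --target-host ... --use-remote-sudo` from user.nix (which copies the closure as the SSH user), the narrower grant is the deploy user alone: `trusted-users = [ config.monorepo.vars.userName ];`. A short comment stating that reason next to the setting would help, e.g. `# needed so remote-build can nix-copy-closure as the SSH user`.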
diff --git a/nix/modules/git-daemon.nix b/nix/modules/git-daemon.nix
index e71356e..e5e2192 100644
--- a/nix/modules/git-daemon.nix
+++ b/nix/modules/git-daemon.nix
@@ -3,7 +3,6 @@
services.gitDaemon = {
enable = lib.mkDefault config.monorepo.profiles.server.enable;
exportAll = true;
- listenAddress = "0.0.0.0";
basePath = "/srv/git";
};
}
diff --git a/nix/modules/gitweb.nix b/nix/modules/gitweb.nix
new file mode 100644
index 0000000..51cff87
--- /dev/null
+++ b/nix/modules/gitweb.nix
@@ -0,0 +1,7 @@
+{ lib, config, ... }:
+{
+ services.gitweb = {
+ gitwebTheme = true;
+ projectroot = "/srv/git/";
+ };
+}
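Review bot: `projectroot = "/srv/git/"` with no export filter makes gitweb list and serve every repository under `/srv/git`, including anything created there that was not meant to be public. gitweb honours a per-repo marker file; restricting it to repos that opt in is one line: `extraConfig = ''$export_ok = "git-daemon-export-ok";'';` (the `services.gitweb.extraConfig` option is appended verbatim to gitweb.conf). Note that git-daemon.nix still has `exportAll = true`, so the daemon would keep serving everything regardless; the two should agree on one policy.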
diff --git a/nix/modules/home/user.nix b/nix/modules/home/user.nix
index 85b6a70..7872d53 100644
--- a/nix/modules/home/user.nix
+++ b/nix/modules/home/user.nix
@@ -65,7 +65,8 @@
(writeShellScriptBin "remote-build"
''
#!/bin/bash
-nixos-rebuild --target-host "$1" switch --flake .#spontaneity
+cd ~/monorepo/nix
+nixos-rebuild --use-remote-sudo --target-host "$1" switch --flake .#spontaneity
''
)
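Review bot: `cd ~/monorepo/nix` is unchecked, so if the checkout is missing the following `nixos-rebuild ... --flake .#spontaneity` runs from the caller's current directory and resolves `.#spontaneity` against whatever flake is there (or fails with a confusing error). Make it `cd ~/monorepo/nix || exit 1`, or add `set -e` at the top of the script. The `#!/bin/bash` line inside `writeShellScriptBin` is a leftover comment, since the builder already prepends its own shebang.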
(writeShellScriptBin "install-vps"
diff --git a/nix/modules/home/zsh.nix b/nix/modules/home/zsh.nix
index fc041e9..0c5bced 100644
--- a/nix/modules/home/zsh.nix
+++ b/nix/modules/home/zsh.nix
@@ -3,7 +3,7 @@
programs.zsh = {
enable = true;
initExtra = ''
- umask 0077
+ umask 0022
export EXTRA_CCFLAGS="-I/usr/include"
source ${pkgs.zsh-vi-mode}/share/zsh-vi-mode/zsh-vi-mode.plugin.zsh
export QT_QPA_PLATFORM="wayland"
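Review bot: Relaxing the interactive umask from `0077` to `0022` makes every file the user creates world-readable by default, on workstations as well as the server, and the same value is applied system-wide via `environment.extraInit` in configuration.nix in this commit. If the motivation is letting nginx/gitweb read repositories under `/srv/git` (presumably — the commit does not say), a narrower fix is group-based: put `nginx` in the `git` group and use `umask 0027`, so only group members gain read access. If `0022` is intentional, a one-line comment saying why would stop the next reader from "fixing" it back: `# 0022 rather than 0077 so files served by nginx/gitweb are readable`.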
diff --git a/nix/modules/nginx.nix b/nix/modules/nginx.nix
index 18becfe..af2d42f 100644
--- a/nix/modules/nginx.nix
+++ b/nix/modules/nginx.nix
@@ -2,7 +2,7 @@
{
services.nginx = {
enable = lib.mkDefault config.monorepo.profiles.server.enable;
-
+ user = "nginx";
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
@@ -10,37 +10,58 @@
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
-
- appendHttpConfig = ''
- # Add HSTS header with preloading to HTTPS requests.
- # Adding this header to HTTP requests is discouraged
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- add_header Strict-Transport-Security $hsts_header;
-
- # Enable CSP for your services.
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
- # Minimize information leaked to other domains
- add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
- # Disable embedding as a frame
- add_header X-Frame-Options DENY;
+ appendHttpConfig = '''';
- # Prevent injection of code in other mime types (XSS Attacks)
- add_header X-Content-Type-Options nosniff;
-
- # This might create errors
- proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-'';
+ gitweb = {
+ enable = true;
+ virtualHost = "ret2pop.net";
+ };
virtualHosts = {
- "ret2pop.nullring.xyz" = {
- # addSSL = true;
- # enableACME = true;
- root = "/home/preston/ret2pop-website/";
+ "matrix.ret2pop.net" = {
+ enableACME = true;
+ forceSSL = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "[::]";
+ port = 443;
+ ssl = true;
+ } {
+ addr = "0.0.0.0";
+ port = 8448;
+ ssl = true;
+ }
+ {
+ addr = "[::]";
+ port = 8448;
+ ssl = true;
+ }
+ ];
+ locations."/_matrix/" = {
+ proxyPass = "http://127.0.0.1:6167";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_buffers 32 16k;
+ proxy_read_timeout 5m;
+ '';
+ };
+
+ extraConfig = ''
+ merge_slashes off;
+ '';
+ };
+ "ret2pop.net" = {
+ serverName = "ret2pop.net";
+ root = "/var/www/ret2pop-website/";
+ addSSL = true;
+ enableACME = true;
};
};
};
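Review bot: Replacing `appendHttpConfig` with an empty string drops HSTS, `X-Content-Type-Options nosniff`, `X-Frame-Options DENY` and `Referrer-Policy` for every vhost, and as far as I know `recommendedTlsSettings` does not add an HSTS header itself, so the TLS vhosts now ship without it. Since `ret2pop.net` uses `addSSL` rather than `forceSSL`, plain HTTP is still served with no redirect either; `forceSSL = true;` there plus restoring the `map $scheme $hsts_header { ... }` / `add_header Strict-Transport-Security $hsts_header;` pair in `appendHttpConfig` would recover the previous posture without the `proxy_cookie_path` line that the old comment flagged as error-prone. The headers set at http level still inherit into the `/_matrix/` location because it sets no `add_header` of its own (nginx only discards inherited headers when a block defines any). If the empty `appendHttpConfig = '''';` stays, it can simply be deleted — the default is empty.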
diff --git a/nix/modules/ssh.nix b/nix/modules/ssh.nix
index 5c705c9..076ee47 100644
--- a/nix/modules/ssh.nix
+++ b/nix/modules/ssh.nix
@@ -1,11 +1,11 @@
-{ config, ... }:
+{ config, lib, ... }:
{
services.openssh = {
enable = true;
settings = {
- PasswordAuthentication = true;
- AllowUsers = [ config.monorepo.vars.userName ];
- PermitRootLogin = "prohibit-password";
+ PasswordAuthentication = lib.mkDefault (! config.monorepo.profiles.server.enable);
+ AllowUsers = [ config.monorepo.vars.userName "root" "git" ];
+ PermitRootLogin = "yes";
KbdInteractiveAuthentication = false;
};
};
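Review bot: `PermitRootLogin = "yes"` is a regression from `"prohibit-password"` and is set unconditionally, while `PasswordAuthentication` is only disabled when the server profile is enabled — so on non-server hosts root becomes reachable over SSH with a password. The root key added to `root.openssh.authorizedKeys.keys` in configuration.nix already works under `prohibit-password`, and `remote-build` in user.nix uses `--use-remote-sudo` rather than a root login, so nothing visible needs password root login; keep `PermitRootLogin = "prohibit-password";`. If root is kept in `AllowUsers`, a comment noting which workflow depends on it would help, e.g. `# root: key-only, used by nixos-rebuild --target-host`.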