nixos-config/hosts/plover/default.nix

{ config, lib, pkgs, modulesPath, ... }:

let
  inherit (import ./modules/hardware/networks.nix) interfaces;
in
{
  imports = [
    # Since this will be rarely configured, make sure to import the appropriate
    # hardware modules depending on the hosting provider (and even just the
    # server).
    ./modules/hardware/hetzner-cloud-cx21.nix

    # The users for this host.
    (lib.getUser "nixos" "admin")
    (lib.getUser "nixos" "plover")

    # Hardened profile from nixpkgs.
    "${modulesPath}/profiles/hardened.nix"

    # Of course, what is a server without a backup? A professionally-handled
    # production system. However, we're not professionals so we do have
    # backups.
    ./modules/services/borgbackup.nix

    # The primary DNS server that is completely hidden.
    ./modules/services/bind.nix

    # The reverse proxy of choice.
    ./modules/services/nginx.nix

    # The single-sign on setup.
    ./modules/services/kanidm.nix
    ./modules/services/vouch-proxy.nix

    # The monitoring stack.
    ./modules/services/prometheus.nix
    ./modules/services/grafana.nix

    # The database of choice which is used by most self-managed services on
    # this server.
    ./modules/services/postgresql.nix

    # The application services for this server. They are modularized since
    # configuring it here will make it too big.
    ./modules/services/atuin.nix
    ./modules/services/gitea.nix
    ./modules/services/vaultwarden.nix
    ./modules/services/wireguard.nix
    ./modules/services/wezterm-mux-server.nix
  ];

  # Automatic format and partitioning.
  disko.devices = import ./disko.nix {
    disks = [ "/dev/sda" ];
  };

  networking = {
    nftables.enable = true;
    domain = "foodogsquared.one";
    firewall = {
      enable = true;
      allowedTCPPorts = [
        22 # Secure Shells.
      ];
    };
  };

  services.fail2ban = {
    ignoreIP = [
      # VPN clients.
      "${interfaces.wireguard0.IPv4.address}/13"
      "${interfaces.wireguard0.IPv6.address}/64"
    ];

    # We're going to be unforgiving with this one since we only have key
    # authentication and password authentication is disabled anyways.
    jails.sshd.settings = {
      enabled = true;
      maxretry = 1;
    };
  };


  sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
    "ssh-key" = { };
    "lego/env" = { };
  };

  # All of the keys required to deploy the secrets.
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  profiles.server = {
    enable = true;
    headless.enable = true;
    hardened-config.enable = true;
    cleanup.enable = true;
  };

  # DNS-related settings. We're settling by configuring the ACME setup with a
  # self-hosted DNS server.
  security.acme.defaults = {
    email = "admin+acme@foodogsquared.one";
    dnsProvider = "rfc2136";
    dnsResolver = "1.1.1.1";
    credentialsFile = config.sops.secrets."lego/env".path;
  };

  # Enable generating new DH params.
  security.dhparams.enable = true;

  # !!! The keys should be rotated at an interval here.
  services.openssh.hostKeys = [{
    path = config.sops.secrets."ssh-key".path;
    type = "ed25519";
  }];

  system.stateVersion = "23.11";
}
treewide: remove `options` attribute for modules 2023-10-02 06:26:11 +00:00			`{ config, lib, pkgs, modulesPath, ... }:`
hosts/plover: init 2022-11-23 05:27:01 +00:00
			`let`
hosts: revise networking-related variables set 2023-01-25 03:38:45 +00:00			`inherit (import ./modules/hardware/networks.nix) interfaces;`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`in`
			`{`
			`imports = [`
hosts/plover: move hardware config to be hosting provider-specific 2023-01-14 07:55:30 +00:00			`# Since this will be rarely configured, make sure to import the appropriate`
			`# hardware modules depending on the hosting provider (and even just the`
			`# server).`
			`./modules/hardware/hetzner-cloud-cx21.nix`
hosts/plover: update config 2022-11-26 06:13:17 +00:00
users/plover: add home-manager user to config 2022-12-03 05:46:46 +00:00			`# The users for this host.`
			`(lib.getUser "nixos" "admin")`
hosts/plover: update config 2022-11-26 06:13:17 +00:00			`(lib.getUser "nixos" "plover")`
hosts/plover: add hardened profile from nixpkgs 2022-12-03 03:11:48 +00:00
Revert "hosts/plover: add headless profile from nixpkgs" This reverts commit 6300aa72754fd922cbd7e1a3c0f3990eb1441a7f. 2022-12-03 07:46:22 +00:00			`# Hardened profile from nixpkgs.`
hosts/plover: add hardened profile from nixpkgs 2022-12-03 03:11:48 +00:00			`"${modulesPath}/profiles/hardened.nix"`
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00
hosts/plover: modularize BorgBackup service 2023-11-06 08:59:20 +00:00			`# Of course, what is a server without a backup? A professionally-handled`
			`# production system. However, we're not professionals so we do have`
			`# backups.`
			`./modules/services/borgbackup.nix`

hosts/plover: replace dnsmasq with CoreDNS as DNS server 2023-02-08 10:00:35 +00:00			`# The primary DNS server that is completely hidden.`
hosts/plover: change DNS server to Bind9 CoreDNS doesn't have dynamic updates available yet (though there are PRs and discussions for it) so we'll have to go with something that has it. Also, it provides an opportunity for me to use the de-facto software for this. 2023-06-22 09:56:47 +00:00			`./modules/services/bind.nix`
hosts/plover: replace dnsmasq with CoreDNS as DNS server 2023-02-08 10:00:35 +00:00
hosts/plover: add comments to various parts 2023-02-08 10:03:20 +00:00			`# The reverse proxy of choice.`
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`./modules/services/nginx.nix`

hosts/plover: init Vouch proxy server 2023-10-07 19:28:14 +00:00			`# The single-sign on setup.`
			`./modules/services/kanidm.nix`
			`./modules/services/vouch-proxy.nix`

hosts/plover: init Grafana server 2023-10-07 19:27:47 +00:00			`# The monitoring stack.`
hosts/plover: init Prometheus monitoring daemon 2023-10-07 19:28:35 +00:00			`./modules/services/prometheus.nix`
hosts/plover: init Grafana server 2023-10-07 19:27:47 +00:00			`./modules/services/grafana.nix`

hosts/plover: modularize PostgreSQL service 2023-01-13 07:26:32 +00:00			`# The database of choice which is used by most self-managed services on`
			`# this server.`
			`./modules/services/postgresql.nix`

hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# The application services for this server. They are modularized since`
			`# configuring it here will make it too big.`
			`./modules/services/atuin.nix`
			`./modules/services/gitea.nix`
			`./modules/services/vaultwarden.nix`
hosts: add Wireguard services to related peers Among other things, Plover now ignores certain IP for fail2ban. This is for the VPN users that are placed in that range. 2023-01-17 08:05:11 +00:00			`./modules/services/wireguard.nix`
hosts/plover: add and configure Wezterm mux server Not yet fully configured though so we'll have to update the Wezterm server configuration. 2023-07-20 02:40:45 +00:00			`./modules/services/wezterm-mux-server.nix`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`];`

hosts/plover: add disko device config 2023-06-30 05:38:38 +00:00			`# Automatic format and partitioning.`
			`disko.devices = import ./disko.nix {`
			`disks = [ "/dev/sda" ];`
			`};`

hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. 2022-12-10 10:45:36 +00:00			`networking = {`
hosts/plover: use nftables as firewall 2023-01-06 12:26:57 +00:00			`nftables.enable = true;`
hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. 2022-12-10 10:45:36 +00:00			`domain = "foodogsquared.one";`
hosts/plover: enable firewall for Hetzner Cloud config 2023-01-05 11:48:54 +00:00			`firewall = {`
hosts/plover: enable firewall (again) 2023-02-06 08:09:09 +00:00			`enable = true;`
hosts/plover: enable firewall for Hetzner Cloud config 2023-01-05 11:48:54 +00:00			`allowedTCPPorts = [`
			`22 # Secure Shells.`
			`];`
			`};`
hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. 2022-12-10 10:45:36 +00:00			`};`
hosts/plover: update config It now uses PostgreSQL for the services and also fixed some of the misconfigurations in the services. 2022-11-27 16:41:44 +00:00
hosts/plover: update networking setup 2023-02-09 06:17:59 +00:00			`services.fail2ban = {`
			`ignoreIP = [`
			`# VPN clients.`
			`"${interfaces.wireguard0.IPv4.address}/13"`
			`"${interfaces.wireguard0.IPv6.address}/64"`
			`];`
hosts: revise networking-related variables set 2023-01-25 03:38:45 +00:00
hosts/plover: update networking setup 2023-02-09 06:17:59 +00:00			`# We're going to be unforgiving with this one since we only have key`
			`# authentication and password authentication is disabled anyways.`
hosts/plover: use fail2ban jails settings It is nicer compared to the traditional setting with strings. 2023-07-14 06:41:58 +00:00			`jails.sshd.settings = {`
			`enabled = true;`
			`maxretry = 1;`
			`};`
hosts/plover: update networking setup 2023-02-09 06:17:59 +00:00			`};`
hosts: add Wireguard services to related peers Among other things, Plover now ignores certain IP for fail2ban. This is for the VPN users that are placed in that range. 2023-01-17 08:05:11 +00:00
hosts/plover: modularize BorgBackup service 2023-11-06 08:59:20 +00:00
config: convert to lib.getSecrets 2023-07-05 03:38:58 +00:00			`sops.secrets = lib.getSecrets ./secrets/secrets.yaml {`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`"ssh-key" = { };`
			`"lego/env" = { };`
config: convert to lib.getSecrets 2023-07-05 03:38:58 +00:00			`};`
hosts/plover: init 2022-11-23 05:27:01 +00:00
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# All of the keys required to deploy the secrets.`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`sops.age.keyFile = "/var/lib/sops-nix/key.txt";`

hosts/plover: update config 2022-12-02 04:33:51 +00:00			`profiles.server = {`
			`enable = true;`
			`headless.enable = true;`
			`hardened-config.enable = true;`
			`cleanup.enable = true;`
			`};`

hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# DNS-related settings. We're settling by configuring the ACME setup with a`
hosts/plover: change DNS server to Bind9 CoreDNS doesn't have dynamic updates available yet (though there are PRs and discussions for it) so we'll have to go with something that has it. Also, it provides an opportunity for me to use the de-facto software for this. 2023-06-22 09:56:47 +00:00			`# self-hosted DNS server.`
hosts/plover: add LDAP server to reverse proxy 2022-12-29 02:26:15 +00:00			`security.acme.defaults = {`
hosts/plover: update Bind config for dynamic updates 2023-06-27 14:56:18 +00:00			`email = "admin+acme@foodogsquared.one";`
hosts/plover: change DNS server to Bind9 CoreDNS doesn't have dynamic updates available yet (though there are PRs and discussions for it) so we'll have to go with something that has it. Also, it provides an opportunity for me to use the de-facto software for this. 2023-06-22 09:56:47 +00:00			`dnsProvider = "rfc2136";`
hosts/plover: update Bind config for dynamic updates 2023-06-27 14:56:18 +00:00			`dnsResolver = "1.1.1.1";`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`credentialsFile = config.sops.secrets."lego/env".path;`
hosts/plover: add DNS-related config 2022-12-03 00:09:26 +00:00			`};`

hosts/plover: enable DH params generation This is for certain applications as we'll see. 2023-06-30 02:46:43 +00:00			`# Enable generating new DH params.`
			`security.dhparams.enable = true;`

			`# !!! The keys should be rotated at an interval here.`
hosts/plover: update config 2022-12-02 04:33:51 +00:00			`services.openssh.hostKeys = [{`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`path = config.sops.secrets."ssh-key".path;`
hosts/plover: update config 2022-12-02 04:33:51 +00:00			`type = "ed25519";`
			`}];`

hosts: update system state version to 23.11 2023-08-03 05:29:00 +00:00			`system.stateVersion = "23.11";`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`}`