mirror of
https://github.com/foo-dogsquared/nixos-config.git
synced 2025-01-31 04:58:01 +00:00
nixos/shared-setups: init modules subset
This commit is contained in:
parent
9b1c1132b8
commit
30a39a2fd8
@ -1,6 +1,7 @@
|
||||
{
|
||||
imports = [
|
||||
./extra-arguments.nix
|
||||
./shared-setups/server
|
||||
./state
|
||||
./suites/archiving.nix
|
||||
./suites/browsers.nix
|
||||
|
30
modules/nixos/_private/shared-setups/server/crowdsec.nix
Normal file
30
modules/nixos/_private/shared-setups/server/crowdsec.nix
Normal file
@ -0,0 +1,30 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.shared-setups.server.crowdsec;
|
||||
in
|
||||
{
|
||||
options.shared-setups.server.crowdsec.enable =
|
||||
lib.mkEnableOption "typical Crowdsec setup for public-facing servers";
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.crowdsec = {
|
||||
enable = true;
|
||||
settings = {
|
||||
common = {
|
||||
daemonize = false;
|
||||
log_media = "stdout";
|
||||
};
|
||||
};
|
||||
|
||||
plugins = {
|
||||
http = {
|
||||
settings = {
|
||||
type = "http";
|
||||
log_level = "info";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
8
modules/nixos/_private/shared-setups/server/default.nix
Normal file
8
modules/nixos/_private/shared-setups/server/default.nix
Normal file
@ -0,0 +1,8 @@
|
||||
{
|
||||
imports = [
|
||||
./crowdsec.nix
|
||||
./fail2ban.nix
|
||||
./firewall.nix
|
||||
./nginx.nix
|
||||
];
|
||||
}
|
29
modules/nixos/_private/shared-setups/server/fail2ban.nix
Normal file
29
modules/nixos/_private/shared-setups/server/fail2ban.nix
Normal file
@ -0,0 +1,29 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.shared-setups.server.fail2ban;
|
||||
in
|
||||
{
|
||||
options.shared-setups.server.fail2ban.enable =
|
||||
lib.mkEnableOption "typical fail2ban configuration for public-facing servers";
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.fail2ban = {
|
||||
enable = true;
|
||||
bantime-increment = {
|
||||
enable = true;
|
||||
factor = "4";
|
||||
maxtime = "24h";
|
||||
overalljails = true;
|
||||
};
|
||||
extraPackages = with pkgs; [ ipset ];
|
||||
|
||||
# We're going to be unforgiving with this one since we only have key
|
||||
# authentication and password authentication is disabled anyways.
|
||||
jails.sshd.settings = {
|
||||
enabled = true;
|
||||
maxretry = 1;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
20
modules/nixos/_private/shared-setups/server/firewall.nix
Normal file
20
modules/nixos/_private/shared-setups/server/firewall.nix
Normal file
@ -0,0 +1,20 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.shared-setups.server.firewall;
|
||||
in
|
||||
{
|
||||
options.shared-setups.server.firewall.enable = lib.mkEnableOption "typical firewall setup";
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
networking = {
|
||||
nftables.enable = true;
|
||||
firewall = {
|
||||
enable = true;
|
||||
allowedTCPPorts = [
|
||||
22 # Secure Shells.
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
86
modules/nixos/_private/shared-setups/server/nginx.nix
Normal file
86
modules/nixos/_private/shared-setups/server/nginx.nix
Normal file
@ -0,0 +1,86 @@
|
||||
# The reverse proxy of choice. Logs should be rotated weekly.
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.shared-setups.server.nginx;
|
||||
in
|
||||
{
|
||||
options.shared-setups.server.nginx.enable =
|
||||
lib.mkEnableOption "typical Nginx configuration for public-facing servers";
|
||||
|
||||
config = lib.mkIf cfg.enable (lib.mkMerge [
|
||||
{
|
||||
# The main server where it will tie all of the services in one neat little
|
||||
# place. Take note, the virtual hosts definition are all in their respective
|
||||
# modules.
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
enableReload = true;
|
||||
|
||||
package = pkgs.nginxMainline;
|
||||
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
||||
# Some more server-sided compressions.
|
||||
recommendedBrotliSettings = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedZstdSettings = true;
|
||||
|
||||
proxyCachePath.apps = {
|
||||
enable = true;
|
||||
keysZoneName = "apps";
|
||||
};
|
||||
|
||||
appendConfig = ''
|
||||
worker_processes auto;
|
||||
'';
|
||||
|
||||
# We're avoiding any service to be the default server especially that it
|
||||
# could be used for enter a service with unencrypted HTTP. So we're setting
|
||||
# up one with an unresponsive server response.
|
||||
appendHttpConfig = ''
|
||||
# https://docs.nginx.com/nginx/admin-guide/content-cache/content-caching/
|
||||
proxy_cache_min_uses 5;
|
||||
proxy_cache_valid 200 302 10m;
|
||||
proxy_cache_valid 404 1m;
|
||||
proxy_no_cache $http_pragma $http_authorization;
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
return 444;
|
||||
}
|
||||
'';
|
||||
|
||||
# This is defined for other services.
|
||||
upstreams."nginx" = {
|
||||
extraConfig = ''
|
||||
zone services 64k;
|
||||
'';
|
||||
servers = {
|
||||
"localhost:80" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80 # HTTP servers.
|
||||
443 # HTTPS servers.
|
||||
];
|
||||
|
||||
# Generate a DH parameters for nginx-specific security configurations.
|
||||
security.dhparams.params.nginx.bits = 4096;
|
||||
}
|
||||
|
||||
(lib.mkIf config.services.fail2ban.enable {
|
||||
# Some fail2ban policies to apply for nginx.
|
||||
services.fail2ban.jails = {
|
||||
nginx-http-auth.settings = { enabled = true; };
|
||||
nginx-botsearch.settings = { enabled = true; };
|
||||
nginx-bad-request.settings = { enabled = true; };
|
||||
};
|
||||
})
|
||||
]);
|
||||
}
|
Loading…
Reference in New Issue
Block a user