3 Commits
b3ff15b0a4
...
163e96c560
Author | SHA1 | Date |
---|---|---|
Benjamin Yule Bädorf | 163e96c560 | |
Benjamin Yule Bädorf | 5ee63e7e1c | |
Benjamin Yule Bädorf | e127ae6062 |
18
flake.lock
18
flake.lock
|
@ -423,11 +423,11 @@
|
|||
},
|
||||
"nixpkgs-master": {
|
||||
"locked": {
|
||||
"lastModified": 1711485334,
|
||||
"narHash": "sha256-qOHrFSfo6W5J5RkkJy7xLSECKaK/NITQXfeh715fD7s=",
|
||||
"lastModified": 1711717242,
|
||||
"narHash": "sha256-PW9J9sFw5DA4Fo3Cq4Soc+an6tjTS4VV2NxG6G0UMqw=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e19e9bceda53148e8dd6e8f54bf19375e5e60af9",
|
||||
"rev": "824952ff6b32b0019465b139b5c76d915ec074ea",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -439,11 +439,11 @@
|
|||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1711333969,
|
||||
"narHash": "sha256-5PiWGn10DQjMZee5NXzeA6ccsv60iLu+Xtw+mfvkUAs=",
|
||||
"lastModified": 1711523803,
|
||||
"narHash": "sha256-UKcYiHWHQynzj6CN/vTcix4yd1eCu1uFdsuarupdCQQ=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "57e6b3a9e4ebec5aa121188301f04a6b8c354c9b",
|
||||
"rev": "2726f127c15a4cc9810843b96cad73c7eb39e443",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -487,11 +487,11 @@
|
|||
},
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1711124224,
|
||||
"narHash": "sha256-l0zlN/3CiodvWDtfBOVxeTwYSRz93muVbXWSpaMjXxM=",
|
||||
"lastModified": 1711460390,
|
||||
"narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "56528ee42526794d413d6f244648aaee4a7b56c0",
|
||||
"rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -15,7 +15,6 @@
|
|||
|
||||
# Allow pub.solar restic backups
|
||||
services.openssh.allowSFTP = true;
|
||||
services.openssh.openFirewall = true;
|
||||
|
||||
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age";
|
||||
|
||||
|
|
|
@ -44,7 +44,6 @@ in {
|
|||
};
|
||||
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
boot.kernelPackages = pkgs.linuxPackages_6_1;
|
||||
|
||||
# Copy the NixOS configuration file and link it from the resulting system
|
||||
# (/run/current-system/configuration.nix). This is useful in case you
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
./networking.nix
|
||||
./unbound.nix
|
||||
./nginx.nix
|
||||
./invoiceplane-proxy.nix
|
||||
./wireguard.nix
|
||||
./email.nix
|
||||
./website.nix
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
{
|
||||
flake,
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
security.acme.certs = {
|
||||
"invoicing.b12f.io" = {};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"invoicing.b12f.io" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "invoicing.b12f.io";
|
||||
# This redirects to invoiceplane on pie
|
||||
locations."/".proxyPass = "https://invoicing.b12f.io";
|
||||
};
|
||||
};
|
||||
}
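Review bot: `locations."/".proxyPass = "https://invoicing.b12f.io";` proxies to the same name this virtualHost serves, and the Terraform hunk at the end of this page repoints that CNAME from pie to frikandel, so unless this host's resolver overrides invoicing.b12f.io to pie's address the request will loop back into this nginx; naming the backend directly, e.g. `locations."/".proxyPass = "https://pie.b12f.io";` (or its wg-private address), matches what the comment above it already says. nginx does not verify upstream certificates unless told to, so the hop to pie is unauthenticated TLS; if it does not ride over WireGuard, add `locations."/".extraConfig = "proxy_ssl_server_name on; proxy_ssl_name invoicing.b12f.io; proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;";`. The `config`, `pkgs` and `lib` module arguments are unused in this file and can be dropped.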
|
|
@ -14,8 +14,6 @@
|
|||
"2a0f:fc81::" #dns0.eu
|
||||
];
|
||||
|
||||
services.openssh.openFirewall = true;
|
||||
|
||||
# Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.enp1s0 = {
|
||||
|
|
|
@ -58,6 +58,9 @@
|
|||
"\"b12f.io\" transparent"
|
||||
];
|
||||
local-data = [
|
||||
"\"droppie.b12f.io. 10800 IN A 10.13.12.3\""
|
||||
"\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
|
||||
|
||||
"\"droppie.b12f.io. 10800 IN A 10.13.12.3\""
|
||||
"\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
|
||||
"\"backup.b12f.io. 10800 IN A 10.13.12.3\""
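Review bot: Counting the header's 6 → 9 lines against what is rendered, the droppie A and AAAA lines at L342 and L345 look like additions rather than a re-print of L334 and L337, which would leave `local-data` with each droppie record twice; if that is what the new file contains, drop the two duplicates and keep only `"\"backup.b12f.io. 10800 IN A 10.13.12.3\""` as the new entry. The rendering has lost the +/- markers, so this is worth checking against the raw diff. backup.b12f.io also gets only an A record while droppie carries both A and AAAA; if the backup host is reachable on the fd00:b12f:acab:1312:acab:3:: address as well, an AAAA entry keeps the two names consistent.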
|
||||
|
|
|
@ -21,7 +21,7 @@ in {
|
|||
boot.loader.generic-extlinux-compatible.enable = false;
|
||||
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
boot.kernelPackages = pkgs.linuxPackages_6_1;
|
||||
boot.kernelPackages = pkgs.linuxPackages_6_1_hardened;
|
||||
|
||||
boot.kernelParams = [
|
||||
"boot.shell_on_fail=1"
|
||||
|
|
|
@ -33,7 +33,6 @@ in {
|
|||
|
||||
services.invoiceplane.webserver = "nginx";
|
||||
services.invoiceplane.sites."invoicing.b12f.io" = {
|
||||
# nginx is not supported
|
||||
enable = true;
|
||||
|
||||
database = {
|
||||
|
|
|
@ -27,7 +27,6 @@
|
|||
"192.168.178.3" = [ "droppie-initrd.b12f.io" ];
|
||||
};
|
||||
|
||||
services.openssh.openFirewall = true;
|
||||
services.openssh.allowSFTP = true;
|
||||
|
||||
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-pie.age";
|
||||
|
|
|
@ -19,6 +19,8 @@
|
|||
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||
dnsProvider = "hostingde";
|
||||
dnsPropagationCheck = true;
|
||||
# We check via dns0 directly or unbound will be in our way
|
||||
dnsResolver = "193.110.81.0";
|
||||
credentialsFile = config.age.secrets."hosting-de-acme-secrets".path;
|
||||
group = "nginx";
|
||||
webroot = null;
|
||||
|
|
|
@ -12,7 +12,7 @@ in {
|
|||
loader.systemd-boot.enable = lib.mkDefault true;
|
||||
|
||||
# Use latest LTS linux kernel by default
|
||||
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
|
||||
kernelPackages = lib.mkDefault pkgs.linuxPackages_6_7_hardened;
|
||||
|
||||
# Support ntfs drives
|
||||
supportedFilesystems = ["ntfs"];
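Review bot: The comment `# Use latest LTS linux kernel by default` at L470 now contradicts the line below it: `linuxPackages_6_7_hardened` is neither the latest kernel nor an LTS series, so this pin stops receiving upstream fixes once 6.7 is end-of-lifed unless someone bumps it by hand. If the goal is a hardened kernel that follows nixpkgs' default LTS, `kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;` keeps both the intent and the comment accurate; if the 6.7 pin is deliberate, change the comment to `# Pinned hardened kernel; bump when the 6.7 series goes EOL`. The pie host hunk at L354 makes the same switch to `linuxPackages_6_1_hardened` (an LTS series, so less of a concern there), but it is worth confirming that the out-of-tree ZFS module pulled in by `boot.supportedFilesystems = [ "zfs" ]` at L362 builds against the hardened package set.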
|
||||
|
|
|
@ -13,26 +13,9 @@ in {
|
|||
./i18n.nix
|
||||
./networking.nix
|
||||
./packages.nix
|
||||
./hardening.nix
|
||||
];
|
||||
|
||||
# Service that makes Out of Memory Killer more effective
|
||||
services.earlyoom.enable = true;
|
||||
|
||||
services.logind.lidSwitch = "hibernate";
|
||||
|
||||
services.tor.settings = {
|
||||
UseBridges = true;
|
||||
};
|
||||
|
||||
# The options below are directly taken from or inspired by
|
||||
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
|
||||
|
||||
# Limit the use of sudo to the group wheel
|
||||
security.sudo.execWheelOnly = true;
|
||||
|
||||
# Remove the complete default environment of packages like
|
||||
# nano, perl and rsync
|
||||
environment.defaultPackages = lib.mkForce [];
|
||||
|
||||
# fileSystems."/".options = [ "noexec" ];
|
||||
}
|
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
with lib; let
|
||||
cfg = config.pub-solar.core;
|
||||
psCfg = config.pub-solar;
|
||||
in {
|
||||
services.tor.settings = {
|
||||
UseBridges = true;
|
||||
};
|
||||
|
||||
# Always go to encrypted hibernation instead of sleep
|
||||
services.logind.lidSwitch = "hibernate";
|
||||
|
||||
# The options below are directly taken from or inspired by
|
||||
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
|
||||
|
||||
# Limit the use of sudo to the group wheel
|
||||
security.sudo.execWheelOnly = true;
|
||||
|
||||
# Remove the complete default environment of packages like
|
||||
# nano, perl and rsync
|
||||
environment.defaultPackages = lib.mkForce [];
|
||||
|
||||
# fileSystems."/".options = [ "noexec" ];
|
||||
|
||||
# disable coredump that could be exploited later
|
||||
# and also slow down the system when something crash
|
||||
systemd.coredump.enable = false;
|
||||
|
||||
# required to run chromium
|
||||
security.chromiumSuidSandbox.enable = true;
|
||||
|
||||
# create system-wide executables firefox and chromium
|
||||
# that will wrap the real binaries so everything
|
||||
# work out of the box.
|
||||
programs.firejail.enable = true;
|
||||
|
||||
# enable antivirus clamav and
|
||||
# keep the signatures' database updated
|
||||
services.clamav.daemon.enable = true;
|
||||
services.clamav.updater.enable = true;
|
||||
}
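Review bot: `with lib;`, `cfg` and `psCfg` in the new hardening.nix are never used in the body (the only lib reference is the explicit `lib.mkForce`), so the `let` block can go and the module header reduced to `{ lib, ... }:`. The comment above `programs.firejail.enable = true;` says it creates wrapped firefox and chromium executables, but the wrappers are declared through `programs.firejail.wrappedBinaries` in the per-profile modules elsewhere in this commit; here the option only installs the setuid-root firejail helper, so I'd reword it to `# installs the setuid firejail helper; wrapped binaries are declared per profile via programs.firejail.wrappedBinaries`. Since `security.chromiumSuidSandbox.enable = true;` likewise adds a setuid helper, a one-line comment noting that this "hardening" file adds two setuid-root binaries would help the next reader weigh the trade-off. `services.tor.settings.UseBridges = true;` is moved in unchanged with no `Bridge` entries; if nothing elsewhere supplies them, tor refuses that configuration at startup as far as I recall, so it is worth confirming.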
|
|
@ -37,6 +37,9 @@
|
|||
'';
|
||||
};
|
||||
|
||||
# Don't expose SSH via public interfaces
|
||||
networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 22 ];
|
||||
|
||||
# For rage encryption, all hosts need a ssh key pair
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
|
|
|
@ -11,14 +11,12 @@ in {
|
|||
hardware.logitech.wireless.enable = true;
|
||||
|
||||
users.users."${psCfg.user.name}".packages = with pkgs; [
|
||||
ungoogled-chromium
|
||||
wine
|
||||
|
||||
gimp
|
||||
present-md
|
||||
inkscape
|
||||
gpxsee
|
||||
digikam
|
||||
nix-output-monitor
|
||||
tigervnc
|
||||
nodejs
|
||||
|
@ -28,8 +26,6 @@ in {
|
|||
signal-desktop
|
||||
tdesktop
|
||||
element-desktop
|
||||
cinny-desktop
|
||||
irssi
|
||||
|
||||
# Nix specific utilities
|
||||
alejandra
|
||||
|
@ -39,6 +35,25 @@ in {
|
|||
nvd
|
||||
];
|
||||
|
||||
programs.firejail.wrappedBinaries = {
|
||||
chromium = {
|
||||
executable = "${pkgs.lib.getBin pkgs.ungoogled-chromium}/bin/chromium";
|
||||
profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
|
||||
};
|
||||
# signal-desktop = {
|
||||
# executable = "${pkgs.lib.getBin pkgs.signal-desktop}/bin/signal-desktop";
|
||||
# profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
|
||||
# };
|
||||
# telegram-desktop = {
|
||||
# executable = "${pkgs.lib.getBin pkgs.tdesktop}/bin/telegram-desktop";
|
||||
# profile = "${pkgs.firejail}/etc/firejail/telegram-desktop.profile";
|
||||
# };
|
||||
# element-desktop = {
|
||||
# executable = "${pkgs.lib.getBin pkgs.element-desktop}/bin/element-desktop";
|
||||
# profile = "${pkgs.firejail}/etc/firejail/element-desktop.profile";
|
||||
# };
|
||||
};
|
||||
|
||||
fonts = {
|
||||
packages = with pkgs; [
|
||||
dejavu_fonts
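Review bot: The firejail wrapper only takes effect if no unsandboxed `chromium` precedes it in PATH; on NixOS the per-user profile populated from `users.users.<name>.packages` is searched before the system profile where `programs.firejail.wrappedBinaries` installs its wrappers, so if `ungoogled-chromium` at L744 survives the removals in the hunk above, the unwrapped binary shadows the wrapper — the same applies to `firefox-wayland` at L894 versus the firefox wrapper in the hunk at L907. Keeping the browser out of the user package list (the wrapper already references `pkgs.ungoogled-chromium` directly) avoids this, and is worth verifying with `which chromium` as that user. The three commented-out signal/telegram/element wrappers are dead configuration; either enable them or replace them with a single `# signal/telegram/element are not wrapped: <reason>` line so the next reader knows why.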
|
||||
|
|
|
@ -88,7 +88,6 @@ in {
|
|||
|
||||
users.users."${psCfg.user.name}".packages = with pkgs; [
|
||||
alacritty
|
||||
firefox-wayland
|
||||
flameshot
|
||||
gnome.adwaita-icon-theme
|
||||
gnome.eog
|
||||
|
@ -103,6 +102,13 @@ in {
|
|||
wcwd
|
||||
];
|
||||
|
||||
programs.firejail.wrappedBinaries = {
|
||||
firefox = {
|
||||
executable = "${pkgs.lib.getBin pkgs.firefox-wayland}/bin/firefox";
|
||||
profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
|
||||
};
|
||||
};
|
||||
|
||||
home-manager.users."${psCfg.user.name}" = {
|
||||
home.file."xinitrc".source = ./.xinitrc;
|
||||
xdg.configFile."alacritty/alacritty.yml".source = yamlFormat.generate "alacritty.yml" (import ./alacritty.nix);
|
||||
|
|
|
@ -160,7 +160,7 @@ resource "hostingde_record" "b12f-invoicing" {
|
|||
zone_id = hostingde_zone.b12f.id
|
||||
name = "invoicing.b12f.io"
|
||||
type = "CNAME"
|
||||
content = "pie.b12f.io"
|
||||
content = "frikandel.b12f.io"
|
||||
ttl = 300
|
||||
}
|
||||
|
||||
|
|