diff --git a/machines/base.nix b/machines/base.nix index 3c1b3df..9e21cdb 100644 --- a/machines/base.nix +++ b/machines/base.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, lib, ... }: { @@ -15,12 +15,29 @@ time.timeZone = "Europe/Paris"; i18n.defaultLocale = "en_US.UTF-8"; + i18n.extraLocaleSettings = { + LC_ADDRESS = "fr_FR.UTF-8"; + LC_IDENTIFICATION = "fr_FR.UTF-8"; + LC_MEASUREMENT = "fr_FR.UTF-8"; + LC_MONETARY = "fr_FR.UTF-8"; + LC_NAME = "fr_FR.UTF-8"; + LC_NUMERIC = "fr_FR.UTF-8"; + LC_PAPER = "fr_FR.UTF-8"; + LC_TELEPHONE = "fr_FR.UTF-8"; + LC_TIME = "fr_FR.UTF-8"; + }; + console = { - keyMap = "fr"; + keyMap = lib.mkForce "fr"; font = null; useXkbConfig = true; }; + services.xserver = { + layout = "fr"; + xkbVariant = ""; + }; + programs.gnupg.agent.enable = true; networking.firewall.enable = true; @@ -28,6 +45,7 @@ neovim attic kitty + tailscale ]; environment.variables.EDITOR = "nvim"; @@ -37,6 +55,8 @@ networking.firewall.checkReversePath = "loose"; + services.tailscale.enable = true; + age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" "/persistent/etc/ssh/ssh_host_ed25519_key" diff --git a/machines/core-data/default.nix b/machines/core-data/default.nix index 9a35b9f..8cf2d93 100644 --- a/machines/core-data/default.nix +++ b/machines/core-data/default.nix 
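Review bot: `keyMap = lib.mkForce "fr";` in the shared base module cannot be overridden by any per-machine module at normal priority, so a host that needs a different console layout would have to fight the base with another mkForce. If the force is only there to win over some hardware or installer module that also sets `keyMap`, a comment naming that conflict would make the intent clear, e.g. `# mkForce: overrides the keyMap set by <conflicting module>`; if no such conflict exists, plain `keyMap = "fr";` is enough. The enclosing attribute set starts in the first hunk and continues past this one.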
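Review bot: `services.tailscale.enable = true;` in base now starts tailscaled on every machine importing this file, with `networking.firewall.checkReversePath = "loose"` already relaxing the reverse-path filter fleet-wide, so a host that should not be on the tailnet has to opt out explicitly. A comment stating that intent would help, e.g. `# every machine joins the tailnet; opt out per host with services.tailscale.enable = lib.mkForce false`. If the loose reverse-path check exists only for Tailscale, `services.tailscale.useRoutingFeatures = "client";` expresses that dependency directly and keeps the relaxation tied to the service. The enclosing set continues beyond the hunk.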
@@ -1,81 +1,32 @@ { pkgs, lib, ... }: { - imports = - [ - ./hardware.nix - ./home-julien.nix - ]; + imports = [ + ./hardware.nix + ./home-julien.nix + ]; # Bootloader. boot.loader.systemd-boot.enable = true; - deployment.targetHost = lib.mkForce "192.168.0.66"; + deployment.targetHost = lib.mkForce "192.168.0.57"; deployment.targetPort = lib.mkForce 45; - security.acme.defaults.email = "julien@malka.sh"; - - networking.hostName = "core-data"; + luj.nginx.enable = true; systemd.network.enable = true; systemd.network.networks."10-wan" = { matchConfig.Name = "ens18"; networkConfig = { - # start a DHCP Client for IPv4 Addressing/Routing DHCP = "ipv4"; - # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; + Address = "2a01:e0a:de4:a0e1:be24:11ff:fe09:638d"; }; - # make routing on this interface a dependency for network-online.target linkConfig.RequiredForOnline = "routable"; }; - # Set your time zone. - time.timeZone = "Europe/Paris"; - - # Select internationalisation properties. 
- i18n.defaultLocale = "en_US.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "fr_FR.UTF-8"; - LC_IDENTIFICATION = "fr_FR.UTF-8"; - LC_MEASUREMENT = "fr_FR.UTF-8"; - LC_MONETARY = "fr_FR.UTF-8"; - LC_NAME = "fr_FR.UTF-8"; - LC_NUMERIC = "fr_FR.UTF-8"; - LC_PAPER = "fr_FR.UTF-8"; - LC_TELEPHONE = "fr_FR.UTF-8"; - LC_TIME = "fr_FR.UTF-8"; - }; - - services.xserver = { - layout = "fr"; - xkbVariant = ""; - }; - console.keyMap = "fr"; - - security.acme.acceptTerms = true; - - environment.systemPackages = with pkgs; [ - neovim - tailscale - ]; - - services.openssh.enable = true; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 80 443 ]; - - networking.firewall.checkReversePath = "loose"; - systemd.services.NetworkManager-wait-online.enable = lib.mkForce false; systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; - services.tailscale.enable = true; - - services.openssh.settings.PermitRootLogin = "yes"; - services.openssh.settings.PasswordAuthentication = lib.mkForce true; - # Photoprism services.photoprism = { enable = true; @@ -100,20 +51,17 @@ enable = true; package = pkgs.mariadb; ensureDatabases = [ "photoprism" ]; - ensureUsers = [{ - name = "photoprism"; - ensurePermissions = { - "photoprism.*" = "ALL PRIVILEGES"; - }; - }]; + ensureUsers = [ + { + name = "photoprism"; + ensurePermissions = { + "photoprism.*" = "ALL PRIVILEGES"; + }; + } + ]; }; services.nginx = { - enable = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; clientMaxBodySize = "500m"; virtualHosts = { "photos.malka.family" = { @@ -128,8 +76,6 @@ }; }; - - services.openssh.extraConfig = '' HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub HostKey /etc/ssh/ssh_host_ed25519_key 
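Review bot: The new `Address = "2a01:e0a:de4:a0e1:be24:11ff:fe09:638d";` carries no prefix length, so the on-link prefix networkd assigns is whatever its default is rather than what this file says, and at the same time the explicit `IPv6AcceptRA = true` is dropped, leaving the IPv6 default route dependent on networkd's RA default for the link. Writing the prefix explicitly, `Address = "2a01:e0a:de4:a0e1:be24:11ff:fe09:638d/<PREFIX_LEN>";` (placeholder to fill in), and either keeping `IPv6AcceptRA = true;` or adding a `Gateway =` entry makes the intended routing visible. Separately, the removed `PermitRootLogin = "yes"` and `PasswordAuthentication = lib.mkForce true` lines are not re-added anywhere visible in this diff; if they moved into the shared base that weakens every host, whereas if they were simply dropped the stricter NixOS defaults now apply on this host and that is worth stating in the commit message. The attribute set continues past the hunk.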
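Review bot: The five `recommended*Settings` lines are removed here (and in lambda's first hunk) in favour of `luj.nginx.enable = true`, but nothing in this diff shows that module setting `recommendedTlsSettings`, so if it does not, the hosts silently lose the hardened TLS defaults while still serving `photos.malka.family` with `forceSSL`. The same dependency applies to the removed `networking.firewall.allowedTCPPorts = [ 80 443 ]` in the previous hunk and in core-security's second hunk: if `luj.nginx` does not open those ports, the vhosts stop being reachable. A one-line comment next to `luj.nginx.enable = true`, e.g. `# luj.nginx sets the recommended* hardening and opens 80/443`, would pin the contract this file now relies on. The `services.nginx` set continues past the hunk.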
@@ -137,33 +83,5 @@ MaxAuthTries 20 ''; - security.pki.certificates = [ - ''-----BEGIN CERTIFICATE----- -MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw -EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X -DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u -TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6 -7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/ -BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja -mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG -SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc -oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw== ------END CERTIFICATE-----'' - ''-----BEGIN CERTIFICATE----- -MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES -MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe -Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v -bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq -hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7 -BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw -EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC -jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf -VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ= ------END CERTIFICATE-----'' - ]; - - system.stateVersion = "23.11"; - } diff --git a/machines/core-security/default.nix b/machines/core-security/default.nix index 27e57ec..abdb40c 100644 --- a/machines/core-security/default.nix +++ b/machines/core-security/default.nix 
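Review bot: `system.stateVersion = "23.11";` is deleted for core-data while core-security and lambda keep theirs (`"22.11"`) in later hunks, and nothing visible in base.nix's hunks re-adds it; if a shared module now sets a single value for the fleet, this host's effective stateVersion changes, which alters the defaults that depend on it rather than being a no-op refactor. Keeping `system.stateVersion = "23.11";` in this file, or a `lib.mkDefault` in the shared module with per-host overrides, avoids that. The `security.pki.certificates` removal here, in core-security's last hunk and in lambda's last hunk drops the SaumonNet root and intermediate from the system trust store on three hosts at once; if they are not re-added centrally, anything validating against that private CA starts failing, so the commit message should say where they went. The hunk closes the file's top-level set.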
@@ -11,17 +11,11 @@ ./home-julien.nix ]; - # Bootloader. boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/sda"; boot.loader.grub.useOSProber = true; - security.acme.defaults.email = "julien@malka.sh"; - - networking.hostName = "core-security"; # Define your hostname. - systemd.network.enable = true; - systemd.network.networks."10-wan" = { matchConfig.Name = "ens18"; networkConfig = { @@ -34,52 +28,8 @@ linkConfig.RequiredForOnline = "routable"; }; - # Set your time zone. - time.timeZone = "Europe/Paris"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "fr_FR.UTF-8"; - LC_IDENTIFICATION = "fr_FR.UTF-8"; - LC_MEASUREMENT = "fr_FR.UTF-8"; - LC_MONETARY = "fr_FR.UTF-8"; - LC_NAME = "fr_FR.UTF-8"; - LC_NUMERIC = "fr_FR.UTF-8"; - LC_PAPER = "fr_FR.UTF-8"; - LC_TELEPHONE = "fr_FR.UTF-8"; - LC_TIME = "fr_FR.UTF-8"; - }; - - services.xserver = { - layout = "fr"; - xkbVariant = ""; - }; - - console.keyMap = "fr"; - - security.acme.acceptTerms = true; - - environment.systemPackages = with pkgs; [ - neovim - tailscale - ]; - services.openssh.enable = true; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; - networking.firewall.allowedUDPPorts = [ - 80 - 443 - ]; - - networking.firewall.checkReversePath = "loose"; - - systemd.services.NetworkManager-wait-online.enable = lib.mkForce false; systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; luj.nginx.enable = true; @@ -91,8 +41,6 @@ }; }; - services.tailscale.enable = true; - services.vaultwarden = { enable = true; config = { 
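Review bot: `systemd.network.enable = true;` is removed while the `systemd.network.networks."10-wan"` definition for ens18 that depends on it stays, and base.nix's hunks in this diff do not enable networkd; core-data, by contrast, keeps its `systemd.network.enable = true;` in its first hunk. Unless a module outside this diff enables networkd (`systemd.network.enable` or `networking.useNetworkd`), the ens18 unit is never installed and the host's addressing falls back to whatever the default networking stack does. Either restore the line here or note where it moved, e.g. `# networkd is enabled in <shared module>`. The enclosing set starts before and continues after the hunk.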
@@ -169,33 +117,5 @@ # TODO: Remove when keycloak is update in stable channel nixpkgs.config.permittedInsecurePackages = [ "keycloak-23.0.6" ]; - security.pki.certificates = [ - '' - -----BEGIN CERTIFICATE----- - MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw - EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X - DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u - TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI - zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6 - 7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/ - BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja - mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG - SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc - oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw== - -----END CERTIFICATE-----'' - '' - -----BEGIN CERTIFICATE----- - MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES - MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe - Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v - bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq - hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7 - BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw - EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC - jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf - VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ= - -----END CERTIFICATE-----'' - ]; - system.stateVersion = "22.11"; } diff --git a/machines/lambda/default.nix b/machines/lambda/default.nix index 7344e8e..8b9e8d2 100644 --- a/machines/lambda/default.nix +++ b/machines/lambda/default.nix 
@@ -1,30 +1,17 @@ { pkgs, ... }: { - imports = - [ - ./hardware.nix - ./home-julien.nix - ]; + imports = [ + ./hardware.nix + ./home-julien.nix + ]; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; deployment.buildOnTarget = true; - networking.hostName = "lambda"; - - time.timeZone = "Europe/Paris"; - - environment.systemPackages = [ pkgs.tailscale ]; - services.tailscale.enable = true; - networking.firewall.checkReversePath = "loose"; - - services.nginx.enable = true; - services.nginx.recommendedGzipSettings = true; - services.nginx.recommendedOptimisation = true; - services.nginx.recommendedProxySettings = true; - services.nginx.recommendedTlsSettings = true; + luj.nginx.enable = true; services.uptime-kuma = { enable = true; @@ -34,19 +21,18 @@ }; }; - services.ntfy-sh = - { - enable = true; - package = pkgs.unstable.ntfy-sh; - settings = { - listen-http = ":8081"; - behind-proxy = true; - upstream-base-url = "https://ntfy.sh"; - base-url = "https://notifications.julienmalka.me"; - auth-file = "/srv/ntfy/user.db"; - auth-default-access = "deny-all"; - }; + services.ntfy-sh = { + enable = true; + package = pkgs.unstable.ntfy-sh; + settings = { + listen-http = ":8081"; + behind-proxy = true; + upstream-base-url = "https://ntfy.sh"; + base-url = "https://notifications.julienmalka.me"; + auth-file = "/srv/ntfy/user.db"; + auth-default-access = "deny-all"; }; + }; services.nginx.virtualHosts."status.julienmalka.me" = { forceSSL = true; 
@@ -77,90 +63,10 @@ }; }; - networking.nameservers = [ "9.9.9.9" ]; - - services.grafana.enable = true; - services.grafana.settings.server.http_port = 3000; - services.victoriametrics.enable = true; - - services.nginx.virtualHosts."monitoring.julienmalka.me" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://localhost:3000"; - proxyWebsockets = true; - }; - }; - - - security.acme.certs."prometheus.luj".server = "https://ca.luj/acme/acme/directory"; - services.nginx.virtualHosts."prometheus.luj" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://localhost:8428"; - extraConfig = '' - allow 100.10.10.0/8; - deny all; - ''; - }; - }; - - - - nix.gc = { automatic = true; dates = "weekly"; }; - - - security.acme.acceptTerms = true; - security.acme.defaults.email = "julien@malka.sh"; - - - security.pki.certificates = [ - ''-----BEGIN CERTIFICATE----- -MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw -EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X -DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u -TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6 -7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/ -BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja -mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG -SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc -oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw== ------END CERTIFICATE-----'' - ''-----BEGIN CERTIFICATE----- -MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES -MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe -Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v -bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq -hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7 
-BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw -EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC -jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf -VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ= ------END CERTIFICATE-----'' - ]; - - - services.openssh = { - enable = true; - ports = [ 45 ]; - settings.PermitRootLogin = "yes"; - openFirewall = true; - }; - - - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9Uzb7szWlux7HuxLZej9cBR5MhLz/vaAPPfSoozt2k julien@enigma.local" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower" - ]; - - networking.firewall.allowedTCPPorts = [ 443 80 8428 ]; - networking.firewall.allowedUDPPorts = [ 443 80 8428 ]; system.stateVersion = "22.11"; } diff --git a/machines/lisa/default.nix b/machines/lisa/default.nix index cb99804..4dd42e3 100644 --- a/machines/lisa/default.nix +++ b/machines/lisa/default.nix @@ -1,4 +1,4 @@ -{ pkgs, modulesPath, ... }: +{ modulesPath, ... }: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") @@ -17,16 +17,8 @@ mailserver.enable = true; }; - # make the tailscale command usable to users - environment.systemPackages = [ pkgs.tailscale ]; - - # enable the tailscale service - services.tailscale.enable = true; - services.fail2ban.enable = true; - networking.hostName = "lisa"; - networking.hostId = "fbb334ae"; networking.useNetworkd = true;
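Review bot: The whole `services.openssh` block (`ports = [ 45 ]`, `openFirewall = true`) and `users.users.root.openssh.authorizedKeys.keys` are removed from lambda, and nothing in base.nix's hunks shows them being re-added; if the shared base does not carry the admin keys and the port-45 listener (core-data's `deployment.targetPort = lib.mkForce 45` suggests the fleet expects it), the next deploy can lock this host out of its only visible management path. Along with them go `networking.nameservers`, `nix.gc`, the ACME account settings and the 80/443/8428 firewall openings, so this host's reachability now rests entirely on modules outside the diff. A short comment above `system.stateVersion`, e.g. `# ssh, firewall, acme and tailscale come from machines/base.nix`, would record that dependency, and the commit message should state that the grafana/victoriametrics stack and the `monitoring.julienmalka.me` vhost are intentionally decommissioned rather than moved. The hunk closes the file's top-level set.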