More nginx config dehardcoding. Did some sshd hardening.

This commit is contained in:
Kevin Baensch 2019-03-24 22:55:17 +01:00
parent 66ca5839e5
commit e745bdea3d
5 changed files with 15 additions and 7 deletions


@ -29,9 +29,9 @@ with lib;
"xpkgs" "xpkgs"
]; ];
services = [ services = [
# "containers" "containers"
"xserver" "xserver"
# "docker" "docker"
"udev" "udev"
"cups" "cups"
]; ];
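Review bot: Uncommenting `"docker"` on the new side presumably turns on a docker service module that is not in this hunk; with the stock NixOS module, membership in the `docker` group is root-equivalent on the host, since the daemon socket lets a member mount the root filesystem into a container. It would be worth a comment next to the entry recording which users are meant to be in that group and that it is root-equivalent, e.g. `"docker" # NB: members of the docker group are effectively root`. The enclosing attrset begins above this hunk.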


@ -18,6 +18,8 @@ mkIf (elem "containers" config.machine.services) {
../pkgs/nixpkgs.nix ../pkgs/nixpkgs.nix
../pkgs/pkgsets.nix ../pkgs/pkgsets.nix
]; ];
services.nixosManual.showManual = false;
services.ntp.enable = false;
}; };
}; };
} }
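Review bot: The two new lines `services.nixosManual.showManual = false;` and `services.ntp.enable = false;` have no comment saying why they belong in the per-container config, and the ntp one is the kind of thing a later maintainer would "fix" by re-enabling. If the reason is what I assume (containers share the host clock and have no CAP_SYS_TIME, so an ntpd inside cannot step it and only logs failures), a comment such as `# containers share the host clock and cannot set it; time comes from the host` on the ntp line would pin that down. The `mkIf` block that encloses these lines starts above the hunk.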


@ -5,10 +5,10 @@ with lib;
mkIf (elem "mailserver" config.machine.services) { mkIf (elem "mailserver" config.machine.services) {
mailserver = rec { mailserver = rec {
enable = true; enable = true;
fqdn = "mail.ophanim.de"; fqdn = "mail.${config.machine.domain}";
domains = [ "ophanim.de" ]; domains = [ config.machine.domain ];
loginAccounts = { loginAccounts = {
"derped@ophanim.de" = { "derped@${config.machine.domain}" = {
hashedPassword = (builtins.readFile /secret/derped.mail); hashedPassword = (builtins.readFile /secret/derped.mail);
}; };
}; };
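Review bot: The kept line `hashedPassword = (builtins.readFile /secret/derped.mail);` reads the secret at evaluation time, so the hash is copied into the Nix store as part of the generated mail configuration, and the store is world-readable on the host (and lands on any machine the closure is pushed to). It is only a password hash, but that still hands an offline cracking target to every local user. If the mailserver module version in use offers it, `hashedPasswordFile = "/secret/derped.mail";` keeps the secret out of the store; otherwise a comment acknowledging the exposure would be the minimum. The surrounding `loginAccounts` attrset closes inside the hunk, but `mailserver = rec {` continues below it.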


@ -2,6 +2,7 @@
# Includes: # # Includes: #
# - Nginx + SSL config # # - Nginx + SSL config #
# - Gitea # # - Gitea #
# - Hydra #
# - Nextcloud # # - Nextcloud #
# - Mail ssl root # # - Mail ssl root #
############################################################################################## ##############################################################################################
@ -33,7 +34,7 @@ mkIf (elem "nginx" config.machine.services) {
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
location / { location / {
proxy_pass http://127.0.0.1:3001; proxy_pass http://${config.services.hydra.listenHost}:${config.services.hydra.port};
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header REMOTE_ADDR $remote_addr; proxy_set_header REMOTE_ADDR $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -163,7 +164,7 @@ mkIf (elem "nginx" config.machine.services) {
location @node { location @node {
client_max_body_size 0; client_max_body_size 0;
proxy_pass http://localhost:3000; proxy_pass http://${config.services.gitea.httpAddress}:${config.services.gitea.httpPort};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
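Review bot: Both new `proxy_pass` lines interpolate a port option directly into a string; `services.hydra.port` and `services.gitea.httpPort` are integer options in the NixOS modules I know of, and Nix refuses to coerce an integer inside `"${...}"` (evaluation fails with "cannot coerce an integer to a string"), so this configuration will not build as written. Wrap each in `toString`: `proxy_pass http://${config.services.hydra.listenHost}:${toString config.services.hydra.port};` and `proxy_pass http://${config.services.gitea.httpAddress}:${toString config.services.gitea.httpPort};`. Also note that the hydra module's `listenHost` defaults to `*` if it is not set elsewhere, which would yield an invalid upstream `http://*:PORT`; the old line pinned `127.0.0.1`, so confirm the hydra config sets `listenHost` explicitly. The `extraConfig` strings run past the ends of both hunks.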


@ -9,13 +9,18 @@ with lib;
mkIf (elem "openssh" config.machine.services) { mkIf (elem "openssh" config.machine.services) {
services.openssh = { services.openssh = {
enable = true; enable = true;
kexAlgorithms = [ "curve25519-sha256@libssh.org" ];
sftpFlags = [ "-f AUTHPRIV" "-l INFO" ]; sftpFlags = [ "-f AUTHPRIV" "-l INFO" ];
startWhenNeeded = true; startWhenNeeded = true;
challengeResponseAuthentication = false; challengeResponseAuthentication = false;
passwordAuthentication = false; passwordAuthentication = false;
permitRootLogin = "no"; permitRootLogin = "no";
extraConfig = '' extraConfig = ''
UsePAM no
UseRoaming no
AllowUsers derped git nix-ssh AllowUsers derped git nix-ssh
UsePrivilegeSeparation sandbox
LogLevel VERBOSE
''; '';
}; };
} }
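Review bot: `UseRoaming no` in the new `extraConfig` is an ssh *client* option (ssh_config, the CVE-2016-0777 mitigation), not an sshd keyword; sshd treats an unknown keyword as a fatal "Bad configuration option", so the daemon will fail to start — and because `startWhenNeeded = true` is set, that failure shows up on every incoming connection rather than at boot. Drop that line. `UsePrivilegeSeparation sandbox` has been a deprecated no-op since OpenSSH 7.5 (the sandbox is mandatory), so it only adds a startup warning and can be removed as well. `UsePAM no` is likely ineffective too: as far as I know the NixOS openssh module emits its own `UsePAM yes` ahead of user `extraConfig`, and sshd keeps the first value it sees for a keyword, so verify with `sshd -T | grep -i usepam` on the host before relying on it.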