From 3ec7bc623a720d4b958b12615fae34efcb3a260c Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Sun, 5 Mar 2023 22:47:21 +0100
Subject: fix things & make some others simpler, also ipv6 🎉

---
 abbenay/configuration.nix | 3 ---
 chaski/configuration.nix | 63 +++++++++++++++++------------------------------
 chaski/services/chat.nix | 43 ++++++++++++++++++++++++++++++++
 common/headless.nix | 23 +++++++++++++++++
 flora/configuration.nix | 21 +--------------
 flora/services/nginx.nix | 4 ---
 6 files changed, 89 insertions(+), 68 deletions(-)
 create mode 100644 chaski/services/chat.nix

diff --git a/abbenay/configuration.nix b/abbenay/configuration.nix
index ec4c08d..62a4a58 100644
--- a/abbenay/configuration.nix
+++ b/abbenay/configuration.nix
@@ -9,9 +9,6 @@
 services.avahi.enable = true;
 services.avahi.nssmdns = true;
- enable = true;
- };
-
 environment.systemPackages = with pkgs; [
 gnome3.gnome-tweaks
 flatpak
diff --git a/chaski/configuration.nix b/chaski/configuration.nix
index 2ecfe4c..658f55a 100644
--- a/chaski/configuration.nix
+++ b/chaski/configuration.nix
@@ -10,58 +10,39 @@
 ./hardware-configuration.nix
 ./services/uplcg.nix
 ./services/tracktrain.nix
+ ./services/chat.nix
 ];
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-
- users.users.chat = {
- isNormalUser = true;
- home = "/home/chat";
- shell = pkgs.fish;
- packages = with pkgs; [
- fish tmux weechat
- ];
- };
- services.openssh = {
- extraConfig = ''
- Match user chat
- ForceCommand tmux attach || tmux
- '';
- };
- programs.mosh.enable = true;
- users.users.chat.openssh.authorizedKeys.keys = [
- "ssh-rsa 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"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpWMKJrYaI9BRFCeVimQfHkg0THZJwLqh+z2fFxLU7q stuebinm@pixelimn"
- ];
 services.nginx.enable = true;
- services.nginx.appendHttpConfig = ''
- access_log off;
- add_header Permissions-Policy "interest-cohort=()";
- '';
 # Use the GRUB 2 boot loader.
 boot.loader.grub.enable = true;
 boot.loader.grub.version = 2;
+ boot.loader.grub.devices = [ "/dev/sda" ];
- networking.hostName = "chaski"; # Define your hostname.
+ networking = {
+ hostName = "chaski";
- # The global useDHCP flag is deprecated, therefore explicitly set to false here.
- # Per-interface useDHCP will be mandatory in the future, so this generated config
- # replicates the default behaviour.
- networking.useDHCP = false;
- networking.interfaces.ens10.useDHCP = true;
- networking.interfaces.ens3.useDHCP = true;
+ enableIPv6 = true;
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "ens3";
+ };
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "20.09"; # Did you read the comment?
+ interfaces.ens3.ipv6.addresses = [ {
+ address = "2a01:4f9:c010:69ed::1";
+ prefixLength = 64;
+ } ];
+
+ useDHCP = false;
+ interfaces.ens10.useDHCP = true;
+ interfaces.ens3.useDHCP = true;
+
+ firewall.logRefusedConnections = false;
+ firewall.allowedTCPPorts = [ 80 443 ];
+ };
- boot.loader.grub.devices = [ "/dev/sda" ];
+ system.stateVersion = "20.09"; # Did you read the comment?
 }
diff --git a/chaski/services/chat.nix b/chaski/services/chat.nix
new file mode 100644
index 0000000..0771e19
--- /dev/null
+++ b/chaski/services/chat.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, inputs, ... }:
+
+# this defines an extra user, so i can run weechat in tmux
+# (and not deal with having an irc relay)
+{
+
+ imports = [ inputs.home-manager.nixosModule ];
+
+ programs.mosh.enable = true;
+ users.users.chat = {
+ isNormalUser = true;
+ home = "/home/chat";
+ shell = pkgs.fish;
+ packages = with pkgs; [
+ fish tmux weechat
+ ];
+ };
+ home-manager.users.chat = _: {
+ programs.tmux = {
+ enable = true;
+ terminal = "screen-256color";
+ };
+ home.stateVersion = "22.11";
+ };
+ services.openssh = {
+ extraConfig = ''
+ Match user chat
+ ForceCommand ${pkgs.writeScript "logon-weechat" ''
+ #!${pkgs.fish}/bin/fish
+ if test -n "$SSH_ORIGINAL_COMMAND"
+ # allow mosh to start its server
+ exec fish -c "$SSH_ORIGINAL_COMMAND"
+ else
+ tmux attach || tmux -c weechat
+ end
+ ''}
+ '';
+ };
+ users.users.chat.openssh.authorizedKeys.keys = [
+ "ssh-rsa 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"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpWMKJrYaI9BRFCeVimQfHkg0THZJwLqh+z2fFxLU7q stuebinm@pixelimn"
+ ];
+}
diff --git a/common/headless.nix b/common/headless.nix
index d3a7c22..0689e6a 100644
--- a/common/headless.nix
+++ b/common/headless.nix
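Review bot: The retained `system.stateVersion = "20.09"; # Did you read the comment?` now refers to a comment this hunk deletes (the six-line block explaining stateVersion), so the trailing remark points at nothing; either drop the tail or keep a one-line reminder such as `# keep at the release of the first install; read the stateVersion docs before changing`. `enableIPv6 = true;` is the NixOS default and can be omitted, while the static `2a01:4f9:c010:69ed::1/64` address and the `fe80::1` link-local gateway are undocumented — a comment naming where they come from (provider assignment, interface) would help whoever re-provisions the host. With v6 now routed on ens3, it is worth confirming that `firewall.allowedTCPPorts` is applied to the ip6tables side as well; NixOS does this when IPv6 is enabled, but nothing in the hunk shows it. `firewall.logRefusedConnections = false;` also removes the only kernel-level record of dropped traffic on this host, which is a reasonable noise tradeoff but deserves a one-line comment saying so.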
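Review bot: The `ForceCommand` script does not confine the chat key: `exec fish -c "$SSH_ORIGINAL_COMMAND"` runs whatever command the client supplies, so the `Match user chat` block only changes the interactive default rather than limiting this account to weechat and mosh as the header comment implies. If confinement is the intent, match the command against what the mosh client actually sends and refuse anything else, e.g. `if string match -q 'mosh-server*' -- "$SSH_ORIGINAL_COMMAND"`; if it is not the intent, the comment `# allow mosh to start its server` should say that any command is passed through. Separately, `tmux -c weechat` appears to use tmux's login-shell compatibility mode (run the command via the default shell) rather than create a session, so the fallback likely starts weechat outside tmux; `tmux attach || tmux new-session weechat` would open the session the attach branch expects.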
@@ -28,4 +28,27 @@
 defaults.email = "stuebinm@disroot.org";
 };
+ services.fail2ban = {
+ enable = true;
+ bantime-increment.enable = true;
+ bantime-increment.overalljails = true;
+ bantime-increment.maxtime = "1312m";
+ ignoreIP = [ "185.39.64.13" ];
+ };
+
+ services.logrotate = {
+ enable = true;
+ # the nginx module does stuff here, which apparently no one tells anyone about
+ settings.nginx = {
+ rotate = 2;
+ nocompress = true;
+ compress = false;
+ };
+ };
+
+ services.nginx.appendHttpConfig = ''
+ access_log off;
+ add_header Permissions-Policy "interest-cohort=()";
+ '';
+ programs.mosh.enable = true;
 }
diff --git a/flora/configuration.nix b/flora/configuration.nix
index 750268e..c04f240 100644
--- a/flora/configuration.nix
+++ b/flora/configuration.nix
@@ -35,31 +35,12 @@
 useDHCP = false;
 interfaces.ens3.useDHCP = true;
+ interfaces.ens10.useDHCP = true;
 firewall.logRefusedConnections = false;
-
-
 };
- services.fail2ban = {
- enable = true;
- bantime-increment.enable = true;
- bantime-increment.overalljails = true;
- bantime-increment.maxtime = "1312m";
- ignoreIP = [ "88.133.194.232" ];
- };
-
- services.logrotate = {
- enable = true;
- # the nginx module does stuff here, which apparently no one tells anyone about
- settings.nginx = {
- rotate = 2;
- nocompress = true;
- compress = false;
- };
- };
-
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/flora/services/nginx.nix b/flora/services/nginx.nix
index bbcacb7..fbbff73 100644
--- a/flora/services/nginx.nix
+++ b/flora/services/nginx.nix
@@ -9,9 +9,5 @@
 recommendedOptimisation = true;
 recommendedTlsSettings = true;
 recommendedProxySettings = true;
-
- appendHttpConfig = ''
- add_header Permissions-Policy "interest-cohort=()";
- '';
 };
 }
--
cgit v1.2.3
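Review bot: Moving fail2ban into the shared file silently changes its whitelist: `ignoreIP = [ "185.39.64.13" ];` is the only exemption now, while the flora/configuration.nix hunk removes the `88.133.194.232` entry flora had, so that address can be banned on flora after this commit; if it is still an admin source, list it here too or set `services.fail2ban.ignoreIP` per host. `access_log off;` in the shared `appendHttpConfig` now applies to every host importing common/headless.nix, which also rules out any nginx-based fail2ban jail or request-level forensic trail on all of them — worth a comment such as `# no request logging on any headless host; only the sshd jail is in effect` so the tradeoff is visible. The `1312m` cap and `overalljails = true` likewise carry no explanation; one line on the intended ban policy would spare the next reader from reverse-engineering it.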