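# NixOS configuration of a SelfPrivacy server. Almost every tunable here is
# read from the `config.selfprivacy.*` options that ./selfprivacy-module.nix
# declares; this file only wires them into the corresponding NixOS options.
{ config, pkgs, lib, ... }:
let
  # Name of the Redis instance backing the SelfPrivacy API. NixOS derives the
  # socket path /run/redis-<name>/redis.sock from it, which the helper below
  # relies on.
  redis-sp-api-srv-name = "sp-api";

  # Operator helper that prints one API token from the token repository the
  # API keeps in Redis. writeShellApplication wraps the script with
  # errexit/nounset/pipefail and runs shellcheck over it at build time.
  # The printed value is a live API credential.
  sp-print-api-token = pkgs.writeShellApplication {
    name = "sp-print-api-token";
    runtimeInputs = with pkgs; [ redis ];
    text = ''
      # KEYS returns matches in unspecified order; the first one listed is used.
      hash_token="$(redis-cli -s /run/redis-${redis-sp-api-srv-name}/redis.sock keys "token_repo:tokens:*" | head -n 1)"
      # Strip the key prefix to get the hash name of that token entry.
      hash_token="''${hash_token#"token_repo:tokens:"}"
      # HGETALL prints field/value pairs on alternating lines; line 2 is the
      # value of the first field, assumed to be the token itself
      # (NOTE(review): confirm against the API's token_repo schema).
      token="$(redis-cli -s /run/redis-${redis-sp-api-srv-name}/redis.sock HGETALL "token_repo:tokens:$hash_token")"
      token="$(echo "$token" | sed -n '2p')"
      echo "$token"
    '';
  };
in
{
  imports = [
    ./selfprivacy-module.nix
    ./volumes.nix
    ./users.nix
    ./letsencrypt/acme.nix
    ./letsencrypt/resolve.nix
    ./webserver/nginx.nix
    ./webserver/memcached.nix
    # ./resources/limits.nix
  ];

  fileSystems."/".options = [ "noatime" ];

  services.selfprivacy-api.enable = true;

  # Redis instance for the API. `port = 0` disables the TCP listener, so the
  # instance is reachable only through its unix socket; the socket's
  # permissions are the access control for everything stored here, including
  # the API tokens read by sp-print-api-token.
  services.redis.servers.${redis-sp-api-srv-name} = {
    enable = true;
    # RDB snapshots: after 30 s if at least 1 key changed, after 10 s if at
    # least 10 changed. The dump file therefore holds the token repository
    # on disk as well.
    save = [
      [ 30 1 ]
      [ 10 10 ]
    ];
    port = 0;
    settings = {
      # Keyspace (K) and keyevent (E) notifications for all command types (A).
      notify-keyspace-events = "KEA";
    };
  };

  # DigitalOcean's monitoring agent is only useful on DigitalOcean droplets.
  services.do-agent.enable = config.selfprivacy.server.provider == "DIGITALOCEAN";

  boot.tmp.cleanOnBoot = true;

  networking = {
    hostName = config.selfprivacy.hostname;
    domain = config.selfprivacy.domain;
    # Keep the kernel's eth0 name: the NAT rule in extraCommands below
    # hard-codes it.
    usePredictableInterfaceNames = false;

    firewall = {
      # mkForce makes these lists authoritative: ports that other modules add
      # to allowedTCPPorts/allowedUDPPorts are discarded, so every externally
      # reachable service must be listed here explicitly.
      allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
      allowedUDPPorts = lib.mkForce [ 8443 10000 ];
      # Masquerade traffic leaving eth0 and accept packets forwarded in from
      # vpn00; together with net.ipv4.ip_forward below this makes the host a
      # NAT gateway for the VPN interface.
      # NOTE(review): these rules live outside the nixos-fw chains, so they
      # presumably survive a firewall restart and get appended a second
      # time - confirm, and pair with extraStopCommands if so.
      extraCommands = ''
        iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
        iptables --append FORWARD --in-interface vpn00 -j ACCEPT
      '';
    };
    nameservers = [ "1.1.1.1" "1.0.0.1" ];
  };

  time.timeZone = config.selfprivacy.timezone;
  i18n.defaultLocale = "en_GB.UTF-8";

  users.users.root.openssh.authorizedKeys.keys = config.selfprivacy.ssh.rootKeys;

  services.openssh = {
    enable = config.selfprivacy.ssh.enable;
    settings = {
      PasswordAuthentication = config.selfprivacy.ssh.passwordAuthentication;
      # Root login is allowed unconditionally; whenever passwordAuthentication
      # is true this also permits root login with a password.
      # "prohibit-password" would limit root to the keys configured above.
      PermitRootLogin = "yes";
    };
    # Port 22 is opened through the mkForce'd allowedTCPPorts list instead.
    openFirewall = false;
  };

  # Client-side (outgoing ssh) algorithm lists. "ssh-rsa" here is the SHA-1
  # RSA signature scheme; RSA keys keep working without it via
  # rsa-sha2-256/512, so it is only needed for legacy peers.
  programs.ssh = {
    pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" "ecdsa-sha2-nistp256" ];
    hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
  };

  environment.systemPackages = with pkgs; [
    git
    jq
    sp-print-api-token
  ];
  # consider environment.defaultPackages = lib.mkForce [];

  documentation.enable = false; # no {man,info}-pages & docs, etc to save space

  # (or create a systemd service with `ConditionFirstBoot=yes`?)
  # tmpfiles: `R` removes the path recursively, `!` restricts the rule to boot.
  systemd.tmpfiles.rules = [
    "# Completely remove remnants of NIXOS_LUSTRATE."
    "R! /old-root"
  ];

  system.stateVersion =
    lib.mkIf (config.selfprivacy.stateVersion != null)
      config.selfprivacy.stateVersion;

  system.autoUpgrade = {
    enable = config.selfprivacy.autoUpgrade.enable;
    allowReboot = config.selfprivacy.autoUpgrade.allowReboot;
    # TODO get attribute name from selfprivacy options
    flake = "/etc/nixos#default";
  };
  systemd.services.nixos-upgrade.serviceConfig.WorkingDirectory = "/etc/nixos";

  # Gate for the nixos-upgrade unit. ExecCondition exit codes mean:
  #   0      -> proceed with the upgrade (the source tree differs from /etc/nixos),
  #   1..254 -> skip this run silently (used when nothing changed),
  #   255    -> the unit fails (used when the flake update itself failed).
  # The override input is a branch ref (`?ref=flakes`), not a commit, so each
  # run fetches whatever that branch currently points to and applies it as
  # root; the trustworthiness of an upgrade rests on that branch and on the
  # TLS connection to git.selfprivacy.org.
  # TODO parameterize URL somehow; run nix flake update as non-root user
  systemd.services.nixos-upgrade.serviceConfig.ExecCondition =
    pkgs.writeShellScript "flake-update-script" ''
      set -o xtrace
      if ${config.nix.package.out}/bin/nix flake update \
        --override-input selfprivacy-nixos-config git+https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git?ref=flakes
      then
        # diff exits 0 when the trees are identical; both 1 (differences) and
        # 2 (trouble, e.g. a missing directory) fall through to exit 0 here.
        if ${pkgs.diffutils}/bin/diff -u -r /etc/selfprivacy/nixos-config-source/ /etc/nixos/
        then
          set +o xtrace
          echo "No configuration changes detected. Nothing to upgrade."
          exit 1
        fi
      else
        # ExecStart must not start after 255 exit code, service must fail.
        exit 255
      fi
    '';

  nix = {
    channel.enable = false;
    # daemonCPUSchedPolicy = "idle";
    # daemonIOSchedClass = "idle";
    # daemonIOSchedPriority = 7;
    # this is superseded by nix.settings.auto-optimise-store.
    # optimise.automatic = true;
    gc = {
      automatic = true; # TODO it's debatable, because of IO&CPU load
      options = "--delete-older-than 7d";
    };
  };

  nix.settings = {
    sandbox = true;
    experimental-features = [ "nix-command" "flakes" "repl-flake" ];
    # auto-optimise-store = true;
    # evaluation restrictions:
    # restrict-eval = true;
    # allowed-uris = [];
    # Refuse a git/hg working tree with uncommitted changes as a flake or
    # fetchGit source.
    allow-dirty = false;
  };

  # Cap the persistent journal at 500 MiB.
  services.journald.extraConfig = "SystemMaxUse=500M";

  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1; # TODO why is it here by default, for VPN only?
  };

  # TODO must be configurable and determined at nixos-infect stage
  swapDevices = [
    {
      device = "/swapfile";
      priority = 0;
      size = 2048; # MiB; NixOS creates the file when it is missing
    }
  ];

  # TODO why is sudo needed?
  security = {
    sudo = {
      enable = true;
    };
  };

  # No emergency (root) shell on boot failure, and no core dumps written to
  # disk (they would contain process memory).
  systemd.enableEmergencyMode = false;
  systemd.coredump.enable = false;
}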