SelfPrivacy/selfprivacy-nixos-infect
1
0
Fork 0
mirror of https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect.git synced 2024-11-22 12:01:27 +00:00
Code Issues Projects Releases Wiki Activity

Updated NixOS configs

Browse source
This commit is contained in:
Illia Chub 2020-12-23 17:52:14 +02:00
parent 7df8dc28de
commit ef8b351954
1 changed files with 235 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

240
nixos-infect
View file

@ -10,12 +10,15 @@ makeConf() {
# NB <<"EOF" quotes / $ ` in heredocs, <<EOF does not
mkdir /etc/nixos
mkdir -p /etc/nixos/mailserver/system
mkdir /etc/nixos/mailserver/userdata
mkdir /etc/nixos/letsencrypt
mkdir /etc/nixos/backup
mkdir /etc/nixos/passmgr
mkdir /etc/nixos/nginx
mkdir /etc/nixos/git
mkdir /etc/nixos/nextcloud
mkdir /etc/nixos/resources
mkdir /etc/nixos/videomeet
# Prevent grep for sending error code 1 (and halting execution) when no lines are selected : https://www.unix.com/man-page/posix/1P/grep
local IFS=$'\n'
@ -34,32 +37,192 @@ makeConf() {
./hardware-configuration.nix
$network_import
$NIXOS_IMPORT
./files.nix
./mailserver/system/mailserver.nix
./letsencrypt/acme.nix
./backup/restic.nix
./passmgr/bitwarden.nix
./nginx/nginx.nix
./nextcloud/nextcloud.nix
./resources/limits.nix
./videomeet/jitsi.nix
./git/gitea.nix
];
boot.cleanTmpDir = true;
networking.hostName = "$(hostname)";
networking.firewall.allowPing = true;
services.openssh.enable = true;
networking = {
hostName = "$(hostname)";
firewall = {
allowedTCPPorts = lib.mkForce [ 22 443 80 143 587 480 8080 8222 6667 8448 8388 8404 ];
allowedUDPPorts = lib.mkForce [ 22 443 80 143 587 480 8080 8222 6667 8448 8388 ];
};
};
time.timeZone = "Europe/Uzhgorod";
i18n.defaultLocale = "en_GB.UTF-8";
users.users.root.openssh.authorizedKeys.keys = [$(while read -r line; do echo -n "
\"$line\" "; done <<< "$keys")
];
services.openssh = {
enable = true;
passwordAuthentication = true;
permitRootLogin = "yes";
openFirewall = false;
};
programs.ssh = {
pubkeyAcceptedKeyTypes = [ "ssh-ed25519" ];
hostKeyAlgorithms = [ "ssh-ed25519" ];
};
environment.systemPackages = with pkgs; [
letsencrypt
mkpasswd
git
wget
curl
restic
pwgen
tmux
sudo
python3
] ++ (with python38Packages; [
pip
flask
pandas
]);
environment.variables = {
DOMAIN = "$DOMAIN";
AWS_ACCESS_KEY_ID = "$AWS_ACCESS_KEY_ID";
AWS_SECRET_ACCESS_KEY = "$AWS_SECRET_ACCESS_KEY";
};
system.autoUpgrade.enable = true;
system.autoUpgrade.allowReboot = false;
system.autoUpgrade.channel = https://nixos.org/channels/nixos-20.09-small;
nix = {
optimise.automatic = true;
gc = {
automatic = true;
options = "--delete-older-than 7d";
};
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
};
swapDevices = [
{
device = "/swapfile";
priority = 0;
size = 2048;
}
];
security = {
sudo = {
enable = true;
wheelNeedsPassword = true;
};
};
}
EOF
# If you rerun this later, be sure to prune the filesSystems attr
cat > /etc/nixos/hardware-configuration.nix << EOF
cat > /etc/nixos/hardware-configuration.nix << EOF
{ ... }:
{
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
boot.loader.grub.device = "$grubdev";
fileSystems."/" = { device = "$rootfsdev"; fsType = "ext4"; };
}
EOF
cat > /etc/nixos/files.nix << EOF
{ pkgs, ... }:
{
systemd.tmpfiles.rules =
let
nextcloudDBPass = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] ''
irememberMyownvillagewhereiwasdrillingshit1
'';
nextcloudAdminPass = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] ''
irememberMyownvillagewhereiwasdrillingshit1
'';
resticPass = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] ''
irememberMyownvillagewhereiwasdrillingshit1
'';
apiEndpoints = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] ''
from flask import Flask, jsonify, request
from flask_restful import Resource, Api, reqparse
import pandas as pd
import ast
import subprocess
import os
app = Flask(__name__)
api = Api(app)
@app.route("/systemVersion", methods=["GET"])
def uname():
uname = subprocess.check_output(["uname", "-arm"])
return jsonify(uname)
@app.route("/getDKIM", methods=["GET"])
def getDkimKey():
dkim = subprocess.check_output(["cat", os.getenv("DOMAIN")+".selector.txt"])
return jsonify(dkim)
@app.route("/pythonVersion", methods=["GET"])
def getPythonVersion():
pythonVersion = subprocess.check_output(["python","--version"])
return jsonify(pythonVersion)
@app.route("/apply", methods=["GET"])
def rebuildSystem():
rebuildResult = subprocess.Popen(["nixos-rebuild","switch"])
rebuildResult.communicate()[0]
return jsonify(rebuildResult.returncode)
@app.route("/rollback", methods=["GET"])
def rollbackSystem():
rollbackResult = subprocess.Popen(["nixos-rebuild","switch","--rollback"])
rollbackResult.communicate()[0]
return jsonify(rollbackResult.returncode)
@app.route("/upgrade", methods=["GET"])
def upgradeSystem():
upgradeResult = subprocess.Popen(["nixos-rebuild","switch","--upgrade"])
upgradeResult.communicate()[0]
return jsonify(upgradeResult.returncode)
@app.route("/createUser", methods=["GET"])
def createUser():
user = subprocess.Popen(["useradd","-m",request.headers.get("X-User")])
user.communicate()[0]
return jsonify(user.returncode)
@app.route("/deleteUser", methods=["DELETE"])
def deleteUser():
user = subprocess.Popen(["userdel",request.headers.get("X-User")])
user.communicate()[0]
return jsonify(user.returncode)
@app.route("/serviceStatus", methods=["GET"])
def getServiceStatus():
imapService = subprocess.Popen(["systemctl", "status", "dovecot2.service"])
imapService.communicate()[0]
smtpService = subprocess.Popen(["systemctl", "status", "postfix.service"])
smtpService.communicate()[0]
httpService = subprocess.Popen(["systemctl", "status", "nginx.service"])
httpService.communicate()[0]
return jsonify(
imap=imapService.returncode,
smtp=smtpService.returncode,
http=httpService.returncode
)
if __name__ == '__main__':
app.run()
'';
apiRequirements = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] ''
flask
'';
in
[
"d /var/restic 0660 restic - - -"
"d /var/bitwarden 0777 bitwarden_rs bitwarden_rs -"
"d /var/api 0775 unit unit -"
"d /var/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -"
"f /var/api/app.py 0775 unit unit - ${apiEndpoints}"
"f /var/api/requirements.txt 0664 unit unit - ${apiRequirements}"
"f /var/restic/restic-repo-password 0660 restic - - ${resticPass}"
"f /var/nextcloud-db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}"
"f /var/nextcloud-admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}"
];
}
EOF
cat > /etc/nixos/mailserver/system/mailserver.nix << EOF
@ -293,7 +456,7 @@ proxy_headers_hash_bucket_size 128;
}
EOF
cat > /etc/nixos/nextcloud/nextcloud.nix << EOF
cat > /etc/nixos/nextcloud/nextcloud.nix << EOF
{ pkgs, ... }:
{
services.nextcloud = {
@ -382,6 +545,73 @@ EOF
};
};
}
EOF
cat /etc/nixos/resources/limits.nix << EOF
{ pkgs, ... }:
{
systemd.services = {
dovecot2 = {
serviceConfig = {
cpuAccounting = true;
cpuQuota = "20%";
memoryAccounting = true;
memoryMax = "256M";
startLimitIntervalSec = 500;
startLimitBurst = 5;
blockIOWeigth = 25;
};
};
postfix = {
serviceConfig = {
cpuAccounting = true;
cpuQuota = "20%";
memoryAccounting = true;
memoryMax = "256M";
startLimitIntervalSec = 500;
startLimitBurst = 5;
blockIOWeigth = 25;
};
};
ocserv = {
serviceConfig = {
cpuAccounting = true;
cpuQuota = "70%";
memoryAccounting = true;
memoryMax = "512M";
startLimitIntervalSec = 500;
startLimitBurst = 5;
};
};
nginx = {
serviceConfig = {
cpuAccounting = true;
cpuQuota = "70%";
memoryAccounting = true;
memoryMax = "768M";
startLimitIntervalSec = 500;
startLimitBurst = 5;
blockIOWeigth = 10;
};
};
};
}
EOF
cat /etc/nixos/videomeet/jitsi.nix << EOF
{ pkgs, ... }:
{
services.jitsi-meet = {
enable = true;
hostName = "meet.$DOMAIN";
nginx.enable = true;
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
};
}
EOF
[[ -n "$doNetConf" ]] && makeNetworkingConf