ADD : web server

2022-05-26 10:55:06 +00:00 · 2022-05-26 10:55:06 +00:00 · 621f36fc34
parent c6d7048dc2
commit 621f36fc34
6 changed files with 135 additions and 0 deletions
--- a/hosts/web/configuration.nix
+++ b/hosts/web/configuration.nix
@ -0,0 +1,29 @@
+{ pkgs, ... }: {
+  imports = [
+    ./hardware-configuration.nix
+    ./webserver.nix
+    ./firewall-web.nix
+    ../modules/gitea.nix
+    ../modules/prometheus-node.nix
+    ../modules/common.nix
+    ../modules/users.nix
+  ];
+
+  boot.cleanTmpDir = true;
+  zramSwap.enable = false;
+  networking.hostName = "web";
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "no";
+    passwordAuthentication = false;
+    challengeResponseAuthentication = false;
+    };
+  
+   # Nix Garbage Collector
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 7d";
+  };
+
+}
--- a/hosts/web/firewall-web.nix
+++ b/hosts/web/firewall-web.nix
@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking.firewall = {
+    allowPing = true;
+    # allowed TCP range
+    allowedTCPPorts = [ 22 80 443 9002 2021];
+  };
+  services.fail2ban = {
+    enable = true;
+    maxretry = 2;
+    ignoreIP = [
+      "127.0.0.0/8" 
+      "212.114.16.52"
+    ];
+  };
+}
--- a/hosts/web/hardware-configuration.nix
+++ b/hosts/web/hardware-configuration.nix
@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda2"; fsType = "ext4"; };
+  swapDevices = [ { device = "/dev/sda3"; } ];
+}
--- a/hosts/web/webserver.nix
+++ b/hosts/web/webserver.nix
@ -0,0 +1,49 @@
+{config, pkgs, ...}:
+let
+  caddyDir = "/var/lib/caddy";
+in
+{
+  services.caddy = {
+    enable = true;
+    email = "lucazeau.alexandre@gmail.com";
+    config = ''
+    {
+      storage file_system {
+      root ${caddyDir}
+      }
+    }
+    https://git.atlanticaweb.fr {
+      encode gzip
+      reverse_proxy http://localhost:3001
+    }
+    atlanticaweb.fr {
+      root * /srv/www/atlanticaweb.fr
+      encode gzip zstd
+      file_server
+    }
+    atlanticaweb.fr:2021 {
+      metrics
+    }
+    www.atlanticaweb.fr {
+      redir https://atlanticaweb.fr{uri}
+    }
+    pizzajoffre.fr {
+      root * /srv/www/pizzajoffre.fr
+      encode gzip zstd
+      file_server
+    }
+    www.pizzajoffre.fr {
+      redir https://pizzajoffre.fr{uri}
+    }
+    '';
+  };
+  users.users.caddy = {
+    group = "caddy";
+    uid = config.ids.uids.caddy;
+    home = caddyDir;
+    createHome = true;
+    extraGroups = [ "users" ];
+  };
+
+  users.groups.caddy.gid = config.ids.uids.caddy;
+}
--- a/modules/gitea.nix
+++ b/modules/gitea.nix
@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+
+    {
+
+      services.gitea = {
+        enable = true;                               # Enable Gitea
+        appName = "git.atlanticaweb.fr";         # Give the site a name
+        database = {
+          type = "sqlite3";                         # Database type
+        };
+        domain = "git.atlanticaweb.fr";            # Domain name
+        rootUrl = "https://git.atlanticaweb.fr/";   # Root web URL
+        httpPort = 3001;                             # Provided unique port
+	dump.enable = true;
+	dump.backupDir = "/srv/backup/gitea";
+	lfs.enable = true;
+	disableRegistration = true; # comment this line for the first user admin
+      };
+
+   }
--- a/modules/prometheus-node.nix
+++ b/modules/prometheus-node.nix
@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }:
+    {
+	 services.prometheus = {
+	    exporters = {
+	      node = {
+		enable = true;
+		enabledCollectors = [ "systemd" ];
+		port = 9002;
+	      };
+	    };
+	  };
+     }