diff --git a/hosts/web/configuration.nix b/hosts/web/configuration.nix
new file mode 100644
index 0000000..f8e7dc3
--- /dev/null
+++ b/hosts/web/configuration.nix
@@ -0,0 +1,29 @@
+{ pkgs, ... }: {
+  imports = [
+    ./hardware-configuration.nix
+    ./webserver.nix
+    ./firewall-web.nix
+    ../modules/gitea.nix
+    ../modules/prometheus-node.nix
+    ../modules/common.nix
+    ../modules/users.nix
+  ];
+
+ boot.cleanTmpDir = true;
+ zramSwap.enable = false;
+ networking.hostName = "web";
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ challengeResponseAuthentication = false;
+ };
+
+ # Nix Garbage Collector
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+
+}
diff --git a/hosts/web/firewall-web.nix b/hosts/web/firewall-web.nix
new file mode 100644
index 0000000..15077a3
--- /dev/null
+++ b/hosts/web/firewall-web.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking.firewall = {
+    allowPing = true;
+    # allowed TCP range
+    allowedTCPPorts = [ 22 80 443 9002 2021];
+  };
+  services.fail2ban = {
+    enable = true;
+    maxretry = 2;
+    ignoreIP = [
+      "127.0.0.0/8"
+      "212.114.16.52"
+    ];
+  };
+}
diff --git a/hosts/web/hardware-configuration.nix b/hosts/web/hardware-configuration.nix
new file mode 100644
index 0000000..0914f55
--- /dev/null
+++ b/hosts/web/hardware-configuration.nix
@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda2"; fsType = "ext4"; };
+  swapDevices = [ { device = "/dev/sda3"; } ];
+}
diff --git a/hosts/web/webserver.nix b/hosts/web/webserver.nix
new file mode 100644
index 0000000..0f3e1a4
--- /dev/null
+++ b/hosts/web/webserver.nix
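Review bot: The `services.openssh` block uses the pre-23.05 option names (`permitRootLogin`, `passwordAuthentication`, `challengeResponseAuthentication`); on a recent nixpkgs these are renamed aliases that warn at evaluation and may eventually be removed, so prefer `settings.PermitRootLogin = "no"; settings.PasswordAuthentication = false; settings.KbdInteractiveAuthentication = false;` — worth confirming against the pinned nixpkgs, since the same applies to `boot.cleanTmpDir` (now `boot.tmp.cleanOnBoot`). The hardening itself (no root login, key-only authentication) is the right shape. I would add a comment above the block recording that intent, e.g. `# key-only SSH: root disabled, no password or keyboard-interactive fallback`, so a later edit does not quietly reintroduce a fallback method.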
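Review bot: `allowedTCPPorts = [ 22 80 443 9002 2021]` opens the node-exporter port (9002) and the Caddy metrics site (2021) to every source address, and neither endpoint carries any authentication in this change, so anyone can read host and request metrics (kernel version, systemd unit list, per-route timings), which is useful reconnaissance. Unless the scraper is genuinely public, restrict those two ports to the Prometheus host instead of opening them globally, or move the scrape onto a WireGuard interface and use `interfaces.wg0.allowedTCPPorts`; note that `extraCommands` below only applies with the iptables backend, not `networking.nftables`. Nothing here sets `networking.firewall.enable` — it defaults to true on NixOS, but stating it next to the allowlist documents that the allowlist is load-bearing. The fail2ban jail mainly covers sshd, which configuration.nix already makes key-only, so `maxretry = 2` buys little; the hard-coded `212.114.16.52` in `ignoreIP` is presumably the admin's address and deserves a comment saying so.
```nix
  networking.firewall = {
    enable = true;
    allowPing = true;
    # public services only; metrics ports are restricted to the scraper below
    allowedTCPPorts = [ 22 80 443 ];
    extraCommands = ''
      iptables -A nixos-fw -p tcp -s <prometheus-ip> --dport 9002 -j nixos-fw-accept
      iptables -A nixos-fw -p tcp -s <prometheus-ip> --dport 2021 -j nixos-fw-accept
    '';
  };
  # … unchanged: services.fail2ban …
```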
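Review bot: `fileSystems."/"` and `swapDevices` address the disk by the raw kernel names `/dev/sda2` and `/dev/sda3`, which are not stable across controller or image changes, and `boot.initrd.kernelModules = [ "nvme" ]` hints that the disk may well surface under another name after a migration. Use the stable paths that `nixos-generate-config` normally emits, e.g. `device = "/dev/disk/by-uuid/<uuid>";` for both entries (or by-label), so a renamed device cannot drop the host into the initrd emergency shell. `boot.loader.grub.device = "/dev/sda"` can stay since GRUB install wants the whole-disk name, but a comment such as `# whole boot disk; must match the device that actually holds /dev/sda2` would make that dependency explicit.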
@@ -0,0 +1,49 @@
+{config, pkgs, ...}:
+let
+  caddyDir = "/var/lib/caddy";
+in
+{
+  services.caddy = {
+    enable = true;
+    email = "lucazeau.alexandre@gmail.com";
+    config = ''
+      {
+        storage file_system {
+          root ${caddyDir}
+        }
+      }
+      https://git.atlanticaweb.fr {
+        encode gzip
+        reverse_proxy http://localhost:3001
+      }
+      atlanticaweb.fr {
+        root * /srv/www/atlanticaweb.fr
+        encode gzip zstd
+        file_server
+      }
+      atlanticaweb.fr:2021 {
+        metrics
+      }
+      www.atlanticaweb.fr {
+        redir https://atlanticaweb.fr{uri}
+      }
+      pizzajoffre.fr {
+        root * /srv/www/pizzajoffre.fr
+        encode gzip zstd
+        file_server
+      }
+      www.pizzajoffre.fr {
+        redir https://pizzajoffre.fr{uri}
+      }
+    '';
+  };
+  users.users.caddy = {
+    group = "caddy";
+    uid = config.ids.uids.caddy;
+    home = caddyDir;
+    createHome = true;
+    extraGroups = [ "users" ];
+  };
+
+  users.groups.caddy.gid = config.ids.uids.caddy;
+}
diff --git a/modules/gitea.nix b/modules/gitea.nix
new file mode 100644
index 0000000..f1a143c
--- /dev/null
+++ b/modules/gitea.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+
+ {
+
+   services.gitea = {
+     enable = true; # Enable Gitea
+     appName = "git.atlanticaweb.fr"; # Give the site a name
+     database = {
+       type = "sqlite3"; # Database type
+     };
+     domain = "git.atlanticaweb.fr"; # Domain name
+     rootUrl = "https://git.atlanticaweb.fr/"; # Root web URL
+     httpPort = 3001; # Provided unique port
+     dump.enable = true;
+     dump.backupDir = "/srv/backup/gitea";
+     lfs.enable = true;
+     disableRegistration = true; # comment this line for the first user admin
+   };
+
+ }
diff --git a/modules/prometheus-node.nix b/modules/prometheus-node.nix
new file mode 100644
index 0000000..9814e32
--- /dev/null
+++ b/modules/prometheus-node.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }:
+ {
+   services.prometheus = {
+     exporters = {
+       node = {
+         enable = true;
+         enabledCollectors = [ "systemd" ];
+         port = 9002;
+       };
+     };
+   };
+ }
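Review bot: `extraGroups = [ "users" ]` on the `users.users.caddy` service account gives Caddy read access to everything group-readable by `users` — typically every interactive user's home — which a static file server and reverse proxy do not need, and which turns any misconfigured `root` or traversal bug into a home-directory leak; drop that line. In the same block `users.groups.caddy.gid = config.ids.uids.caddy;` reads the gid out of the uid table; if a fixed id is wanted it should be `config.ids.gids.caddy`, and since the NixOS caddy module already creates the `caddy` user and group, the whole `users.users.caddy` / `users.groups.caddy` override can likely be removed (confirm against the module version in use). Separately, `atlanticaweb.fr:2021 { metrics }` serves Prometheus metrics with no access control; gate it on the scraper's address, e.g. `@scraper remote_ip <prometheus-ip>` / `metrics @scraper` / `respond 403`, or bind that site to an internal interface.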
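Review bot: Nothing in `services.gitea` sets `httpAddress`, and in the NixOS module it defaults to `0.0.0.0`, so Gitea listens on port 3001 on every interface even though Caddy reaches it via `http://localhost:3001`; today only the host firewall's allowlist keeps it private, so add `httpAddress = "127.0.0.1";` next to `httpPort = 3001;` to bind it to loopback and stop depending on that. The comment `# comment this line for the first user admin` encodes a process in which registration is temporarily public; creating the first admin with `gitea admin user create --admin ...` as the gitea user keeps `disableRegistration = true` throughout and avoids the window. `dump.backupDir = "/srv/backup/gitea"` will receive dumps containing the SQLite database and `app.ini` secrets; the directory's ownership and mode are not visible here, so confirm it is readable only by the gitea user.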
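Review bot: The node exporter is enabled on `port = 9002` with no `listenAddress`, which defaults to `0.0.0.0`, and the `systemd` collector adds the full unit list to the already detailed host metrics; together with firewall-web.nix opening 9002 to all sources, this is an unauthenticated public inventory of the host. Bind it to the address the scraper actually uses, e.g. `listenAddress = "<private-or-wg-ip>";`, or keep the default and restrict 9002 by source address at the firewall. A one-line comment naming the Prometheus server that scrapes this port would make the exposure an explicit decision rather than a default.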