diff --git a/README.md b/README.md
index ef05812..fdc79e0 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,66 @@
-# dotconf
+# nixos-config
+This repository contain all my nixos config
+hosts :
+ * backup
+ backup server : online
+ * web
+ server web : OVH
+ * dell-5590
+ pro laptop
+ * services
+ VM on personal PX server. Hosting grafana - prometheus - loki
+ * x201
+ personnal laptop
+ * next
+ VM on personnal PX server. Nosting personnal nextcloud
+
+modules :
+ * common.nix : common config like environnement variable and common system packages base
+ * gitea.nix : use on web server
+ * prometheus-node.nix : prometheus node-exporter. use by all machine
+ * rest-server.nix : use by backup server. Restic server
+ * users.nix : user configuration. use by all machine
+
+# How to use
+## First boot
+After first boot :
+
+ nix-shell -p git
+ git clone gitea@git.atlanticaweb.fr:alexandre/nixos-config.git
+ cd nix-os-config
+ cp modules/users.nix /etc/nixos/
+ cp modules/common.nix /etc/nixos/
+ nano /etc/nixos/configuration.nix
+
+add **./users.nix** and **./common.nix** after **./hardware-configuration.nix** and exit
+
+ nixos-rebuild switch
+ rm -rf ~/nixos-config
+ exit
+
+Copy your personnal private key to account
+
+ scp -i .ssh/privatekey .ssh/privatekey machine:/home/alexandre/.ssh/
+
+Logging with user
+
+ mkdir git;cd git
+ git clone gitea@git.atlanticaweb.fr:alexandre/nixos-config.git
+ cd nixos-config/hosts
+ mkdir newhosts
+ cd newhosts
+ cp /etc/nixos/* .
+
+edit configuration.nix and change **./users.nix** to **../modules/users.nix** and change ./common.nix to ../modules/common.nix
+
+ rm /etc/nixos
+ ln -s /home/alexandre/git/nixos-config/hosts/machine /etc/nixos
+ ln -s /home/alexandre/git/
+
+## Exploit
+to rebuild system, just :
+
+ sudo nixos-rebuild switch
+
+Users have not a password.
diff --git a/hosts/backup/configuration.nix b/hosts/backup/configuration.nix
new file mode 100644
index 0000000..9097c37
--- /dev/null
+++ b/hosts/backup/configuration.nix
@@ -0,0 +1,19 @@
+{ ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ../modules/rest-server.nix
+ ../modules/users.nix
+ ../modules/common.nix
+ ];
+
+ boot.cleanTmpDir = true;
+ zramSwap.enable = false;
+ networking.hostName = "back";
+ services.openssh.enable = true;
+ services.openssh.permitRootLogin = "no";
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUA1RW6JwZasspAp8qmFRFnlV5WXjhLfStAAkM+KYLv lucazeau.alexandre@gmail.com"
+ ];
+
+
+}
diff --git a/hosts/backup/hardware-configuration.nix b/hosts/backup/hardware-configuration.nix
new file mode 100644
index 0000000..856a106
--- /dev/null
+++ b/hosts/backup/hardware-configuration.nix
@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; };
+ swapDevices = [ { device = "/dev/sda2"; } ];
+}
diff --git a/hosts/services/configuration.nix b/hosts/services/configuration.nix
new file mode 100644
index 0000000..995c5ac
--- /dev/null
+++ b/hosts/services/configuration.nix
@@ -0,0 +1,19 @@
+{ ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ./firewall-services.nix
+ ../modules/users.nix
+ ../modules/common.nix
+ ../modules/grafana.nix
+
+ ];
+
+ system.stateVersion = "21.05";
+ boot.cleanTmpDir = true;
+ zramSwap.enable = true;
+ networking.hostName = "services";
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUA1RW6JwZasspAp8qmFRFnlV5WXjhLfStAAkM+KYLv lucazeau.alexandre@gmail.com"
+ ];
+}
diff --git a/hosts/services/firewall-services.nix b/hosts/services/firewall-services.nix
new file mode 100644
index 0000000..9adbf18
--- /dev/null
+++ b/hosts/services/firewall-services.nix
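Review bot: `services.openssh.permitRootLogin = "no"` makes the `users.users.root.openssh.authorizedKeys.keys` block right below it dead configuration on this host — the key can never be used to log in as root, and it is the same key users.nix already installs for `alexandre`. If no root login is the intent, drop the root key block; if root SSH is kept for recovery, a comment should say so. Separately, this host (and hosts/services/configuration.nix) leaves `passwordAuthentication` and `challengeResponseAuthentication` at their defaults, whereas hosts/web/configuration.nix sets both to false; adding `services.openssh.passwordAuthentication = false;` and `services.openssh.challengeResponseAuthentication = false;` here, or hoisting the three openssh lines into modules/common.nix, gives every host the same baseline.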
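Review bot: hosts/services/configuration.nix enables openssh and installs a root authorized key but, unlike the backup and web hosts, never sets `permitRootLogin = "no"`, so key-based root login stays allowed at the NixOS default (which, as far as I recall, prohibits only password root login) and this is the one host where the key in `users.users.root.openssh.authorizedKeys.keys` is live. That is a real difference between hosts and deserves either `services.openssh.permitRootLogin = "no";` or a comment explaining why root-over-SSH is wanted on the monitoring VM. The stray blank line inside `imports = [ ... ]` after `../modules/grafana.nix` is harmless but inconsistent with the other hosts.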
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.firewall = {
+ allowPing = true;
+ # allowed TCP range
+ allowedTCPPorts = [ 22 80 2342 9001 9002];
+ };
+ services.fail2ban = {
+ enable = true;
+ maxretry = 2;
+ ignoreIP = [
+ "127.0.0.0/8"
+ "212.114.16.52"
+ ];
+ };
+}
diff --git a/hosts/services/hardware-configuration.nix b/hosts/services/hardware-configuration.nix
new file mode 100644
index 0000000..a08c213
--- /dev/null
+++ b/hosts/services/hardware-configuration.nix
@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}
diff --git a/hosts/web/configuration.nix b/hosts/web/configuration.nix
new file mode 100644
index 0000000..f8e7dc3
--- /dev/null
+++ b/hosts/web/configuration.nix
@@ -0,0 +1,29 @@
+{ pkgs, ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ./webserver.nix
+ ./firewall-web.nix
+ ../modules/gitea.nix
+ ../modules/prometheus-node.nix
+ ../modules/common.nix
+ ../modules/users.nix
+ ];
+
+ boot.cleanTmpDir = true;
+ zramSwap.enable = false;
+ networking.hostName = "web";
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ challengeResponseAuthentication = false;
+ };
+
+ # Nix Garbage Collector
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+
+}
diff --git a/hosts/web/firewall-web.nix b/hosts/web/firewall-web.nix
new file mode 100644
index 0000000..15077a3
--- /dev/null
+++ b/hosts/web/firewall-web.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.firewall = {
+ allowPing = true;
+ # allowed TCP range
+ allowedTCPPorts = [ 22 80 443 9002 2021];
+ };
+ services.fail2ban = {
+ enable = true;
+ maxretry = 2;
+ ignoreIP = [
+ "127.0.0.0/8"
+ "212.114.16.52"
+ ];
+ };
+}
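Review bot: `allowedTCPPorts = [ 22 80 2342 9001 9002]` opens Prometheus (9001) and the node exporter (9002) to every peer on the interface, and neither service carries authentication; modules/grafana.nix scrapes the local exporter via `127.0.0.1` and Grafana runs on the same host, so nothing visible in this commit needs 9001 or 9002 reachable from outside. Dropping them from the list, or binding Prometheus with `services.prometheus.listenAddress = "127.0.0.1";`, keeps the metrics host-local; port 80 is also opened although no module imported by this host appears to listen on it. The comment `# allowed TCP range` describes a list, not a range — `# TCP ports reachable from outside this host` would be accurate (same comment in hosts/web/firewall-web.nix).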
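Review bot: hosts/web/configuration.nix (and hosts/backup/configuration.nix) has no `system.stateVersion`, while hosts/services/configuration.nix pins `"21.05"`; without it NixOS warns on every rebuild and stateful defaults for services such as gitea can shift when nixpkgs is upgraded. Add `system.stateVersion = "21.05";` next to `boot.cleanTmpDir = true;`, using the release each host was first installed with. The `services.openssh` block here is the strictest of the three hosts and is the one the other two should match.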
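Review bot: `allowedTCPPorts = [ 22 80 443 9002 2021]` exposes the node exporter on 9002 to the public internet on the OVH host; the exporter from modules/prometheus-node.nix has no authentication and no `listenAddress` set, so it answers on the module's default address, and the only scrapeConfigs in this commit (modules/grafana.nix) target `127.0.0.1` and `192.168.10.114`, so nothing scrapes the web host over that port anyway. Either remove 9002 (and 2021, which publishes Caddy's `metrics` handler the same way) or set `services.prometheus.exporters.node.listenAddress = "<address-prometheus-reaches>";` and open the port only towards that source. The `services.fail2ban` block is duplicated verbatim from hosts/services/firewall-services.nix and could be one shared module.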
diff --git a/hosts/web/hardware-configuration.nix b/hosts/web/hardware-configuration.nix
new file mode 100644
index 0000000..0914f55
--- /dev/null
+++ b/hosts/web/hardware-configuration.nix
@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda2"; fsType = "ext4"; };
+ swapDevices = [ { device = "/dev/sda3"; } ];
+}
diff --git a/hosts/web/webserver.nix b/hosts/web/webserver.nix
new file mode 100644
index 0000000..0f3e1a4
--- /dev/null
+++ b/hosts/web/webserver.nix
@@ -0,0 +1,49 @@
+{config, pkgs, ...}:
+let
+ caddyDir = "/var/lib/caddy";
+in
+{
+ services.caddy = {
+ enable = true;
+ email = "lucazeau.alexandre@gmail.com";
+ config = ''
+ {
+ storage file_system {
+ root ${caddyDir}
+ }
+ }
+ https://git.atlanticaweb.fr {
+ encode gzip
+ reverse_proxy http://localhost:3001
+ }
+ atlanticaweb.fr {
+ root * /srv/www/atlanticaweb.fr
+ encode gzip zstd
+ file_server
+ }
+ atlanticaweb.fr:2021 {
+ metrics
+ }
+ www.atlanticaweb.fr {
+ redir https://atlanticaweb.fr{uri}
+ }
+ pizzajoffre.fr {
+ root * /srv/www/pizzajoffre.fr
+ encode gzip zstd
+ file_server
+ }
+ www.pizzajoffre.fr {
+ redir https://pizzajoffre.fr{uri}
+ }
+ '';
+ };
+ users.users.caddy = {
+ group = "caddy";
+ uid = config.ids.uids.caddy;
+ home = caddyDir;
+ createHome = true;
+ extraGroups = [ "users" ];
+ };
+
+ users.groups.caddy.gid = config.ids.uids.caddy;
+}
diff --git a/modules/common.nix b/modules/common.nix
new file mode 100644
index 0000000..3f2a519
--- /dev/null
+++ b/modules/common.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ...}:
+{
+ environment.variables.EDITOR = "nvim";
+ environment.systemPackages = with pkgs; [
+ gitAndTools.gitFull
+ unzip
+ zip
+ tmux
+ lshw
+ bc
+ neovim
+ ncdu
+ nixos-option
+ bat
+ procs
+ exa
+ ];
+}
diff --git a/modules/gitea.nix b/modules/gitea.nix
new file mode 100644
index 0000000..f1a143c
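Review bot: `users.groups.caddy.gid = config.ids.uids.caddy;` takes the group id from the uid table; nixpkgs keeps a separate gid entry for caddy, so this should read `users.groups.caddy.gid = config.ids.gids.caddy;` — the identical line appears in modules/grafana.nix and modules/rest-server.nix. The whole `users.users.caddy` block is likely redundant as well, since enabling `services.caddy` already declares the caddy user and group; what the block adds beyond the module is `extraGroups = [ "users" ]`, which widens the web server's group membership for no visible reason, and `createHome`. If Caddy must be in `users`, that deserves a comment; otherwise drop the block and let the module own the account.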
--- /dev/null
+++ b/modules/gitea.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+
+ {
+
+ services.gitea = {
+ enable = true; # Enable Gitea
+ appName = "git.atlanticaweb.fr"; # Give the site a name
+ database = {
+ type = "sqlite3"; # Database type
+ };
+ domain = "git.atlanticaweb.fr"; # Domain name
+ rootUrl = "https://git.atlanticaweb.fr/"; # Root web URL
+ httpPort = 3001; # Provided unique port
+ dump.enable = true;
+ dump.backupDir = "/srv/backup/gitea";
+ lfs.enable = true;
+ disableRegistration = true; # comment this line for the first user admin
+ };
+
+ }
diff --git a/modules/grafana.nix b/modules/grafana.nix
new file mode 100644
index 0000000..1b58e25
--- /dev/null
+++ b/modules/grafana.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ...}:
+ let
+ caddyDir = "/var/lib/caddy";
+ in
+ {
+ services.grafana = {
+ enable = true;
+ domain = "sup.atlanticaweb.fr";
+ port = 2342;
+ addr = "192.168.10.109";
+ };
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ };
+ scrapeConfigs = [
+ {
+ job_name = "services";
+ static_configs = [{
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
+ }];
+ }
+ {
+ job_name = "nextcloud";
+ static_configs = [{
+ targets = [ "192.168.10.114:${toString config.services.prometheus.exporters.node.port}" ];
+ }];
+ }
+ ];
+ };
+ users.users.caddy = {
+ group = "caddy";
+ uid = config.ids.uids.caddy;
+ home = caddyDir;
+ createHome = true;
+ extraGroups = [ "users" ];
+ };
+
+ users.groups.caddy.gid = config.ids.uids.caddy;
+}
diff --git a/modules/prometheus-node.nix b/modules/prometheus-node.nix
new file mode 100644
index 0000000..9814e32
--- /dev/null
+++ b/modules/prometheus-node.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }:
+ {
+ services.prometheus = {
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ };
+ };
+ }
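Review bot: `httpPort = 3001` is set but `httpAddress` is left at the module default, so Gitea listens on every interface and is kept off the network only because hosts/web/firewall-web.nix does not list 3001; since hosts/web/webserver.nix proxies to `http://localhost:3001`, `httpAddress = "127.0.0.1";` makes the loopback-only exposure explicit and independent of the firewall file. The comment on `disableRegistration = true; # comment this line for the first user admin` describes a one-time step in which public registration is opened on the live site; it should mention the alternative of creating the admin account with the gitea admin CLI on the host, and that the flag must be restored before the next rebuild. The trailing inline comments and the indented opening `{` differ in style from every other module in the commit.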
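Review bot: Grafana is bound to `addr = "192.168.10.109"` on `port = 2342` with no `protocol` set, so its login page and API are served over plain HTTP on the LAN, and that port is opened in hosts/services/firewall-services.nix; `domain = "sup.atlanticaweb.fr"` and the `users.users.caddy` block suggest a TLS-terminating reverse proxy was intended, but `services.caddy` is never enabled in this module, so the caddy user and group are created for nothing. Either enable and configure Caddy here as modules/rest-server.nix does and bind Grafana with `addr = "127.0.0.1";`, or remove the caddy user block. The node exporter definition duplicates modules/prometheus-node.nix; importing that module instead keeps one source of truth for the port. The `let`/`in`/`{` lines are indented one level, unlike every other module.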
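Review bot: the README in this commit says prometheus-node.nix is "use by all machine", but only hosts/web/configuration.nix imports it; hosts/services gets an identical exporter block from modules/grafana.nix and hosts/backup none at all, so a scrape job for the backup host would have nothing to target. A header comment stating which hosts import this module and which Prometheus scrapes it, e.g. `# Node exporter on :9002; imported by hosts/web, scraped by the Prometheus in modules/grafana.nix`, would keep the README and the code in agreement, and grafana.nix could then import this module instead of repeating the block. The opening `{` is indented one level unlike the other modules.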
diff --git a/modules/rest-server.nix b/modules/rest-server.nix
new file mode 100644
index 0000000..00fdfd2
--- /dev/null
+++ b/modules/rest-server.nix
@@ -0,0 +1,42 @@
+
+{ lib, config, pkgs, ... }:
+let
+ caddyDir = "/var/lib/caddy";
+in
+{
+ services.restic.server = {
+ enable = true;
+ appendOnly = true;
+ extraFlags = [ "--no-auth" ];
+ dataDir = "/var/lib/backup";
+ prometheus = true;
+ listenAddress = "127.0.0.1:8080";
+ };
+ networking = {
+ firewall.enable = true;
+ firewall.allowedTCPPorts = [ 80 443 ];
+ };
+ services.caddy = {
+ enable = true;
+ email = "lucazeau.alexandre@gmail.com";
+ config = ''
+ {
+ storage file_system {
+ root ${caddyDir}
+ }
+ }
+ https://back.atlanticaweb.fr {
+ reverse_proxy http://127.0.0.1:8080
+ }
+ '';
+ };
+ users.users.caddy = {
+ group = "caddy";
+ uid = config.ids.uids.caddy;
+ home = caddyDir;
+ createHome = true;
+ extraGroups = [ "users" ];
+ };
+
+ users.groups.caddy.gid = config.ids.uids.caddy;
+}
diff --git a/modules/users.nix b/modules/users.nix
new file mode 100644
index 0000000..64b9f4e
--- /dev/null
+++ b/modules/users.nix
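Review bot: `extraFlags = [ "--no-auth" ]` disables rest-server's htpasswd authentication on a repository that Caddy publishes at `https://back.atlanticaweb.fr` with 80 and 443 open, so the backup store accepts uploads and serves the (client-side encrypted) blobs to any internet client; `appendOnly = true` prevents deletion only, not disk exhaustion or copying of the encrypted repository. Drop `--no-auth`, provision an `.htpasswd` under `dataDir` (`/var/lib/backup`) for the backup clients, and consider `privateRepos = true;` so each credential sees only its own repository. With `prometheus = true` the `/metrics` endpoint is reachable through the same proxy; if it must stay exposed, restrict that path in the Caddy site block to the Prometheus source address. The leading blank line before `{ lib, config, pkgs, ... }:` is unnecessary.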
@@ -0,0 +1,41 @@
+{ config, pkgs, ...}:
+{
+ users = {
+ groups = {
+ alexandre = {};
+ };
+ users = {
+ alexandre = {
+ isNormalUser = true;
+ createHome = true;
+ home = "/home/alexandre";
+ description = "Alexandre LUCAZEAU";
+ extraGroups = [ "wheel" ];
+ group = "alexandre";
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUA1RW6JwZasspAp8qmFRFnlV5WXjhLfStAAkM+KYLv lucazeau.alexandre@gmail.com" ];
+ };
+ };
+ };
+ programs.git = {
+ enable = true;
+ config.user.email = "lucazeau.alexandre@gmail.com";
+ config.user.name = "Alexandre LUCAZEAU";
+ config.init.defaultBranch = "main";
+ config.core.sshCommand = "ssh -i ~/.ssh/id_ed25519-perso";
+ };
+ programs.fish.enable = true;
+ programs.fish.shellAliases = {
+ ll = "ls -l";
+ ls = "exa";
+ vi = "nvim";
+ vim = "nvim";
+ };
+ security.sudo = {
+ enable = true;
+ execWheelOnly = true;
+ extraRules = [
+ { users = [ "alexandre" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+ ];
+ };
+}
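Review bot: the `security.sudo.extraRules` entry grants `alexandre` `ALL` with `NOPASSWD` on every host that imports this module, and the README states the account has no password, so the single SSH private key (the same `ssh-ed25519` key is also installed for root on hosts/backup and hosts/services) is equivalent to unattended root on every machine; `execWheelOnly = true` does not narrow this because the user is already in `wheel`. If passwordless sudo is wanted on the laptops, scope the rule per host or to specific commands, and give the account a `hashedPassword` so `sudo` can prompt on the servers. `config.core.sshCommand = "ssh -i ~/.ssh/id_ed25519-perso"` in the system-wide git config hard-codes a personal key path for every user of the host and belongs in the user's own git or ssh configuration. `isNormalUser = true` already implies `createHome = true` and `home = "/home/alexandre"`, so those two lines are redundant.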