From 7d78e4984146462f7edf81047f71a1ef60b54a7e Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Wed, 25 May 2022 12:50:35 +0000
Subject: [PATCH 01/16] ADD : backup server config
---
 hosts/backup/common.nix | 13 ++++++++
 hosts/backup/configuration.nix | 18 +++++++++++
 hosts/backup/hardware-configuration.nix | 8 +++++
 hosts/backup/rest-server.nix | 15 +++++++++
 hosts/backup/users.nix | 41 +++++++++++++++++++++++++
 5 files changed, 95 insertions(+)
 create mode 100644 hosts/backup/common.nix
 create mode 100644 hosts/backup/configuration.nix
 create mode 100644 hosts/backup/hardware-configuration.nix
 create mode 100644 hosts/backup/rest-server.nix
 create mode 100644 hosts/backup/users.nix
diff --git a/hosts/backup/common.nix b/hosts/backup/common.nix
new file mode 100644
index 0000000..fc6dfb3
--- /dev/null
+++ b/hosts/backup/common.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ...}:
+{
+ environment.variables.EDITOR = "nvim";
+ environment.systemPackages = with pkgs; [
+ gitAndTools.gitFull
+ unzip
+ zip
+ tmux
+ lshw
+ bc
+ neovim
+ ];
+}
diff --git a/hosts/backup/configuration.nix b/hosts/backup/configuration.nix
new file mode 100644
index 0000000..44b9568
--- /dev/null
+++ b/hosts/backup/configuration.nix
@@ -0,0 +1,18 @@
+{ ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ./rest-server.nix
+ ./users.nix
+ ./common.nix
+ ];
+
+ boot.cleanTmpDir = true;
+ zramSwap.enable = false;
+ networking.hostName = "back";
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUA1RW6JwZasspAp8qmFRFnlV5WXjhLfStAAkM+KYLv lucazeau.alexandre@gmail.com"
+ ];
+
+
+}
diff --git a/hosts/backup/hardware-configuration.nix b/hosts/backup/hardware-configuration.nix
new file mode 100644
index 0000000..856a106
--- /dev/null
+++ b/hosts/backup/hardware-configuration.nix
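Review bot: `services.openssh.enable = true;` in hosts/backup/configuration.nix leaves `passwordAuthentication` and `permitRootLogin` at the module defaults while a root authorized key is added two lines later, so the daemon keeps accepting password attempts for every account and root remains an SSH login target. hosts/web/configuration.nix in patch 07 already uses the hardened form; making this host consistent means adding `services.openssh.passwordAuthentication = false;` and `services.openssh.challengeResponseAuthentication = false;` next to the enable line (patch 02 separately disables root login here). The same defaults-only sshd setup is repeated in hosts/services/configuration.nix in patch 08.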
@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; };
+ swapDevices = [ { device = "/dev/sda2"; } ];
+}
diff --git a/hosts/backup/rest-server.nix b/hosts/backup/rest-server.nix
new file mode 100644
index 0000000..3baa7da
--- /dev/null
+++ b/hosts/backup/rest-server.nix
@@ -0,0 +1,15 @@
+
+{ lib, config, ... }:
+{
+ services.restic.server = {
+ enable = true;
+ appendOnly = true;
+ extraFlags = [ "--no-auth" ];
+ dataDir = "/var/lib/backup";
+ prometheus = true;
+ };
+ networking = {
+ firewall.enable = true;
+ firewall.allowedTCPPorts = [ 8000 ];
+ };
+}
diff --git a/hosts/backup/users.nix b/hosts/backup/users.nix
new file mode 100644
index 0000000..80e35a7
--- /dev/null
+++ b/hosts/backup/users.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, ...}:
+{
+ users = {
+ groups = {
+ alexandre = {};
+ };
+ users = {
+ alexandre = {
+ isNormalUser = true;
+ createHome = true;
+ home = "/home/alexandre";
+ description = "Alexandre LUCAZEAU";
+ extraGroups = [ "wheel" ];
+ group = "alexandre";
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUA1RW6JwZasspAp8qmFRFnlV5WXjhLfStAAkM+KYLv lucazeau.alexandre@gmail.com" ];
+ };
+ };
+ };
+ programs.git = {
+ enable = true;
+ config.user.email = "lucazeau.alexandre@gmail.com";
+ config.user.name = "Alexandre LUCAZEAU";
+ config.init.defaultBranch = "main";
+ config.core.sshCommand = "ssh -i ~/.ssh/id_ed25519-perso";
+ };
+ programs.fish.enable = true;
+ programs.fish.shellAliases = {
+ ll = "ls -l";
+ ls = "ls --color=tty";
+ vi = "nvim";
+ vim = "nvim";
+ };
+ security.sudo = {
+ enable = true;
+ execWheelOnly = true;
+ extraRules = [
+ { users = [ "alexandre" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+ ];
+ };
+}
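Review bot: `extraFlags = [ "--no-auth" ]` together with `firewall.allowedTCPPorts = [ 8000 ]` publishes the restic REST server on every interface with no authentication, so any peer that can reach port 8000 can list and read every snapshot and push new data; `appendOnly = true` only prevents deletion, it does not limit who may read or write, and `prometheus = true` exposes the metrics endpoint the same way. Without `--no-auth` rest-server authenticates against an `.htpasswd` file in its data directory, so the fix is to drop that flag, provision `/var/lib/backup/.htpasswd` out of band, and consider `privateRepos = true;` so each client only sees its own repository. Patch 10 moves the listener to 127.0.0.1:8080 but keeps `--no-auth` behind a public Caddy site, so the exposure is unchanged there.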
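Review bot: The sudo rule `{ users = [ "alexandre" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }` makes the account root-equivalent with no second check, and the README added in patch 09 states the user has no password at all, so the SSH key is the only thing between a compromised session and root. If passwordless sudo is only wanted for rebuilds, scope it, e.g. `commands = [ { command = "/run/current-system/sw/bin/nixos-rebuild"; options = [ "NOPASSWD" ]; } ];`, and give the account a `hashedPassword` so the `execWheelOnly` path still works for everything else. `config.core.sshCommand = "ssh -i ~/.ssh/id_ed25519-perso"` in the system-wide git config also implies the personal private key is installed on every host (the README's `scp` step suggests the same), so a per-host deploy key for the repository would limit what a compromised server can reach. hosts/services/users.nix in patch 08 is a verbatim copy of this file.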
From ef3b32ea8d05aa98dc025ffe9a52d8cb09e5a88e Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Wed, 25 May 2022 13:00:57 +0000
Subject: [PATCH 02/16] FIX : permitRootLogin : no
---
 hosts/backup/configuration.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/backup/configuration.nix b/hosts/backup/configuration.nix
index 44b9568..dfe4917 100644
--- a/hosts/backup/configuration.nix
+++ b/hosts/backup/configuration.nix
@@ -10,6 +10,7 @@
 zramSwap.enable = false;
 networking.hostName = "back";
 services.openssh.enable = true;
+ services.openssh.permitRootLogin = "no";
 users.users.root.openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUA1RW6JwZasspAp8qmFRFnlV5WXjhLfStAAkM+KYLv lucazeau.alexandre@gmail.com"
 ];
From d76c20611ffe9ab71437f17bbcf1756bf41586cf Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Wed, 25 May 2022 13:07:27 +0000
Subject: [PATCH 03/16] FIX : change nixos configuration to modular
---
 hosts/backup/configuration.nix | 6 +++---
 {hosts/backup => modules}/common.nix | 0
 {hosts/backup => modules}/rest-server.nix | 0
 {hosts/backup => modules}/users.nix | 0
 4 files changed, 3 insertions(+), 3 deletions(-)
 rename {hosts/backup => modules}/common.nix (100%)
 rename {hosts/backup => modules}/rest-server.nix (100%)
 rename {hosts/backup => modules}/users.nix (100%)
diff --git a/hosts/backup/configuration.nix b/hosts/backup/configuration.nix
index dfe4917..9097c37 100644
--- a/hosts/backup/configuration.nix
+++ b/hosts/backup/configuration.nix
@@ -1,9 +1,9 @@
 { ... }: {
 imports = [
 ./hardware-configuration.nix
- ./rest-server.nix
- ./users.nix
- ./common.nix
+ ../modules/rest-server.nix
+ ../modules/users.nix
+ ../modules/common.nix
 ];
 boot.cleanTmpDir = true;
diff --git a/hosts/backup/common.nix b/modules/common.nix
similarity index 100%
rename from hosts/backup/common.nix
rename to modules/common.nix
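Review bot: With `services.openssh.permitRootLogin = "no";` the `users.users.root.openssh.authorizedKeys.keys` list directly below it can never grant a login, so it is now dead configuration that still advertises a key for root; drop that list in the same change so the intent is unambiguous. The enclosing attribute set continues outside the hunk.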
diff --git a/hosts/backup/rest-server.nix b/modules/rest-server.nix
similarity index 100%
rename from hosts/backup/rest-server.nix
rename to modules/rest-server.nix
diff --git a/hosts/backup/users.nix b/modules/users.nix
similarity index 100%
rename from hosts/backup/users.nix
rename to modules/users.nix
From 2a8da54ee68a90a48dbcd8a042d653f1d7a80f46 Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Wed, 25 May 2022 13:11:18 +0000
Subject: [PATCH 04/16] Config backup server
---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/README.md b/README.md
index ef05812..e7737a7 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,6 @@
 # dotconf
+* backup
+ git clone
+ change /etc/nixos to link to ~/git/nixos-config/hosts/backup
+ add ln -s /home/alexandre/git/nixos-config/modules /etc/modules
From ae96b65e2e51b7ea06e39ef523379d481486c44b Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Thu, 26 May 2022 10:45:34 +0000
Subject: [PATCH 05/16] ADD test file
---
 test | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 test
diff --git a/test b/test
new file mode 100644
index 0000000..e69de29
From c6d7048dc2d0aacc193a28740cedd35fee4b97cb Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Thu, 26 May 2022 10:48:32 +0000
Subject: [PATCH 06/16] deleted: test
---
 test | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 test
diff --git a/test b/test
deleted file mode 100644
index e69de29..0000000
From 621f36fc3471baf92de498fd99fa92644f808265 Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Thu, 26 May 2022 10:55:06 +0000
Subject: [PATCH 07/16] ADD : web server
---
 hosts/web/configuration.nix | 29 ++++++++++++++++
 hosts/web/firewall-web.nix | 17 ++++++++++
 hosts/web/hardware-configuration.nix | 8 +++++
 hosts/web/webserver.nix | 49 ++++++++++++++++++++++++++++
 modules/gitea.nix | 20 ++++++++++++
 modules/prometheus-node.nix | 12 +++++++
 6 files changed, 135 insertions(+)
 create mode 100644 hosts/web/configuration.nix
 create mode 100644 hosts/web/firewall-web.nix
 create mode 100644 hosts/web/hardware-configuration.nix
 create mode 100644 hosts/web/webserver.nix
 create mode 100644 modules/gitea.nix
 create mode 100644 modules/prometheus-node.nix
diff --git a/hosts/web/configuration.nix b/hosts/web/configuration.nix
new file mode 100644
index 0000000..f8e7dc3
--- /dev/null
+++ b/hosts/web/configuration.nix
@@ -0,0 +1,29 @@
+{ pkgs, ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ./webserver.nix
+ ./firewall-web.nix
+ ../modules/gitea.nix
+ ../modules/prometheus-node.nix
+ ../modules/common.nix
+ ../modules/users.nix
+ ];
+
+ boot.cleanTmpDir = true;
+ zramSwap.enable = false;
+ networking.hostName = "web";
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ challengeResponseAuthentication = false;
+ };
+
+ # Nix Garbage Collector
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+
+}
diff --git a/hosts/web/firewall-web.nix b/hosts/web/firewall-web.nix
new file mode 100644
index 0000000..15077a3
--- /dev/null
+++ b/hosts/web/firewall-web.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.firewall = {
+ allowPing = true;
+ # allowed TCP range
+ allowedTCPPorts = [ 22 80 443 9002 2021];
+ };
+ services.fail2ban = {
+ enable = true;
+ maxretry = 2;
+ ignoreIP = [
+ "127.0.0.0/8"
+ "212.114.16.52"
+ ];
+ };
+}
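Review bot: `allowedTCPPorts = [ 22 80 443 9002 2021];` opens the node exporter (9002, modules/prometheus-node.nix) and the Caddy `metrics` site on 2021 (hosts/web/webserver.nix) to every source address, and neither endpoint has authentication, so host inventory (systemd units, disks, network, kernel) and per-request statistics become world-readable. The only scraper in this series is the Prometheus instance on the services VM, which the README places on a different network from this OVH host, so an interface scope will not help; restrict the source in `networking.firewall.extraCommands`, or serve the exporter through the existing Caddy site with TLS and client authentication and keep `[ 22 80 443 ]` here. The comment `# allowed TCP range` is also misleading, since this is a list of individual ports, not a range. hosts/services/firewall-services.nix in patch 13 repeats the pattern with 2342, 9001 and 9002.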
diff --git a/hosts/web/hardware-configuration.nix b/hosts/web/hardware-configuration.nix
new file mode 100644
index 0000000..0914f55
--- /dev/null
+++ b/hosts/web/hardware-configuration.nix
@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda2"; fsType = "ext4"; };
+ swapDevices = [ { device = "/dev/sda3"; } ];
+}
diff --git a/hosts/web/webserver.nix b/hosts/web/webserver.nix
new file mode 100644
index 0000000..0f3e1a4
--- /dev/null
+++ b/hosts/web/webserver.nix
@@ -0,0 +1,49 @@
+{config, pkgs, ...}:
+let
+ caddyDir = "/var/lib/caddy";
+in
+{
+ services.caddy = {
+ enable = true;
+ email = "lucazeau.alexandre@gmail.com";
+ config = ''
+ {
+ storage file_system {
+ root ${caddyDir}
+ }
+ }
+ https://git.atlanticaweb.fr {
+ encode gzip
+ reverse_proxy http://localhost:3001
+ }
+ atlanticaweb.fr {
+ root * /srv/www/atlanticaweb.fr
+ encode gzip zstd
+ file_server
+ }
+ atlanticaweb.fr:2021 {
+ metrics
+ }
+ www.atlanticaweb.fr {
+ redir https://atlanticaweb.fr{uri}
+ }
+ pizzajoffre.fr {
+ root * /srv/www/pizzajoffre.fr
+ encode gzip zstd
+ file_server
+ }
+ www.pizzajoffre.fr {
+ redir https://pizzajoffre.fr{uri}
+ }
+ '';
+ };
+ users.users.caddy = {
+ group = "caddy";
+ uid = config.ids.uids.caddy;
+ home = caddyDir;
+ createHome = true;
+ extraGroups = [ "users" ];
+ };
+
+ users.groups.caddy.gid = config.ids.uids.caddy;
+}
diff --git a/modules/gitea.nix b/modules/gitea.nix
new file mode 100644
index 0000000..f1a143c
--- /dev/null
+++ b/modules/gitea.nix
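Review bot: `users.groups.caddy.gid = config.ids.uids.caddy;` reads the uid table for a gid; the NixOS id table has a separate `config.ids.gids.caddy`, and the caddy module already declares both the `caddy` user and group with those ids, so this whole block duplicates what the module does. The duplicate also adds `extraGroups = [ "users" ];` to the service account, which nothing in the Caddyfile needs (document roots are under /srv/www) and which lets a compromised Caddy process read any file that is group-readable by `users`. Removing the `users.users.caddy` block and the `users.groups.caddy.gid` line and leaving user creation to the module is the smallest fix; the same block is copied into modules/rest-server.nix in patch 10 and modules/grafana.nix in patch 11. The `atlanticaweb.fr:2021 { metrics }` site is served with no authentication, which matters once the firewall opens 2021 in hosts/web/firewall-web.nix.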
@@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+
+ {
+
+ services.gitea = {
+ enable = true; # Enable Gitea
+ appName = "git.atlanticaweb.fr"; # Give the site a name
+ database = {
+ type = "sqlite3"; # Database type
+ };
+ domain = "git.atlanticaweb.fr"; # Domain name
+ rootUrl = "https://git.atlanticaweb.fr/"; # Root web URL
+ httpPort = 3001; # Provided unique port
+ dump.enable = true;
+ dump.backupDir = "/srv/backup/gitea";
+ lfs.enable = true;
+ disableRegistration = true; # comment this line for the first user admin
+ };
+
+ }
diff --git a/modules/prometheus-node.nix b/modules/prometheus-node.nix
new file mode 100644
index 0000000..9814e32
--- /dev/null
+++ b/modules/prometheus-node.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }:
+ {
+ services.prometheus = {
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ };
+ };
+ }
From fd4a6d32ac67a5ffde64bbceb696060de3c76c3c Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Thu, 26 May 2022 17:22:03 +0000
Subject: [PATCH 08/16] ADD services hosts
---
 hosts/services/common.nix | 13 +++++++
 hosts/services/configuration.nix | 16 +++++++++
 hosts/services/hardware-configuration.nix | 8 +++++
 hosts/services/users.nix | 41 +++++++++++++++++++++++
 4 files changed, 78 insertions(+)
 create mode 100644 hosts/services/common.nix
 create mode 100644 hosts/services/configuration.nix
 create mode 100644 hosts/services/hardware-configuration.nix
 create mode 100644 hosts/services/users.nix
diff --git a/hosts/services/common.nix b/hosts/services/common.nix
new file mode 100644
index 0000000..fc6dfb3
--- /dev/null
+++ b/hosts/services/common.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ...}:
+{
+ environment.variables.EDITOR = "nvim";
+ environment.systemPackages = with pkgs; [
+ gitAndTools.gitFull
+ unzip
+ zip
+ tmux
+ lshw
+ bc
+ neovim
+ ];
+}
diff --git a/hosts/services/configuration.nix b/hosts/services/configuration.nix
new file mode 100644
index 0000000..ef3d509
--- /dev/null
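Review bot: `disableRegistration = true; # comment this line for the first user admin` documents a bootstrap that opens self-registration on the public `git.atlanticaweb.fr` site for a window, and Gitea grants administrator rights to the first account that registers, so whoever registers first during that window owns the instance. Create the administrator from the host instead and never flip the flag, e.g. `sudo -u gitea gitea admin user create --admin --username <name> --email <mail> --random-password` pointed at the module's app.ini (by default under /var/lib/gitea/custom/conf), and reword the comment to say registration stays closed. `dump.backupDir = "/srv/backup/gitea";` will receive full dumps that include the SQLite database and the instance secrets, so the directory's owner and mode deserve a line here as well.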
+++ b/hosts/services/configuration.nix
@@ -0,0 +1,16 @@
+{ ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ../modules/users.nix
+ ../modules/common.nix
+
+ ];
+
+ boot.cleanTmpDir = true;
+ zramSwap.enable = true;
+ networking.hostName = "services";
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUA1RW6JwZasspAp8qmFRFnlV5WXjhLfStAAkM+KYLv lucazeau.alexandre@gmail.com"
+ ];
+}
diff --git a/hosts/services/hardware-configuration.nix b/hosts/services/hardware-configuration.nix
new file mode 100644
index 0000000..a08c213
--- /dev/null
+++ b/hosts/services/hardware-configuration.nix
@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}
diff --git a/hosts/services/users.nix b/hosts/services/users.nix
new file mode 100644
index 0000000..80e35a7
--- /dev/null
+++ b/hosts/services/users.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, ...}:
+{
+ users = {
+ groups = {
+ alexandre = {};
+ };
+ users = {
+ alexandre = {
+ isNormalUser = true;
+ createHome = true;
+ home = "/home/alexandre";
+ description = "Alexandre LUCAZEAU";
+ extraGroups = [ "wheel" ];
+ group = "alexandre";
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUA1RW6JwZasspAp8qmFRFnlV5WXjhLfStAAkM+KYLv lucazeau.alexandre@gmail.com" ];
+ };
+ };
+ };
+ programs.git = {
+ enable = true;
+ config.user.email = "lucazeau.alexandre@gmail.com";
+ config.user.name = "Alexandre LUCAZEAU";
+ config.init.defaultBranch = "main";
+ config.core.sshCommand = "ssh -i ~/.ssh/id_ed25519-perso";
+ };
+ programs.fish.enable = true;
+ programs.fish.shellAliases = {
+ ll = "ls -l";
+ ls = "ls --color=tty";
+ vi = "nvim";
+ vim = "nvim";
+ };
+ security.sudo = {
+ enable = true;
+ execWheelOnly = true;
+ extraRules = [
+ { users = [ "alexandre" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+ ];
+ };
+}
From bb6e4d268a3894b13ef47e1fcb13d545a77357f2 Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Thu, 26 May 2022 20:01:11 +0200
Subject: [PATCH 09/16] =?UTF-8?q?=09modifi=C3=A9=C2=A0:=20=20=20=20=20=20?=
 =?UTF-8?q?=20=20=20README.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 65 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index e7737a7..fdc79e0 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,66 @@
-# dotconf
-* backup
+# nixos-config
+This repository contain all my nixos config
- git clone
- change /etc/nixos to link to ~/git/nixos-config/hosts/backup
- add ln -s /home/alexandre/git/nixos-config/modules /etc/modules
+hosts :
+ * backup
+ backup server : online
+ * web
+ server web : OVH
+ * dell-5590
+ pro laptop
+ * services
+ VM on personal PX server. Hosting grafana - prometheus - loki
+ * x201
+ personnal laptop
+ * next
+ VM on personnal PX server. Nosting personnal nextcloud
+
+modules :
+ * common.nix : common config like environnement variable and common system packages base
+ * gitea.nix : use on web server
+ * prometheus-node.nix : prometheus node-exporter. use by all machine
+ * rest-server.nix : use by backup server. Restic server
+ * users.nix : user configuration. use by all machine
+
+# How to use
+## First boot
+After first boot :
+
+ nix-shell -p git
+ git clone gitea@git.atlanticaweb.fr:alexandre/nixos-config.git
+ cd nix-os-config
+ cp modules/users.nix /etc/nixos/
+ cp modules/common.nix /etc/nixos/
+ nano /etc/nixos/configuration.nix
+
+add **./users.nix** and **./common.nix** after **./hardware-configuration.nix** and exit
+
+ nixos-rebuild switch
+ rm -rf ~/nixos-config
+ exit
+
+Copy your personnal private key to account
+
+ scp -i .ssh/privatekey .ssh/privatekey machine:/home/alexandre/.ssh/
+
+Logging with user
+
+ mkdir git;cd git
+ git clone gitea@git.atlanticaweb.fr:alexandre/nixos-config.git
+ cd nixos-config/hosts
+ mkdir newhosts
+ cd newhosts
+ cp /etc/nixos/* .
+
+edit configuration.nix and change **./users.nix** to **../modules/users.nix** and change ./common.nix to ../modules/common.nix
+
+ rm /etc/nixos
+ ln -s /home/alexandre/git/nixos-config/hosts/machine /etc/nixos
+ ln -s /home/alexandre/git/
+
+## Exploit
+to rebuild system, just :
+
+ sudo nixos-rebuild switch
+
+Users have not a password.
From 925a08ffeeea7f7a4d44050c3077fe98e3c12c9d Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Thu, 26 May 2022 19:08:00 +0000
Subject: [PATCH 10/16] FIX : modules/rest-server.nix Add caddy for reverse proxy, change firewall rules and change rest-server address for localhost
---
 modules/rest-server.nix | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/modules/rest-server.nix b/modules/rest-server.nix
index 3baa7da..00fdfd2 100644
--- a/modules/rest-server.nix
+++ b/modules/rest-server.nix
@@ -1,5 +1,8 @@
-{ lib, config, ... }:
+{ lib, config, pkgs, ... }:
+let
+ caddyDir = "/var/lib/caddy";
+in
 {
 services.restic.server = {
 enable = true;
@@ -7,9 +10,33 @@
 extraFlags = [ "--no-auth" ];
 dataDir = "/var/lib/backup";
 prometheus = true;
+ listenAddress = "127.0.0.1:8080";
 };
 networking = {
 firewall.enable = true;
- firewall.allowedTCPPorts = [ 8000 ];
+ firewall.allowedTCPPorts = [ 80 443 ];
 };
+ services.caddy = {
+ enable = true;
+ email = "lucazeau.alexandre@gmail.com";
+ config = ''
+ {
+ storage file_system {
+ root 
${caddyDir}
+ }
+ }
+ https://back.atlanticaweb.fr {
+ reverse_proxy http://127.0.0.1:8080
+ }
+ '';
+ };
+ users.users.caddy = {
+ group = "caddy";
+ uid = config.ids.uids.caddy;
+ home = caddyDir;
+ createHome = true;
+ extraGroups = [ "users" ];
+ };
+
+ users.groups.caddy.gid = config.ids.uids.caddy;
 }
From c2eeb342e9bb53b30a35b07fa57d1f66e74746a2 Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Thu, 26 May 2022 19:24:07 +0000
Subject: [PATCH 11/16] DEL unused services/common.nix and services/users.nix ADD grafana.nix
---
 hosts/services/common.nix | 13 ----------
 hosts/services/configuration.nix | 1 +
 hosts/services/users.nix | 41 --------------------------
 modules/grafana.nix | 35 +++++++++++++++++++++++++++
 4 files changed, 36 insertions(+), 54 deletions(-)
 delete mode 100644 hosts/services/common.nix
 delete mode 100644 hosts/services/users.nix
 create mode 100644 modules/grafana.nix
diff --git a/hosts/services/common.nix b/hosts/services/common.nix
deleted file mode 100644
index fc6dfb3..0000000
--- a/hosts/services/common.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, pkgs, ...}:
-{
- environment.variables.EDITOR = "nvim";
- environment.systemPackages = with pkgs; [
- gitAndTools.gitFull
- unzip
- zip
- tmux
- lshw
- bc
- neovim
- ];
-}
diff --git a/hosts/services/configuration.nix b/hosts/services/configuration.nix
index ef3d509..fc961ae 100644
--- a/hosts/services/configuration.nix
+++ b/hosts/services/configuration.nix
@@ -3,6 +3,7 @@
 ./hardware-configuration.nix
 ../modules/users.nix
 ../modules/common.nix
+ ../modules/grafana.nix
 ];
diff --git a/hosts/services/users.nix b/hosts/services/users.nix
deleted file mode 100644
index 80e35a7..0000000
--- a/hosts/services/users.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ config, pkgs, ...}:
-{
- users = {
- groups = {
- alexandre = {};
- };
- users = {
- alexandre = {
- isNormalUser = true;
- createHome = true;
- home = "/home/alexandre";
- description = "Alexandre LUCAZEAU";
- extraGroups = [ "wheel" ];
- group = "alexandre";
- shell = pkgs.fish;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUA1RW6JwZasspAp8qmFRFnlV5WXjhLfStAAkM+KYLv lucazeau.alexandre@gmail.com" ];
- };
- };
- };
- programs.git = {
- enable = true;
- config.user.email = "lucazeau.alexandre@gmail.com";
- config.user.name = "Alexandre LUCAZEAU";
- config.init.defaultBranch = "main";
- config.core.sshCommand = "ssh -i ~/.ssh/id_ed25519-perso";
- };
- programs.fish.enable = true;
- programs.fish.shellAliases = {
- ll = "ls -l";
- ls = "ls --color=tty";
- vi = "nvim";
- vim = "nvim";
- };
- security.sudo = {
- enable = true;
- execWheelOnly = true;
- extraRules = [
- { users = [ "alexandre" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
- ];
- };
-}
diff --git a/modules/grafana.nix b/modules/grafana.nix
new file mode 100644
index 0000000..1a18162
--- /dev/null
+++ b/modules/grafana.nix
@@ -0,0 +1,35 @@
+{ config, pkgs, ...}:
+let
+ caddyDir = "/var/lib/caddy";
+in
+{
+services.grafana = {
+ enable = true;
+ domain = "sup.atlanticaweb";
+ port = 2342;
+ addr = "127.0.0.1";
+ };
+services.caddy = {
+ enable = true;
+ email = "lucazeau.alexandre@gmail.com";
+ config = ''
+ {
+ storage file_system {
+ root ${caddyDir}
+ }
+ }
+ https://grafana.atlanticaweb.fr {
+ reverse_proxy http://127.0.0.1:${toString config.services.grafana.port}
+ }
+ '';
+};
+users.users.caddy = {
+ group = "caddy";
+ uid = config.ids.uids.caddy;
+ home = caddyDir;
+ createHome = true;
+ extraGroups = [ "users" ];
+};
+
+users.groups.caddy.gid = config.ids.uids.caddy;
+}
From f3c3a48be720b3409c743a4c88aec464ac05e70a Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Wed, 1 Jun 2022 18:25:07 +0000
Subject: [PATCH 12/16] modified: ../hosts/services/configuration.nix - change grafana firewall port modified: grafana.nix - change caddy config to extraConfig
---
 hosts/services/configuration.nix | 1 +
 modules/grafana.nix | 81 ++++++++++++++++++++------------
 2 files changed, 51 insertions(+), 31 deletions(-)
diff --git a/hosts/services/configuration.nix b/hosts/services/configuration.nix
index fc961ae..37d2d3c 100644
--- a/hosts/services/configuration.nix
+++ b/hosts/services/configuration.nix
@@ -1,6 +1,7 @@
 { ... }: {
 imports = [
 ./hardware-configuration.nix
+ ./firewall-services.nix
 ../modules/users.nix
 ../modules/common.nix
 ../modules/grafana.nix
diff --git a/modules/grafana.nix b/modules/grafana.nix
index 1a18162..533033e 100644
--- a/modules/grafana.nix
+++ b/modules/grafana.nix
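Review bot: The `services.grafana` block sets neither `security.adminPassword` nor `security.adminPasswordFile`, and the NixOS module's default admin password is the literal `admin`, so the instance published on `https://grafana.atlanticaweb.fr` comes up with well-known credentials until someone logs in and changes them. Add `security.adminPasswordFile = "<path-to-root-only-secret>";` next to `domain`, and set `security.secretKeyFile` the same way, since the module's default session-signing secret is equally fixed. `domain = "sup.atlanticaweb"` also disagrees with the `https://grafana.atlanticaweb.fr` site in the same file, so Grafana's generated root URL and the proxied host name differ; patch 12 changes both names.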
@@ -1,35 +1,54 @@
 { config, pkgs, ...}:
-let
- caddyDir = "/var/lib/caddy";
-in
-{
-services.grafana = {
- enable = true;
- domain = "sup.atlanticaweb";
- port = 2342;
- addr = "127.0.0.1";
- };
-services.caddy = {
- enable = true;
- email = "lucazeau.alexandre@gmail.com";
- config = ''
+ let
+ caddyDir = "/var/lib/caddy";
+ in
 {
- storage file_system {
- root ${caddyDir}
+ services.grafana = {
+ enable = true;
+ domain = "sup.atlanticaweb.fr";
+ port = 2342;
+ addr = "127.0.0.1";
+ };
+ services.caddy = {
+ enable = true;
+ email = "lucazeau.alexandre@gmail.com";
+ extraConfig = ''
+ {
+ storage file_system {
+ root ${caddyDir}
+ }
 }
- }
- https://grafana.atlanticaweb.fr {
- reverse_proxy http://127.0.0.1:${toString config.services.grafana.port}
- }
- '';
-};
-users.users.caddy = {
- group = "caddy";
- uid = config.ids.uids.caddy;
- home = caddyDir;
- createHome = true;
- extraGroups = [ "users" ];
-};
-
-users.groups.caddy.gid = config.ids.uids.caddy;
+ https://sup.atlanticaweb.fr:2342 {
+ reverse_proxy http://127.0.0.1:${toString config.services.grafana.port}
+ }
+ '';
+ };
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ };
+ scrapeConfigs = [
+ {
+ job_name = "services";
+ static_configs = [{
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
+ }];
+ }
+ ];
+ };
+ users.users.caddy = {
+ group = "caddy";
+ uid = config.ids.uids.caddy;
+ home = caddyDir;
+ createHome = true;
+ extraGroups = [ "users" ];
+ };
+
+ users.groups.caddy.gid = config.ids.uids.caddy;
 }
From f11a7857475f6200aa673c5a37598fa4c97a690e Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Wed, 1 Jun 2022 18:27:21 +0000
Subject: [PATCH 13/16] ADD firewall files
---
 hosts/services/firewall-services.nix | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 hosts/services/firewall-services.nix
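Review bot: `https://sup.atlanticaweb.fr:2342 {` makes Caddy listen on port 2342 on all addresses while `addr = "127.0.0.1"; port = 2342;` binds Grafana to the same port on loopback and `reverse_proxy http://127.0.0.1:${toString config.services.grafana.port}` proxies back to that same port; on Linux the wildcard bind will most likely fail with EADDRINUSE once Grafana is listening, and if it does not, which process answers on 2342 is ambiguous. Give the Caddy site its own port (443, or any unused one) and keep Grafana on loopback. The new `services.prometheus` block also leaves `listenAddress` at its default of all interfaces on `port = 9001;`, and hosts/services/firewall-services.nix in patch 13 opens 9001, so the full Prometheus query API becomes readable without authentication by anyone on that network; `services.prometheus.listenAddress = "127.0.0.1";` is enough, since its only consumer, Grafana, runs on the same host.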
diff --git a/hosts/services/firewall-services.nix b/hosts/services/firewall-services.nix
new file mode 100644
index 0000000..9adbf18
--- /dev/null
+++ b/hosts/services/firewall-services.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.firewall = {
+ allowPing = true;
+ # allowed TCP range
+ allowedTCPPorts = [ 22 80 2342 9001 9002];
+ };
+ services.fail2ban = {
+ enable = true;
+ maxretry = 2;
+ ignoreIP = [
+ "127.0.0.0/8"
+ "212.114.16.52"
+ ];
+ };
+}
From f5ed833a480078207ef92226aced230c80b353f0 Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Wed, 1 Jun 2022 19:04:19 +0000
Subject: [PATCH 14/16] modified: hosts/services/configuration.nix modified: modules/common.nix modified: modules/grafana.nix modified: modules/users.nix
---
 hosts/services/configuration.nix | 1 +
 modules/common.nix | 5 +++++
 modules/grafana.nix | 15 +++++----------
 modules/users.nix | 2 +-
 4 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/hosts/services/configuration.nix b/hosts/services/configuration.nix
index 37d2d3c..995c5ac 100644
--- a/hosts/services/configuration.nix
+++ b/hosts/services/configuration.nix
@@ -8,6 +8,7 @@
 ];
+ system.stateVersion = "21.05";
 boot.cleanTmpDir = true;
 zramSwap.enable = true;
 networking.hostName = "services";
diff --git a/modules/common.nix b/modules/common.nix
index fc6dfb3..3f2a519 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -9,5 +9,10 @@
 lshw
 bc
 neovim
+ ncdu
+ nixos-option
+ bat
+ procs
+ exa
 ];
 }
diff --git a/modules/grafana.nix b/modules/grafana.nix
index 533033e..e599a3d 100644
--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@@ -7,20 +7,15 @@
 enable = true;
 domain = "sup.atlanticaweb.fr";
 port = 2342;
- addr = "127.0.0.1";
- };
+ addr = "192.168.10.109";
+ };
 services.caddy = {
 enable = true;
 email = "lucazeau.alexandre@gmail.com";
 extraConfig = ''
- {
- storage file_system {
- root ${caddyDir}
- }
- }
- https://sup.atlanticaweb.fr:2342 {
- reverse_proxy http://127.0.0.1:${toString config.services.grafana.port}
- }
+ storage file_system {
+ root * ${caddyDir}
+ };
 '';
 };
 services.prometheus = {
diff --git a/modules/users.nix b/modules/users.nix
index 80e35a7..64b9f4e 100644
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -27,7 +27,7 @@
 programs.fish.enable = true;
 programs.fish.shellAliases = {
 ll = "ls -l";
- ls = "ls --color=tty";
+ ls = "exa";
 vi = "nvim";
 vim = "nvim";
 };
From 9cb865961c3abfafc9b74bc4c412f6be2599e0bf Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Wed, 1 Jun 2022 19:33:08 +0000
Subject: [PATCH 15/16] modified: grafana.nix
---
 modules/grafana.nix | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/modules/grafana.nix b/modules/grafana.nix
index e599a3d..7f63bb5 100644
--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@@ -9,15 +9,6 @@
 port = 2342;
 addr = "192.168.10.109";
 };
- services.caddy = {
- enable = true;
- email = "lucazeau.alexandre@gmail.com";
- extraConfig = ''
- storage file_system {
- root * ${caddyDir}
- };
- '';
- };
 services.prometheus = {
 enable = true;
 port = 9001;
From 6d8a1a320187fe51a8a6d03ec043d9a656bce830 Mon Sep 17 00:00:00 2001
From: Alexandre LUCAZEAU
Date: Wed, 1 Jun 2022 20:21:07 +0000
Subject: [PATCH 16/16] modified: grafana.nix - ADD nextcloud server
---
 modules/grafana.nix | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/modules/grafana.nix b/modules/grafana.nix
index 7f63bb5..1b58e25 100644
--- a/modules/grafana.nix
+++ b/modules/grafana.nix
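Review bot: `addr = "192.168.10.109";` moves Grafana from loopback onto the LAN address while the Caddy `extraConfig` in the same hunk shrinks to `storage file_system { root * ${caddyDir} };`, which contains no site block any more (and, as far as I can tell, is not a valid top-level Caddyfile fragment), so Grafana is now reached directly over plain HTTP on 192.168.10.109:2342 and the login form, session cookie and API tokens cross the network in clear text. Either keep `addr = "127.0.0.1";` with a working TLS-terminating Caddy site in front of it, or enable Grafana's own TLS with `services.grafana.protocol = "https";` plus `certFile`/`keyFile`. Patch 15 then deletes the Caddy block altogether, which suggests the plaintext path is the intended end state rather than an oversight.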
@@ -25,6 +25,12 @@
 static_configs = [{
 targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
 }];
+ }
+ {
+ job_name = "nextcloud";
+ static_configs = [{
+ targets = [ "192.168.10.114:${toString config.services.prometheus.exporters.node.port}" ];
+ }];
 }
 ];
 };
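Review bot: `targets = [ "192.168.10.114:${toString config.services.prometheus.exporters.node.port}" ];` derives the remote host's port from this host's own node exporter setting, so the two only agree by coincidence and a later change to the local `port = 9002;` would silently point the job at the wrong port on the other machine; write the remote port literally, or bind both hosts to one shared value. The job scrapes a node exporter rather than Nextcloud itself, so a name such as `job_name = "nextcloud-node";` would describe the data more accurately. The enclosing `scrapeConfigs` list starts outside the hunk.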