Merge branch 'main' of git.atlanticaweb.fr:alexandre/nixos-config

README.md

@@ -1,2 +1,66 @@
-# dotconf
+# nixos-config
+This repository contain all my nixos config
 
+hosts :
+  * backup
+        backup server : online
+  * web
+        server web : OVH
+  * dell-5590
+        pro laptop
+  * services
+        VM on personal PX server. Hosting grafana - prometheus - loki
+  * x201
+        personnal laptop
+  * next
+        VM on personnal PX server. Nosting personnal nextcloud
+
+modules :
+  * common.nix : common config like environnement variable and common system packages base
+  * gitea.nix : use on web server
+  * prometheus-node.nix : prometheus node-exporter. use by all machine
+  * rest-server.nix : use by backup server. Restic server
+  * users.nix : user configuration. use by all machine
+
+# How to use
+## First boot
+After first boot :
+
+        nix-shell -p git
+        git clone gitea@git.atlanticaweb.fr:alexandre/nixos-config.git
+        cd nix-os-config
+        cp modules/users.nix /etc/nixos/
+        cp modules/common.nix /etc/nixos/
+        nano /etc/nixos/configuration.nix
+
+add **./users.nix** and **./common.nix** after **./hardware-configuration.nix** and exit
+
+        nixos-rebuild switch
+        rm -rf ~/nixos-config
+        exit
+
+Copy your personnal private key to account
+
+		scp -i .ssh/privatekey .ssh/privatekey machine:/home/alexandre/.ssh/
+
+Logging with user
+
+        mkdir git;cd git
+        git clone gitea@git.atlanticaweb.fr:alexandre/nixos-config.git
+        cd nixos-config/hosts
+        mkdir newhosts
+        cd newhosts
+        cp /etc/nixos/* .
+
+edit configuration.nix and change **./users.nix** to **../modules/users.nix** and change ./common.nix to ../modules/common.nix
+
+		rm /etc/nixos
+		ln -s /home/alexandre/git/nixos-config/hosts/machine /etc/nixos
+		ln -s /home/alexandre/git/
+
+## Exploit
+to rebuild system, just :
+
+		sudo nixos-rebuild switch
+
+Users have not a password.

hosts/backup/configuration.nix

@@ -0,0 +1,19 @@
+{ ... }: {
+  imports = [
+    ./hardware-configuration.nix
+    ../modules/rest-server.nix
+    ../modules/users.nix
+    ../modules/common.nix
+  ];
+
+  boot.cleanTmpDir = true;
+  zramSwap.enable = false;
+  networking.hostName = "back";
+  services.openssh.enable = true;
+  services.openssh.permitRootLogin = "no";
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUA1RW6JwZasspAp8qmFRFnlV5WXjhLfStAAkM+KYLv lucazeau.alexandre@gmail.com" 
+  ];
+
+
+}

hosts/backup/hardware-configuration.nix

@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; };
+  swapDevices = [ { device = "/dev/sda2"; } ];
+}

hosts/services/configuration.nix

@@ -0,0 +1,19 @@
+{ ... }: {
+  imports = [
+    ./hardware-configuration.nix
+    ./firewall-services.nix
+    ../modules/users.nix
+    ../modules/common.nix
+    ../modules/grafana.nix
+    
+  ];
+
+  system.stateVersion = "21.05";
+  boot.cleanTmpDir = true;
+  zramSwap.enable = true;
+  networking.hostName = "services";
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUA1RW6JwZasspAp8qmFRFnlV5WXjhLfStAAkM+KYLv lucazeau.alexandre@gmail.com" 
+  ];
+}

hosts/services/firewall-services.nix

@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking.firewall = {
+    allowPing = true;
+    # allowed TCP range
+    allowedTCPPorts = [ 22 80 2342 9001 9002];
+  };
+  services.fail2ban = {
+    enable = true;
+    maxretry = 2;
+    ignoreIP = [
+      "127.0.0.0/8" 
+      "212.114.16.52"
+    ];
+  };
+}

hosts/services/hardware-configuration.nix

@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+  
+}

hosts/web/configuration.nix

@@ -0,0 +1,29 @@
+{ pkgs, ... }: {
+  imports = [
+    ./hardware-configuration.nix
+    ./webserver.nix
+    ./firewall-web.nix
+    ../modules/gitea.nix
+    ../modules/prometheus-node.nix
+    ../modules/common.nix
+    ../modules/users.nix
+  ];
+
+  boot.cleanTmpDir = true;
+  zramSwap.enable = false;
+  networking.hostName = "web";
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "no";
+    passwordAuthentication = false;
+    challengeResponseAuthentication = false;
+    };
+  
+   # Nix Garbage Collector
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 7d";
+  };
+
+}

hosts/web/firewall-web.nix

@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking.firewall = {
+    allowPing = true;
+    # allowed TCP range
+    allowedTCPPorts = [ 22 80 443 9002 2021];
+  };
+  services.fail2ban = {
+    enable = true;
+    maxretry = 2;
+    ignoreIP = [
+      "127.0.0.0/8" 
+      "212.114.16.52"
+    ];
+  };
+}

hosts/web/hardware-configuration.nix

@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda2"; fsType = "ext4"; };
+  swapDevices = [ { device = "/dev/sda3"; } ];
+}

hosts/web/webserver.nix

@@ -0,0 +1,49 @@
+{config, pkgs, ...}:
+let
+  caddyDir = "/var/lib/caddy";
+in
+{
+  services.caddy = {
+    enable = true;
+    email = "lucazeau.alexandre@gmail.com";
+    config = ''
+    {
+      storage file_system {
+      root ${caddyDir}
+      }
+    }
+    https://git.atlanticaweb.fr {
+      encode gzip
+      reverse_proxy http://localhost:3001
+    }
+    atlanticaweb.fr {
+      root * /srv/www/atlanticaweb.fr
+      encode gzip zstd
+      file_server
+    }
+    atlanticaweb.fr:2021 {
+      metrics
+    }
+    www.atlanticaweb.fr {
+      redir https://atlanticaweb.fr{uri}
+    }
+    pizzajoffre.fr {
+      root * /srv/www/pizzajoffre.fr
+      encode gzip zstd
+      file_server
+    }
+    www.pizzajoffre.fr {
+      redir https://pizzajoffre.fr{uri}
+    }
+    '';
+  };
+  users.users.caddy = {
+    group = "caddy";
+    uid = config.ids.uids.caddy;
+    home = caddyDir;
+    createHome = true;
+    extraGroups = [ "users" ];
+  };
+
+  users.groups.caddy.gid = config.ids.uids.caddy;
+}

modules/common.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, ...}:
+{
+  environment.variables.EDITOR = "nvim";
+  environment.systemPackages = with pkgs; [
+    gitAndTools.gitFull
+    unzip
+    zip
+    tmux
+    lshw
+    bc
+    neovim
+    ncdu
+    nixos-option
+    bat
+    procs
+    exa
+  ];
+}

modules/gitea.nix

@@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+
+    {
+
+      services.gitea = {
+        enable = true;                               # Enable Gitea
+        appName = "git.atlanticaweb.fr";         # Give the site a name
+        database = {
+          type = "sqlite3";                         # Database type
+        };
+        domain = "git.atlanticaweb.fr";            # Domain name
+        rootUrl = "https://git.atlanticaweb.fr/";   # Root web URL
+        httpPort = 3001;                             # Provided unique port
+	dump.enable = true;
+	dump.backupDir = "/srv/backup/gitea";
+	lfs.enable = true;
+	disableRegistration = true; # comment this line for the first user admin
+      };
+
+   }

modules/grafana.nix

@@ -0,0 +1,46 @@
+{ config, pkgs, ...}:
+  let
+     caddyDir = "/var/lib/caddy";
+  in
+  {
+  services.grafana = {
+      enable = true;
+      domain = "sup.atlanticaweb.fr";
+      port = 2342;
+      addr = "192.168.10.109";
+  };
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+    exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = [ "systemd" ];
+        port = 9002;
+      };
+    };
+    scrapeConfigs = [
+      {
+        job_name = "services";
+        static_configs = [{
+          targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
+        }];
+	}
+	{
+        job_name = "nextcloud";
+        static_configs = [{
+          targets = [ "192.168.10.114:${toString config.services.prometheus.exporters.node.port}" ];
+        }];
+      }
+    ];
+  };
+  users.users.caddy = {
+    group = "caddy";
+    uid = config.ids.uids.caddy;
+    home = caddyDir;
+    createHome = true;
+    extraGroups = [ "users" ];
+  };
+  
+  users.groups.caddy.gid = config.ids.uids.caddy;
+}

modules/prometheus-node.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }:
+    {
+	 services.prometheus = {
+	    exporters = {
+	      node = {
+		enable = true;
+		enabledCollectors = [ "systemd" ];
+		port = 9002;
+	      };
+	    };
+	  };
+     }

modules/rest-server.nix

@@ -0,0 +1,42 @@
+
+{ lib, config, pkgs, ... }:
+let
+   caddyDir = "/var/lib/caddy";
+in
+{
+  services.restic.server = {
+	enable = true;
+  	appendOnly = true;
+  	extraFlags = [ "--no-auth" ];
+  	dataDir = "/var/lib/backup";
+  	prometheus = true;
+	listenAddress = "127.0.0.1:8080";
+	};
+  networking = {
+	firewall.enable = true;
+        firewall.allowedTCPPorts = [ 80 443 ];
+	};
+  services.caddy = {
+    enable = true;
+    email = "lucazeau.alexandre@gmail.com";
+    config = ''
+    {
+      storage file_system {
+      root ${caddyDir}
+      }
+    }
+    https://back.atlanticaweb.fr {
+    	reverse_proxy http://127.0.0.1:8080
+    }
+    '';
+  };
+  users.users.caddy = {
+    group = "caddy";
+    uid = config.ids.uids.caddy;
+    home = caddyDir;
+    createHome = true;
+    extraGroups = [ "users" ];
+  };
+  
+  users.groups.caddy.gid = config.ids.uids.caddy;
+}

modules/users.nix

@@ -0,0 +1,41 @@
+{ config, pkgs, ...}:
+{
+  users = { 
+    groups = {
+      alexandre = {};
+    };
+    users = {
+      alexandre = {
+        isNormalUser = true;
+	createHome = true;
+        home = "/home/alexandre";
+        description = "Alexandre LUCAZEAU";
+        extraGroups = [ "wheel" ];
+        group = "alexandre";
+        shell = pkgs.fish;
+	openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUA1RW6JwZasspAp8qmFRFnlV5WXjhLfStAAkM+KYLv lucazeau.alexandre@gmail.com" ];
+      };
+    };
+  };
+  programs.git = {
+	enable = true;
+	config.user.email = "lucazeau.alexandre@gmail.com";
+	config.user.name = "Alexandre LUCAZEAU";
+	config.init.defaultBranch = "main";
+	config.core.sshCommand = "ssh -i ~/.ssh/id_ed25519-perso";
+  };
+  programs.fish.enable = true;
+  programs.fish.shellAliases = {
+	ll = "ls -l";
+	ls = "exa";
+	vi = "nvim";
+	vim = "nvim";
+  };
+  security.sudo = {
+	enable = true;
+	execWheelOnly = true;
+	extraRules = [
+	{ users = [ "alexandre" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+	];
+  };
+}