diff --git a/configs/common-server.nix b/configs/common-server.nix
new file mode 100644
index 0000000..8023a9a
--- /dev/null
+++ b/configs/common-server.nix
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+let
+ secrets = import ../configs/secrets.nix;
+ be = import ../configs/borg-exclude.nix;
+ unstable = import { config.allowUnfree = true; };
+in {
+ imports = [ ../configs/common.nix ../configs/docker.nix ../configs/user.nix ];
+
+ fileSystems."/export/docker" = {
+ device = "/home/alex/docker";
+ options = [ "bind" ];
+ };
+}
diff --git a/machine/vps.nix b/machine/vps.nix
index 42ffaea..9338a09 100644
--- a/machine/vps.nix
+++ b/machine/vps.nix
@@ -3,28 +3,9 @@ let
secrets = import ../configs/secrets.nix;
be = import ../configs/borg-exclude.nix;
unstable = import { config.allowUnfree = true; };
-
- configFile = pkgs.writeText "monero.conf" ''
- log-file=/dev/stdout
- data-dir=/var/lib/monero
- rpc-bind-ip=127.0.0.1
- rpc-bind-port=18081
- enforce-dns-checkpointing=true
- enable-dns-blocklist=true # Block known-malicious nodes
- no-igd=true # Disable UPnP port mapping
- no-zmq=true # ZMQ configuration
-
- # bandwidth settings
- out-peers=32 # This will enable much faster sync and tx awareness; the default 8 is suboptimal nowadays
- in-peers=32 # The default is unlimited; we prefer to put a cap on this
- '';
in {
- imports = [
- /etc/nixos/hardware-configuration.nix
- ../configs/common.nix
- ../configs/docker.nix
- ../configs/user.nix
- ];
+ imports =
+ [ /etc/nixos/hardware-configuration.nix ../configs/common-server.nix ];
boot.loader.grub = {
enable = true;
@@ -32,11 +13,6 @@ in {
device = "/dev/sda"; # or "nodev" for efi only
};
- fileSystems."/export/docker" = {
- device = "/home/alex/docker";
- options = [ "bind" ];
- };
-
time.timeZone = "Europe/Berlin";
networking = {
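Review bot: The `let` block of the new configs/common-server.nix binds `secrets`, `be` and `unstable`, but nothing in the file references them — only `imports` and the `/export/docker` bind mount follow — so the three bindings (and the `let`/`in` around them) can be dropped rather than carried over from machine/vps.nix. The `unstable = import { config.allowUnfree = true; };` line is shown without a path argument to `import`; that is most likely a `<nixos-unstable>` lookup lost in rendering, but it is worth confirming the committed file still carries it, because as printed the expression would fail to evaluate the first time anything forces it. Nix is lazy, so an unused binding costs nothing at runtime, which is exactly why dead bindings like these tend to linger; removing them keeps the shared module from depending on `../configs/secrets.nix` being present on every host that imports it.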
@@ -492,31 +468,6 @@ in {
};
};
- # users.users.monero = {
- # isSystemUser = true;
- # group = "monero";
- # description = "Monero daemon user";
- # home = "/var/lib/monero";
- # createHome = true;
- # };
-
- # users.groups.monero = { };
-
- # systemd.services.monero = {
- # description = "monero daemon";
- # after = [ "network.target" ];
- # wantedBy = [ "multi-user.target" ];
-
- # serviceConfig = {
- # User = "monero";
- # Group = "monero";
- # ExecStart =
- # "${unstable.pkgs.monero-cli}/bin/monerod --config-file=${configFile} --non-interactive";
- # Restart = "always";
- # SuccessExitStatus = [ 0 1 ];
- # };
- # };
-
# Limit stack size to reduce memory usage
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
diff --git a/machine/vps3.nix b/machine/vps3.nix
new file mode 100644
index 0000000..42ec3e7
--- /dev/null
+++ b/machine/vps3.nix
@@ -0,0 +1,128 @@
+{ config, lib, pkgs, ... }:
+let
+ secrets = import ../configs/secrets.nix;
+ be = import ../configs/borg-exclude.nix;
+ unstable = import { config.allowUnfree = true; };
+in {
+ imports =
+ [ /etc/nixos/hardware-configuration.nix ../configs/common-server.nix ];
+
+ time.timeZone = "Europe/Berlin";
+
+ networking = {
+ hostName = "vpse"; # Define your hostname.
+ useDHCP = false;
+ interfaces.ens18 = { useDHCP = true; };
+ wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.100.0.1/24" ];
+ listenPort = 51820;
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+ '';
+ privateKey = secrets.wireguard-vps-private;
+ peers = [
+ {
+ publicKey = secrets.wireguard-desktop-public;
+ presharedKey = secrets.wireguard-preshared;
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ {
+ publicKey = secrets.wireguard-mini-public;
+ presharedKey = secrets.wireguard-preshared;
+ allowedIPs = [ "10.100.0.3/32" "192.168.178.0/24" ];
+ }
+ {
+ publicKey = secrets.wireguard-mbp-public;
+ presharedKey = secrets.wireguard-preshared;
+ allowedIPs = [ "10.100.0.4/32" ];
+ }
+ {
+ publicKey = secrets.wireguard-phone1-public;
+ presharedKey = secrets.wireguard-preshared;
+ allowedIPs = [ "10.100.0.5/32" ];
+ }
+ {
+ publicKey = secrets.wireguard-raspberrypi-public;
+ presharedKey = secrets.wireguard-preshared;
+ allowedIPs = [ "10.100.0.6/32" ];
+ }
+ ];
+ };
+ };
+ firewall = {
+ allowPing = true;
+ allowedTCPPorts = [
+ 80 # web
+ 443 # web
+ ];
+ allowedUDPPorts = [
+ 80 # web
+ 443 # web
+ 51820 # wireguard
+ ];
+ # interfaces.wg0 = {
+ # allowedTCPPorts = [
+ # 2049
+ # 61208 # foo
+ # ];
+ # };
+ };
+ };
+
+ environment.systemPackages = with pkgs; [ goaccess xd nyx ];
+
+ programs = {
+ mtr.enable = true;
+ fuse.userAllowOther = true;
+ };
+
+ security.acme.defaults.email = "webmaster@szczepan.ski";
+ security.acme.acceptTerms = true;
+
+ services = {
+ fail2ban = {
+ enable = true;
+
+ jails.DEFAULT = ''
+ bantime = 7d
+ '';
+
+ jails.sshd = ''
+ filter = sshd
+ maxretry = 4
+ action = iptables[name=ssh, port=ssh, protocol=tcp]
+ enabled = true
+ '';
+ };
+
+ borgbackup.jobs.home = rec {
+ compression = "auto,zstd";
+ encryption = {
+ mode = "repokey-blake2";
+ passphrase = secrets.borg-key;
+ };
+ extraCreateArgs =
+ "--stats --verbose --checkpoint-interval 600 --exclude-caches";
+ environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
+ paths = [ "/home/alex" "/var/lib" ];
+ repo = secrets.borg-repo;
+ startAt = "daily";
+ prune.keep = {
+ daily = 7;
+ weekly = 4;
+ monthly = 6;
+ };
+ extraPruneArgs = "--save-space --stats";
+ exclude = [ "/home/alex/.cache" ];
+ };
+ };
+
+ # Limit stack size to reduce memory usage
+ systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
+
+ system.stateVersion = "22.05";
+}
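Review bot: `privateKey = secrets.wireguard-vps-private;`, the five `presharedKey = secrets.wireguard-preshared;` entries and `passphrase = secrets.borg-key;` in machine/vps3.nix splice secret material into the evaluated system closure, and NixOS writes that closure to the world-readable `/nix/store`, so any local account on the VPS can read the WireGuard private key, the PSK and the borg repokey passphrase; the modules provide `privateKeyFile`, `presharedKeyFile` and `encryption.passCommand` precisely so the secret is read from a root-only file at activation/run time instead. Separately, all five peers share one preshared key, which gives up the per-peer property a PSK is for: a leaked PSK from one client (the phone, say) weakens the other four tunnels as well, so each peer should get its own. Also note the `postSetup`/`postShutdown` NAT rules match `-o ens3` while the only uplink configured in this file is `interfaces.ens18`; unless ens3 also exists on this host, the MASQUERADE rule never matches and forwarded client traffic leaves with its 10.100.0.0/24 source (and `net.ipv4.ip_forward` is not enabled anywhere in this hunk, so it has to come from common.nix or elsewhere — worth confirming). The public keys can stay in secrets.nix; only the private key, PSKs and passphrase need to move out of the store, as sketched below.
```nix
wg0 = {
  # … unchanged: ips, listenPort, postSetup, postShutdown (check -o ens3 vs interfaces.ens18) …
  # Read by root at activation; never enters /nix/store. Keep the file 0400 root:root.
  privateKeyFile = "/var/lib/wireguard/wg0.key";
  peers = [
    {
      publicKey = secrets.wireguard-desktop-public;
      presharedKeyFile = "/var/lib/wireguard/desktop.psk"; # one PSK per peer
      allowedIPs = [ "10.100.0.2/32" ];
    }
    # … unchanged: mini, mbp, phone1, raspberrypi peers, each with its own presharedKeyFile …
  ];
};
# … unchanged: firewall, environment.systemPackages, programs, acme, fail2ban …
borgbackup.jobs.home = rec {
  compression = "auto,zstd";
  encryption = {
    mode = "repokey-blake2";
    # root-only file instead of a passphrase literal in the store
    passCommand = "cat /var/lib/borgbackup/passphrase";
  };
  # … unchanged: extraCreateArgs, BORG_RSH, paths, repo, startAt, prune, extraPruneArgs, exclude …
};
```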