BeiNacht/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added etesync

Browse Source
This commit is contained in:
Alexander Szczepanski
2021-12-02 08:42:29 +01:00
parent 2bdb4244b3
commit 527b387c2e
23 changed files with 743 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

125
machine/vps.nix
View File

@ -1,6 +1,8 @@
{ config, lib, pkgs, ... }:
let
secrets-desktop = import ../configs/secrets-desktop.nix;
secrets = import ../configs/secrets.nix;
be = import ../configs/borg-exclude.nix;
in
{
imports =
@ -22,7 +24,21 @@ in
time.timeZone = "Europe/Berlin";
networking = {
useDHCP = false;
interfaces.ens3.useDHCP = true;
# defaultGateway = {
# "address" = "gw.contabo.net";
# "interface" = "ens18";
# };
interfaces.ens18 = {
useDHCP = true;
# ipv4.addresses = [ {
# address = "207.180.220.97";
# prefixLength = 24;
# } ];
ipv6.addresses = [ {
address = "2a02:c207:3008:1547::1";
prefixLength = 64;
} ];
};
wireguard.interfaces = {
wg0 = {
ips = [ "10.100.0.1/24" ];
@ -49,12 +65,18 @@ in
nat = {
enable = true;
externalInterface = "ens3";
externalInterface = "ens18";
internalInterfaces = [ "wg0" ];
};
firewall = {
allowedTCPPorts = [ 80 443 22000 ];
allowedUDPPorts = [ 80 443 51820 ];
interfaces.wg0 = {
allowedTCPPorts = [ 61208 19999 ];
};
# extraCommands = ''
# iptables -A nixos-fw -p tcp --source 10.100.0.0/24 --dport 19999:19999 -j nixos-fw-accept
# '';
};
};
@ -62,66 +84,53 @@ in
security.acme.email = "webmaster@szczepan.ski";
security.acme.acceptTerms = true;
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "0";
services = {
fail2ban = {
enable = true;
virtualHosts = {
"szczepan.ski" = {
forceSSL = true;
enableACME = true;
#root = "/var/www/myhost.org";
};
"nextcloud.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8080/";
extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
'';
};
"/.well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav";
};
"/.well-known/caldav" = {
return = "301 $scheme://$host/remote.php/dav";
};
};
};
"firefly.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8081/";
};
};
};
jails.DEFAULT =
''
bantime = 7d
'';
jails.sshd =
''
filter = sshd
maxretry = 4
action = iptables[name=ssh, port=ssh, protocol=tcp]
enabled = true
'';
};
netdata.enable = true;
syncthing = {
user = "alex";
group = "users";
enable = true;
dataDir = "/home/alex";
configDir = "/home/alex/.config/syncthing";
};
};
services.fail2ban = {
enable = true;
jails.DEFAULT =
''
bantime = 7d
'';
jails.sshd =
''
filter = sshd
maxretry = 4
action = iptables[name=ssh, port=ssh, protocol=tcp]
enabled = true
'';
borgbackup.jobs.home = rec {
compression = "auto,zstd";
encryption = {
mode = "repokey-blake2" ;
passphrase = secrets-desktop.borg-key;
};
extraCreateArgs = "--list --stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
paths = "/home/alex";
repo = "ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg";
startAt = "daily";
# user = "alex";
prune.keep = {
daily = 7;
weekly = 4;
monthly = 6;
};
extraPruneArgs = "--save-space --list --stats";
exclude = map (x: paths + "/" + x) be.borg-exclude;
};
};
# Limit stack size to reduce memory usage