diff --git a/home/system/sops/server.nix b/home/system/sops/server.nix
index 09fd384..0bbddf4 100644
--- a/home/system/sops/server.nix
+++ b/home/system/sops/server.nix
@@ -9,6 +9,11 @@
 secrets = {
 sshconfig = { path = "/home/hadi/.ssh/config"; };
 github-key = { path = "/home/hadi/.ssh/github"; };
+ nextcloud-adminpass = {
+ path = "/etc/nextcloud/adminpassFile";
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
 };
 };
diff --git a/hosts/modules/nginx.nix b/hosts/modules/nginx.nix
deleted file mode 100644
index 33b15fb..0000000
--- a/hosts/modules/nginx.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- services.nginx = {
- enable = true;
- virtualHosts = {
- "test.anotherhadi.com" = {
- locations."/" = {
- proxy_set_header = [
- "X-Real-IP $remote_addr"
- "proxy_set_header Host $host"
- "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for"
- ];
- proxyPass = "http://192.168.2.22:80";
- };
- };
- };
- };
-}
diff --git a/hosts/modules/openssh.nix b/hosts/modules/openssh.nix
deleted file mode 100644
index 6cc3d83..0000000
--- a/hosts/modules/openssh.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- services.openssh = {
- enable = true;
- ports = [ 22 ];
- };
-}
diff --git a/hosts/modules/server/nextcloud.nix b/hosts/modules/server/nextcloud.nix
new file mode 100644
index 0000000..67ffc83
--- /dev/null
+++ b/hosts/modules/server/nextcloud.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+let
+ hostname = "cloud.anotherhadi.com";
+in
+{
+ services.nextcloud = {
+ enable = true;
+ hostName = hostname;
+ https = true;
+ config = {
+ adminUser = "jack";
+ adminpassFile = "/etc/nextcloud/adminpassFile";
+ };
+ settings = {
+ trusted_domains = [ "localhost" "127.0.0.1" "192.168.2.23" "cloud.anotherhadi.com" ];
+ };
+ nginx.recommendedHttpHeaders = true;
+ };
+ services.nginx.virtualHosts.${hostname} = {
+ forceSSL = true;
+ enableACME = true;
+ }
+}
\ No newline at end of file
diff --git a/hosts/modules/server/nginx.nix b/hosts/modules/server/nginx.nix
new file mode 100644
index 0000000..f7401a0
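Review bot: The new `nextcloud-adminpass` secret is declared under `home/system/sops/`; if that file is loaded by the Home Manager sops-nix module rather than the NixOS one, `owner`/`group` are not options there and the user-level installer cannot write to `/etc/nextcloud`, so it is worth confirming which module consumes it. The target path is also duplicated as a string literal in nextcloud.nix; having the service read `config.sops.secrets.nextcloud-adminpass.path` instead would keep the two in sync when the secret is moved. No `mode` is given, so the secret falls back to the sops-nix default, which is the intended read-only-by-owner behaviour for a password file but deserves a one-line comment such as `# default mode 0400; nextcloud user only`. The enclosing `sops` set starts and ends outside the hunk.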
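Review bot: The binding `services.nginx.virtualHosts.${hostname} = { ... }` at the end of nextcloud.nix closes with `}` and is immediately followed by the file's closing `}` with no `;` in between, which is a Nix parse error; the last two lines should read `enableACME = true; };` then `}`. Separately, the NixOS nextcloud module reads `adminpassFile` only during the initial install to create the admin account, so rotating the sops secret later does not change the password; a comment like `# read once at first install; rotate the admin password in Nextcloud itself` next to that line would save the next maintainer a surprise. Minor: `trusted_domains` repeats the literal instead of `hostname`, and `pkgs` in the module arguments is unused.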
--- /dev/null
+++ b/hosts/modules/server/nginx.nix
@@ -0,0 +1,8 @@
+{config, ...}:{
+ services.nginx.enable = true;
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = ${config.var.git.email};
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/hosts/modules/server/openssh.nix b/hosts/modules/server/openssh.nix
new file mode 100644
index 0000000..6dd327e
--- /dev/null
+++ b/hosts/modules/server/openssh.nix
@@ -0,0 +1,14 @@
+{
+ services.openssh = {
+ enable = true;
+ ports = [ 22 ];
+ settings = {
+ PasswordAuthentication = true;
+ AllowUsers = null; # Allows all users by default. Can be [ "user1" "user2" ]
+ UseDns = true;
+ X11Forwarding = false;
+ PermitRootLogin = "no"; # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 22 ];
+}
diff --git a/hosts/modules/server/security.nix b/hosts/modules/server/security.nix
new file mode 100644
index 0000000..1123365
--- /dev/null
+++ b/hosts/modules/server/security.nix
@@ -0,0 +1,7 @@
+{
+ networking.firewall.enable = true;
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ };
+}
\ No newline at end of file
diff --git a/hosts/modules/server/vaultwarden.nix b/hosts/modules/server/vaultwarden.nix
new file mode 100644
index 0000000..faa3581
--- /dev/null
+++ b/hosts/modules/server/vaultwarden.nix
@@ -0,0 +1,9 @@
+let
+
+in{
+ services.vaultwarden = {
+ enable = true;
+ config = ''
+
+ }
+}
\ No newline at end of file
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 4e73dcc..d613595 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -2,8 +2,8 @@
 imports = [
 ./hardware-configuration.nix
 ./variables.nix
- ../modules/openssh.nix
- ../modules/nginx.nix
+ ../modules/server/openssh.nix
+ ../modules/server/nginx.nix
 ];
 # Bootloader.
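Review bot: `defaults.email = ${config.var.git.email};` in nginx.nix uses `${...}` outside of a string, which Nix does not accept; it should be `defaults.email = config.var.git.email;` (or a quoted `"${config.var.git.email}"`). `config.var.git.email` looks like a custom option, presumably declared in the `variables.nix` imported by configuration.nix, so the ACME registration silently depends on that file being present on every host that imports this module. Since this nginx instance fronts Nextcloud over HTTPS, enabling `recommendedTlsSettings = true;` and `recommendedProxySettings = true;` alongside `enable = true;` would give it the module's hardened TLS and proxy-header defaults instead of upstream nginx defaults.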
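Review bot: `PasswordAuthentication = true;` in openssh.nix leaves password logins enabled on a port the same file opens in the firewall, so the sshd jail that fail2ban adds in security.nix becomes the only brake on credential guessing; the usual server baseline is `PasswordAuthentication = false;` together with `KbdInteractiveAuthentication = false;` once key-based access is confirmed. `UseDns = true;` diverges from the upstream default of no and only matters when `authorized_keys` entries use hostname-based `from=` patterns; otherwise it just slows every login on DNS timeouts, so a comment stating why it is on would help. `networking.firewall.allowedTCPPorts = [ 22 ];` is redundant with `services.openssh.openFirewall`, which already defaults to true, and can be dropped to keep one source of truth for the port.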
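Review bot: security.nix sets `maxretry = 5;` but keeps the default fixed ban length, so a patient scanner can simply wait out each ban; `bantime-increment.enable = true;` makes repeat offenders' bans grow instead. An `ignoreIP` entry for the LAN prefix the other modules reference (the `192.168.2.0/24` range, to be confirmed) avoids locking out the admin host after a few typos. `networking.firewall.enable = true;` is already the NixOS default, so a short comment such as `# explicit: the server modules rely on the firewall being on` would tell the reader it is deliberate rather than accidental.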
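Review bot: vaultwarden.nix does not parse: the `let` block is empty, `config = ''` opens an indented string that is never closed, and the `services.vaultwarden` binding has no terminating `;`. Beyond the syntax, `services.vaultwarden.config` is an attribute set of environment variables rather than a string, and the two settings that matter for an internet-facing instance are `SIGNUPS_ALLOWED = false` and a correct `DOMAIN`; an admin token should come from `environmentFile` so it stays out of the Nix store. The sketch below shows the shape of a complete module, with placeholders where this commit does not supply the values.
```nix
{
  services.vaultwarden = {
    enable = true;
    # ADMIN_TOKEN and other secrets belong in an env file outside the Nix store
    environmentFile = "<PLACEHOLDER: path to a secret-managed env file>";
    config = {
      DOMAIN = "https://<PLACEHOLDER: vault hostname>";
      SIGNUPS_ALLOWED = false;
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8222;
    };
  };
}
```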
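Review bot: The configuration.nix imports list only swaps in `../modules/server/openssh.nix` and `../modules/server/nginx.nix`; the security.nix, nextcloud.nix and vaultwarden.nix files added by this commit are not imported here, so unless another file pulls them in, fail2ban and the Nextcloud host are not actually active on this machine. Adding `../modules/server/security.nix` and `../modules/server/nextcloud.nix` to the list (vaultwarden.nix once it parses) closes that gap. The enclosing attribute set starts and ends outside the hunk.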