Last active
May 6, 2023 16:27
-
-
Save ghuntley/9369011a979ce2422d9851e38e784895 to your computer and use it in GitHub Desktop.
ghuntley-net
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Edit this configuration file to define what should be installed on | |
# your system. Help is available in the configuration.nix(5) man page | |
# and in the NixOS manual (accessible by running ‘nixos-help’). | |
{ config, lib, pkgs, ... }: | |
{ | |
imports = | |
[ | |
./hardware-configuration.nix | |
]; | |
boot.loader.grub.enable = true; | |
boot.loader.grub.version = 2; | |
boot.loader.grub.device = "/dev/vda"; | |
networking.hostName = "ghuntley-net"; | |
time.timeZone = "UTC"; | |
networking.useDHCP = false; | |
networking.interfaces.ens3.useDHCP = true; | |
i18n.defaultLocale = "en_US.UTF-8"; | |
console = { | |
font = "Lat2-Terminus16"; | |
keyMap = "us"; | |
}; | |
users.users.ghuntley = { | |
isNormalUser = true; | |
extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’ for the user. | |
}; | |
environment.systemPackages = with pkgs; [ | |
nixpkgs-fmt | |
elinks | |
vim | |
htop | |
tmux | |
docker | |
restic | |
rclone | |
imagemagick | |
parted | |
mastodon | |
]; | |
services.tailscale.enable = true; | |
boot.kernel.sysctl."net.ipv4.ip_forward" = 1; | |
services.openssh.enable = true; | |
services.openssh.passwordAuthentication = false; | |
services.openssh.permitRootLogin = "no"; | |
programs.mosh.enable = true; | |
security.acme.email = "ghuntley@ghuntley.com"; | |
security.acme.acceptTerms = true; | |
services.nginx = { | |
enable = true; | |
# Use recommended settings | |
recommendedGzipSettings = true; | |
recommendedOptimisation = true; | |
recommendedProxySettings = true; | |
recommendedTlsSettings = true; | |
# Only allow PFS-enabled ciphers with AES256 | |
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; | |
commonHttpConfig = '' | |
# Add HSTS header with preloading to HTTPS requests. | |
# Adding this header to HTTP requests is discouraged | |
map $scheme $hsts_header { | |
https "max-age=31536000; includeSubdomains; preload"; | |
} | |
add_header Strict-Transport-Security $hsts_header; | |
# Enable CSP for your services. | |
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; | |
# Minimize information leaked to other domains | |
add_header 'Referrer-Policy' 'origin-when-cross-origin'; | |
# Disable embedding as a frame | |
add_header X-Frame-Options DENY; | |
# Prevent injection of code in other mime types (XSS Attacks) | |
add_header X-Content-Type-Options nosniff; | |
# Enable XSS protection of the browser. | |
# May be unnecessary when CSP is configured properly (see above) | |
add_header X-XSS-Protection "1; mode=block"; | |
# This might create errors | |
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; | |
''; | |
}; | |
services.nginx.virtualHosts."ghuntley.net" = { | |
forceSSL = false; | |
enableACME = true; | |
root = "/srv/ghuntley.net"; | |
}; | |
services.nginx.virtualHosts."ghuntley.com" = { | |
forceSSL = true; | |
enableACME = true; | |
locations."/" = { | |
extraConfig = '' | |
proxy_pass http://localhost:3001; | |
proxy_pass_header Authorization; | |
proxy_http_version 1.1; | |
proxy_ssl_server_name on; | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection "upgrade"; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
proxy_buffering off; | |
''; | |
}; | |
locations."/.well-known/webfinger" = { | |
extraConfig = '' | |
return 301 https://fediverse.ghuntley.com$request_uri; | |
''; | |
}; | |
locations."/linktree/" = { | |
extraConfig = '' | |
alias /srv/ghuntley.com/static/linktree/; | |
''; | |
}; | |
locations."/notes/" = { | |
extraConfig = '' | |
proxy_pass https://ghuntleynotes.netlify.app; | |
proxy_pass_header Authorization; | |
proxy_http_version 1.1; | |
proxy_ssl_server_name on; | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection "upgrade"; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
proxy_buffering off; | |
''; | |
}; | |
}; | |
services.nginx.virtualHosts."fediverse.ghuntley.com" = { | |
forceSSL = true; | |
enableACME = true; | |
root = "${config.services.mastodon.package}/public/"; | |
locations."/system/".alias = "/var/lib/mastodon/public-system/"; | |
locations."/" = { | |
tryFiles = "$uri @proxy"; | |
}; | |
locations."@proxy" = { | |
proxyPass = (if config.services.mastodon.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(config.services.mastodon.webPort)}"); | |
proxyWebsockets = true; | |
}; | |
locations."/api/v1/streaming/" = { | |
proxyPass = (if config.services.mastodon.enableUnixSocket then "http://unix:/run/mastodon-streaming/streaming.socket" else "http://127.0.0.1:${toString(config.services.mastodon.streamingPort)}/"); | |
proxyWebsockets = true; | |
}; | |
}; | |
# | |
# https://docs.joinmastodon.org/admin/config/ | |
# | |
services.elasticsearch.enable = true; | |
services.elasticsearch.package = pkgs.elasticsearch7; | |
services.mastodon.elasticsearch.host = "localhost"; | |
services.mastodon.enable = true; | |
services.mastodon.enableUnixSocket = false; | |
services.mastodon.configureNginx = false; | |
services.mastodon.localDomain = "ghuntley.com"; | |
services.mastodon.extraConfig = { | |
ALTERNATE_DOMAINS = "geoffreyhuntley.com"; | |
WEB_DOMAIN = "fediverse.ghuntley.com"; | |
SINGLE_USER_MODE = "true"; | |
EMAIL_DOMAIN_ALLOWLIST = "ghuntley.com"; | |
RAILS_LOG_LEVEL = "debug"; | |
}; | |
services.mastodon.smtp.fromAddress = "mastodon@fediverse.ghuntley.com"; | |
#services.mastodon.smtp.authenticate = true; | |
#services.mastodon.smtp.user = "postmaster@mg.ghuntley.com"; | |
#services.mastodon.smtp.host = "smtp.mailgun.org"; | |
#services.mastodon.smtp.port = 465; | |
virtualisation.oci-containers.containers = { | |
ghost = { | |
image = "ghost:5.8"; | |
ports = [ "3001:2368" ]; | |
volumes = [ | |
"/srv/ghuntley.com/ghost:/var/lib/ghost/content:cached" | |
]; | |
environment = { | |
url = "https://ghuntley.com"; | |
}; | |
}; | |
}; | |
systemd.services.docker-pull = { | |
serviceConfig.User = "root"; | |
serviceConfig.Type = "oneshot"; | |
path = [ | |
pkgs.docker | |
pkgs.systemd | |
]; | |
script = '' | |
${pkgs.docker}/bin/docker pull ghost | |
${pkgs.systemd}/bin/systemctl restart docker-ghost | |
''; | |
}; | |
systemd.timers.docker-pull = { | |
wantedBy = [ "timers.target" ]; | |
partOf = [ "updateghost.service" ]; | |
timerConfig.OnCalendar = "daily"; | |
}; | |
services.postgresqlBackup.enable = true; | |
services.postgresqlBackup.databases = [ "mastodon" ]; | |
services.postgresqlBackup.location = "/srv/postgresql"; | |
systemd.services.backup = { | |
serviceConfig.User = "root"; | |
serviceConfig.Type = "oneshot"; | |
path = [ | |
pkgs.rsync | |
pkgs.openssh | |
]; | |
script = '' | |
${pkgs.rsync}/bin/rsync --archive --verbose --human-readable --delete-after --stats --compress /etc/nixos redacted@redacted.example.com:machines/ghuntley.net/etc/nixos | |
${pkgs.rsync}/bin/rsync --archive --verbose --human-readable --delete-after --stats --compress /srv redacted@redacted.example.com:machines/ghuntley.net/srv | |
${pkgs.rsync}/bin/rsync --archive --verbose --human-readable --delete-after --stats --compress /var/lib/mastodon redacted@redacted.example.com:machines/ghuntley.net/var/lib/mastodon | |
${pkgs.rsync}/bin/rsync --archive --verbose --human-readable --delete-after --stats --compress /var/lib/postgresql redacted@redacted.example.com:machines/ghuntley.net/var/lib/postgresql | |
${pkgs.rsync}/bin/rsync --archive --verbose --human-readable --delete-after --stats --compress /var/lib/elasticsearch redacted@redacted.example.com:machines/ghuntley.net/var/lib/elasticsearch | |
''; | |
}; | |
systemd.timers.backup = { | |
wantedBy = [ "timers.target" ]; | |
partOf = [ "prunebackups.service" ]; | |
timerConfig.OnCalendar = "hourly"; | |
}; | |
networking.firewall.allowedTCPPorts = [ 80 443 ]; | |
networking.firewall.allowedUDPPorts = [ 80 443 60000 60001 60002 60003 60004 60005 60006 60007 60008 60009 60010 ]; | |
networking.firewall.enable = true; | |
services.fail2ban.enable = true; | |
nix.autoOptimiseStore = true; | |
nix.gc = { | |
automatic = true; | |
dates = "weekly"; | |
options = "--delete-older-than 30d"; | |
}; | |
system.autoUpgrade.enable = true; | |
nixpkgs.config.allowUnfree = true; | |
# This value determines the NixOS release from which the default | |
# settings for stateful data, like file locations and database versions | |
# on your system were taken. It‘s perfectly fine and recommended to leave | |
# this value at the release version of the first install of this system. | |
# Before changing this value read the documentation for this option | |
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). | |
system.stateVersion = "21.05"; # Did you read the comment? | |
} | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment