| author | Valentin <valentin@fricklerhandwerk.de> | 2025-11-11 13:34:09 +0100 |
|---|---|---|
| committer | Valentin <valentin@fricklerhandwerk.de> | 2025-11-11 16:21:51 +0100 |
| commit | 293b48f4946cb1e88f21abe665dcd18106b48e11 (patch) | |
| tree | ee46989d138de3d97815f418e6a935c4d2b0f988 | |
| parent | 2c599720401012630cd633ee311404e2ccfcef91 (diff) | |
Konfiguration klarer nach Aspekten unterteilt
Insbesondere behandelt das Modul für die Website nur noch dieses spezifische Anliegen.
| -rw-r--r-- | default.nix | 9 | ||||
| -rw-r--r-- | tharos.nix | 133 | ||||
| -rw-r--r-- | tharos/boot.nix | 51 | ||||
| -rw-r--r-- | tharos/caddy.nix | 29 | ||||
| -rw-r--r-- | tharos/cgit.nix (renamed from cgit.nix) | 1 | ||||
| -rw-r--r-- | tharos/default.nix | 49 | ||||
| -rw-r--r-- | tharos/nextcloud.nix (renamed from nextcloud.nix) | 0 | ||||
| -rw-r--r-- | tharos/security.nix | 46 | ||||
| -rw-r--r-- | www/caddy.nix | 29 |
9 files changed, 183 insertions, 164 deletions
diff --git a/default.nix b/default.nix
index 86ccd40..1e20ba6 100644
--- a/default.nix
+++ b/default.nix
@@ -30,14 +30,7 @@ flake-parts.lib.mkFlake
 with lib.fileset;
 toList (
 # Alle Nix-Dateien in diesem Projekt sind Flake-Parts-Module
- fileFilter (
- file:
- file.hasExt "nix"
- && !lib.elem file.name [
- "flake.nix"
- "default.nix"
- ]
- ) ./.
+ difference (fileFilter (file: file.hasExt "nix" && file.name != "flake.nix") ./.) ./default.nix
 );
 systems = [ "x86_64-linux" ];
 }
diff --git a/tharos.nix b/tharos.nix
deleted file mode 100644
index 6d96754..0000000
--- a/tharos.nix
+++ /dev/null
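Review bot: The context comment `# Alle Nix-Dateien in diesem Projekt sind Flake-Parts-Module` is no longer accurate for the new expression, which excludes `flake.nix` (by name, anywhere in the tree) and only the top-level `./default.nix` — that narrowing is what lets `tharos/default.nix` be picked up as a module, and a reader should not have to consult history to learn it. Suggest `# Every Nix file except flake.nix and this file is a flake-parts module; nested default.nix files are modules too`. Note also that any `.nix` file dropped anywhere in the tree is silently imported into every machine's configuration, so scratch or vendored Nix files must not be committed.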
@@ -1,133 +0,0 @@
-{
- self,
- inputs,
- lib,
- ...
-}:
-{
- flake.machines.tharos = {
- bootstrap-target = "root@${self.machines.tharos.deploy-target}";
- # Administratoren verbinden sich mit ihrem selbst festgelegten Nutzernamen
- deploy-target = "81.169.239.254";
- nixos =
- {
- config,
- pkgs,
- modulesPath,
- ...
- }:
-
- {
- imports = [
- inputs.disko.nixosModules.default
- "${modulesPath}/profiles/qemu-guest.nix"
- ];
-
- nixpkgs.hostPlatform = "x86_64-linux";
- system.stateVersion = "25.05";
-
- services.cloud-init = {
- enable = true;
- network.enable = true;
- };
- # `cloud-init` übernimmt Netzwerkeinstellungen
- networking.useDHCP = false;
-
- # Kein Login für Nutzer die nicht explizit deklariert sind
- users.mutableUsers = false;
- users.users = lib.mapAttrs (username: keyFiles: {
- isNormalUser = true;
- openssh.authorizedKeys.keyFiles = keyFiles;
- # ANMERKUNG: Der Einfachheit halber sind bis auf Weiteres alle Nutzer mit SSH-Zugang auch Administratoren
- extraGroups = [ "wheel" ];
- }) self.keys;
-
- /*
- `sudo` über SSH ohne Passworteingabe
- ANMERKUNG: Nutzer sollten in ihrem ` ~/.ssh/config` für die Maschine einstellen:
-
- ForwardAgent: yes
- */
- security.pam.sshAgentAuth.enable = true;
- security.pam.services.sudo.sshAgentAuth = true;
-
- # Nur Administratoren können den angemeldeten Benutzer wechseln
- security.pam.services.su.requireWheel = true;
-
- networking.firewall.allowPing = true;
- services.openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- PermitRootLogin = "prohibit-password";
- };
- };
-
- nix = {
- settings.trusted-users = [
- "root"
- "@wheel"
- ];
- settings.experimental-features = [
- "nix-command"
- "flakes"
- ];
- };
-
- disko.devices.disk.main = {
- device = "/dev/vda";
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- # Die KVM läuft auf SeaBIOS, daher muss es hier eine MBR-Partition sein
- boot = {
- size = "1M";
- type = "EF02";
- };
- root = {
- size = "100%";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- };
- };
- };
- };
- };
-
- /*
- ANMERKUNG: Erhalten durch:
-
- nix run .#machines.infect-tharos -- --no-reboot --generate-hardware-config nixos-hardware-config <datei>
- */
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "virtio_blk"
- ];
- boot.kernelModules = [ "kvm-amd" ];
- };
-
- vm =
- {
- config,
- lib,
- pkgs,
- ...
- }:
- {
- virtualisation = {
- memorySize = 4096;
- diskSize = 4096;
- cores = 2;
- graphics = false;
- };
-
- services.cloud-init.enable = lib.mkForce false;
- networking.useDHCP = lib.mkForce true;
- };
- };
-}
diff --git a/tharos/boot.nix b/tharos/boot.nix
new file mode 100644
index 0000000..1843e63
--- /dev/null
+++ b/tharos/boot.nix
@@ -0,0 +1,51 @@
+{ inputs, ... }:
+{
+ flake.machines.tharos = {
+ nixos =
+ {
+ modulesPath,
+ ...
+ }:
+ {
+ imports = [
+ inputs.disko.nixosModules.default
+ "${modulesPath}/profiles/qemu-guest.nix"
+ ];
+ disko.devices.disk.main = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ # Die KVM läuft auf SeaBIOS, daher muss es hier eine MBR-Partition sein
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+
+ /*
+ ANMERKUNG: Erhalten durch:
+
+ nix run .#machines.infect-tharos -- --no-reboot --generate-hardware-config nixos-hardware-config <datei>
+ */
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_blk"
+ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ };
+ };
+}
diff --git a/tharos/caddy.nix b/tharos/caddy.nix
new file mode 100644
index 0000000..fc152c7
--- /dev/null
+++ b/tharos/caddy.nix
@@ -0,0 +1,29 @@
+{ self, ... }:
+{
+ flake.domain = "heimfeld.hamburg";
+ flake.machines.tharos = {
+ nixos =
+ { ... }:
+ {
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.caddy = {
+ enable = true;
+ email = "redaktion@${self.domain}";
+ };
+ };
+
+ vm =
+ { pkgs, ... }:
+ {
+ services.caddy.globalConfig = ''
+ local_certs
+ '';
+
+ systemd.services.caddy.path = [ pkgs.nssTools ]; # Irrelevante Warnung unterdrücken
+ };
+ };
+}
diff --git a/cgit.nix b/tharos/cgit.nix
index 542245f..b4a75c3 100644
--- a/cgit.nix
+++ b/tharos/cgit.nix
@@ -69,7 +69,6 @@
 vm =
 {
 config,
- pkgs,
 lib,
 ...
 }:
diff --git a/tharos/default.nix b/tharos/default.nix
new file mode 100644
index 0000000..65f2024
--- /dev/null
+++ b/tharos/default.nix
@@ -0,0 +1,49 @@
+{
+ self,
+ ...
+}:
+{
+ flake.machines.tharos = {
+ bootstrap-target = "root@${self.machines.tharos.deploy-target}";
+ # Administratoren verbinden sich mit ihrem selbst festgelegten Nutzernamen
+ deploy-target = "81.169.239.254";
+ nixos =
+ { ... }:
+ {
+ nixpkgs.hostPlatform = "x86_64-linux";
+ system.stateVersion = "25.05";
+
+ services.cloud-init = {
+ enable = true;
+ network.enable = true;
+ };
+ # `cloud-init` übernimmt Netzwerkeinstellungen
+ networking.useDHCP = false;
+
+ nix = {
+ settings.trusted-users = [
+ "root"
+ "@wheel"
+ ];
+ settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
+
+ vm =
+ { lib, ... }:
+ {
+ virtualisation = {
+ memorySize = 4096;
+ diskSize = 4096;
+ cores = 2;
+ graphics = false;
+ };
+
+ services.cloud-init.enable = lib.mkForce false;
+ networking.useDHCP = lib.mkForce true;
+ };
+ };
+}
diff --git a/nextcloud.nix b/tharos/nextcloud.nix
index eedb507..eedb507 100644
--- a/nextcloud.nix
+++ b/tharos/nextcloud.nix
diff --git a/tharos/security.nix b/tharos/security.nix
new file mode 100644
index 0000000..03b59dc
--- /dev/null
+++ b/tharos/security.nix
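Review bot: `flake.domain = "heimfeld.hamburg";` is declared in the Caddy module although it is not a Caddy concern — `www/caddy.nix` in this same commit dereferences `self.domain` for its virtual host, and a reader looking for where the domain is set will not expect it under `tharos/caddy.nix`. `tharos/default.nix`, which already carries the other machine-wide facts (`deploy-target`, `nixpkgs.hostPlatform`, `system.stateVersion`), is the natural home and matches the commit's stated goal of splitting by aspect. Separately, only TCP 80/443 are opened; Caddy enables HTTP/3 by default and advertises it via Alt-Svc, so without `networking.firewall.allowedUDPPorts = [ 443 ];` clients presumably attempt QUIC and fall back to TCP — harmless, but worth either opening the port or noting the omission in a comment.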
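Review bot: `nix.settings.trusted-users = [ "root" "@wheel" ]` makes every `wheel` member root-equivalent towards the Nix daemon (trusted users may override `substituters`, `sandbox` and similar settings and thereby introduce arbitrary store paths), which is only acceptable here because `tharos/security.nix` already gives all those users sudo; that dependency should be stated at the declaration, e.g. `# trusted-users are root-equivalent; tolerable only because every wheel member already has sudo`. The other point is `services.cloud-init.enable = true` on a host with declarative users: cloud-init's default module set includes the `ssh`/`users-groups` handlers that write SSH keys from the provider metadata into root's authorized_keys, which is presumably how `bootstrap-target = "root@…"` works — if so, that is the one non-declarative route onto the machine and deserves a comment, or `services.cloud-init.config` should be narrowed to the network modules the `# cloud-init übernimmt Netzwerkeinstellungen` comment describes.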
@@ -0,0 +1,46 @@
+{
+ self,
+ inputs,
+ ...
+}:
+{
+ flake.machines.tharos = {
+ nixos =
+ {
+ lib,
+ modulesPath,
+ ...
+ }:
+ {
+ # Kein Login für Nutzer die nicht explizit deklariert sind
+ users.mutableUsers = false;
+ users.users = lib.mapAttrs (username: keyFiles: {
+ isNormalUser = true;
+ openssh.authorizedKeys.keyFiles = keyFiles;
+ # ANMERKUNG: Der Einfachheit halber sind bis auf Weiteres alle Nutzer mit SSH-Zugang auch Administratoren
+ extraGroups = [ "wheel" ];
+ }) self.keys;
+
+ /*
+ `sudo` über SSH ohne Passworteingabe
+ ANMERKUNG: Nutzer sollten in ihrem ` ~/.ssh/config` für die Maschine einstellen:
+
+ ForwardAgent: yes
+ */
+ security.pam.sshAgentAuth.enable = true;
+ security.pam.services.sudo.sshAgentAuth = true;
+
+ # Nur Administratoren können den angemeldeten Benutzer wechseln
+ security.pam.services.su.requireWheel = true;
+
+ networking.firewall.allowPing = true;
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "prohibit-password";
+ };
+ };
+ };
+ };
+}
diff --git a/www/caddy.nix b/www/caddy.nix
index 8797204..6721316 100644
--- a/www/caddy.nix
+++ b/www/caddy.nix
@@ -8,27 +8,17 @@ let }; in {
- flake.domain = "heimfeld.hamburg";
 flake.machines.tharos = { nixos = { lib, ... }: {
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- ];
-
- services.caddy = {
- enable = true;
- email = "redaktion@${self.domain}";
- virtualHosts.${self.domain} = {
- serverAliases = [ "www.${self.domain}" ];
- extraConfig = ''
- file_server
- root * /var/www/${self.domain}
- encode gzip
- '';
- };
+ services.caddy.virtualHosts.${self.domain} = {
+ serverAliases = [ "www.${self.domain}" ];
+ extraConfig = ''
+ file_server
+ root * /var/www/${self.domain}
+ encode gzip
+ '';
+ };
 }; systemd.tmpfiles.rules = [
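Review bot: The comment above `security.pam.sshAgentAuth.enable = true;` tells users to put `ForwardAgent: yes` in their ssh_config, which is not valid syntax there (it is `ForwardAgent yes`), and it should also warn that a forwarded agent can be used by anyone with root on this host — which, given `extraGroups = [ "wheel" ]` for every entry in `self.keys`, is every SSH user — to sign with every key loaded in that agent, so the directive belongs in a `Host` block for this machine only, ideally combined with `ssh-add -c` or a dedicated key. `PasswordAuthentication = false` alone does not close PAM password prompts, because NixOS leaves `KbdInteractiveAuthentication` at its default of true; the declared users have no password, so nothing is exploitable today, but `KbdInteractiveAuthentication = false;` next to the existing setting makes the intent explicit and survives a future `hashedPassword`. `PermitRootLogin = "prohibit-password"` keeps key-based root login open while this module declares keys only for the normal users from `self.keys`; if that is intentional for the `root@…` bootstrap target, a one-line comment saying where root's authorized keys come from would spare the next reader the search. The module's argument list also names `inputs` and `modulesPath` without using either.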
@@ -45,16 +35,11 @@ in ... }: {
- services.caddy.globalConfig = ''
- local_certs
- '';
 services.caddy.virtualHosts = { "http://www.localhost:${toString config.virtualisation.exposedPorts.http.port}".extraConfig = config.services.caddy.virtualHosts.${self.domain}.extraConfig; };
- systemd.services.caddy.path = [ pkgs.nssTools ]; # Irrelevante Warnung unterdrücken
-
 services.getty.helpLine = lib.mkBefore '' ${self.domain}: http://www.localhost:${ with config.virtualisation; toString (portOffset + exposedPorts.http.port) |
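Review bot: Removing the `systemd.services.caddy.path = [ pkgs.nssTools ];` line leaves `pkgs` unused in this `vm` module if it is still named in the argument list; that list starts above the hunk, so I cannot see it, but `cgit.nix` in this same commit drops its now-unused `pkgs` argument and this module should be brought in line the same way. The enclosing `vm = { … }:` function begins before the hunk and its body continues after it.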
