-rw-r--r--default.nix9
-rw-r--r--tharos.nix133
-rw-r--r--tharos/boot.nix51
-rw-r--r--tharos/caddy.nix29
-rw-r--r--tharos/cgit.nix (renamed from cgit.nix)1
-rw-r--r--tharos/default.nix49
-rw-r--r--tharos/nextcloud.nix (renamed from nextcloud.nix)0
-rw-r--r--tharos/security.nix46
-rw-r--r--www/caddy.nix29
9 files changed, 183 insertions, 164 deletions
diff --git a/default.nix b/default.nix
index 86ccd40..1e20ba6 100644
--- a/default.nix
+++ b/default.nix
@@ -30,14 +30,7 @@ flake-parts.lib.mkFlake
with lib.fileset;
toList (
# Alle Nix-Dateien in diesem Projekt sind Flake-Parts-Module
- fileFilter (
- file:
- file.hasExt "nix"
- && !lib.elem file.name [
- "flake.nix"
- "default.nix"
- ]
- ) ./.
+ difference (fileFilter (file: file.hasExt "nix" && file.name != "flake.nix") ./.) ./default.nix
);
systems = [ "x86_64-linux" ];
}
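Review bot: The comment above the new `difference` expression still claims that every Nix file in the project is a flake-parts module, while the expression now excepts exactly two files — `flake.nix` by name at any depth and the root `./default.nix` by path — so a `default.nix` in a subdirectory (the newly added `tharos/default.nix`) is now picked up, which the old name-based filter would have skipped. That is presumably the intent of the rewrite, but it is the one non-obvious consequence and should be stated. Suggested replacement comment: `# Every Nix file except flake.nix and this top-level default.nix is a flake-parts module; default.nix files in subdirectories (e.g. tharos/default.nix) are modules too`. The enclosing `mkFlake` call starts before the hunk.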
diff --git a/tharos.nix b/tharos.nix
deleted file mode 100644
index 6d96754..0000000
--- a/tharos.nix
+++ /dev/null
@@ -1,133 +0,0 @@
-{
- self,
- inputs,
- lib,
- ...
-}:
-{
- flake.machines.tharos = {
- bootstrap-target = "root@${self.machines.tharos.deploy-target}";
- # Administratoren verbinden sich mit ihrem selbst festgelegten Nutzernamen
- deploy-target = "81.169.239.254";
- nixos =
- {
- config,
- pkgs,
- modulesPath,
- ...
- }:
-
- {
- imports = [
- inputs.disko.nixosModules.default
- "${modulesPath}/profiles/qemu-guest.nix"
- ];
-
- nixpkgs.hostPlatform = "x86_64-linux";
- system.stateVersion = "25.05";
-
- services.cloud-init = {
- enable = true;
- network.enable = true;
- };
- # `cloud-init` übernimmt Netzwerkeinstellungen
- networking.useDHCP = false;
-
- # Kein Login für Nutzer die nicht explizit deklariert sind
- users.mutableUsers = false;
- users.users = lib.mapAttrs (username: keyFiles: {
- isNormalUser = true;
- openssh.authorizedKeys.keyFiles = keyFiles;
- # ANMERKUNG: Der Einfachheit halber sind bis auf Weiteres alle Nutzer mit SSH-Zugang auch Administratoren
- extraGroups = [ "wheel" ];
- }) self.keys;
-
- /*
- `sudo` über SSH ohne Passworteingabe
- ANMERKUNG: Nutzer sollten in ihrem ` ~/.ssh/config` für die Maschine einstellen:
-
- ForwardAgent: yes
- */
- security.pam.sshAgentAuth.enable = true;
- security.pam.services.sudo.sshAgentAuth = true;
-
- # Nur Administratoren können den angemeldeten Benutzer wechseln
- security.pam.services.su.requireWheel = true;
-
- networking.firewall.allowPing = true;
- services.openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- PermitRootLogin = "prohibit-password";
- };
- };
-
- nix = {
- settings.trusted-users = [
- "root"
- "@wheel"
- ];
- settings.experimental-features = [
- "nix-command"
- "flakes"
- ];
- };
-
- disko.devices.disk.main = {
- device = "/dev/vda";
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- # Die KVM läuft auf SeaBIOS, daher muss es hier eine MBR-Partition sein
- boot = {
- size = "1M";
- type = "EF02";
- };
- root = {
- size = "100%";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- };
- };
- };
- };
- };
-
- /*
- ANMERKUNG: Erhalten durch:
-
- nix run .#machines.infect-tharos -- --no-reboot --generate-hardware-config nixos-hardware-config <datei>
- */
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "virtio_blk"
- ];
- boot.kernelModules = [ "kvm-amd" ];
- };
-
- vm =
- {
- config,
- lib,
- pkgs,
- ...
- }:
- {
- virtualisation = {
- memorySize = 4096;
- diskSize = 4096;
- cores = 2;
- graphics = false;
- };
-
- services.cloud-init.enable = lib.mkForce false;
- networking.useDHCP = lib.mkForce true;
- };
- };
-}
diff --git a/tharos/boot.nix b/tharos/boot.nix
new file mode 100644
index 0000000..1843e63
--- /dev/null
+++ b/tharos/boot.nix
@@ -0,0 +1,51 @@
+{ inputs, ... }:
+{
+ flake.machines.tharos = {
+ nixos =
+ {
+ modulesPath,
+ ...
+ }:
+ {
+ imports = [
+ inputs.disko.nixosModules.default
+ "${modulesPath}/profiles/qemu-guest.nix"
+ ];
+ disko.devices.disk.main = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ # Die KVM läuft auf SeaBIOS, daher muss es hier eine MBR-Partition sein
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+
+ /*
+ ANMERKUNG: Erhalten durch:
+
+ nix run .#machines.infect-tharos -- --no-reboot --generate-hardware-config nixos-hardware-config <datei>
+ */
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_blk"
+ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ };
+ };
+}
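Review bot: The comment at L200 describes the `EF02` partition as an MBR partition, but the disk is declared `type = "gpt"` at L198 and `EF02` is the GPT "BIOS boot partition" type — the small area GRUB uses for its core image when booting a GPT disk under legacy BIOS/SeaBIOS — so the comment mislabels what is being created. Suggested wording: `# The VM boots via SeaBIOS (legacy BIOS), so a GPT BIOS-boot partition (EF02) is needed for GRUB's core image`. The `nix run …` provenance note at L217–L221 is useful; it would be worth adding that the module list at L222–L227 is host-specific output and should be regenerated rather than edited by hand.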
diff --git a/tharos/caddy.nix b/tharos/caddy.nix
new file mode 100644
index 0000000..fc152c7
--- /dev/null
+++ b/tharos/caddy.nix
@@ -0,0 +1,29 @@
+{ self, ... }:
+{
+ flake.domain = "heimfeld.hamburg";
+ flake.machines.tharos = {
+ nixos =
+ { ... }:
+ {
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.caddy = {
+ enable = true;
+ email = "redaktion@${self.domain}";
+ };
+ };
+
+ vm =
+ { pkgs, ... }:
+ {
+ services.caddy.globalConfig = ''
+ local_certs
+ '';
+
+ systemd.services.caddy.path = [ pkgs.nssTools ]; # Irrelevante Warnung unterdrücken
+ };
+ };
+}
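Review bot: `flake.domain = "heimfeld.hamburg"` at L240 is a project-wide value that `www/caddy.nix` consumes as `self.domain`, yet it now lives in the module that enables the reverse proxy and nothing at the definition site says it is shared; a one-line comment would keep the next refactor from moving it again, e.g. `# Shared by every module that publishes a virtual host (www/caddy.nix, …); defined once here`. The firewall entries at L245–L248 and `services.caddy.enable` at L251 are likewise what every per-site module silently relies on, so the same comment applies to them. The `email` at L252 is the ACME account contact used for certificate issuance, which the option name does not convey — `# ACME account contact for certificate issuance` above it would help.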
diff --git a/cgit.nix b/tharos/cgit.nix
index 542245f..b4a75c3 100644
--- a/cgit.nix
+++ b/tharos/cgit.nix
@@ -69,7 +69,6 @@
vm =
{
config,
- pkgs,
lib,
...
}:
diff --git a/tharos/default.nix b/tharos/default.nix
new file mode 100644
index 0000000..65f2024
--- /dev/null
+++ b/tharos/default.nix
@@ -0,0 +1,49 @@
+{
+ self,
+ ...
+}:
+{
+ flake.machines.tharos = {
+ bootstrap-target = "root@${self.machines.tharos.deploy-target}";
+ # Administratoren verbinden sich mit ihrem selbst festgelegten Nutzernamen
+ deploy-target = "81.169.239.254";
+ nixos =
+ { ... }:
+ {
+ nixpkgs.hostPlatform = "x86_64-linux";
+ system.stateVersion = "25.05";
+
+ services.cloud-init = {
+ enable = true;
+ network.enable = true;
+ };
+ # `cloud-init` übernimmt Netzwerkeinstellungen
+ networking.useDHCP = false;
+
+ nix = {
+ settings.trusted-users = [
+ "root"
+ "@wheel"
+ ];
+ settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
+
+ vm =
+ { lib, ... }:
+ {
+ virtualisation = {
+ memorySize = 4096;
+ diskSize = 4096;
+ cores = 2;
+ graphics = false;
+ };
+
+ services.cloud-init.enable = lib.mkForce false;
+ networking.useDHCP = lib.mkForce true;
+ };
+ };
+}
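Review bot: `nix.settings.trusted-users = [ "root" "@wheel" ]` at L308–L311 makes every wheel member root-equivalent with respect to the Nix daemon (trusted users may override daemon settings such as substituters and signature checks), and the new file carries no comment on why that is acceptable. It is defensible here only because `tharos/security.nix` already grants every declared user passwordless sudo, so a stricter daemon would gain nothing; that reasoning should sit next to the setting so the two files stay consistent if the sudo policy is ever tightened. Suggested comment above L308: `# Root-equivalent: every wheel member is already a passwordless sudoer (see tharos/security.nix); revisit if that changes`. The `{ ... }:` module at L295 no longer takes `lib`, which is correct since nothing in this body uses it.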
diff --git a/nextcloud.nix b/tharos/nextcloud.nix
index eedb507..eedb507 100644
--- a/nextcloud.nix
+++ b/tharos/nextcloud.nix
diff --git a/tharos/security.nix b/tharos/security.nix
new file mode 100644
index 0000000..03b59dc
--- /dev/null
+++ b/tharos/security.nix
@@ -0,0 +1,46 @@
+{
+ self,
+ inputs,
+ ...
+}:
+{
+ flake.machines.tharos = {
+ nixos =
+ {
+ lib,
+ modulesPath,
+ ...
+ }:
+ {
+ # Kein Login für Nutzer die nicht explizit deklariert sind
+ users.mutableUsers = false;
+ users.users = lib.mapAttrs (username: keyFiles: {
+ isNormalUser = true;
+ openssh.authorizedKeys.keyFiles = keyFiles;
+ # ANMERKUNG: Der Einfachheit halber sind bis auf Weiteres alle Nutzer mit SSH-Zugang auch Administratoren
+ extraGroups = [ "wheel" ];
+ }) self.keys;
+
+ /*
+ `sudo` über SSH ohne Passworteingabe
+ ANMERKUNG: Nutzer sollten in ihrem ` ~/.ssh/config` für die Maschine einstellen:
+
+ ForwardAgent: yes
+ */
+ security.pam.sshAgentAuth.enable = true;
+ security.pam.services.sudo.sshAgentAuth = true;
+
+ # Nur Administratoren können den angemeldeten Benutzer wechseln
+ security.pam.services.su.requireWheel = true;
+
+ networking.firewall.allowPing = true;
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "prohibit-password";
+ };
+ };
+ };
+ };
+}
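Review bot: The ssh_config hint in the comment block at L369–L371 is wrong: ssh_config separates keyword and value with whitespace (or a single `=`), not a colon, so `ForwardAgent: yes` would be rejected as an unknown option; it should read `ForwardAgent yes`, and the backticked path has a stray leading space (`` ` ~/.ssh/config` `` → `` `~/.ssh/config` ``). Because `security.pam.sshAgentAuth.enable` together with `security.pam.services.sudo.sshAgentAuth` makes the forwarded agent the credential that authorises passwordless sudo, the comment should also tell users to scope the directive to this machine in a `Host <machine>` block rather than enabling it globally, since a forwarded agent is usable by anyone with root on the remote side for the lifetime of the session. `modulesPath` at L354 is taken from the module arguments but is not used anywhere in this file (the disko/qemu-guest imports now live in tharos/boot.nix), so it can be dropped.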
diff --git a/www/caddy.nix b/www/caddy.nix
index 8797204..6721316 100644
--- a/www/caddy.nix
+++ b/www/caddy.nix
@@ -8,27 +8,17 @@ let
};
in
{
- flake.domain = "heimfeld.hamburg";
flake.machines.tharos = {
nixos =
{ lib, ... }:
{
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- ];
-
- services.caddy = {
- enable = true;
- email = "redaktion@${self.domain}";
- virtualHosts.${self.domain} = {
- serverAliases = [ "www.${self.domain}" ];
- extraConfig = ''
- file_server
- root * /var/www/${self.domain}
- encode gzip
- '';
- };
+ services.caddy.virtualHosts.${self.domain} = {
+ serverAliases = [ "www.${self.domain}" ];
+ extraConfig = ''
+ file_server
+ root * /var/www/${self.domain}
+ encode gzip
+ '';
};
systemd.tmpfiles.rules = [
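Review bot: After this hunk `www/caddy.nix` only declares `services.caddy.virtualHosts.${self.domain}` and depends on `services.caddy.enable`, the 80/443 firewall rules and `flake.domain` all being provided by `tharos/caddy.nix`; nothing in this file records that split, so if that module were dropped the vhost would still evaluate but never be served. A comment above L419 such as `# Caddy itself (enable, ports, flake.domain) is configured in tharos/caddy.nix; this file only adds the site` would make the dependency explicit. The `lib` argument at L401 may no longer be needed by this function — the `nixos` body continues past the hunk, so check whether anything below still uses it before removing it.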
@@ -45,16 +35,11 @@ in
...
}:
{
- services.caddy.globalConfig = ''
- local_certs
- '';
services.caddy.virtualHosts = {
"http://www.localhost:${toString config.virtualisation.exposedPorts.http.port}".extraConfig =
config.services.caddy.virtualHosts.${self.domain}.extraConfig;
};
- systemd.services.caddy.path = [ pkgs.nssTools ]; # Irrelevante Warnung unterdrücken
-
services.getty.helpLine = lib.mkBefore ''
${self.domain}: http://www.localhost:${
with config.virtualisation; toString (portOffset + exposedPorts.http.port)