| -rw-r--r-- | machines/nixos/x86_64-linux/do-rproxy/default.nix | 3 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/rivendell/default.nix | 3 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/synology-vm/default.nix | 3 | ||||
| -rw-r--r-- | modules/nixos/default.nix | 4 | ||||
| -rw-r--r-- | modules/nixos/podman.nix | 13 | ||||
| -rw-r--r-- | modules/nixos/ssh.nix | 21 | ||||
| -rw-r--r-- | profiles/cgroups.nix (renamed from modules/nixos/cgroups.nix) | 0 | ||||
| -rw-r--r-- | profiles/defaults.nix (renamed from modules/nixos/base.nix) | 13 | ||||
| -rw-r--r-- | profiles/server.nix | 44 |
9 files changed, 53 insertions, 51 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index b49431f..fd21220 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -6,6 +6,9 @@
 ./disks.nix
 ./secrets.nix
 ./profiles/nginx.nix
+ ../../../../profiles/defaults.nix
+ ../../../../profiles/server.nix
+ ../../../../profiles/cgroups.nix
 ];
 
 networking.hostName = "do-rproxy";
diff --git a/machines/nixos/x86_64-linux/rivendell/default.nix b/machines/nixos/x86_64-linux/rivendell/default.nix
index fe4e0ee..abbc78f 100644
--- a/machines/nixos/x86_64-linux/rivendell/default.nix
+++ b/machines/nixos/x86_64-linux/rivendell/default.nix
@@ -10,6 +10,9 @@
 (modulesPath + "/installer/scan/not-detected.nix")
 inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series
 ../../../../profiles/disk/btrfs-on-luks.nix
+ ../../../../profiles/defaults.nix
+ ../../../../profiles/server.nix
+ ../../../../profiles/cgroups.nix
 ../../../../profiles/forgejo.nix
 ../../../../profiles/keycloak.nix
 ../../../../profiles/tailscale.nix
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index 915d851..c1b2270 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -10,6 +10,9 @@
 ./hardware.nix
 ./secrets.nix
 ./profiles/goget.nix
+ ../../../../profiles/defaults.nix
+ ../../../../profiles/server.nix
+ ../../../../profiles/cgroups.nix
 ];
 
 boot.loader.efi.canTouchEfiVariables = true;
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index bc5c6de..a3c5d70 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -2,15 +2,11 @@
 {
 imports = [
 ./backups.nix
- ./base.nix
- ./cgroups.nix
 ./hardware
 ./home-manager.nix
 ./nas-client.nix
 ./nix.nix
- ./podman.nix
 ./remote-unlock.nix
- ./ssh.nix
 ./user.nix
 ];
 }
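Review bot: Dropping `./base.nix`, `./ssh.nix`, `./podman.nix` and `./cgroups.nix` from the shared import list in modules/nixos/default.nix means the sshd hardening, fail2ban and the SSH server itself are now only configured on hosts that explicitly import profiles/defaults.nix and profiles/server.nix, and this commit adds those imports only to do-rproxy, rivendell and synology-vm. Any other host under machines/nixos that relied on modules/nixos for its services.openssh definition would, on its next rebuild, presumably lose either the PasswordAuthentication/PermitRootLogin hardening or the SSH server entirely, which on a remote machine is a lockout. It is worth checking for other machine directories before merging, and recording the new contract next to the import list with a comment such as `# ssh, fail2ban and podman moved to profiles/server.nix; each host imports it explicitly`.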
diff --git a/modules/nixos/podman.nix b/modules/nixos/podman.nix
deleted file mode 100644
index bd5aa3c..0000000
--- a/modules/nixos/podman.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- virtualisation.podman = {
- enable = true;
- dockerCompat = true;
- autoPrune.enable = true;
- autoPrune.flags = [
- "--all"
- ];
- defaultNetwork.settings.dns_enabled = true;
- };
-
- virtualisation.oci-containers.backend = "podman";
-}
diff --git a/modules/nixos/ssh.nix b/modules/nixos/ssh.nix
deleted file mode 100644
index b4c8772..0000000
--- a/modules/nixos/ssh.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ lib, ... }:
-{
- networking.firewall.allowedTCPPorts = [ 22 ];
-
- services.openssh = {
- enable = lib.mkDefault true;
- settings = {
- PasswordAuthentication = lib.mkForce false;
- KbdInteractiveAuthentication = lib.mkForce false;
-
- PermitRootLogin = lib.mkForce "prohibit-password";
- };
- openFirewall = lib.mkDefault true;
- hostKeys = [
- {
- path = "/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- ];
- };
-}
diff --git a/modules/nixos/cgroups.nix b/profiles/cgroups.nix
index 07dc964..07dc964 100644
--- a/modules/nixos/cgroups.nix
+++ b/profiles/cgroups.nix
diff --git a/modules/nixos/base.nix b/profiles/defaults.nix
index 9ed3abc..7c8a7fb 100644
--- a/modules/nixos/base.nix
+++ b/profiles/defaults.nix
@@ -39,19 +39,6 @@
 dnssec = "false";
 };
 
- services.fail2ban = {
- enable = true;
- ignoreIP = [
- "10.100.0.0/24" # wireguard
- ];
- bantime = "1h";
- bantime-increment = {
- enable = true;
- maxtime = "168h";
- factor = "4";
- };
- };
-
 i18n = {
 defaultLocale = "en_US.UTF-8";
 supportedLocales = [
diff --git a/profiles/server.nix b/profiles/server.nix
new file mode 100644
index 0000000..fe59484
--- /dev/null
+++ b/profiles/server.nix
@@ -0,0 +1,44 @@
+{ ... }:
+{
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "10.100.0.0/24" # wireguard
+ ];
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ maxtime = "168h";
+ factor = "4";
+ };
+ };
+
+ virtualisation.podman = {
+ enable = true;
+ dockerCompat = true;
+ autoPrune.enable = true;
+ autoPrune.flags = [
+ "--all"
+ ];
+ defaultNetwork.settings.dns_enabled = true;
+ };
+
+ virtualisation.oci-containers.backend = "podman";
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+
+ PermitRootLogin = "prohibit-password";
+ };
+ openFirewall = true;
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+}
|
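Review bot: The sshd hardening in profiles/server.nix lost the `lib.mkForce` priority it carried in the deleted modules/nixos/ssh.nix: `PasswordAuthentication = false;`, `KbdInteractiveAuthentication = false;` and `PermitRootLogin = "prohibit-password";` are now plain definitions, so a host module that sets one of them with `lib.mkForce` (or any higher-priority override) wins silently instead of being rejected, while an equal-priority `true` elsewhere turns into an evaluation conflict rather than being overridden as before. If these settings are meant to be non-negotiable for every server, take `lib` back in the module arguments and restore the force priority on the three settings. The `enable = true;` and `openFirewall = true;` lines likewise dropped `lib.mkDefault`, so a host can no longer turn the SSH server off or keep the port closed without a conflict; if that per-host flexibility was intended, keep mkDefault there too.
```nix
{ lib, ... }:
{
  # … unchanged: fail2ban, podman and oci-containers settings …
  services.openssh = {
    enable = lib.mkDefault true;
    settings = {
      PasswordAuthentication = lib.mkForce false;
      KbdInteractiveAuthentication = lib.mkForce false;

      PermitRootLogin = lib.mkForce "prohibit-password";
    };
    openFirewall = lib.mkDefault true;
    # … unchanged: hostKeys …
  };
}
```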
