Skip to content

Commit

Permalink
rolling update in 20240126
Browse files Browse the repository at this point in the history
Signed-off-by: iosmanthus <myosmanthustree@gmail.com>
  • Loading branch information
iosmanthus committed Jan 26, 2024
1 parent 3f10388 commit 3d5c6d0
Show file tree
Hide file tree
Showing 35 changed files with 500 additions and 276 deletions.
80 changes: 50 additions & 30 deletions flake.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

19 changes: 13 additions & 6 deletions flake.nix
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@

master.url = "github:NixOS/nixpkgs";

sops-nix.url = "github:iosmanthus/sops-nix/nested-secrets";
sops-nix.url = "github:Mic92/sops-nix";

home-manager = {
url = "github:nix-community/home-manager";
Expand All @@ -20,6 +20,11 @@
};

jetbrains.url = "github:NixOS/nixpkgs/master";

nix-ld = {
url = "github:Mic92/nix-ld";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{ self
Expand All @@ -29,21 +34,23 @@
, home-manager
, sops-nix
, berberman
, nix-ld
, ...
}:
}@inputs:
let
this = import ./packages;

mkWorkstationModules =
system: [
./nixos/workstation
./secrets/proxy
./secrets/workstation

self.nixosModules.system
self.nixosModules.admin.iosmanthus

sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
nix-ld.nixosModules.nix-ld

({ config, ... }: {
home-manager = {
Expand Down Expand Up @@ -93,15 +100,14 @@
};
packages = [
"bat"
"brave"
"discord"
"docker"
"eza"
"fd"
"feishu"
"firefox"
"firmwareLinuxNonfree"
"gh"
"google-chrome"
"i3"
"kitty"
"lens"
Expand All @@ -127,7 +133,7 @@
];
};
jetbrains = this.branchOverlay {
branch = master;
branch = inputs.jetbrains;
system = "x86_64-linux";
config = { allowUnfree = true; };
packages = [ "jetbrains" ];
Expand Down Expand Up @@ -203,6 +209,7 @@
yapf
gotools
go_1_20
wgcf
];
};
});
Expand Down
34 changes: 19 additions & 15 deletions modules/admin/default.nix
Original file line number Diff line number Diff line change
@@ -1,18 +1,22 @@
{
iosmanthus = { pkgs, ... }: {
imports = [
./options.nix
];
admin = {
name = "iosmanthus";
email = "myosmanthustree@gmail.com";
shell = pkgs.zsh;
home = "/home/iosmanthus";
hashedPassword = "$6$vKbKYA/EtYlE8cAB$hRfeaahQG8JOE8r4FPE.VDQp0/XCgb.VlX5oPAoQxwoanr2GspYU1yBNgjvWYaSv8OpGlVN9YWwuoiSypLZzI1";
gpgPubKey = "0xDEE5BAABFE092169";
sshPubKey = ''
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAE0CpL+RLwnpBp1VzD3VUZpCEOIb1U+R6Jyu/SBq+Msg+CRlxfJThUJY4ZGwp6/d+VPWuQQHvvQ6OoLQdV5Pa9xZAFYOUEDWjAnD16gh29aoVDFzv+sDt2wyA4WZfqydrFSD9QhP88RpcGAcHZXCjzaGT1tEOw2wIOgGs6P53Mrti46Yw==
'';
iosmanthus =
{ pkgs
, config
, ...
}: {
imports = [
./options.nix
];
admin = rec {
name = "iosmanthus";
email = "myosmanthustree@gmail.com";
shell = pkgs.zsh;
home = "/home/iosmanthus";
hashedPasswordFile = config.sops.secrets."${name}/hashed-password".path;
gpgPubKey = "0xDEE5BAABFE092169";
sshPubKey = ''
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAE0CpL+RLwnpBp1VzD3VUZpCEOIb1U+R6Jyu/SBq+Msg+CRlxfJThUJY4ZGwp6/d+VPWuQQHvvQ6OoLQdV5Pa9xZAFYOUEDWjAnD16gh29aoVDFzv+sDt2wyA4WZfqydrFSD9QhP88RpcGAcHZXCjzaGT1tEOw2wIOgGs6P53Mrti46Yw==
'';
};
};
};
}
4 changes: 2 additions & 2 deletions modules/admin/options.nix
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,8 @@ let
shell = mkOption {
type = types.package;
};
hashedPassword = mkOption {
type = types.str;
hashedPasswordFile = mkOption {
type = types.path;
};
sshPubKey = mkOption {
type = types.str;
Expand Down
1 change: 0 additions & 1 deletion modules/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,6 @@
./sing-box
./caddy
./subgen
#./promtail
];
};
}
36 changes: 33 additions & 3 deletions nixos/aws-lightsail-0/caddy/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
content = ''
${config.sops.placeholder."caddy/virtual-host-a"} {
tls {
dns cloudflare ${config.sops.placeholder."cloudflare-api-token"}
dns cloudflare ${config.sops.placeholder."cloudflare/api-token"}
}
log {
level INFO
Expand All @@ -26,13 +26,44 @@
}
${config.sops.placeholder."caddy/virtual-host-b"} {
tls {
dns cloudflare ${config.sops.placeholder."cloudflare-api-token"}
dns cloudflare ${config.sops.placeholder."cloudflare/api-token"}
}
log {
level INFO
}
reverse_proxy 127.0.0.1:8080
}
${config.sops.placeholder."caddy/virtual-host-c"} {
tls {
dns cloudflare ${config.sops.placeholder."cloudflare/api-token"}
}
log {
level INFO
}
# Uncomment to improve security (WARNING: only use if you understand the implications!)
# If you want to use FIDO2 WebAuthn, set X-Frame-Options to "SAMEORIGIN" or the Browser will block those requests
header / {
# Enable HTTP Strict Transport Security (HSTS)
Strict-Transport-Security "max-age=31536000;"
# Disable cross-site filter (XSS)
X-XSS-Protection "0"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# Prevent search engines from indexing (optional)
X-Robots-Tag "noindex, nofollow"
# Disallow sniffing of X-Content-Type-Options
X-Content-Type-Options "nosniff"
# Server name removing
-Server
# Remove X-Powered-By though this shouldn't be an issue, better opsec to remove
-X-Powered-By
# Remove Last-Modified because etag is the same and is as effective
-Last-Modified
}
reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT} {
header_up X-Real-IP {http.request.header.Cf-Connecting-Ip}
}
}
:8080 {
route /subgen/* {
uri strip_prefix /subgen
Expand Down Expand Up @@ -62,5 +93,4 @@
}
'';
};

}
Loading

0 comments on commit 3d5c6d0

Please sign in to comment.