This commit is contained in:
XenGi 2025-12-05 12:06:16 +01:00
parent ff9315233c
commit 8bfa4284cb
Signed by: xengi
SSH key fingerprint: SHA256:jxWM2RTHvxxcncXycwwWkP7HCWb4VREN05UGJTbIPZg
2 changed files with 20 additions and 5 deletions


@ -55,7 +55,8 @@
users.users.root = { users.users.root = {
packages = with pkgs; [ packages = with pkgs; [
kitty # for terminfo kitty # for terminfo
neofetch # for shits and giggles fastfetch # for shits and giggles
tmux
]; ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
@ -69,16 +70,25 @@
}; };
networking = { networking = {
hostname = "matrix";
domain = "berlin.ccc.de";
nameservers = [
"2606:4700:4700::1111#one.one.one.one"
"2620:fe::fe#dns.quad9.net"
];
useDHCP = false;
useNetworkd = true; useNetworkd = true;
nftables.enable = true;
dhcpcd.enable = false; dhcpcd.enable = false;
nftables.enable = true;
tempAddresses = "disabled";
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
22 # SSH 22
80 # HTTP/1 80 # HTTP/1
443 # HTTP/2 443 # HTTP/2
8448 # Matrix federation 8448 # Matrix federation
10022 # SSH
]; ];
allowedUDPPorts = [ allowedUDPPorts = [
443 # HTTP/3 443 # HTTP/3
@ -94,7 +104,7 @@
fstrim.enable = false; # Let Proxmox host handle fstrim fstrim.enable = false; # Let Proxmox host handle fstrim
openssh = { openssh = {
enable = true; enable = true;
openFirewall = true; ports = [ 22 10022 ];
settings = { settings = {
PermitEmptyPasswords = "no"; PermitEmptyPasswords = "no";
PermitRootLogin = "prohibit-password"; PermitRootLogin = "prohibit-password";
@ -111,6 +121,10 @@
\/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/ \/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/
''; '';
}; };
sshguard = {
enable = true;
services = [ "sshd" ];
};
# Cache DNS lookups to improve performance # Cache DNS lookups to improve performance
resolved = { resolved = {
enable = true; enable = true;
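Review bot: The new `hostname = "matrix";` line in the `networking` block uses the wrong option name; NixOS spells it `networking.hostName`, so evaluation will fail with an unknown-option error unless a `hostname` option is declared elsewhere in this configuration — the fix is `hostName = "matrix";`. In the same hunk the `# SSH` comment moves from 22 to the added `10022`, yet `22` stays in `allowedTCPPorts` and the openssh hunk lists `ports = [ 22 10022 ];`, so SSH remains reachable on both ports; if keeping 22 is a deliberate transition step, a comment such as `22 # SSH (legacy port, remove after migration)` would make that intent visible, otherwise both entries for 22 should go. The added `sshguard` block only names `sshd`, which matches the sshd ports change, but whether sshguard's firewall backend picks up the nftables configuration enabled in this hunk is not visible here and is worth confirming on the host.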


@ -21,6 +21,7 @@ in
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedBrotliSettings = true; recommendedBrotliSettings = true;
virtualHosts."${fqdn}" = { virtualHosts."${fqdn}" = {
default = true;
quic = true; quic = true;
kTLS = true; kTLS = true;
forceSSL = true; forceSSL = true;
@ -49,7 +50,7 @@ in
]; ];
locations = { locations = {
"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; "/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
"/".return = "418 \"I'm a Teapot!\""; "/".return = "418 \"🫖\"";
"= /.well-known/matrix/client" = { "= /.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'"; return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'";
extraConfig = '' extraConfig = ''
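Review bot: The added `default = true;` makes this fqdn vhost the catch-all server, so requests with an unknown Host header or no matching SNI now land here and, because `forceSSL = true;` is set on the same host, get redirected to this fqdn and served with its certificate; a comment stating that this is intended, e.g. `default = true; # catch-all: unmatched Host/SNI gets the teapot, not another vhost`, would save the next reader from guessing. The emoji in the `418` return body should be fine for nginx, but the response carries no charset, so some clients may render the bytes as mojibake.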