diff --git a/nix.nix b/nix.nix
new file mode 100644
index 0000000..4fab5ea
--- /dev/null
+++ b/nix.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+{
+ system = {
+ autoUpgrade = {
+ enable = true;
+ allowReboot = true;
+ };
+ };
+
+ nix = {
+ optimise.automatic = true;
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+ };
+
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 22
+ 80
+ 443
+ 2222
+ ];
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ git
+ vim
+ wget
+ neovim
+ ];
+}
diff --git a/ssh.nix b/ssh.nix
new file mode 100644
index 0000000..ccd29c1
--- /dev/null
+++ b/ssh.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+{
+ users.users.kamov = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" "www" ];
+ openssh.authorizedKeys.keyFiles = [ /root/.ssh/kamov.pub ];
+ };
+
+ services = {
+ endlessh = {
+ enable = true;
+ port = 22;
+ };
+ openssh = {
+ enable = true;
+ ports = [ 2222 ];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+ };
+}
diff --git a/web.nix b/web.nix
new file mode 100644
index 0000000..8340637
--- /dev/null
+++ b/web.nix
@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+{
+ # Group for people who can edit the website
+ users.groups.www = {};
+
+ # Directory for web content
+ systemd.tmpfiles.rules = [
+ "d /var/www/kamoshi.org 775 root www"
+ ];
+
+ # Automatically renew certs
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "maciej@kamoshi.org";
+ };
+
+ services = {
+ nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "kamoshi.org" = {
+ root = "/var/www/kamoshi.org";
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ };
+ };
+}
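Review bot: `networking.firewall.allowedTCPPorts` hard-codes 22 and 2222, which are the same values given as `services.endlessh.port` and `services.openssh.ports` in ssh.nix, so the two files can drift apart silently if either port is later changed. The openssh module opens its own `ports` unless `services.openssh.openFirewall` is set to false, and endlessh has an `openFirewall` option as well, so `allowedTCPPorts = [ 80 443 ];` here plus `services.endlessh.openFirewall = true;` beside the endlessh definition would keep each port next to the service that needs it. If the explicit list is kept, a comment such as `# 22: endlessh tarpit, 2222: sshd (ssh.nix); 80/443: nginx (web.nix)` makes the exposure auditable from this file alone. `allowReboot = true` lets `system.autoUpgrade` reboot the host unattended; a one-line comment stating that this is intended would save the next reader from wondering whether it is an oversight.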
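Review bot: `openssh.authorizedKeys.keyFiles = [ /root/.ssh/kamov.pub ];` makes the only credential that can log in to this host come from a file outside the repository, so the authorized identity cannot be audited from this commit, and evaluation fails on any machine where `/root/.ssh/kamov.pub` is absent (under flakes an absolute path outside the flake is presumably rejected outright). A public key is not a secret, so `openssh.authorizedKeys.keys = [ "<public key line copied from kamov.pub>" ];` with the key inlined keeps the set of authorized keys under version control. `kamov` is added to `wheel` but no password is configured; that is consistent with `PasswordAuthentication = false` for SSH, but sudo will presumably still prompt for a password unless `security.sudo.wheelNeedsPassword` is changed, so the intended privilege path should be confirmed and documented. A comment such as `# endlessh tarpits the default port; the real sshd listens on 2222` would explain the port split to readers of this file.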
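Review bot: The tmpfiles rule `"d /var/www/kamoshi.org 775 root www"` gives every member of `www` write access to the directory nginx serves, which is the deployment path for the site but also means any `www` account can change what is published; a comment such as `# 775: www members publish here, nginx (other) only needs read` would record that tradeoff. Because the mode is `775` rather than `2775`, files created by one `www` member default to that user's primary group instead of `www`, so another member may be unable to overwrite them; `"d /var/www/kamoshi.org 2775 root www"` (setgid) keeps new files in the group, if shared editing is the intent. `recommendedProxySettings = true` is enabled although nothing in this hunk proxies, so it can be dropped or documented as intentional.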