nixos-dotfiles

https://git.tonybtw.com/nixos-dotfiles.git git://git.tonybtw.com/nixos-dotfiles.git

6,191 bytes raw

# home-server-base.nix - Base configuration for home server
#
# This provides the foundation for your homelab:
# - Cloudflare DDNS (updates chat.tonybtw.com to your home IP)
# - Nginx reverse proxy (handles SSL for all services)
# - Fail2ban (basic protection)
# - SSH hardening (less strict than VPS since it's on your LAN)
#
# Import this in your configuration.nix along with service-specific configs
#
{ config, pkgs, lib, ... }:

{
  # ============================================================================
  # Cloudflare Dynamic DNS - Keeps your domain pointing to home IP
  # ============================================================================
  services.cloudflare-dyndns = {
    enable = true;
    apiTokenFile = "/root/secrets/cloudflare-token";
    domains = [
      "chat.tonybtw.com"
      # Add more as you expand:
      # "jellyfin.tonybtw.com"
      # "cloud.tonybtw.com"
    ];
    ipv4 = true;
    ipv6 = false;  # Enable if you have IPv6
  };

  # ============================================================================
  # Nginx Reverse Proxy - Handle SSL and route to services
  # ============================================================================
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;

    # Shared SSL configuration (Let's Encrypt)
    # Individual vhosts will reference this
  };

  # ============================================================================
  # Let's Encrypt SSL Certificates
  # ============================================================================
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "tony@tonybtw.com";  # CHANGE THIS to your email
      dnsProvider = "cloudflare";  # Use Cloudflare DNS challenge (works behind NAT)
      credentialsFile = "/root/secrets/cloudflare-acme-credentials";
    };

    certs."chat.tonybtw.com" = {
      domain = "chat.tonybtw.com";
      extraDomainNames = [
        "conference.chat.tonybtw.com"
        "upload.chat.tonybtw.com"
      ];
      group = "prosody";
      postRun = "systemctl reload prosody.service";
    };

    # Add more certs as you expand:
    # certs."jellyfin.tonybtw.com" = {
    #   domain = "jellyfin.tonybtw.com";
    #   group = "jellyfin";
    # };
  };

  # ============================================================================
  # Firewall - Allow necessary ports
  # ============================================================================
  networking.firewall = {
    enable = true;

    # Open ports for services
    allowedTCPPorts = [
      22    # SSH (consider changing to non-standard port)
      80    # HTTP (ACME challenges + redirect to HTTPS)
      443   # HTTPS (Nginx reverse proxy)
      5222  # XMPP client-to-server (C2S)
      5269  # XMPP server-to-server (S2S) - optional, for federation
      5281  # XMPP HTTPS (file uploads)
      # Add more as needed:
      # 8096  # Jellyfin (or proxy via Nginx)
    ];

    # Basic rate limiting
    extraCommands = ''
      # Rate-limit SSH (4 attempts per minute)
      iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
      iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

      # Rate-limit XMPP connections
      iptables -A INPUT -p tcp --dport 5222 -m state --state NEW -m recent --set --name XMPP
      iptables -A INPUT -p tcp --dport 5222 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name XMPP -j DROP
    '';

    extraStopCommands = ''
      iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH 2>/dev/null || true
      iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP 2>/dev/null || true
      iptables -D INPUT -p tcp --dport 5222 -m state --state NEW -m recent --set --name XMPP 2>/dev/null || true
      iptables -D INPUT -p tcp --dport 5222 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name XMPP -j DROP 2>/dev/null || true
    '';
  };

  # ============================================================================
  # Fail2ban - Basic Protection
  # ============================================================================
  services.fail2ban = {
    enable = true;
    maxretry = 5;  # Less strict than VPS (you might fat-finger your password)
    bantime = "10m";
    findtime = "10m";

    jails = {
      sshd = ''
        enabled = true
        filter = sshd
        action = iptables[name=SSH, port=22, protocol=tcp]
        maxretry = 5
      '';
    };
  };

  # ============================================================================
  # SSH Configuration - Moderate Security (it's on your LAN)
  # ============================================================================
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = true;  # Allow passwords on LAN (change to false if paranoid)
      PermitRootLogin = "no";
      PubkeyAuthentication = true;
    };
  };

  # ============================================================================
  # Automatic Garbage Collection
  # ============================================================================
  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 30d";
  };

  # ============================================================================
  # System Packages
  # ============================================================================
  environment.systemPackages = with pkgs; [
    vim
    wget
    curl
    htop
    tmux
    git
    btop
    ncdu  # Disk usage analyzer
  ];

  # ============================================================================
  # Secrets Management
  # ============================================================================
  # You'll need to create these files manually (see deployment guide)
  system.activationScripts.secrets = ''
    mkdir -p /root/secrets
    chmod 700 /root/secrets
  '';
}

1	`# home-server-base.nix - Base configuration for home server`
2	`#`
3	`# This provides the foundation for your homelab:`
4	`# - Cloudflare DDNS (updates chat.tonybtw.com to your home IP)`
5	`# - Nginx reverse proxy (handles SSL for all services)`
6	`# - Fail2ban (basic protection)`
7	`# - SSH hardening (less strict than VPS since it's on your LAN)`
8	`#`
9	`# Import this in your configuration.nix along with service-specific configs`
10	`#`
11	`{ config, pkgs, lib, ... }:`
12
13	`{`
14	`# ============================================================================`
15	`# Cloudflare Dynamic DNS - Keeps your domain pointing to home IP`
16	`# ============================================================================`
17	`services.cloudflare-dyndns = {`
18	`enable = true;`
19	`apiTokenFile = "/root/secrets/cloudflare-token";`
20	`domains = [`
21	`"chat.tonybtw.com"`
22	`# Add more as you expand:`
23	`# "jellyfin.tonybtw.com"`
24	`# "cloud.tonybtw.com"`
25	`];`
26	`ipv4 = true;`
27	`ipv6 = false; # Enable if you have IPv6`
28	`};`
29
30	`# ============================================================================`
31	`# Nginx Reverse Proxy - Handle SSL and route to services`
32	`# ============================================================================`
33	`services.nginx = {`
34	`enable = true;`
35	`recommendedProxySettings = true;`
36	`recommendedTlsSettings = true;`
37	`recommendedOptimisation = true;`
38	`recommendedGzipSettings = true;`
39
40	`# Shared SSL configuration (Let's Encrypt)`
41	`# Individual vhosts will reference this`
42	`};`
43
44	`# ============================================================================`
45	`# Let's Encrypt SSL Certificates`
46	`# ============================================================================`
47	`security.acme = {`
48	`acceptTerms = true;`
49	`defaults = {`
50	`email = "tony@tonybtw.com"; # CHANGE THIS to your email`
51	`dnsProvider = "cloudflare"; # Use Cloudflare DNS challenge (works behind NAT)`
52	`credentialsFile = "/root/secrets/cloudflare-acme-credentials";`
53	`};`
54
55	`certs."chat.tonybtw.com" = {`
56	`domain = "chat.tonybtw.com";`
57	`extraDomainNames = [`
58	`"conference.chat.tonybtw.com"`
59	`"upload.chat.tonybtw.com"`
60	`];`
61	`group = "prosody";`
62	`postRun = "systemctl reload prosody.service";`
63	`};`
64
65	`# Add more certs as you expand:`
66	`# certs."jellyfin.tonybtw.com" = {`
67	`# domain = "jellyfin.tonybtw.com";`
68	`# group = "jellyfin";`
69	`# };`
70	`};`
71
72	`# ============================================================================`
73	`# Firewall - Allow necessary ports`
74	`# ============================================================================`
75	`networking.firewall = {`
76	`enable = true;`
77
78	`# Open ports for services`
79	`allowedTCPPorts = [`
80	`22 # SSH (consider changing to non-standard port)`
81	`80 # HTTP (ACME challenges + redirect to HTTPS)`
82	`443 # HTTPS (Nginx reverse proxy)`
83	`5222 # XMPP client-to-server (C2S)`
84	`5269 # XMPP server-to-server (S2S) - optional, for federation`
85	`5281 # XMPP HTTPS (file uploads)`
86	`# Add more as needed:`
87	`# 8096 # Jellyfin (or proxy via Nginx)`
88	`];`
89
90	`# Basic rate limiting`
91	`extraCommands = ''`
92	`# Rate-limit SSH (4 attempts per minute)`
93	`iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH`
94	`iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP`
95
96	`# Rate-limit XMPP connections`
97	`iptables -A INPUT -p tcp --dport 5222 -m state --state NEW -m recent --set --name XMPP`
98	`iptables -A INPUT -p tcp --dport 5222 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name XMPP -j DROP`
99	`'';`
100
101	`extraStopCommands = ''`
102	`iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH 2>/dev/null \|\| true`
103	`iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP 2>/dev/null \|\| true`
104	`iptables -D INPUT -p tcp --dport 5222 -m state --state NEW -m recent --set --name XMPP 2>/dev/null \|\| true`
105	`iptables -D INPUT -p tcp --dport 5222 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name XMPP -j DROP 2>/dev/null \|\| true`
106	`'';`
107	`};`
108
109	`# ============================================================================`
110	`# Fail2ban - Basic Protection`
111	`# ============================================================================`
112	`services.fail2ban = {`
113	`enable = true;`
114	`maxretry = 5; # Less strict than VPS (you might fat-finger your password)`
115	`bantime = "10m";`
116	`findtime = "10m";`
117
118	`jails = {`
119	`sshd = ''`
120	`enabled = true`
121	`filter = sshd`
122	`action = iptables[name=SSH, port=22, protocol=tcp]`
123	`maxretry = 5`
124	`'';`
125	`};`
126	`};`
127
128	`# ============================================================================`
129	`# SSH Configuration - Moderate Security (it's on your LAN)`
130	`# ============================================================================`
131	`services.openssh = {`
132	`enable = true;`
133	`settings = {`
134	`PasswordAuthentication = true; # Allow passwords on LAN (change to false if paranoid)`
135	`PermitRootLogin = "no";`
136	`PubkeyAuthentication = true;`
137	`};`
138	`};`
139
140	`# ============================================================================`
141	`# Automatic Garbage Collection`
142	`# ============================================================================`
143	`nix.gc = {`
144	`automatic = true;`
145	`dates = "weekly";`
146	`options = "--delete-older-than 30d";`
147	`};`
148
149	`# ============================================================================`
150	`# System Packages`
151	`# ============================================================================`
152	`environment.systemPackages = with pkgs; [`
153	`vim`
154	`wget`
155	`curl`
156	`htop`
157	`tmux`
158	`git`
159	`btop`
160	`ncdu # Disk usage analyzer`
161	`];`
162
163	`# ============================================================================`
164	`# Secrets Management`
165	`# ============================================================================`
166	`# You'll need to create these files manually (see deployment guide)`
167	`system.activationScripts.secrets = ''`
168	`mkdir -p /root/secrets`
169	`chmod 700 /root/secrets`
170	`'';`
171	`}`