# NixOS system configuration for the host "yevaud".
#
# Reference: configuration.nix(5), https://search.nixos.org/options and the
# NixOS manual (`nixos-help`).
#
# The box exposes exactly three services to the network: SSH (key-only, no
# root login), plus an nginx reverse proxy that terminates TLS for a Forgejo
# instance listening on loopback. Everything else is blocked by the firewall.
{ config, lib, pkgs, ... }:

{
  # Results of the hardware scan are kept in their own generated file.
  imports = [ ./hardware-configuration.nix ];

  # systemd-boot on EFI.
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  networking = {
    hostName = "yevaud";
    hostId = "09673d65";

    # Inbound TCP allow-list: SSH, HTTP (ACME challenges / HTTPS redirect)
    # and HTTPS. Forgejo's own port 3000 is deliberately not listed, so it is
    # only reachable through nginx on loopback.
    firewall.allowedTCPPorts = [ 22 80 443 ];
  };

  time.timeZone = "Etc/UTC";

  # Single administrative account. Login is by SSH key only; no password is
  # declared here, so set one with `passwd` if password-based sudo is wanted.
  users.users.bluebird = {
    isNormalUser = true;
    # Membership of "wheel" grants sudo.
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEmkV9arotms79lJPsLHkdzAac4eu3pYS08ym0sB/on bluebird@tohru"
    ];
  };

  services = {
    # sshd hardened to public-key authentication only, root login refused.
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
      };
    };

    # Brute-force protection; NOTE(review): relies on the module's default
    # jails (presumably sshd) — confirm nothing else needs a jail.
    fail2ban.enable = true;

    # TLS-terminating reverse proxy in front of Forgejo.
    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;

      # Explicit cipher string; NOTE(review): this replaces the module's
      # default cipher list — confirm it matches the intended TLS baseline.
      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

      # Security headers at the http{} level. nginx only inherits add_header
      # directives into a server/location block that declares none of its
      # own, so any vhost that adds its own header must repeat these.
      # HSTS is emitted only on https responses (via the $scheme map) and
      # carries includeSubdomains + preload, which commits every subdomain of
      # the zone to HTTPS. The Content-Security-Policy line inside the
      # snippet is still commented out. proxy_cookie_path stamps
      # secure/HttpOnly/SameSite=strict onto cookies set by the upstream.
      appendHttpConfig = ''
        map $scheme $hsts_header {
          https "max-age=31536000; includeSubdomains; preload";
        }
        add_header Strict-Transport-Security $hsts_header;
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
        add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
      '';

      # Forgejo vhost: HTTPS enforced, certificate via ACME, traffic proxied
      # to the loopback port Forgejo binds below.
      virtualHosts."git.katherina.rocks" = {
        forceSSL = true;
        enableACME = true;
        locations."/".proxyPass = "http://[::1]:3000/";
      };
    };

    # Self-hosted git forge, state on a dedicated data volume.
    forgejo = {
      enable = true;
      stateDir = "/data/forgejo";
      settings = {
        DEFAULT.APP_NAME = "git.katherina.rocks";

        # In-process two-queue cache; HOST carries the adapter's JSON tuning.
        cache = {
          ADAPTER = "twoqueue";
          HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}'';
        };

        database = {
          DB_TYPE = "sqlite3";
          SQLITE_JOURNAL_MODE = "WAL";
        };

        # "Remember me" sessions stay valid for a year; NOTE(review): long
        # cookie lifetime — confirm this is acceptable for the admin account.
        security.LOGIN_REMEMBER_DAYS = 365;

        server = {
          DOMAIN = "git.katherina.rocks";
          HTTP_PORT = 3000;
          ROOT_URL = "https://git.katherina.rocks/";
        };

        # No self-service sign-up: accounts are created by the admin only.
        service.DISABLE_REGISTRATION = true;
      };
    };
  };

  # Let's Encrypt terms accepted for the vhost above.
  security.acme = {
    acceptTerms = true;
    defaults.email = "accounts@katherina.rocks";
  };

  # Release this installation was first deployed with; do not bump casually.
  system.stateVersion = "23.11";
}