security improvements among other things

This commit is contained in:
Schrottkatze 2023-03-18 17:54:57 +01:00
parent bd85fdb12f
commit 1d2c6bb0f0
8 changed files with 66 additions and 32 deletions


@ -16,7 +16,8 @@
./microbin.nix
../modules/neovim.nix
../modules/zsh.nix
./synapse.nix
../modules/firewall.nix
#./synapse.nix
./penpot.nix
];
@ -28,6 +29,14 @@
serviceConfig.EnvironmentFile = "/etc/wordsofgod-bot/wordsofgod.env";
};
services = {
openssh.permitRootLogin = "no";
fail2ban = {
enable = true;
bantime-increment.enable = true;
};
};
jade = {
neovim.enable = true;
zsh.enable = true;
@ -43,8 +52,6 @@
networking.hostName = "schrottserver"; # Define your hostname.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
networking.firewall.enable = false;
# default settings for stateful data; don't change unless reinstall with newer version
system.stateVersion = "22.11"; # Did you read the comment?
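Review bot: The new `openssh.permitRootLogin = "no";` leaves password authentication for the remaining users at its default, so sshd stays exposed to credential guessing and the new fail2ban block only slows that down. Once key-based login is confirmed to work, add `openssh.passwordAuthentication = false;` and `openssh.kbdInteractiveAuthentication = false;` next to it (option names as of NixOS 22.11, matching the `system.stateVersion` shown; newer releases carry them under `services.openssh.settings`). The last hunk still prints `networking.firewall.enable = false;`; the rendered page does not show whether that line survives the commit, and if it does, it is worth checking how it interacts with the newly imported `../modules/firewall.nix`, since a module that enables the firewall would either be negated by it or conflict with it.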


@ -9,8 +9,7 @@
services = {
"penpot-backend".service = {
image = "penpotapp/backend:latest";
volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ];
restart = "always";
volumes = [ "/penpot_assets:/opt/data/assets" ];
depends_on = [ "penpot-postgres" "penpot-redis" ];
networks = [ "penpot" ];
environment = {
@ -25,31 +24,29 @@
"PENPOT_REDIS_URI" = "redis://penpot-redis/0";
"PENPOT_ASSETS_STORAGE_BACKEND" = "assets-fs";
"PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/var/lib/penpot/data/assets";
"PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/opt/data/assets";
"PENPOT_TELEMETRY_ENABLED" = "false";
"PENPOT_SMTP_DEFAULT_FROM" = "noreply-pp@schrottkatze.de";
"PENPOT_SMTP_DEFAULT_REPLY_TO" = "noreply-pp@schrottkatze.de";
"PENPOT_SMTP_DEFAULT_FROM" = "Penpot <noreply-pp@schrottkatze.de>";
"PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot <noreply-pp@schrottkatze.de>";
"PENPOT_SMTP_HOST" = "smtp.migadu.com";
"PENPOT_SMTP_PORT" = "587";
"PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de";
"PENPOT_SMTP_PASSWORD" = builtins.readFile ../secret-data/penpot-smtp-pass;
"PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}";
"PENPOT_SMTP_TLS" = "true";
"PENPOT_SMTP_SSL" = "false";
};
};
"penpot-frontend".service = {
image = "penpotapp/frontend:latest";
restart = "always";
ports = [ "9001:80" ];
volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ];
volumes = [ "/penpot_assets:/opt/data/assets" ];
depends_on = [ "penpot-backend" "penpot-exporter" ];
networks = [ "penpot" ];
};
"penpot-exporter".service = {
image = "penpotapp/exporter:latest";
restart = "always";
networks = [ "penpot" ];
environment = {
"PENPOT_PUBLIC_URI" = "http://penpot-frontend";
@ -58,7 +55,6 @@
};
"penpot-postgres".service = {
image = "postgres:15";
restart = "always";
stop_signal = "SIGINT";
volumes = [ "/penpot_postgres_v15:/var/lib/postgresql/data" ];
networks = [ "penpot" ];
@ -71,7 +67,6 @@
};
"penpot-redis".service = {
image = "redis:7";
restart = "always";
networks = [ "penpot" ];
};
};
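Review bot: The rewritten `"PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}";` still reads the secret at evaluation time, so the password is embedded in the generated compose configuration, which normally lands in the world-readable Nix store; the same was true of the line it replaces, and wrapping the call in an interpolation changes nothing about that. The credential should instead reach the container at runtime, e.g. through the compose `env_file` directive pointing at a root-only file outside the store, mirroring the `serviceConfig.EnvironmentFile = "/etc/wordsofgod-bot/wordsofgod.env"` pattern used in the first file of this commit. Separately, `builtins.readFile` keeps a trailing newline if the secret file ends with one, and that newline would then be sent verbatim as part of the password.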


@ -6,27 +6,27 @@
certs = {
"schrottkatze.de" = {
group = "nginx";
keyType = "rsa2048";
keyType = "rsa4096";
};
"vw.schrottkatze.de" = {
group = "nginx";
keyType = "rsa2048";
keyType = "rsa4096";
};
"wolke.schrottkatze.de" = {
group = "nginx";
keyType = "rsa2048";
keyType = "rsa4096";
};
"s10e.de" = {
group = "nginx";
keyType = "rsa2048";
keyType = "rsa4096";
};
"synapse.schrottkatze.de" = {
group = "nginx";
keyType = "rsa2048";
keyType = "rsa4096";
};
"pp.schrottkatze.de" = {
group = "nginx";
keyType = "rsa2048";
keyType = "rsa4096";
};
};
};
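Review bot: The six `certs` entries now repeat `group = "nginx"; keyType = "rsa4096";` verbatim, which is the kind of duplication that lets one domain drift the next time the key type is changed. Assuming the enclosing set is `security.acme` (its opening is outside the hunk), the shared values can move to a sibling `defaults = { group = "nginx"; keyType = "rsa4096"; };`, after which each entry reduces to `"schrottkatze.de" = { };`; alternatively the six names can be fed to `lib.genAttrs` if `lib` is in scope for this file, which the hunk does not show. Either form keeps the upgrade to `rsa4096` while making a future change a one-line edit.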