my nix configs for my servers and desktop
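# hosts/buer/configuration.nix (or default.nix)
#
# NixOS host definition for "buer": a single-NIC x86_64 VPS with static public
# IPv4/IPv6 addresses that runs docker, garage and a seaweedfs master.
# Host-specific hardware and secrets come from ./hardware.nix and ./secrets.nix;
# everything shared between hosts lives under ../../common.
{ config, lib, pkgs, modulesPath, inputs, ... }:
{
  # =============================================================================
  # IMPORTS
  # =============================================================================
  imports = [
    # Host-specific hardware and secrets
    ./hardware.nix
    ./secrets.nix

    # Common modules shared across hosts
    ../../common/system.nix
    ../../common/users.nix
    ../../common/services.nix

    # Common secrets
    ../../host-secrets.nix
  ];

  # =============================================================================
  # SYSTEM CONFIGURATION
  # =============================================================================
  system.stateVersion = "24.11";
  # mkDefault: a later module may still override the platform.
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

  # Intel microcode updates, tied to the redistributable-firmware switch so the
  # two settings cannot disagree.
  hardware.cpu.intel.updateMicrocode = lib.mkDefault
    config.hardware.enableRedistributableFirmware;

  # =============================================================================
  # CUSTOM MODULES
  # =============================================================================
  modules = {
    garage.enable = true;

    seaweedfs.clusters.default = {
      package = pkgs.seaweedfs;

      masters.main = {
        # NOTE(review): has no effect while networking.firewall.enable = false
        # (see NETWORKING below) -- the master port is reachable either way.
        openFirewall = true;
        ip = "fs.nkp.pet";
        volumePreallocate = true;

        # presumably maps to seaweedfs replication "000" (no replicas);
        # confirm against the modules.seaweedfs implementation.
        defaultReplication = {
          dataCenter = 0;
          rack = 0;
          server = 0;
        };
      };
    };
  };

  # =============================================================================
  # BOOT CONFIGURATION
  # =============================================================================
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda"; # first virtio block device of the VPS
  };

  # =============================================================================
  # NETWORKING
  # =============================================================================
  networking = {
    hostName = "buer";
    hostId = "1418d29e";
    # NOTE(review): the host firewall is disabled on a machine with a public
    # address, so every listening socket (docker-published ports, garage,
    # seaweedfs, ...) is exposed directly and every openFirewall option in this
    # file is a no-op. fail2ban below only limits brute force against services
    # that have a jail; it is not a substitute for a default-deny policy.
    firewall.enable = false;
    # Addresses are static and configured through systemd-networkd below.
    useDHCP = false;
  };

  services.fail2ban = {
    enable = true;
    # Ban an IP after 5 failures within the default findtime.
    maxretry = 5;
    # Never ban RFC 1918 private ranges or the RFC 6598 shared range
    # (100.64.0.0/10, used by CGNAT and overlay networks).
    ignoreIP = [
      "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10"
    ];
    bantime = "24h"; # Ban IPs for one day on the first ban
    bantime-increment = {
      enable = true; # Enable increment of bantime after each violation
      multipliers = "1 2 4 8 16 32 64";
      maxtime = "168h"; # Do not ban for more than 1 week
      overalljails = true; # Calculate the bantime based on all the violations
    };
    jails = {
      # Block an IP address if it accesses a non-existent home directory more
      # than 5 times in 10 minutes, since that indicates that it's scanning.
      # NOTE(review): services.httpd is not enabled in this file; unless an
      # imported module enables it, logpath never exists and this jail is dead
      # configuration -- confirm or drop it.
      apache-nohome-iptables.settings = {
        filter = "apache-nohome";
        action = ''iptables-multiport[name=HTTP, port="http,https"]'';
        logpath = "/var/log/httpd/error_log*";
        backend = "auto";
        findtime = 600;
        # Jail-local values override the 24h / maxretry defaults set above.
        bantime = 600;
        maxretry = 5;
      };
    };
  };

  # Static IP configuration via systemd-networkd
  systemd.network = {
    enable = true;
    networks."10-wan" = {
      matchConfig.Name = "ens3";
      address = [
        "103.251.165.107/24"
        # NOTE(review): a /48 on a host interface is unusually wide; confirm the
        # provider's on-link prefix length (commonly /64).
        "2a04:52c0:0135:48d1::2/48"
      ];
      gateway = [
        "103.251.165.1"
        "2a04:52c0:0135::1"
      ];
      # presumably the hosting provider's resolvers -- verify
      dns = [
        "2a01:6340:1:20:4::10"
        "2a04:52c0:130:2a5c::10"
        "185.31.172.240"
        "5.255.125.240"
      ];
    };
  };

  # =============================================================================
  # VIRTUALIZATION
  # =============================================================================
  virtualisation.docker = {
    enable = true;
    enableOnBoot = true; # start the daemon at boot, not on first socket use
  };

  # =============================================================================
  # PACKAGES
  # =============================================================================
  environment.systemPackages = [
    # Select the agenix package for the platform actually being built instead of
    # hard-coding x86_64-linux, so an override of nixpkgs.hostPlatform (it is
    # only mkDefault above) cannot pull in a binary for the wrong system.
    inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default
  ];

  # =============================================================================
  # COMMENTED OUT / DISABLED
  # =============================================================================
  # ZFS support (not needed for this VPS)
  # boot.supportedFilesystems = [ "zfs" ];
  # boot.kernelModules = [ "nct6775" "coretemp" ];
  # services.zfs.autoScrub.enable = true;
  # services.zfs.trim.enable = true;

  # Additional packages (not needed)
  # lm_sensors
  # code-server
}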