ab5aebb161
Extracted modules: - Matrix homeserver (matrix-continuwuity.nix) - mautrix bridges (slack, whatsapp, gmessages) - Security modules (fail2ban, ssh-hardening) - Development services module - Matrix secrets module All modules sanitized to remove personal information: - Domains: example.com, matrix.example.org - IPs: 10.0.0.x, 203.0.113.10 - Paths: /home/user, /path/to/ops-base - Emails: admin@example.com Configuration: - Updated flake.nix with sops-nix and nixpkgs-unstable - Updated hosts/ops-jrz1.nix to import all extracted modules - Added example files (secrets, minimal config) - Generated flake.lock Generated with Claude Code - https://claude.com/claude-code
184 lines
4.3 KiB
Nix
184 lines
4.3 KiB
Nix
# NixOS configuration for Vultr development VPS
|
|
# Optimized for Matrix + Forgejo deployment without federation
|
|
{ config, pkgs, lib, ... }:
|
|
|
|
{
|
|
imports = [
|
|
../modules/dev-services.nix
|
|
./vultr-hardware.nix
|
|
];
|
|
|
|
# sops-nix secrets management
|
|
sops = {
|
|
defaultSopsFile = ../secrets/secrets.yaml;
|
|
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
|
|
# Secret declarations
|
|
secrets."matrix-registration-token" = {
|
|
mode = "0400";
|
|
};
|
|
|
|
secrets."acme-email" = {
|
|
mode = "0400";
|
|
# Using direct email value, no secret needed
|
|
};
|
|
};
|
|
|
|
# Boot configuration for Vultr VPS (Legacy BIOS mode)
|
|
boot = {
|
|
loader = {
|
|
grub = {
|
|
enable = true;
|
|
device = "/dev/vda"; # Legacy BIOS - install to MBR
|
|
efiSupport = false;
|
|
useOSProber = false;
|
|
};
|
|
};
|
|
# Vultr uses virtio drivers
|
|
initrd.availableKernelModules = [
|
|
"virtio_pci"
|
|
"virtio_blk"
|
|
"virtio_net"
|
|
"virtio_scsi"
|
|
];
|
|
};
|
|
|
|
# Filesystem configuration managed by vultr-hardware.nix
|
|
# Boot partition, root partition, and swap declared via generated hardware config
|
|
|
|
# Network configuration for Vultr
|
|
networking = {
|
|
hostName = "matrix";
|
|
|
|
# Vultr-specific network interface
|
|
useDHCP = false;
|
|
interfaces.ens3 = { # Vultr uses ens3
|
|
useDHCP = true;
|
|
};
|
|
|
|
enableIPv6 = true;
|
|
|
|
# Firewall - only expose reverse proxy ports
|
|
firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [
|
|
22 # SSH
|
|
80 # HTTP (ACME challenges, redirects)
|
|
443 # HTTPS
|
|
];
|
|
allowPing = true;
|
|
logRefusedConnections = false; # Reduce log noise on public VPS
|
|
};
|
|
};
|
|
|
|
# SSH configuration - secure but accessible for development
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
PermitRootLogin = "prohibit-password"; # More secure than "yes"
|
|
PasswordAuthentication = false;
|
|
KbdInteractiveAuthentication = false;
|
|
X11Forwarding = false;
|
|
};
|
|
# Basic security settings
|
|
extraConfig = ''
|
|
MaxAuthTries 3
|
|
MaxSessions 10
|
|
ClientAliveInterval 300
|
|
ClientAliveCountMax 2
|
|
'';
|
|
};
|
|
|
|
# SSH key for root and admin users
|
|
users.users.root.openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqHsgAuD/8LL6HN3fo7X1ywryQG393pyQ19a154bO+h delpad-2025"
|
|
];
|
|
|
|
users.users.admin = {
|
|
isNormalUser = true;
|
|
extraGroups = [ "wheel" ];
|
|
openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqHsgAuD/8LL6HN3fo7X1ywryQG393pyQ19a154bO+h delpad-2025"
|
|
];
|
|
};
|
|
|
|
# Enable sudo without password for development convenience
|
|
security.sudo.wheelNeedsPassword = false;
|
|
|
|
# Enable fail2ban for brute force protection
|
|
security.fail2ban-enhanced = {
|
|
enable = true;
|
|
bantime = "1h";
|
|
maxretry = 3;
|
|
};
|
|
|
|
# Enable ACME for TLS certificates
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = "admin@example.com"; # Using direct email as ACME doesn't support emailFile
|
|
};
|
|
|
|
# Dev services stack - simplified without federation
|
|
services.dev-platform = {
|
|
enable = true;
|
|
domain = "example.com";
|
|
|
|
matrix = {
|
|
enable = true;
|
|
port = 8008;
|
|
};
|
|
|
|
forgejo = {
|
|
enable = true;
|
|
subdomain = "git";
|
|
port = 3000;
|
|
};
|
|
|
|
slackBridge = {
|
|
enable = true;
|
|
};
|
|
};
|
|
|
|
# Basic monitoring for development
|
|
services.netdata = {
|
|
enable = true;
|
|
config = {
|
|
global = {
|
|
"bind to" = "127.0.0.1"; # Localhost only for security
|
|
};
|
|
};
|
|
};
|
|
|
|
# Automatic garbage collection to manage disk space
|
|
nix.gc = {
|
|
automatic = true;
|
|
dates = "weekly";
|
|
options = "--delete-older-than 7d";
|
|
};
|
|
|
|
# Allow insecure packages needed for Matrix bridges
|
|
nixpkgs.config.permittedInsecurePackages = [
|
|
"olm-3.2.16"
|
|
];
|
|
|
|
# NixOS configuration optimized for VPS
|
|
nix.settings = {
|
|
experimental-features = [ "nix-command" "flakes" ];
|
|
|
|
# Optimize for VPS builds and downloads
|
|
max-jobs = "auto";
|
|
cores = 0; # Use all available cores
|
|
substituters = [
|
|
"https://cache.nixos.org"
|
|
];
|
|
trusted-public-keys = [
|
|
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
|
];
|
|
};
|
|
|
|
# Timezone and locale for VPS
|
|
time.timeZone = "UTC";
|
|
i18n.defaultLocale = "en_US.UTF-8";
|
|
|
|
system.stateVersion = "24.11";
|
|
} |