moved all to subfolder nixos

nixos/system/server/default.nix

@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }: {
+
+  imports = [
+    <system/all>
+    ./netdata.nix
+    ./initssh.nix
+    ./graylog-exporter.nix
+    ./prometheus-exporters.nix
+    ./packages.nix
+  ];
+
+  # make sure laptops stay awake when closing the montior
+  services.logind.lidSwitch = "ignore";
+  powerManagement.enable = false;
+  powerManagement.scsiLinkPolicy = "min_power";
+
+  # config vim
+  programs.custom.vim.enable = true;
+
+  services.locate.enable = true;
+
+}
+

nixos/system/server/graylog-exporter.nix

@@ -0,0 +1,139 @@
+{ lib, ... }: {
+
+  # send data to graylog
+  services.SystemdJournal2Gelf.enable = lib.mkDefault false;
+  services.SystemdJournal2Gelf.graylogServer = "workhorse.private:11201";
+
+  services.journalbeat = {
+    enable = true;
+    # https://docs.graylog.org/en/4.0/pages/sending/journald.html
+    extraConfig = ''
+      journalbeat.inputs:
+        # Paths that should be crawled and fetched. Possible values files and directories.
+        # When setting a directory, all journals under it are merged.
+        # When empty starts to read from local journal.
+      - paths: []
+
+        # The number of seconds to wait before trying to read again from journals.
+        #backoff: 1s
+        # The maximum number of seconds to wait before attempting to read again from journals.
+        #max_backoff: 20s
+
+        # Position to start reading from journal. Valid values: head, tail, cursor
+        seek: tail
+
+        # Fallback position if no cursor data is available.
+        #cursor_seek_fallback: tail
+
+        # Exact matching for field values of events.
+        # Matching for nginx entries: "systemd.unit=nginx"
+        #include_matches: []
+
+      output.logstash:
+        # Boolean flag to enable or disable the output module.
+        enabled: true
+
+        # Graylog host and the beats input
+        hosts: ["workhorse.private:5044"]
+
+        # Number of workers per Graylog host.
+        #worker: 1
+
+        # Set gzip compression level.
+        #compression_level: 3
+
+        # Configure escaping HTML symbols in strings.
+        #escape_html: false
+
+        # Optional maximum time to live for a connection to Graylog, after which the
+        # connection will be re-established.  A value of `0s` (the default) will
+        # disable this feature.
+        #
+        # Not yet supported for async connections (i.e. with the "pipelining" option set)
+        ttl: 30s
+
+        # Optionally load-balance events between Graylog hosts. Default is false.
+        #loadbalance: false
+
+        # If enabled only a subset of events in a batch of events is transferred per
+        # transaction.  The number of events to be sent increases up to `bulk_max_size`
+        # if no error is encountered.
+        slow_start: true
+
+        # The number of seconds to wait before trying to reconnect to Graylog
+        # after a network error. After waiting backoff.init seconds, the Beat
+        # tries to reconnect. If the attempt fails, the backoff timer is increased
+        # exponentially up to backoff.max. After a successful connection, the backoff
+        # timer is reset. The default is 1s.
+        backoff.init: 1s
+
+        # The maximum number of seconds to wait before attempting to connect to
+        # Graylog after a network error. The default is 60s.
+        backoff.max: 60s
+
+        # SOCKS5 proxy server URL
+        #proxy_url: socks5://user:password@socks5-server:2233
+
+        # Resolve names locally when using a proxy server. Defaults to false.
+        #proxy_use_local_resolver: false
+
+        # Enable SSL support. SSL is automatically enabled if any SSL setting is set.
+        #ssl.enabled: true
+
+        # Configure SSL verification mode. If `none` is configured, all server hosts
+        # and certificates will be accepted. In this mode, SSL based connections are
+        # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+        # `full`.
+        #ssl.verification_mode: full
+
+        # List of supported/valid TLS versions. By default all TLS versions from 1.1
+        # up to 1.3 are enabled.
+        #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+        # Optional SSL configuration options. SSL is off by default.
+        # List of root certificates for HTTPS server verifications
+        #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+        # Certificate for SSL client authentication
+        #ssl.certificate: "/etc/pki/client/cert.pem"
+
+        # Client certificate key
+        #ssl.key: "/etc/pki/client/cert.key"
+
+        # Optional passphrase for decrypting the Certificate Key.
+        #ssl.key_passphrase: 
+
+        # Configure cipher suites to be used for SSL connections
+        #ssl.cipher_suites: []
+
+        # Configure curve types for ECDHE-based cipher suites
+        #ssl.curve_types: []
+
+        # Configure what types of renegotiation are supported. Valid options are
+        # never, once, and freely. Default is never.
+        #ssl.renegotiation: never
+
+        # Configure a pin that can be used to do extra validation of the verified certificate chain,
+        # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+        #
+        # The pin is a base64 encoded string of the SHA-256 fingerprint.
+        #ssl.ca_sha256: ""
+
+        # The number of times to retry publishing an event after a publishing failure.
+        # After the specified number of retries, the events are typically dropped.
+        # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
+        # and retry until all events are published.  Set max_retries to a value less
+        # than 0 to retry until all events are published. The default is 3.
+        #max_retries: 3
+
+        # The maximum number of events to bulk in a single Graylog request. The
+        # default is 2048.
+        bulk_max_size: 2048
+
+        # The number of seconds to wait for responses from the Graylog server before
+        # timing out. The default is 30s.
+        #timeout: 30s
+    '';
+  };
+
+}

nixos/system/server/initssh.nix

@@ -0,0 +1,105 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.configuration.init-ssh;
+
+in {
+
+  options.configuration.init-ssh = {
+
+    enable = mkOption {
+      default = "disable";
+      type = with types; enum [ "disable" "prepare" "enabled" ];
+    };
+
+    kernelModules = mkOption {
+      type = with types; listOf str;
+      description =
+        "lspci -v will tell you which kernel module is used for the ethernet interface";
+    };
+
+    port = mkOption {
+      default = 23;
+      type = with types; int;
+    };
+
+    authorizedKeys = mkOption {
+      type = with types; listOf str;
+      default = config.users.users.root.openssh.authorizedKeys.keys
+        ++ (map (keyFile: lib.fileContents keyFile)
+          config.users.users.root.openssh.authorizedKeys.keyFiles);
+    };
+    hostKey = mkOption {
+      default = "/etc/ssh/ssh_host_ed25519_key";
+      type = with types; path;
+      description = ''
+        To generate keys, use ssh-keygen(1):
+        # ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
+        # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
+      '';
+    };
+
+  };
+
+  config = mkMerge [
+
+    (mkIf (cfg.enable != "disable") {
+      services.tor = {
+        enable = true;
+        client.enable = true;
+        relay.onionServices.bootup.map = [{ port = 23; }];
+      };
+    })
+
+    (mkIf (cfg.enable == "enabled") {
+
+      # tor setup
+      boot.initrd.secrets = {
+        "/etc/tor/onion/bootup" = /var/lib/tor/onion/bootup;
+      };
+
+      boot.initrd.extraUtilsCommands = ''
+        copy_bin_and_libs ${pkgs.tor}/bin/tor
+      '';
+
+      boot.initrd.network.postCommands = let
+        torRc = (pkgs.writeText "tor.rc" ''
+          DataDirectory /etc/tor
+          SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+          SOCKSPort 127.0.0.1:9063
+          HiddenServiceDir /etc/tor/onion/bootup
+          HiddenServicePort ${toString cfg.port} 127.0.0.1:${toString cfg.port}
+        '');
+      in ''
+        echo "tor: preparing onion folder"
+        # have to do this otherwise tor does not want to start
+        chmod -R 700 /etc/tor
+
+        echo "make sure localhost is up"
+        ip a a 127.0.0.1/8 dev lo
+        # ifconfig lo up
+        ip link set lo up
+
+        echo "tor: starting tor"
+        tor -f ${torRc} --verify-config
+        tor -f ${torRc} &
+      '';
+
+      # ssh setup
+      # todo add the ssh host fingerprint to your trusted stuff
+      # todo set ssh host key here
+      boot.initrd.network.enable = true;
+      boot.initrd.network.ssh = {
+        enable = true;
+        authorizedKeys = cfg.authorizedKeys;
+        port = cfg.port;
+        hostKeys = [ cfg.hostKey ];
+      };
+      boot.initrd.availableKernelModules = cfg.kernelModules;
+    })
+  ];
+}
+

nixos/system/server/netdata.nix

@@ -0,0 +1,15 @@
+{ lib, pkgs, ... }: {
+  services.netdata = {
+    enable = lib.mkDefault true;
+    # https://docs.netdata.cloud/daemon/config/
+    config = {
+      global = {
+        "memory mode" = "ram";
+        "debug log" = "none";
+        "access log" = "none";
+        "error log" = "syslog";
+      };
+    };
+
+  };
+}

nixos/system/server/packages.nix

@@ -0,0 +1,16 @@
+{ pkgs, config, lib, ... }: {
+
+  # no need to to start a service
+  environment.systemPackages = let
+
+    nginxShowConfig = pkgs.writers.writePython3Bin "nginx-show-config" {
+      flakeIgnore = [ "E265" "E225" "W292" ];
+    } (lib.fileContents ../../assets/nginx-show-config.sh);
+  in [
+    pkgs.mosh
+
+    # nginxfmt
+    pkgs.nginx-config-formatter
+    nginxShowConfig
+  ];
+}

nixos/system/server/prometheus-exporters.nix

@@ -0,0 +1,8 @@
+{ config, lib, ... }: {
+  config = lib.mkMerge [
+    (lib.mkIf config.services.nginx.enable {
+      services.prometheus.exporters.nginx.enable = true;
+      services.nginx.statusPage = true;
+    })
+  ];
+}