---
title: web-server
weight: 7
---
In order to host anything online nowadays, you need a couple of things. The first is a [domain](/notes/self-sufficiency/domain.md), and the second is a web server to handle the different domains/subdomains and the HTTP(S) requests, and to deal with the SSL certificates.
Here we will use [`nginx`](https://nginx.org); [`caddy`](https://caddyserver.com) is also an option (as is `apache`, etc.) and it automates SSL, but before moving to `NixOS` I was using `nginx`, so I am more familiar with its syntax.
We will put the following at the root of our own `modules/server/` folder, since it is the aggregation point for all the following services.
## nix declaration
Make a `default.nix` at `<PATH-TO-NIX-CONFIG>/modules/server`
```sh
$ touch <PATH-TO-NIX-CONFIG>/modules/server/default.nix
```
(or use the file explorer of your choice)
### configuration
Open `default.nix` in any text editor, and copy the following
```nix
{
  imports = [
    # ... all the services will go here
  ];
  services = {
    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
    };
    sshguard.enable = true;
    openssh = {
      enable = true;
      settings = {
        # PermitRootLogin is a string enum in NixOS ("yes", "prohibit-password", "no", ...), not a bool
        PermitRootLogin = "no";
        PasswordAuthentication = false;
        AllowTcpForwarding = false;
        X11Forwarding = false;
      };
    };
  };
  networking = {
    firewall.allowedTCPPorts = [ 80 443 ];
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "<YOUR-EMAIL>";
  };
}
```
and you're done.
Let's break the config file down.
### explanation
1) We declare `nginx` as enabled, and set it to use the recommended options.
2) We enable `sshguard`, which protects the host from SSH brute-force attacks, among other things.
3) We enable `openssh`, so that we can access the server via SSH, but configure it so that nobody can use a password to log in, and root login is disabled.
4) We open ports `80` (HTTP) and `443` (HTTPS) to the internet.
5) We set up the `acme` service, which fetches SSL certificates from Let's Encrypt. Let's Encrypt requires you to accept its terms of service and to provide an email address for communication, so we accept the terms and provide an email.
{{% hint warning %}}
Before you enable the openssh config as is, make sure your user has at least one key in `openssh.authorizedKeys.keys`, otherwise you can be locked out of your machine.
To set an SSH authorized key, add this to your `user` config:
```nix
users = {
  users = {
    <YOUR-USER> = {
      # ...
      # each entry is the full public key line, as a Nix string
      openssh.authorizedKeys.keys = [
        "<YOUR-KEY-1>"
        "<YOUR-KEY-2>"
        # ...
      ];
      # ...
    };
  };
};
```
{{% /hint %}}
{{% hint info %}}
By default NixOS sets up a daily timer to renew the Let's Encrypt SSL certificates, so we don't need to worry about expiry.
{{% /hint %}}
Now we can start adding services.
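As an added example (not part of the original note or of any project it describes), here is what one such service module might look like: a `modules/server/myapp.nix` that declares an nginx virtual host for a hypothetical `app.example.org`, gets its certificate through the `acme` service configured above, and reverse-proxies to a backend on the local machine. The file name, domain and backend port are placeholders.

```nix
# modules/server/myapp.nix (added example; file name, domain and port are placeholders)
# Add "./myapp.nix" to the `imports` list in modules/server/default.nix to activate it.
{ config, pkgs, ... }:
{
  services.nginx.virtualHosts."app.example.org" = {
    # Fetch and renew a Let's Encrypt certificate via security.acme from default.nix
    enableACME = true;
    # Redirect every plain-HTTP request to HTTPS
    forceSSL = true;
    locations."/" = {
      # The backend should bind to 127.0.0.1 only, so it is reachable
      # exclusively through nginx and never directly from the internet
      # (80 and 443 are the only ports opened in the firewall above).
      proxyPass = "http://127.0.0.1:8080";
      proxyWebsockets = true;
    };
  };
}
```

Because the virtual host only references the `acme` and `nginx` options that `default.nix` already sets up, each new service module stays self-contained: it declares its own host and is switched on by a single line in `imports`.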