From 2134a2a161c25ffcf1675160a0d64ae8479fdd3f Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Sat, 29 Jan 2022 00:50:24 +0300
Subject: [PATCH] update oracle-cloud config
---
 machines/Oracle-Cloud/default.nix | 6 +-
 .../Oracle-Cloud/hardware-configuration.nix | 6 +-
 profiles/boot.nix | 2 +-
 profiles/servers/nginx.nix | 70 +++++++++++--------
 profiles/workspace/ssh.nix | 3 +
 roles/server.nix | 8 +--
 6 files changed, 56 insertions(+), 39 deletions(-)
diff --git a/machines/Oracle-Cloud/default.nix b/machines/Oracle-Cloud/default.nix
index dddfab6..f723be7 100644
--- a/machines/Oracle-Cloud/default.nix
+++ b/machines/Oracle-Cloud/default.nix
@@ -9,18 +9,18 @@
 arch = "aarch64";
 vendor = "broadcom";
 clock = 2800;
- cores = 2;
+ cores = 4;
 };
 drive = {
 type = "ssd";
 speed = 1000;
- size = 100;
+ size = 150;
 };
 gpu = {
 vendor = "other";
 };
 bigScreen = false;
- ram = 12;
+ ram = 24;
 };
 deviceSpecific.isHost = false;
 deviceSpecific.isShared = false;
diff --git a/machines/Oracle-Cloud/hardware-configuration.nix b/machines/Oracle-Cloud/hardware-configuration.nix
index c0a44ed..a9c0495 100644
--- a/machines/Oracle-Cloud/hardware-configuration.nix
+++ b/machines/Oracle-Cloud/hardware-configuration.nix
@@ -6,11 +6,11 @@
 efiInstallAsRemovable = true;
 device = "nodev";
 };
- fileSystems."/boot" = { device = "/dev/disk/by-uuid/C8C5-C634"; fsType = "vfat"; };
+ fileSystems."/boot" = { device = "/dev/disk/by-uuid/A368-4D28"; fsType = "vfat"; };
 boot.initrd.kernelModules = [ "nvme" ];
 fileSystems."/" = { device = "/dev/sda3"; fsType = "xfs"; };
 swapDevices = [ {
- device = "/dev/disk/by-partuuid/d4aa8434-9803-45ac-9983-07e10e1409b4";
+ device = "/dev/disk/by-partuuid/87bcc339-3295-4fc0-a219-1c31436b1c51";
 randomEncryption.enable = true;
 } ];
-}
\ No newline at end of file
+}
diff --git a/profiles/boot.nix b/profiles/boot.nix
index a95019d..d5a019d 100644
--- a/profiles/boot.nix
+++ b/profiles/boot.nix
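Review bot: The root filesystem on the context line between the two updated entries is still addressed as `/dev/sda3`, while `/boot` and swap now use `/dev/disk/by-uuid` and `/dev/disk/by-partuuid`; kernel device names can change on a cloud instance (the initrd already loads `nvme`), and a wrong root device leaves the host unbootable, so pin it the same way: `fileSystems."/" = { device = "/dev/disk/by-uuid/<ROOT-UUID placeholder>"; fsType = "xfs"; };`. Choosing by-partuuid rather than by-uuid for the swap entry is correct alongside `randomEncryption.enable = true`, because the swap header is re-created with a fresh key on every boot and the partition UUID is the only stable handle; a one-line comment would stop the next reader from "fixing" it: `# by-partuuid, not by-uuid: randomEncryption rewrites the swap header each boot`.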
@@ -27,7 +27,7 @@ with config.deviceSpecific; {
 "vm.swappiness" = if config.deviceSpecific.isSSD then 1 else 10;
 };
 } else {
- # kernelPackages = pkgs.linuxPackages_hardened;
+ kernelPackages = pkgs.linuxPackages_5_15_hardened;
 kernelModules = [ "tcp_bbr" ];
 kernel.sysctl = {
 "kernel.sysrq" = 0;
diff --git a/profiles/servers/nginx.nix b/profiles/servers/nginx.nix
index fe0e85b..94ce472 100644
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
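Review bot: `kernelPackages = pkgs.linuxPackages_5_15_hardened;` pins the server branch to a single hardened kernel series, so this host silently stops receiving kernel updates once that attribute is dropped from nixpkgs or the 5.15 series reaches end of life; the line it replaces tracked an unversioned attribute. The pin needs a why-comment beside it, e.g. `# pinned to one hardened series on purpose; bump when linuxPackages_5_15_hardened disappears from nixpkgs`, plus an entry in whatever checklist drives nixpkgs upgrades. The enclosing `else { … }` branch begins and ends outside the hunk, so whether the other branch makes a matching choice is not visible here.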
@@ -16,34 +16,48 @@
 ## DNS-over-TLS
 services.stubby = {
 enable = true;
- listenAddresses = [ "0::1" "127.0.0.1" ];
- roundRobinUpstreams = false;
- upstreamServers = ''
- ## Quad9
- - address_data: 2620:fe::fe
- tls_auth_name: "dns.quad9.net"
- - address_data: 2620:fe::9
- tls_auth_name: "dns.quad9.net"
- - address_data: 9.9.9.9
- tls_auth_name: "dns.quad9.net"
- - address_data: 149.112.112.112
- tls_auth_name: "dns.quad9.net"
- ## Cloudflare
- - address_data: 2606:4700:4700::1112
- tls_auth_name: "cloudflare-dns.com"
- - address_data: 2606:4700:4700::1002
- tls_auth_name: "cloudflare-dns.com"
- - address_data: 1.1.1.2
- tls_auth_name: "cloudflare-dns.com"
- - address_data: 1.0.0.2
- tls_auth_name: "cloudflare-dns.com"
- '';
- extraConfig = ''
- # Set TLS 1.3 as minimum acceptable version
- tls_min_version: GETDNS_TLS1_3
- # Require DNSSEC validation
- dnssec: GETDNS_EXTENSION_TRUE
- '';
+ settings = pkgs.stubby.passthru.settingsExample // {
+ dnssec = "GETDNS_EXTENSION_TRUE";
+ listen_addresses = [ "0::1" "127.0.0.1" ];
+ resolution_type = "GETDNS_RESOLUTION_STUB";
+ round_robin_upstreams = 1;
+ tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED";
+ tls_min_version = "GETDNS_TLS1_3";
+ upstream_recursive_servers = [
+ {
+ address_data = "2620:fe::fe";
+ tls_auth_name = "dns.quad9.net";
+ }
+ {
+ address_data = "2620:fe::9";
+ tls_auth_name = "dns.quad9.net";
+ }
+ {
+ address_data = "9.9.9.9";
+ tls_auth_name = "dns.quad9.net";
+ }
+ {
+ address_data = "149.112.112.112";
+ tls_auth_name = "dns.quad9.net";
+ }
+ {
+ address_data = "2606:4700:4700::1112";
+ tls_auth_name = "cloudflare-dns.com";
+ }
+ {
+ address_data = "2606:4700:4700::1002";
+ tls_auth_name = "cloudflare-dns.com";
+ }
+ {
+ address_data = "1.1.1.2";
+ tls_auth_name = "cloudflare-dns.com";
+ }
+ {
+ address_data = "1.0.0.2";
+ tls_auth_name = "cloudflare-dns.com";
+ }
+ ];
+ };
 };
 networking.nameservers = [ "::1" "127.0.0.1" ];
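Review bot: `round_robin_upstreams = 1;` inverts the previous `roundRobinUpstreams = false;`, so queries are now rotated across Quad9 and Cloudflare instead of sticking to the first listed resolver and only failing over; if that is deliberate it should be stated in a comment, otherwise keep the old behaviour with `round_robin_upstreams = 0;`. The `//` merge is shallow, so every key of `pkgs.stubby.passthru.settingsExample` not listed here stays in effect, whatever that example ships; either enumerate the keys you rely on or record the dependency with `# remaining keys come from settingsExample; anything listed below overrides it`. The `## Quad9` / `## Cloudflare` grouping and the "require DNSSEC validation" / "TLS 1.3 minimum" explanations from the removed YAML were lost in the conversion and should come back as Nix `#` comments above the respective entries and on the `dnssec` and `tls_min_version` lines. Making `tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED"` explicit is a good addition, since it is what turns the `tls_auth_name` values into a hard requirement rather than an opportunistic check.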
diff --git a/profiles/workspace/ssh.nix b/profiles/workspace/ssh.nix
index ed49eac..3c3b705 100644
--- a/profiles/workspace/ssh.nix
+++ b/profiles/workspace/ssh.nix
@@ -21,6 +21,9 @@
 compression = false;
 };
 };
+ extraConfig = ''
+ Match host * exec "gpg-connect-agent UPDATESTARTUPTTY /bye"
+ '';
 };
 };
 }
diff --git a/roles/server.nix b/roles/server.nix
index e55a06c..463737e 100644
--- a/roles/server.nix
+++ b/roles/server.nix
@@ -9,10 +9,10 @@
 direnv
 kitty
- coturn
- gitea
- mailserver
- matrix-synapse
+ #coturn
+ #gitea
+ #mailserver
+ #matrix-synapse
 nginx
 vscode-server
 ];
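Review bot: The added `Match host * exec "gpg-connect-agent UPDATESTARTUPTTY /bye"` runs that command through the user's shell on every ssh connection, including non-interactive ones (scp, git, rsync, ProxyCommand hops), and a `Match … exec` whose command fails only evaluates to false, so a `gpg-connect-agent` missing from PATH or a dead agent socket goes unnoticed until a pinentry appears on the wrong terminal. The line has no comment saying what it is for; presumably gpg-agent is serving as the SSH agent and needs the current tty for pinentry — confirm, then record it: `# gpg-agent acts as the SSH agent: point it at the current tty before each connection so pinentry shows up here`. Because a `Match` block extends until the next `Host`/`Match` keyword, where `extraConfig` is emitted relative to the generated `Host` blocks matters; worth checking the rendered ssh config once. The attribute sets this sits in open and close outside the hunk.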
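Review bot: Commenting out `coturn`, `gitea`, `mailserver` and `matrix-synapse` leaves four dead entries with no indication of why they were disabled or whether they are meant to return; git already keeps the history, so either delete the lines or keep a single comment giving the reason, e.g. `# coturn, gitea, mailserver, matrix-synapse disabled: <reason placeholder>`. If these names are profile imports, dropping them removes the services from the generated system but not their on-disk state, which is worth checking on the host after the switch.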