# Common services on NixOS

NixOS makes enabling and configuring services straightforward: everything is declared in `configuration.nix`.
## SSH

Basic configuration:

```nix
{
  services.openssh.enable = true;
  services.openssh.settings = {
    PermitRootLogin = "no";
    PasswordAuthentication = false;
  };
}
```

With authorized keys for a user:

```nix
{
  users.users.admin.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAA... user@machine"
  ];
}
```
## Nginx

Simple web server:

```nix
{
  services.nginx.enable = true;
  services.nginx.virtualHosts."monsite.com" = {
    root = "/var/www/monsite";
  };
}
```

With HTTPS (Let's Encrypt):

```nix
{
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "admin@monsite.com";
  services.nginx.enable = true;
  services.nginx.virtualHosts."monsite.com" = {
    enableACME = true;
    forceSSL = true;
    root = "/var/www/monsite";
  };
}
```

Reverse proxy:

```nix
{
  services.nginx.virtualHosts."app.monsite.com" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:3000";
      proxyWebsockets = true;
    };
  };
}
```
## Docker

```nix
{
  virtualisation.docker.enable = true;
  # Add the user to the docker group
  # (members can talk to the daemon socket, which is effectively root access)
  users.users.admin.extraGroups = [ "docker" ];
}
```

With Docker Compose:

```nix
{
  environment.systemPackages = with pkgs; [
    docker-compose
  ];
}
```
## Podman

```nix
{
  virtualisation.podman.enable = true;
  virtualisation.podman.dockerCompat = true; # provides a `docker` alias for podman
}
```
## PostgreSQL

```nix
{
  services.postgresql.enable = true;
  services.postgresql.package = pkgs.postgresql_15;
  services.postgresql.ensureDatabases = [ "myapp" ];
  services.postgresql.ensureUsers = [
    {
      name = "myapp";
      ensureDBOwnership = true;
    }
  ];
}
```
## MariaDB / MySQL

```nix
{
  services.mysql.enable = true;
  services.mysql.package = pkgs.mariadb;
  services.mysql.ensureDatabases = [ "wordpress" ];
  services.mysql.ensureUsers = [
    {
      name = "wordpress";
      ensurePermissions = {
        "wordpress.*" = "ALL PRIVILEGES";
      };
    }
  ];
}
```
## Fail2ban

```nix
{
  services.fail2ban.enable = true;
  services.fail2ban.maxretry = 5;
  services.fail2ban.bantime = "10m";
  services.fail2ban.jails = {
    sshd.settings = {
      enabled = true;
      maxretry = 3;
    };
  };
}
```
## Cron / scheduled tasks

With systemd timers (recommended):

```nix
{
  systemd.timers."backup-daily" = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;
    };
  };
  systemd.services."backup-daily" = {
    script = ''
      ${pkgs.rsync}/bin/rsync -av /data /backup/
    '';
    serviceConfig.Type = "oneshot";
  };
}
```
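The same daily backup timer, written so the oneshot service runs with least privilege: a dedicated system user and systemd's sandboxing directives instead of an unrestricted root unit. This is an added example, not part of the original page; it assumes `/data` is readable and `/backup` writable by a `backup` group you create, and that the copy is purely local.

```nix
{ pkgs, ... }:
{
  systemd.timers."backup-daily" = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;
      # Spread start times so several hosts do not hit a shared target at once
      RandomizedDelaySec = "15m";
    };
  };

  systemd.services."backup-daily" = {
    # Only the packages listed here end up on the unit's PATH
    path = [ pkgs.rsync ];
    script = ''
      rsync -av /data /backup/
    '';
    serviceConfig = {
      Type = "oneshot";
      # Dedicated unprivileged account (assumption: group "backup" owns /backup)
      User = "backup";
      Group = "backup";
      # Read-only view of the OS; only /backup is writable
      ProtectSystem = "strict";
      ReadWritePaths = [ "/backup" ];
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      NoNewPrivileges = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictSUIDSGID = true;
      CapabilityBoundingSet = "";
      SystemCallFilter = [ "@system-service" ];
      # Local rsync only needs a socketpair; no IP networking
      RestrictAddressFamilies = [ "AF_UNIX" ];
    };
  };

  users.users.backup = {
    isSystemUser = true;
    group = "backup";
  };
  users.groups.backup = { };
}
```

After a rebuild, `systemd-analyze security backup-daily.service` scores the unit's exposure and points out any directive worth tightening further.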
## Grafana

```nix
{
  services.grafana.enable = true;
  services.grafana.settings.server = {
    http_addr = "127.0.0.1";
    http_port = 3000;
  };
}
```
## Prometheus

```nix
{
  services.prometheus.enable = true;
  services.prometheus.scrapeConfigs = [
    {
      job_name = "node";
      static_configs = [{
        targets = [ "localhost:9100" ];
      }];
    }
  ];
  services.prometheus.exporters.node.enable = true;
}
```
## Checking service status

```bash
systemctl status nginx
systemctl status docker
journalctl -u nginx -f
```

## Finding a service's options

All options are listed at https://search.nixos.org/options

Example: search for "services.nginx" to see every available Nginx option.