From 0969b36564d70b160fb4314c2208c923033b50a7 Mon Sep 17 00:00:00 2001
From: Emelie
Date: Thu, 23 Sep 2021 16:45:06 +0200
Subject: [PATCH] add anarkafem.dev, minor tweaks
---
config/common/services/openssh.nix | 12 +++
config/hosts/grondahl/configuration.nix | 87 +++++++++++++++++++
.../hosts/grondahl/hardware-configuration.nix | 22 +++
config/hosts/grondahl/services/acme.nix | 14 +++
config/hosts/grondahl/services/coturn.nix | 25 ++++++
config/hosts/grondahl/services/nginx.nix | 65 ++++++++++++++
config/hosts/grondahl/services/postgres.nix | 28 ++++++
config/hosts/grondahl/services/restic.nix | 24 +++++
config/hosts/grondahl/services/sshguard.nix | 7 ++
config/hosts/grondahl/services/synapse.nix | 74 ++++++++++++++++
config/hosts/wind/configuration.nix | 7 +-
config/hosts/wind/services/acme.nix | 2 +-
config/hosts/wind/services/coturn.nix | 2 +-
config/hosts/wind/services/postgres.nix | 2 +-
config/hosts/wind/services/restic.nix | 8 +-
config/hosts/wind/services/synapse.nix | 2 +-
config/hosts/wind/services/vaultwarden.nix | 2 +-
deploy/default.nix | 6 ++
18 files changed, 374 insertions(+), 15 deletions(-)
create mode 100644 config/common/services/openssh.nix
create mode 100644 config/hosts/grondahl/configuration.nix
create mode 100644 config/hosts/grondahl/hardware-configuration.nix
create mode 100644 config/hosts/grondahl/services/acme.nix
create mode 100644 config/hosts/grondahl/services/coturn.nix
create mode 100644 config/hosts/grondahl/services/nginx.nix
create mode 100644 config/hosts/grondahl/services/postgres.nix
create mode 100644 config/hosts/grondahl/services/restic.nix
create mode 100644 config/hosts/grondahl/services/sshguard.nix
create mode 100644 config/hosts/grondahl/services/synapse.nix
diff --git a/config/common/services/openssh.nix b/config/common/services/openssh.nix
new file mode 100644
index 0000000..0bc6c22
--- /dev/null
+++ b/config/common/services/openssh.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ challengeResponseAuthentication = false;
+ hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
+ kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+ macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+ };
+}
diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix
new file mode 100644
index 0000000..2464bd1
--- /dev/null
+++ b/config/hosts/grondahl/configuration.nix
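Review bot: The `macs` list in the new openssh.nix names `hmac-sha2-512-etm@openssh.com` twice; sshd tolerates the duplicate, but it reads like a slip for the 256-bit variant, so either drop the repeat or use `macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];`. Setting `hostKeys` replaces the module's default key set rather than extending it, so only the ed25519 host key is generated and offered, and since wind now imports this file as well (its configuration.nix hunk) that applies to both hosts. A one-line comment above `hostKeys`, e.g. `# ed25519-only host key: clients without ed25519 support cannot connect to any host importing this module`, would make the shared-module consequence explicit.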
@@ -0,0 +1,87 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./data/secrets/secrets.nix
+ ../../common/services/openssh.nix
+ ./services/acme.nix
+ ./services/coturn.nix
+ ./services/nginx.nix
+ ./services/restic.nix
+ ./services/sshguard.nix
+ ./services/synapse.nix
+ ./services/postgres.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/vda";
+
+ networking = {
+ hostName = "grondahl";
+ useDHCP = false;
+ interfaces = {
+ "ens3" = {
+ ipv4.addresses = [ {
+ address = "107.189.30.157";
+ prefixLength = 24;
+ } ];
+ ipv6.addresses = [ {
+ address = "2605:6400:30:ef32::1";
+ prefixLength = 48;
+ } ];
+ };
+ };
+ defaultGateway = "107.189.30.1";
+ defaultGateway6 = {
+ address = "2605:6400:30::1";
+ interface = "ens3";
+ };
+ nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
+ };
+
+ time.timeZone = "Europe/Copenhagen";
+
+ security.sudo.wheelNeedsPassword = false;
+
+ nix = {
+ autoOptimiseStore = true;
+ trustedUsers = [
+ "root"
+ "@wheel"
+ ];
+ };
+
+
+ users.users.emelie = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+ ];
+ };
+
+ users.groups.acme.members = [ "nginx" "turnserver" ];
+ users.groups.postgres.members = [ "restic" ];
+ users.groups.matrix-synapse.members = [ "restic" ];
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ htop
+ iotop
+ dig
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+ networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
+ networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
+
+ system.stateVersion = "21.05";
+
+}
diff --git a/config/hosts/grondahl/hardware-configuration.nix b/config/hosts/grondahl/hardware-configuration.nix
new file mode 100644
index 0000000..1460245
--- /dev/null
+++ b/config/hosts/grondahl/hardware-configuration.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ (modulesPath + "/profiles/minimal.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/8c343c61-87b5-493c-984c-634f59814f3d";
+ fsType = "ext4";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/2cd0615d-c517-4153-907e-6d8dd9d0e7fc"; }
+ ];
+
+}
diff --git a/config/hosts/grondahl/services/acme.nix b/config/hosts/grondahl/services/acme.nix
new file mode 100644
index 0000000..a69f94e
--- /dev/null
+++ b/config/hosts/grondahl/services/acme.nix
@@ -0,0 +1,14 @@
+{ config, ... }:
+
+{
+ security.acme = {
+ acceptTerms = true;
+ email = "admin+certs@anarkafem.dev";
+ certs."anarkafem.dev" = {
+ extraDomainNames = [ "*.anarkafem.dev" ];
+ dnsProvider = "hurricane";
+ credentialsFile = config.secrets.files.acme_anarkafem_dev.file;
+ };
+ };
+}
+
diff --git a/config/hosts/grondahl/services/coturn.nix b/config/hosts/grondahl/services/coturn.nix
new file mode 100644
index 0000000..b1991e3
--- /dev/null
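Review bot: `security.sudo.wheelNeedsPassword = false;` together with `nix.trustedUsers = [ "root" "@wheel" ]` makes every wheel member root-equivalent by two independent routes (passwordless sudo, and a trusted nix-daemon user is documented by Nix as effectively root); here that is `emelie`, which deploy/default.nix also uses as the deploy login, so it is presumably deliberate but nothing in the file says so. A comment beside the sudo line would record the intent, e.g. `# wheel is root-equivalent on purpose: nixus deploys as emelie and needs passwordless sudo plus a trusted nix user`. The firewall ranges `3478-3479`, `5349-5350` and UDP `49152-49999` duplicate values that live in coturn.nix (`min-port`/`max-port`) and synapse.nix (`turn_uris`); declaring the ranges in coturn.nix next to the port options they mirror would keep the three files from drifting apart.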
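Review bot: The certificate issued for `anarkafem.dev` is read straight from `/var/lib/acme/anarkafem.dev/` by coturn.nix (`cert`/`pkey`), but nothing visible restarts or reloads coturn after a renewal, so the TURN TLS listeners on 5349/5350 would keep presenting the previous certificate until the service is restarted for some other reason (the nginx module is expected to arrange its own reload; coturn is not covered by anything shown here). Adding `postRun = "systemctl restart coturn.service";` inside the `certs."anarkafem.dev"` block, or the reload-services option if your nixpkgs version provides one, closes that gap. Wind's acme.nix hunk has the same cert layout and the same consideration applies there.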
+++ b/config/hosts/grondahl/services/coturn.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+ services.coturn = {
+ enable = true;
+ lt-cred-mech = true;
+ use-auth-secret = true;
+ static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+ realm = "turn.anarkafem.dev";
+ relay-ips = [
+ "107.189.30.157"
+ "2605:6400:30:ef32::1"
+ ];
+ no-tcp-relay = true;
+ extraConfig = "
+ cipher-list=\"HIGH\"
+ no-loopback-peers
+ no-multicast-peers
+ ";
+ secure-stun = true;
+ cert = "/var/lib/acme/anarkafem.dev/fullchain.pem";
+ pkey = "/var/lib/acme/anarkafem.dev/key.pem";
+ min-port = 49152;
+ max-port = 49999;
+ };
+}
diff --git a/config/hosts/grondahl/services/nginx.nix b/config/hosts/grondahl/services/nginx.nix
new file mode 100644
index 0000000..77885a7
--- /dev/null
+++ b/config/hosts/grondahl/services/nginx.nix
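Review bot: `static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;` appears to write the path of the secret file into coturn's config rather than its contents: elsewhere in this commit `.file` is handed to `passwordFile` and `credentialsFile`, which take paths, so the value is most likely a filesystem path string. synapse.nix does the same with `turn_shared_secret`, so both sides agree and TURN authentication will work, but the effective shared secret is then a predictable path rather than random key material, which makes the HMAC credentials that gate relay access guessable. If the module offers it, `static-auth-secret-file = config.secrets.files.turn_shared_secret.file;` here, with the synapse side moved into `extraConfigFiles`, keeps the real secret out of both the generated config and the store. Please confirm what the `secrets.files` module exposes, since secrets.nix is not part of this diff.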
@@ -0,0 +1,65 @@
+{
+ services.nginx = {
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+ commonHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # Enable XSS protection of the browser.
+ # May be unnecessary when CSP is configured properly (see above)
+ add_header X-XSS-Protection "1; mode=block";
+
+ # This might create errors
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+
+ virtualHosts = {
+ "anarkafem.dev" = {
+ useACMEHost = "anarkafem.dev";
+ forceSSL = true;
+ locations."/".root = "/var/www/anarkafem.dev/public";
+ locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
+ locations."/_matrix/federation".return = "403";
+ locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+ locations."/.well-known/matrix/" = {
+ root = "/var/www/matrix/public";
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ add_header Strict-Transport-Security $hsts_header;
+ add_header Referrer-Policy "origin-when-cross-origin";
+ add_header X-Frame-Options "DENY";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-XSS-Protection "1; mode=block";
+ '';
+ };
+ };
+ };
+ };
+}
diff --git a/config/hosts/grondahl/services/postgres.nix b/config/hosts/grondahl/services/postgres.nix
new file mode 100644
index 0000000..e092165
--- /dev/null
+++ b/config/hosts/grondahl/services/postgres.nix
@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+{
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_13;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE synapse;
+ CREATE DATABASE synapse WITH OWNER synapse
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C"
+ ENCODING = "UTF8";
+ '';
+ authentication = pkgs.lib.mkOverride 10 ''
+ local all all trust
+ host all all ::1/128 trust
+ '';
+ };
+
+ services.postgresqlBackup = {
+ enable = true;
+ location = "/var/lib/postgresql/backup";
+ databases = [ "synapse" ];
+ startAt = "02:30";
+ compression = "none";
+ };
+}
+
diff --git a/config/hosts/grondahl/services/restic.nix b/config/hosts/grondahl/services/restic.nix
new file mode 100644
index 0000000..35de8fc
--- /dev/null
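Review bot: The `/_matrix/` proxy in the `anarkafem.dev` vhost leaves nginx's request-body limit at the module default while synapse.nix sets `max_upload_size = "20M"`, so media uploads above nginx's `client_max_body_size` (the NixOS option `services.nginx.clientMaxBodySize`, which I believe defaults to 10m) are rejected with 413 before synapse ever sees them. Setting `clientMaxBodySize = "20M";` next to the `recommended*` options, or `extraConfig = "client_max_body_size 20M;";` on the `/_matrix/` location, keeps the two limits consistent. The `# This might create errors` comment on `proxy_cookie_path` would be more useful if it said which error is meant, e.g. `# rewrites upstream cookies to Secure/HttpOnly/SameSite=strict; strict SameSite can break cross-site flows behind the proxy`.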
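Review bot: `CREATE ROLE synapse;` in `initialScript` creates a role without the LOGIN attribute (PostgreSQL's default for CREATE ROLE), so the `database_user = "synapse"` connection configured in synapse.nix will be refused unless LOGIN is granted somewhere outside this diff; `CREATE ROLE synapse WITH LOGIN;` is presumably the intended line. The `authentication` override then uses `trust` for every local socket connection and for `::1/128`, which lets any local OS account open a session as any role, including the superuser; `local all all peer map=synapse` with a `services.postgresql.identMap` entry mapping the `matrix-synapse` OS user to the `synapse` role keeps the boundary without needing a password. If wind's postgres.nix carries the same script and works today, a comment explaining how the role obtains LOGIN there would help the next reader.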
+++ b/config/hosts/grondahl/services/restic.nix
@@ -0,0 +1,24 @@
+{ config, ... }:
+{
+ services.restic.backups = {
+ "postgres" = {
+ paths = [ "/var/lib/postgresql/backup" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/postgres";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "03:15"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ };
+ "synapse" = {
+ paths = [ "/var/lib/matrix-synapse" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/synapse";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "03:45"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ };
+ };
+}
+
diff --git a/config/hosts/grondahl/services/sshguard.nix b/config/hosts/grondahl/services/sshguard.nix
new file mode 100644
index 0000000..a36708e
--- /dev/null
+++ b/config/hosts/grondahl/services/sshguard.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ services.sshguard = {
+ enable = true;
+ blocktime = 300;
+ };
+}
diff --git a/config/hosts/grondahl/services/synapse.nix b/config/hosts/grondahl/services/synapse.nix
new file mode 100644
index 0000000..9becf4e
--- /dev/null
+++ b/config/hosts/grondahl/services/synapse.nix
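Review bot: Both backup jobs shell out to `ssh restic@despondos.nao.sh -i … -s sftp` with no pinned host key, so the first run as the service user (root unless `user` is set) either stops on the unknown-host prompt under systemd or, if that prompt was bypassed, trusts whichever key the remote presents; the four `extraOptions` lines in wind's restic.nix hunks have the same shape. Pin the backup target with `programs.ssh.knownHosts."despondos.nao.sh".publicKey = "<BACKUP_HOST_PUBKEY>";` (placeholder — take the value from the real host) so a redirected connection cannot obtain the SFTP session or exercise the `ssh_key` identity. Repository encryption limits what a wrong endpoint could read, but the pin is what makes the backup stream go only where intended.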
@@ -0,0 +1,74 @@
+{ config, ... }:
+
+{
+ services.matrix-synapse = {
+ enable = true;
+ server_name = "anarkafem.dev";
+ enable_registration = true;
+ registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+ turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+ max_upload_size = "20M";
+ database_type = "psycopg2";
+ database_user = "synapse";
+ database_name = "synapse";
+ turn_uris = [
+ "turn:turn.anarkafem.dev:3478?transport=udp"
+ "turn:turn.anarkafem.dev:3478?transport=tcp"
+ "turn:turn.anarkafem.dev:3479?transport=udp"
+ "turn:turn.anarkafem.dev:3479?transport=tcp"
+ "turns:turn.anarkafem.dev:5349?transport=udp"
+ "turns:turn.anarkafem.dev:5349?transport=tcp"
+ "turns:turn.anarkafem.dev:5350?transport=udp"
+ "turns:turn.anarkafem.dev:5350?transport=tcp"
+ ];
+ report_stats = false;
+ withJemalloc = true;
+ servers = { "anarkafem.dev" = {}; };
+ extraConfig = ''
+ federation_domain_whitelist:
+ - anarkafem.dev
+ auto_join_rooms:
+ - "#suf-aalborg:anarkafem.dev"
+ '';
+ logConfig = ''
+ version: 1
+
+ formatters:
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+ handlers:
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+
+ loggers:
+ synapse.storage.SQL:
+ # beware: increasing this to DEBUG will make synapse log sensitive
+ # information such as access tokens.
+ level: INFO
+
+ root:
+ level: INFO
+ handlers: [console]
+
+ disable_existing_loggers: false
+ '';
+ listeners = [
+ {
+ port = 8008;
+ bind_address = "127.0.0.1";
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ };
+}
+
diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix
index 98ac12c..6424ce1 100644
--- a/config/hosts/wind/configuration.nix
+++ b/config/hosts/wind/configuration.nix
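Review bot: `enable_registration = true` opens account creation on `anarkafem.dev` to anyone, with no captcha or verified-contact gate visible in `extraConfig`, while the same commit keeps wind's synapse at `false` and closes vaultwarden sign-ups, so please confirm it is deliberate. If open sign-up is wanted, gate it with something like `registrations_require_3pid` or `enable_registration_captcha` in `extraConfig`; if not, leave it `false` and create accounts through the `registration_shared_secret` that is already configured. Separately, `registration_shared_secret` and `turn_shared_secret` are `builtins.toString` of `.file`, which by the `passwordFile`/`credentialsFile` usage elsewhere in this diff is a path, so the values in synapse's generated YAML would be path strings rather than secrets; `extraConfigFiles = [ config.secrets.files.synapse_registration_shared_secret.file ];` with a YAML fragment in that file is the module's way to keep real secrets out of the store, subject to what secrets.nix actually exposes.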
@@ -3,6 +3,7 @@
 {
 imports = [
 ./hardware-configuration.nix
+ ../../common/services/openssh.nix
 ./services/acme.nix
 ./services/coturn.nix
 ./services/nginx.nix
@@ -56,12 +57,6 @@
 ];
 };
- services.openssh = {
- enable = true;
- passwordAuthentication = false;
- permitRootLogin = "no";
- challengeResponseAuthentication = false;
- };
 # Use hetzner firewall instead
 networking.firewall.enable = false;
diff --git a/config/hosts/wind/services/acme.nix b/config/hosts/wind/services/acme.nix
index a4d02ad..2935014 100644
--- a/config/hosts/wind/services/acme.nix
+++ b/config/hosts/wind/services/acme.nix
@@ -5,7 +5,7 @@
 acceptTerms = true;
 email = "admin+certs@graven.dev";
 certs."graven.dev" = {
- extraDomainNames = "*.graven.dev";
+ extraDomainNames = [ "*.graven.dev" ];
 dnsProvider = "hurricane";
 credentialsFile = config.secrets.files.acme_graven_dev.file;
 };
diff --git a/config/hosts/wind/services/coturn.nix b/config/hosts/wind/services/coturn.nix
index e4f25e3..6481466 100644
--- a/config/hosts/wind/services/coturn.nix
+++ b/config/hosts/wind/services/coturn.nix
@@ -4,7 +4,7 @@
 enable = true;
 lt-cred-mech = true;
 use-auth-secret = true;
- static-auth-secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
+ static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
 realm = "turn.graven.dev";
 relay-ips = [
 "65.21.58.38"
diff --git a/config/hosts/wind/services/postgres.nix b/config/hosts/wind/services/postgres.nix
index be905b2..79cf378 100644
--- a/config/hosts/wind/services/postgres.nix
+++ b/config/hosts/wind/services/postgres.nix
@@ -20,7 +20,7 @@
 services.postgresqlBackup = {
 enable = true;
 location = "/var/lib/postgresql/backup";
- databases = [ "gitea" "mogger" "synapse" "tt_rss" ];
+ databases = [ "synapse" ];
 startAt = "02:30";
 compression = "none";
 };
diff --git a/config/hosts/wind/services/restic.nix b/config/hosts/wind/services/restic.nix
index d791f3f..cc97cb4 100644
--- a/config/hosts/wind/services/restic.nix
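Review bot: Dropping `"gitea" "mogger" "tt_rss"` from `databases` in wind's postgres.nix silently ends their dumps; if any of those databases still exists on wind it is no longer in the nightly `postgresqlBackup` run nor, therefore, in the restic `postgres` job that ships `/var/lib/postgresql/backup`. A comment such as `# gitea/mogger/tt_rss were decommissioned; only synapse remains` would record the reason, or the entries could stay until the databases themselves are dropped.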
+++ b/config/hosts/wind/services/restic.nix
@@ -9,7 +9,7 @@
 initialize = true;
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 timerConfig = { "OnCalendar" = "02:15"; };
- extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
 passwordFile = builtins.toString config.secrets.files.restic_pass.file;
 };
 "postgres" = {
@@ -18,7 +18,7 @@
 initialize = true;
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 timerConfig = { "OnCalendar" = "03:00"; };
- extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
 passwordFile = builtins.toString config.secrets.files.restic_pass.file;
 };
 "synapse" = {
@@ -27,7 +27,7 @@
 initialize = true;
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 timerConfig = { "OnCalendar" = "03:30"; };
- extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
 passwordFile = builtins.toString config.secrets.files.restic_pass.file;
 };
 "vaultwarden" = {
@@ -36,7 +36,7 @@
 initialize = true;
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 timerConfig = { "OnCalendar" = "23:45"; };
- extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
 passwordFile = builtins.toString config.secrets.files.restic_pass.file;
 };
 };
diff --git a/config/hosts/wind/services/synapse.nix b/config/hosts/wind/services/synapse.nix
index 1c8c0ef..fa98d4c 100644
--- a/config/hosts/wind/services/synapse.nix
+++ b/config/hosts/wind/services/synapse.nix
@@ -6,7 +6,7 @@
 server_name = "graven.dev";
 enable_registration = false;
 registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
- turn_shared_secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
+ turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
 max_upload_size = "100M";
 database_type = "psycopg2";
 database_user = "synapse";
diff --git a/config/hosts/wind/services/vaultwarden.nix b/config/hosts/wind/services/vaultwarden.nix
index bb072a3..bf6c7d3 100644
--- a/config/hosts/wind/services/vaultwarden.nix
+++ b/config/hosts/wind/services/vaultwarden.nix
@@ -6,7 +6,7 @@
 backupDir = "/var/lib/bitwarden_rs/backup";
 config = {
 domain = "https://vault.graven.dev";
- signupsAllowed = true;
+ signupsAllowed = false;
 rocketPort = 8812;
 ipHeader = "X-Real-IP";
 websocketEnabled = true;
diff --git a/deploy/default.nix b/deploy/default.nix
index f46e893..0384c91 100644
--- a/deploy/default.nix
+++ b/deploy/default.nix
@@ -18,6 +18,12 @@ in import "${sources.nixus}" {} ({ config, ... }: {
 switchTimeout = 300;
 successTimeout = 300;
 };
+ grondahl = { lib, config, ... }: {
+ host = "emelie@anarkafem.dev";
+ configuration = ../config/hosts/grondahl/configuration.nix;
+ switchTimeout = 300;
+ successTimeout = 300;
+ };
 };
})