add anarkafem.dev, minor tweaks

config/common/services/openssh.nix

@@ -0,0 +1,12 @@
+{ ... }:
+{
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "no";
+    passwordAuthentication = false;
+    challengeResponseAuthentication = false;
+    hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
+    kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+    macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+  };
+}

config/hosts/grondahl/configuration.nix

@@ -0,0 +1,87 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./data/secrets/secrets.nix
+    ../../common/services/openssh.nix
+    ./services/acme.nix
+    ./services/coturn.nix
+    ./services/nginx.nix
+    ./services/restic.nix
+    ./services/sshguard.nix
+    ./services/synapse.nix
+    ./services/postgres.nix
+    ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/vda";
+
+  networking = {
+    hostName = "grondahl";
+    useDHCP = false;
+    interfaces = {
+      "ens3" = {
+        ipv4.addresses = [ {
+          address = "107.189.30.157";
+          prefixLength = 24;
+        } ];
+        ipv6.addresses = [ {
+          address = "2605:6400:30:ef32::1";
+          prefixLength = 48;
+        } ];
+      };
+    };
+    defaultGateway = "107.189.30.1";
+    defaultGateway6 = {
+      address = "2605:6400:30::1";
+      interface = "ens3";
+    };
+    nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
+  };
+
+  time.timeZone = "Europe/Copenhagen";
+
+  security.sudo.wheelNeedsPassword = false;
+
+  nix = {
+    autoOptimiseStore = true;
+    trustedUsers = [
+      "root"
+      "@wheel"
+    ];
+  };
+
+
+
+  users.users.emelie = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+    ];
+  };
+
+  users.groups.acme.members = [ "nginx" "turnserver" ];
+  users.groups.postgres.members = [ "restic" ];
+  users.groups.matrix-synapse.members = [ "restic" ];
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    htop
+    iotop
+    dig
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
+  networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
+
+  system.stateVersion = "21.05";
+
+}

config/hosts/grondahl/hardware-configuration.nix

@@ -0,0 +1,22 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+      (modulesPath + "/profiles/minimal.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/8c343c61-87b5-493c-984c-634f59814f3d";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/2cd0615d-c517-4153-907e-6d8dd9d0e7fc"; }
+    ];
+
+}

config/hosts/grondahl/services/acme.nix

@@ -0,0 +1,14 @@
+{ config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    email = "admin+certs@anarkafem.dev";
+    certs."anarkafem.dev" = {
+      extraDomainNames = [ "*.anarkafem.dev" ];
+      dnsProvider = "hurricane";
+      credentialsFile = config.secrets.files.acme_anarkafem_dev.file;
+    };
+  };
+}
+

config/hosts/grondahl/services/coturn.nix

@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  services.coturn = {
+    enable = true;
+    lt-cred-mech = true;
+    use-auth-secret = true;
+    static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    realm = "turn.anarkafem.dev";
+    relay-ips = [
+      "107.189.30.157"
+      "2605:6400:30:ef32::1"
+    ];
+    no-tcp-relay = true;
+    extraConfig = "
+    cipher-list=\"HIGH\"
+    no-loopback-peers
+    no-multicast-peers
+    ";
+    secure-stun = true;
+    cert = "/var/lib/acme/anarkafem.dev/fullchain.pem";
+    pkey = "/var/lib/acme/anarkafem.dev/key.pem";
+    min-port = 49152;
+    max-port = 49999;
+  };
+}

config/hosts/grondahl/services/nginx.nix

@@ -0,0 +1,65 @@
+{
+  services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256
+    sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Enable CSP for your services.
+      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+
+    virtualHosts = {
+      "anarkafem.dev" = {
+        useACMEHost = "anarkafem.dev";
+        forceSSL = true;
+        locations."/".root = "/var/www/anarkafem.dev/public";
+        locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
+        locations."/_matrix/federation".return = "403";
+        locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+        locations."/.well-known/matrix/" = {
+          root = "/var/www/matrix/public";
+          extraConfig = ''
+            default_type application/json;
+            add_header Access-Control-Allow-Origin "*";
+            add_header Strict-Transport-Security $hsts_header;
+            add_header Referrer-Policy "origin-when-cross-origin";
+            add_header X-Frame-Options "DENY";
+            add_header X-Content-Type-Options "nosniff";
+            add_header X-XSS-Protection "1; mode=block";
+          '';
+        };
+      };
+    };
+  };
+}

config/hosts/grondahl/services/postgres.nix

@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_13;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+                      CREATE ROLE synapse;
+                      CREATE DATABASE synapse WITH OWNER synapse
+                          TEMPLATE template0
+                          LC_COLLATE = "C"
+                          LC_CTYPE = "C"
+                          ENCODING = "UTF8";
+    '';
+    authentication = pkgs.lib.mkOverride 10 ''
+        local all all trust
+        host all all ::1/128 trust
+    '';
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    location = "/var/lib/postgresql/backup";
+    databases = [ "synapse" ];
+    startAt = "02:30";
+    compression = "none";
+  };
+}
+

config/hosts/grondahl/services/restic.nix

@@ -0,0 +1,24 @@
+{ config, ... }:
+{
+  services.restic.backups = {
+    "postgres" = {
+      paths = [ "/var/lib/postgresql/backup" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/postgres";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:15"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+    };
+    "synapse" = {
+      paths = [ "/var/lib/matrix-synapse" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/synapse";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:45"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+    };
+  };
+}
+

config/hosts/grondahl/services/sshguard.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  services.sshguard = {
+    enable = true;
+    blocktime = 300;
+  };
+}

config/hosts/grondahl/services/synapse.nix

@@ -0,0 +1,74 @@
+{ config, ... }:
+
+{
+  services.matrix-synapse = {
+    enable = true;
+    server_name = "anarkafem.dev";
+    enable_registration = true;
+    registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+    turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    max_upload_size = "20M";
+    database_type = "psycopg2";
+    database_user = "synapse";
+    database_name = "synapse";
+    turn_uris = [
+      "turn:turn.anarkafem.dev:3478?transport=udp"
+      "turn:turn.anarkafem.dev:3478?transport=tcp"
+      "turn:turn.anarkafem.dev:3479?transport=udp"
+      "turn:turn.anarkafem.dev:3479?transport=tcp"
+      "turns:turn.anarkafem.dev:5349?transport=udp"
+      "turns:turn.anarkafem.dev:5349?transport=tcp"
+      "turns:turn.anarkafem.dev:5350?transport=udp"
+      "turns:turn.anarkafem.dev:5350?transport=tcp"
+    ];
+    report_stats = false;
+    withJemalloc = true;
+    servers = { "anarkafem.dev" = {}; };
+    extraConfig = ''
+      federation_domain_whitelist: 
+        - anarkafem.dev
+      auto_join_rooms:
+        - "#suf-aalborg:anarkafem.dev"
+    '';
+    logConfig = ''
+      version: 1
+
+      formatters:
+          precise:
+              format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+      handlers:
+          console:
+              class: logging.StreamHandler
+              formatter: precise
+
+      loggers:
+          synapse.storage.SQL:
+              # beware: increasing this to DEBUG will make synapse log sensitive
+              # information such as access tokens.
+              level: INFO
+
+      root:
+          level: INFO
+          handlers: [console]
+
+      disable_existing_loggers: false
+    '';
+    listeners = [
+      {
+        port = 8008;
+        bind_address = "127.0.0.1";
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          { 
+            names = [ "client" ];
+            compress = false;
+          }
+        ];
+      }
+    ];
+  };
+}
+    

config/hosts/wind/configuration.nix

@@ -3,6 +3,7 @@
 {
   imports = [ 
     ./hardware-configuration.nix 
+    ../../common/services/openssh.nix
     ./services/acme.nix
     ./services/coturn.nix
     ./services/nginx.nix
@@ -56,12 +57,6 @@
     ];
   };
 
-  services.openssh = {
-    enable = true;
-    passwordAuthentication = false;
-    permitRootLogin = "no";
-    challengeResponseAuthentication = false;
-  };
 
   # Use hetzner firewall instead
   networking.firewall.enable = false;

config/hosts/wind/services/acme.nix

@@ -5,7 +5,7 @@
     acceptTerms = true;
     email = "admin+certs@graven.dev";
     certs."graven.dev" = {
-      extraDomainNames = "*.graven.dev";
+      extraDomainNames = [ "*.graven.dev" ];
       dnsProvider = "hurricane";
       credentialsFile = config.secrets.files.acme_graven_dev.file;
     };

config/hosts/wind/services/coturn.nix

@@ -4,7 +4,7 @@
     enable = true;
     lt-cred-mech = true;
     use-auth-secret = true;
-    static-auth-secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
+    static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
     realm = "turn.graven.dev";
     relay-ips = [
       "65.21.58.38"

config/hosts/wind/services/postgres.nix

@@ -20,7 +20,7 @@
   services.postgresqlBackup = {
     enable = true;
     location = "/var/lib/postgresql/backup";
-    databases = [ "gitea" "mogger" "synapse" "tt_rss" ];
+    databases = [ "synapse" ];
     startAt = "02:30";
     compression = "none";
   };

config/hosts/wind/services/restic.nix

@@ -9,7 +9,7 @@
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "02:15"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
     };
     "postgres" = {
@@ -18,7 +18,7 @@
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "03:00"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
     };
     "synapse" = {
@@ -27,7 +27,7 @@
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "03:30"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
     };
     "vaultwarden" = {
@@ -36,7 +36,7 @@
       initialize = true;
       pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
       timerConfig = { "OnCalendar" = "23:45"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
       passwordFile = builtins.toString config.secrets.files.restic_pass.file;
     };
   };

config/hosts/wind/services/synapse.nix

@@ -6,7 +6,7 @@
     server_name = "graven.dev";
     enable_registration = false;
     registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
-    turn_shared_secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
+    turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
     max_upload_size = "100M";
     database_type = "psycopg2";
     database_user = "synapse";

config/hosts/wind/services/vaultwarden.nix

@@ -6,7 +6,7 @@
     backupDir = "/var/lib/bitwarden_rs/backup";
     config = {
       domain = "https://vault.graven.dev";
-      signupsAllowed = true;
+      signupsAllowed = false;
       rocketPort = 8812;
       ipHeader = "X-Real-IP";
       websocketEnabled = true;

deploy/default.nix

@@ -18,6 +18,12 @@ in import "${sources.nixus}" {} ({ config, ... }: {
       switchTimeout = 300;
       successTimeout = 300;
     };
+    grondahl = { lib, config, ... }: {
+      host = "emelie@anarkafem.dev";
+      configuration = ../config/hosts/grondahl/configuration.nix;
+      switchTimeout = 300;
+      successTimeout = 300;
+    };
   };
 })