add anarkafem.dev, minor tweaks

This commit is contained in:
Emelie 2021-09-23 16:45:06 +02:00
parent 3ed18d33fc
commit 0969b36564
Signed by: emelie
GPG key ID: 49D33365A7E22D12
18 changed files with 374 additions and 15 deletions

View file

@ -0,0 +1,12 @@
{ ... }:
{
services.openssh = {
enable = true;
permitRootLogin = "no";
passwordAuthentication = false;
challengeResponseAuthentication = false;
hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
};
}

View file

@ -0,0 +1,87 @@
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./data/secrets/secrets.nix
../../common/services/openssh.nix
./services/acme.nix
./services/coturn.nix
./services/nginx.nix
./services/restic.nix
./services/sshguard.nix
./services/synapse.nix
./services/postgres.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/vda";
networking = {
hostName = "grondahl";
useDHCP = false;
interfaces = {
"ens3" = {
ipv4.addresses = [ {
address = "107.189.30.157";
prefixLength = 24;
} ];
ipv6.addresses = [ {
address = "2605:6400:30:ef32::1";
prefixLength = 48;
} ];
};
};
defaultGateway = "107.189.30.1";
defaultGateway6 = {
address = "2605:6400:30::1";
interface = "ens3";
};
nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
};
time.timeZone = "Europe/Copenhagen";
security.sudo.wheelNeedsPassword = false;
nix = {
autoOptimiseStore = true;
trustedUsers = [
"root"
"@wheel"
];
};
users.users.emelie = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
];
};
users.groups.acme.members = [ "nginx" "turnserver" ];
users.groups.postgres.members = [ "restic" ];
users.groups.matrix-synapse.members = [ "restic" ];
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
htop
iotop
dig
];
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
system.stateVersion = "21.05";
}

View file

@ -0,0 +1,22 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/profiles/minimal.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/8c343c61-87b5-493c-984c-634f59814f3d";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/2cd0615d-c517-4153-907e-6d8dd9d0e7fc"; }
];
}

View file

@ -0,0 +1,14 @@
{ config, ... }:
{
security.acme = {
acceptTerms = true;
email = "admin+certs@anarkafem.dev";
certs."anarkafem.dev" = {
extraDomainNames = [ "*.anarkafem.dev" ];
dnsProvider = "hurricane";
credentialsFile = config.secrets.files.acme_anarkafem_dev.file;
};
};
}

View file

@ -0,0 +1,25 @@
{ config, ... }:
{
services.coturn = {
enable = true;
lt-cred-mech = true;
use-auth-secret = true;
static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
realm = "turn.anarkafem.dev";
relay-ips = [
"107.189.30.157"
"2605:6400:30:ef32::1"
];
no-tcp-relay = true;
extraConfig = "
cipher-list=\"HIGH\"
no-loopback-peers
no-multicast-peers
";
secure-stun = true;
cert = "/var/lib/acme/anarkafem.dev/fullchain.pem";
pkey = "/var/lib/acme/anarkafem.dev/key.pem";
min-port = 49152;
max-port = 49999;
};
}

View file

@ -0,0 +1,65 @@
{
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
virtualHosts = {
"anarkafem.dev" = {
useACMEHost = "anarkafem.dev";
forceSSL = true;
locations."/".root = "/var/www/anarkafem.dev/public";
locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
locations."/_matrix/federation".return = "403";
locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
locations."/.well-known/matrix/" = {
root = "/var/www/matrix/public";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy "origin-when-cross-origin";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
'';
};
};
};
};
}

View file

@ -0,0 +1,28 @@
{ pkgs, ... }:
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_13;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE synapse;
CREATE DATABASE synapse WITH OWNER synapse
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C"
ENCODING = "UTF8";
'';
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all ::1/128 trust
'';
};
services.postgresqlBackup = {
enable = true;
location = "/var/lib/postgresql/backup";
databases = [ "synapse" ];
startAt = "02:30";
compression = "none";
};
}

View file

@ -0,0 +1,24 @@
{ config, ... }:
{
services.restic.backups = {
"postgres" = {
paths = [ "/var/lib/postgresql/backup" ];
repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/postgres";
initialize = true;
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
timerConfig = { "OnCalendar" = "03:15"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
};
"synapse" = {
paths = [ "/var/lib/matrix-synapse" ];
repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/synapse";
initialize = true;
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
timerConfig = { "OnCalendar" = "03:45"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
};
};
}

View file

@ -0,0 +1,7 @@
{ ... }:
{
services.sshguard = {
enable = true;
blocktime = 300;
};
}

View file

@ -0,0 +1,74 @@
{ config, ... }:
{
services.matrix-synapse = {
enable = true;
server_name = "anarkafem.dev";
enable_registration = true;
registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
max_upload_size = "20M";
database_type = "psycopg2";
database_user = "synapse";
database_name = "synapse";
turn_uris = [
"turn:turn.anarkafem.dev:3478?transport=udp"
"turn:turn.anarkafem.dev:3478?transport=tcp"
"turn:turn.anarkafem.dev:3479?transport=udp"
"turn:turn.anarkafem.dev:3479?transport=tcp"
"turns:turn.anarkafem.dev:5349?transport=udp"
"turns:turn.anarkafem.dev:5349?transport=tcp"
"turns:turn.anarkafem.dev:5350?transport=udp"
"turns:turn.anarkafem.dev:5350?transport=tcp"
];
report_stats = false;
withJemalloc = true;
servers = { "anarkafem.dev" = {}; };
extraConfig = ''
federation_domain_whitelist:
- anarkafem.dev
auto_join_rooms:
- "#suf-aalborg:anarkafem.dev"
'';
logConfig = ''
version: 1
formatters:
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
handlers:
console:
class: logging.StreamHandler
formatter: precise
loggers:
synapse.storage.SQL:
# beware: increasing this to DEBUG will make synapse log sensitive
# information such as access tokens.
level: INFO
root:
level: INFO
handlers: [console]
disable_existing_loggers: false
'';
listeners = [
{
port = 8008;
bind_address = "127.0.0.1";
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" ];
compress = false;
}
];
}
];
};
}

View file

@ -3,6 +3,7 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/services/openssh.nix
./services/acme.nix ./services/acme.nix
./services/coturn.nix ./services/coturn.nix
./services/nginx.nix ./services/nginx.nix
@ -56,12 +57,6 @@
]; ];
}; };
services.openssh = {
enable = true;
passwordAuthentication = false;
permitRootLogin = "no";
challengeResponseAuthentication = false;
};
# Use hetzner firewall instead # Use hetzner firewall instead
networking.firewall.enable = false; networking.firewall.enable = false;

View file

@ -5,7 +5,7 @@
acceptTerms = true; acceptTerms = true;
email = "admin+certs@graven.dev"; email = "admin+certs@graven.dev";
certs."graven.dev" = { certs."graven.dev" = {
extraDomainNames = "*.graven.dev"; extraDomainNames = [ "*.graven.dev" ];
dnsProvider = "hurricane"; dnsProvider = "hurricane";
credentialsFile = config.secrets.files.acme_graven_dev.file; credentialsFile = config.secrets.files.acme_graven_dev.file;
}; };

View file

@ -4,7 +4,7 @@
enable = true; enable = true;
lt-cred-mech = true; lt-cred-mech = true;
use-auth-secret = true; use-auth-secret = true;
static-auth-secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file; static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
realm = "turn.graven.dev"; realm = "turn.graven.dev";
relay-ips = [ relay-ips = [
"65.21.58.38" "65.21.58.38"

View file

@ -20,7 +20,7 @@
services.postgresqlBackup = { services.postgresqlBackup = {
enable = true; enable = true;
location = "/var/lib/postgresql/backup"; location = "/var/lib/postgresql/backup";
databases = [ "gitea" "mogger" "synapse" "tt_rss" ]; databases = [ "synapse" ];
startAt = "02:30"; startAt = "02:30";
compression = "none"; compression = "none";
}; };

View file

@ -9,7 +9,7 @@
initialize = true; initialize = true;
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
timerConfig = { "OnCalendar" = "02:15"; }; timerConfig = { "OnCalendar" = "02:15"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ]; extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file; passwordFile = builtins.toString config.secrets.files.restic_pass.file;
}; };
"postgres" = { "postgres" = {
@ -18,7 +18,7 @@
initialize = true; initialize = true;
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
timerConfig = { "OnCalendar" = "03:00"; }; timerConfig = { "OnCalendar" = "03:00"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ]; extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file; passwordFile = builtins.toString config.secrets.files.restic_pass.file;
}; };
"synapse" = { "synapse" = {
@ -27,7 +27,7 @@
initialize = true; initialize = true;
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
timerConfig = { "OnCalendar" = "03:30"; }; timerConfig = { "OnCalendar" = "03:30"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ]; extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file; passwordFile = builtins.toString config.secrets.files.restic_pass.file;
}; };
"vaultwarden" = { "vaultwarden" = {
@ -36,7 +36,7 @@
initialize = true; initialize = true;
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
timerConfig = { "OnCalendar" = "23:45"; }; timerConfig = { "OnCalendar" = "23:45"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ]; extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file; passwordFile = builtins.toString config.secrets.files.restic_pass.file;
}; };
}; };

View file

@ -6,7 +6,7 @@
server_name = "graven.dev"; server_name = "graven.dev";
enable_registration = false; enable_registration = false;
registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file; registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
turn_shared_secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file; turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
max_upload_size = "100M"; max_upload_size = "100M";
database_type = "psycopg2"; database_type = "psycopg2";
database_user = "synapse"; database_user = "synapse";

View file

@ -6,7 +6,7 @@
backupDir = "/var/lib/bitwarden_rs/backup"; backupDir = "/var/lib/bitwarden_rs/backup";
config = { config = {
domain = "https://vault.graven.dev"; domain = "https://vault.graven.dev";
signupsAllowed = true; signupsAllowed = false;
rocketPort = 8812; rocketPort = 8812;
ipHeader = "X-Real-IP"; ipHeader = "X-Real-IP";
websocketEnabled = true; websocketEnabled = true;

View file

@ -18,6 +18,12 @@ in import "${sources.nixus}" {} ({ config, ... }: {
switchTimeout = 300; switchTimeout = 300;
successTimeout = 300; successTimeout = 300;
}; };
grondahl = { lib, config, ... }: {
host = "emelie@anarkafem.dev";
configuration = ../config/hosts/grondahl/configuration.nix;
switchTimeout = 300;
successTimeout = 300;
};
}; };
}) })