diff --git a/] b/]
new file mode 100644
index 0000000..683e050
--- /dev/null
+++ b/]
@@ -0,0 +1,88 @@ +{ config, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ./data/secrets/secrets.nix + ../../common/services/ssh.nix + ../../common/services/tailscale.nix + ../../common/users.nix + ./services/acme.nix + ./services/coturn.nix + ./services/nginx.nix + ./services/restic.nix + ./services/synapse.nix + ./services/postgres.nix + #./services/mail.nix + #./services/containers.nix + #./services/redis.nix + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/vda"; + boot.kernelPackages = pkgs.linuxPackages_5_10; + networking = { + hostName = "grondahl"; + useDHCP = false; + interfaces = { + "ens3" = { + ipv4.addresses = [ { + address = "107.189.30.157"; + prefixLength = 24; + } ]; + ipv6.addresses = [ { + address = "2605:6400:30:ef32::1"; + prefixLength = 48; + } ]; + }; + }; + defaultGateway = "107.189.30.1"; + defaultGateway6 = { + address = "2605:6400:30::1"; + interface = "ens3"; + }; + nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ]; + }; + + time.timeZone = "Europe/Copenhagen"; + + security.sudo.wheelNeedsPassword = false; + + nix.settings = { + auto-optimise-store = true; + trusted-users = [ + "root" + "@wheel" + ]; + }; + + + + users.groups.acme.members = [ "nginx" "turnserver" ]; + users.groups.backup.members = [ "matrix-synapse" "postgres" ]; + + # List packages installed in system profile. 
To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + htop + iotop + dig + ]; + + networking.firewall = { + enable = true; + checkReversePaths = "loose"; + trustedInterfaces = [ "tailscale0" ]; + allowedUDPPorts = [ config.services.tailscale.port ]; + allowedTCPPorts = [ 22 80 443 ]; + allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ]; + allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ]; + }; + + system.stateVersion = "21.05"; + +} diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix index 6c375a6..ece567c 100644 --- a/config/common/services/nginx.nix +++ b/config/common/services/nginx.nix @@ -29,7 +29,7 @@ add_header 'Referrer-Policy' 'same-origin'; # Disable embedding as a frame - add_header X-Frame-Options DENY; + #add_header X-Frame-Options DENY; # Prevent injection of code in other mime types (XSS Attacks) add_header X-Content-Type-Options nosniff; diff --git a/config/common/services/tailscale.nix b/config/common/services/tailscale.nix new file mode 100644 index 0000000..c5bd6d5 --- /dev/null +++ b/config/common/services/tailscale.nix 
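Review bot: This new file is committed under the path `]`, which looks like a shell accident (a stray argument or redirect) rather than an intended module; it is an almost verbatim copy of `config/hosts/grondahl/configuration.nix` and should be removed from the commit instead of left in the tree. It also carries a typo that would break evaluation if anyone imported it: the firewall option is spelled `checkReversePaths = "loose";` here, whereas the NixOS option (and the real grondahl hunk below) is `checkReversePath`. Separately, `security.sudo.wheelNeedsPassword = false;` together with `nix.settings.trusted-users = [ "root" "@wheel" ];` makes every wheel account root-equivalent on two paths (passwordless sudo, and trusted Nix users can add substituters and import unsigned store paths); if that is deliberate for a single-admin box, a comment such as `# wheel == root here: passwordless sudo + trusted nix user (single-admin host)` would record the decision. The hunk also hard-codes the host's public IPv4/IPv6 addresses, which is harmless in a private repo but worth keeping in mind if this configuration is published.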
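Review bot: Commenting out `add_header X-Frame-Options DENY;` in the shared nginx snippet removes clickjacking protection from every vhost that includes it, and the hunk gives neither a replacement nor a reason. If one service needs to be framed (the motivation is not visible in this hunk), the least-privilege fix is to keep the header here and relax it only in that vhost, or to replace the line with `add_header Content-Security-Policy "frame-ancestors 'self'";` so same-origin framing works while third-party framing stays blocked. Note that nginx only inherits `add_header` directives into a `location` block that defines none of its own, so a per-vhost override has to restate the full header set rather than just the one line. At minimum the bare comment-out should become a `# disabled: <service> must be framed by <origin>` note, otherwise it reads as dead code the next maintainer will delete or re-enable at random.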
@@ -0,0 +1,37 @@ +{ config, pkgs, ... }: +{ +environment.systemPackages = [ pkgs.tailscale ]; + +services.tailscale.enable = true; + + # ... + + # create a oneshot job to authenticate to Tailscale + systemd.services.tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = [ "network-pre.target" "tailscale.service" ]; + wants = [ "network-pre.target" "tailscale.service" ]; + wantedBy = [ "multi-user.target" ]; + + # set this service as a oneshot job + serviceConfig.Type = "oneshot"; + + # have the job run this shell script + script = with pkgs; '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up -authkey CHANGEME + ''; + }; + +} diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix index 9303bed..c693a9f 100644 --- a/config/hosts/grondahl/configuration.nix +++ b/config/hosts/grondahl/configuration.nix @@ -6,7 +6,8 @@ ./hardware-configuration.nix ./data/secrets/secrets.nix ../../common/services/ssh.nix - ../../common/users.nix + ../../common/services/tailscale.nix + ../../common/users.nix ./services/acme.nix ./services/coturn.nix ./services/nginx.nix 
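Review bot: `${tailscale}/bin/tailscale up -authkey CHANGEME` interpolates the auth key into the unit script, which lands in the Nix store and is therefore world-readable on every host that evaluates this module, so the placeholder must never be replaced with a real key in this file. Read it from a root-only file outside the store instead, e.g. `${tailscale}/bin/tailscale up -authkey "$(cat /var/lib/tailscale/authkey)"` (or, on tailscale versions that accept it, `-authkey file:/var/lib/tailscale/authkey`), and use a pre-authorised, expiring and ideally single-use key so a leaked copy cannot enrol new nodes later. The check `if [ $status = "Running" ]` is unquoted: when `tailscale status` fails before the daemon is ready, `$status` is empty and `[` errors out, so write `if [ "$status" = "Running" ]`. The fixed `sleep 2` is a race rather than a readiness check; polling `tailscale status` a few times with a short delay would be more robust than a single sleep. The `# ...` placeholder comment above the unit should also be dropped or replaced with what it stands for.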
@@ -72,9 +73,15 @@ dig ]; - networking.firewall.allowedTCPPorts = [ 22 80 443 ]; - networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ]; - networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ]; + networking.firewall = { + enable = true; + checkReversePath = "loose"; + trustedInterfaces = [ "tailscale0" ]; + allowedUDPPorts = [ config.services.tailscale.port ]; + allowedTCPPorts = [ 22 80 443 ]; + allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ]; + allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ]; + }; system.stateVersion = "21.05"; diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix index cede05c..0b7f6f5 100644 --- a/config/hosts/rudiger/configuration.nix +++ b/config/hosts/rudiger/configuration.nix @@ -6,7 +6,8 @@ ./hardware-configuration.nix ./data/secrets/secrets.nix ../../common/services/ssh.nix - ../../common/users.nix + ../../common/services/tailscale.nix + ../../common/users.nix ./services/acme.nix ./services/nextcloud.nix ./services/nginx.nix @@ -65,6 +66,7 @@ htop iotop dig + tailscale ]; security.sudo.wheelNeedsPassword = false; @@ -76,7 +78,13 @@ users.groups.redis.members = [ "nextcloud" ]; users.groups.backup.members = [ "nextcloud" "postgres" ]; - networking.firewall.allowedTCPPorts = [ 22 80 443 ]; + networking.firewall = { + allowedTCPPorts = [ 22 80 443 ]; + allowedUDPPorts = [ config.services.tailscale.port ]; + trustedInterfaces = [ "tailscale0" ]; + enable = true; + checkReversePath = "loose"; + }; # networking.firewall.allowedUDPPorts = [ ... ]; system.stateVersion = "21.05"; diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index 1698b1e..a7c83f7 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix 
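Review bot: `trustedInterfaces = [ "tailscale0" ];` exempts the whole Tailscale interface from the firewall, so every node on the tailnet can reach every service on this host that listens on all addresses, including anything the public allow lists in the same hunk deliberately omit (only 22/80/443 and the coturn ranges are exposed publicly). If the goal is just SSH and management over Tailscale, prefer a per-interface allow list, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];`, and leave the interface untrusted; tailnet ACLs are a second layer, not a substitute for host filtering. With Tailscale as the management path it is also worth deciding whether 22 still belongs in the public `allowedTCPPorts`, or whether SSH can be restricted to the tailnet with the public address kept only as break-glass. The same trusted-interface pattern is repeated in the rudiger hunk further down, and the same comment applies there.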
@@ -4,6 +4,7 @@ imports = [ ./hardware-configuration.nix ../../common/services/ssh.nix + ../../common/services/tailscale.nix ../../common/users.nix ./services/acme.nix ./services/coturn.nix @@ -51,6 +52,7 @@ htop iotop dig + tailscale ]; nix.settings = { diff --git a/config/hosts/wind/services/grocy.nix b/config/hosts/wind/services/grocy.nix index 6a296be..d6c31ef 100644 --- a/config/hosts/wind/services/grocy.nix +++ b/config/hosts/wind/services/grocy.nix @@ -2,9 +2,10 @@ { services.grocy = { enable = true; - hostName = grocy.graven.dev; + hostName = "grocy.graven.dev"; settings = { currency = "DKK"; - calendar.firstDayOfWeek = 1 - } - } + calendar.firstDayOfWeek = 1; + }; + }; +} diff --git a/config/hosts/wind/services/nginx.nix b/config/hosts/wind/services/nginx.nix index a440332..f9253bb 100644 --- a/config/hosts/wind/services/nginx.nix +++ b/config/hosts/wind/services/nginx.nix @@ -14,7 +14,6 @@ add_header Access-Control-Allow-Origin "*"; add_header Strict-Transport-Security $hsts_header; add_header Referrer-Policy "same-origin"; - add_header X-Frame-Options "DENY"; add_header X-Content-Type-Options "nosniff"; add_header X-XSS-Protection "1; mode=block"; ''; diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 5ada689..098e2b1 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
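Review bot: Dropping `add_header X-Frame-Options "DENY";` from this host's header block removes clickjacking protection for every vhost that uses it, with no replacement and no stated reason. If a single app needs framing (grocy is configured in the neighbouring hunk, but the link is not visible here), scope the relaxation to that vhost, or replace the line with `add_header Content-Security-Policy "frame-ancestors 'self'";` so only same-origin framing is permitted. This mirrors the identical removal in `config/common/services/nginx.nix` in the same commit, so the reason is presumably shared and deserves a one-line comment in both places. The surrounding context also sends `Access-Control-Allow-Origin "*"` on every response; that is pre-existing, but while the header set is being revisited it is worth confirming the wildcard is actually required by every vhost rather than one API.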
@@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "82e5cd1ad3c387863f0545d7591512e76ab0fc41", - "sha256": "090l219mzc0gi33i3psgph6s2pwsc8qy4lyrqjdj4qzkvmaj65a7", + "rev": "351d8bc316bf901a81885bab5f52687ec8ccab6e", + "sha256": "1yzhz7ihkh6p2sxhp3amqfbmm2yqzaadqqii1xijymvl8alw5rrr", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/82e5cd1ad3c387863f0545d7591512e76ab0fc41.tar.gz", + "url": "https://github.com/nmattia/niv/archive/351d8bc316bf901a81885bab5f52687ec8ccab6e.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { @@ -17,10 +17,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "1fec8fda86dac5701146c77d5f8a414b14ed1ff6", - "sha256": "18z2v5id3sad22f4nk8yjpablk9c693nwl5vix2n06h6s3kfmr10", + "rev": "0e6593630071440eb89cd97a52921497482b22c6", + "sha256": "01rnzb4qv53q7rf0vw2mxybryl5xgad26ww73fgsg2nihhhmmy9j", "type": "tarball", - "url": "https://github.com/NixOS/nixos-hardware/archive/1fec8fda86dac5701146c77d5f8a414b14ed1ff6.tar.gz", + "url": "https://github.com/NixOS/nixos-hardware/archive/0e6593630071440eb89cd97a52921497482b22c6.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ccafeb2aff99ec505d35fcfafd212c424c5359fd", - "sha256": "0q9kxp7n7394f8s7nqm8852gmwka0xn973q2vf3qh5qrwkv441qj", + "rev": "6b8ce46f34a9b3db1267f615463cd27548889ec2", + "sha256": "1minhg4q7vgbf69lf85blmamjxl1r7c1j26n7f80as9b0dn4aj7a", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/ccafeb2aff99ec505d35fcfafd212c424c5359fd.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/6b8ce46f34a9b3db1267f615463cd27548889ec2.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixus": { 
@@ -41,10 +41,10 @@ "homepage": "", "owner": "Infinisil", "repo": "nixus", - "rev": "aa276744ba7dcebeac40da37d7bf4d9d5409f17e", - "sha256": "1wfx055h1765zq7s1zzy06im8f715ydvp8qbhfcn6bpg44qr591b", + "rev": "329bf6bae94f54d5e4cac35253b1359f7b4f997a", + "sha256": "0g6k2r446a8vcqzab76qzvfw5k1kzk6i8m4032jmkdr1w5rhlg4b", "type": "tarball", - "url": "https://github.com/Infinisil/nixus/archive/aa276744ba7dcebeac40da37d7bf4d9d5409f17e.tar.gz", + "url": "https://github.com/Infinisil/nixus/archive/329bf6bae94f54d5e4cac35253b1359f7b4f997a.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } }