diff --git a/unstable/config/hosts/grondahl/configuration.nix b/unstable/config/hosts/grondahl/configuration.nix
index 4282811..c7a1ea9 100644
--- a/unstable/config/hosts/grondahl/configuration.nix
+++ b/unstable/config/hosts/grondahl/configuration.nix
@@ -12,7 +12,6 @@
 ./services/restic.nix
 ./services/synapse.nix
 ./services/postgres.nix
- ./services/mail.nix
 ];
 boot.loader.grub.enable = true;
diff --git a/unstable/config/hosts/grondahl/services/mail.nix b/unstable/config/hosts/grondahl/services/mail.nix
deleted file mode 100644
index 3591384..0000000
--- a/unstable/config/hosts/grondahl/services/mail.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ config, ... }:
-{
- imports = [
- (builtins.fetchTarball {
- # Pick a commit from the branch you are interested in
- url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e8142862f23ab99e1cc57838c02b733361e8d50/nixos-mailserver-6e8142862f23ab99e1cc57838c02b733361e8d50.tar.gz";
- # And set its hash
- sha256 = "19qzp8131pid4m3llb6w2v4ayxh25016fpv8yw6wnqng9yvigcw5";
- })
- ];
-
- mailserver = {
- enable = true;
- fqdn = "anarkafem.dev";
- domains = [ "anarkafem.dev" ];
- loginAccounts = {
- "noreply@anarkafem.dev" = {
- hashedPasswordFile = config.secrets.files.email_noreply.file;
-
- };
- };
- certificateScheme = 3;
- };
-}
-
diff --git a/unstable/config/hosts/grondahl/services/synapse.nix b/unstable/config/hosts/grondahl/services/synapse.nix
index a50b15a..8e96cb5 100644
--- a/unstable/config/hosts/grondahl/services/synapse.nix
+++ b/unstable/config/hosts/grondahl/services/synapse.nix
@@ -25,6 +25,7 @@
 withJemalloc = true;
 servers = { "anarkafem.dev" = {}; };
 extraConfig = ''
+ default_room_version: "9"
 auto_join_rooms:
 - "#suf-aalborg:anarkafem.dev"
 '';
diff --git a/unstable/config/hosts/wind/configuration.nix b/unstable/config/hosts/wind/configuration.nix
index c86d71a..5444365 100644
--- a/unstable/config/hosts/wind/configuration.nix
+++ b/unstable/config/hosts/wind/configuration.nix
@@ -13,6 +13,7 @@
 ./services/gitea.nix
 ./services/restic.nix
 ./services/vaultwarden.nix
+ ./services/wireguard.nix
 ./data/secrets/secrets.nix
 ];
diff --git a/unstable/config/hosts/wind/data/secrets/acme_graven_se.env b/unstable/config/hosts/wind/data/secrets/acme_graven_se.env
new file mode 100644
index 0000000..7ac992b
Binary files /dev/null and b/unstable/config/hosts/wind/data/secrets/acme_graven_se.env differ
diff --git a/unstable/config/hosts/wind/data/secrets/secrets.nix b/unstable/config/hosts/wind/data/secrets/secrets.nix
index c27234a..75790f5 100644
Binary files a/unstable/config/hosts/wind/data/secrets/secrets.nix and b/unstable/config/hosts/wind/data/secrets/secrets.nix differ
diff --git a/unstable/config/hosts/wind/data/secrets/wg_key b/unstable/config/hosts/wind/data/secrets/wg_key
new file mode 100644
index 0000000..6df1e90
Binary files /dev/null and b/unstable/config/hosts/wind/data/secrets/wg_key differ
diff --git a/unstable/config/hosts/wind/services/acme.nix b/unstable/config/hosts/wind/services/acme.nix
index 2935014..862d516 100644
--- a/unstable/config/hosts/wind/services/acme.nix
+++ b/unstable/config/hosts/wind/services/acme.nix
@@ -4,11 +4,18 @@
 security.acme = {
 acceptTerms = true;
 email = "admin+certs@graven.dev";
- certs."graven.dev" = {
- extraDomainNames = [ "*.graven.dev" ];
- dnsProvider = "hurricane";
- credentialsFile = config.secrets.files.acme_graven_dev.file;
- };
+ certs = {
+ "graven.dev" = {
+ extraDomainNames = [ "*.graven.dev" ];
+ dnsProvider = "hurricane";
+ credentialsFile = config.secrets.files.acme_graven_dev.file;
+ };
+ "graven.se" = {
+ extraDomainNames = [ "*.graven.se" ];
+ dnsProvider = "hurricane";
+ credentialsFile = config.secrets.files.acme_graven_se.file;
+ };
+ };
 };
 }
diff --git a/unstable/config/hosts/wind/services/nginx.nix b/unstable/config/hosts/wind/services/nginx.nix
index 21cbea1..39efb7e 100644
--- a/unstable/config/hosts/wind/services/nginx.nix
+++ b/unstable/config/hosts/wind/services/nginx.nix
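Review bot: The two entries under `certs` differ only in the apex domain and the secret they read, so a third wildcard will be another copy-paste; a tiny helper keeps them aligned, e.g. `mkWildcard = domain: secret: { extraDomainNames = [ "*.${domain}" ]; dnsProvider = "hurricane"; credentialsFile = secret.file; };` used as `"graven.se" = mkWildcard "graven.se" config.secrets.files.acme_graven_se;`. This is a style point; the new `"graven.se"` block itself matches the existing one. A one-line comment above `credentialsFile` saying what the `.env` file must contain for the hurricane DNS-01 provider would also spare the next person a trip to the provider docs. The `security.acme` block starts at the top of the hunk; the file's header is outside it.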
@@ -1,79 +1,111 @@
 {
- imports = [ ../../../common/services/nginx.nix ];
- services.nginx.virtualHosts = {
- "graven.dev" = {
- useACMEHost = "graven.dev";
- forceSSL = true;
- locations."/".root = "/var/www/graven.dev/public";
- locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
- locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
- locations."/.well-known/matrix/" = {
- root = "/var/www/matrix/public";
- extraConfig = ''
- default_type application/json;
- add_header Access-Control-Allow-Origin "*";
- add_header Strict-Transport-Security $hsts_header;
- add_header Referrer-Policy "origin-when-cross-origin";
- add_header X-Frame-Options "DENY";
- add_header X-Content-Type-Options "nosniff";
- add_header X-XSS-Protection "1; mode=block";
- '';
- };
- };
- "rss.graven.dev" = {
- useACMEHost = "graven.dev";
- forceSSL = true;
- };
- "git.graven.dev" = {
- useACMEHost = "graven.dev";
- forceSSL = true;
- locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
- };
- "vault.graven.dev" = {
- forceSSL = true;
- useACMEHost = "graven.dev";
- locations."/" = {
- proxyPass = "http://localhost:8812";
- proxyWebsockets = true;
- };
- locations."/notifications/hub" = {
- proxyPass = "http://localhost:3012";
- proxyWebsockets = true;
- };
- locations."/notifications/hub/negotiate" = {
- proxyPass = "http://localhost:8812";
- proxyWebsockets = true;
- };
- };
- "mta-sts.graven.dev" = {
- forceSSL = true;
- enableACME = true;
- root = "/var/www/mta-sts/public";
- };
- "mta-sts.graven.se" = {
- forceSSL = true;
- enableACME = true;
- root = "/var/www/mta-sts/public";
- };
- "mta-sts.nao.sh" = {
- forceSSL = true;
- enableACME = true;
- root = "/var/www/mta-sts/public";
- };
- "mta-sts.amandag.net" = {
- forceSSL = true;
- enableACME = true;
- root = "/var/www/mta-sts/public";
- };
- "mta-sts.queersin.space" = {
- forceSSL = true;
- enableACME = true;
- root = "/var/www/mta-sts/public";
- };
- "mta-sts.anarkafem.dev" = {
- forceSSL = true;
- enableACME = true;
- root = "/var/www/mta-sts/public";
- };
- };
+ imports = [ ../../../common/services/nginx.nix ];
+ services.nginx.virtualHosts = {
+ "graven.dev" = {
+ useACMEHost = "graven.dev";
+ forceSSL = true;
+ locations."/".root = "/var/www/graven.dev/public";
+ locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
+ locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
+ locations."/.well-known/matrix/" = {
+ root = "/var/www/matrix/public";
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ add_header Strict-Transport-Security $hsts_header;
+ add_header Referrer-Policy "same-origin";
+ add_header X-Frame-Options "DENY";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-XSS-Protection "1; mode=block";
+ '';
+ };
+ };
+ "rss.graven.dev" = {
+ useACMEHost = "graven.dev";
+ forceSSL = true;
+ };
+ "git.graven.dev" = {
+ useACMEHost = "graven.dev";
+ forceSSL = true;
+ locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
+ };
+ "vault.graven.dev" = {
+ forceSSL = true;
+ useACMEHost = "graven.dev";
+ locations."/" = {
+ proxyPass = "http://localhost:8812";
+ proxyWebsockets = true;
+ };
+ locations."/notifications/hub" = {
+ proxyPass = "http://localhost:3012";
+ proxyWebsockets = true;
+ };
+ locations."/notifications/hub/negotiate" = {
+ proxyPass = "http://localhost:8812";
+ proxyWebsockets = true;
+ };
+ };
+ "openpgpkey.graven.dev" = {
+ forceSSL = true;
+ useACMEHost = "graven.dev";
+ locations."/" = {
+ root = "/var/www/openpgpkey/graven.dev";
+ extraConfig = ''
+ default_type "application/octet-stream";
+ add_header Access-Control-Allow-Origin "*";
+ add_header Strict-Transport-Security $hsts_header;
+ add_header Referrer-Policy "same-origin";
+ add_header X-Frame-Options "DENY";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-XSS-Protection "1; mode=block";
+ '';
+ };
+ };
+ "openpgpkey.graven.se" = {
+ forceSSL = true;
+ useACMEHost = "graven.se";
+ locations."/" = {
+ root = "/var/www/openpgpkey/graven.se";
+ extraConfig = ''
+ default_type "application/octet-stream";
+ add_header Access-Control-Allow-Origin "*";
+ add_header Strict-Transport-Security $hsts_header;
+ add_header Referrer-Policy "same-origin";
+ add_header X-Frame-Options "DENY";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-XSS-Protection "1; mode=block";
+ '';
+ };
+ };
+ "mta-sts.graven.dev" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/mta-sts/public";
+ };
+ "mta-sts.graven.se" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/mta-sts/public";
+ };
+ "mta-sts.nao.sh" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/mta-sts/public";
+ };
+ "mta-sts.amandag.net" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/mta-sts/public";
+ };
+ "mta-sts.queersin.space" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/mta-sts/public";
+ };
+ "mta-sts.anarkafem.dev" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/mta-sts/public";
+ };
+ };
 }
diff --git a/unstable/config/hosts/wind/services/wireguard.nix b/unstable/config/hosts/wind/services/wireguard.nix
new file mode 100644
index 0000000..7e5d539
--- /dev/null
+++ b/unstable/config/hosts/wind/services/wireguard.nix
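Review bot: The six `add_header` lines are now repeated verbatim in three locations (`/.well-known/matrix/` and the two new `openpgpkey.*` roots), so the next header change has to be made three times; hoisting them into a `let` binding at the top of the file keeps them in one place (`$hsts_header` is referenced but defined outside this hunk, presumably in `../../../common/services/nginx.nix`). The repetition per location is deliberate and should be said so in a comment, because nginx does not inherit parent-level `add_header` directives into a block that declares its own — otherwise someone will "deduplicate" by deleting them. `X-XSS-Protection "1; mode=block"` is a legacy header; current guidance is `X-XSS-Protection "0"` or omitting it, since the browser filter it enabled has been removed from current browsers and was itself a cross-site leak in older ones, so the shared binding is the place to settle that. The whitespace-only re-indentation of the whole file also buries the substantive changes (`same-origin` and the two new vhosts); a separate formatting commit would make this easier to review.
```nix
let
  # nginx drops inherited add_header directives once a block declares its
  # own, so every location that adds a header must restate the full set.
  securityHeaders = ''
    add_header Access-Control-Allow-Origin "*";
    add_header Strict-Transport-Security $hsts_header;
    add_header Referrer-Policy "same-origin";
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "0";
  '';
in
{
  # … unchanged: imports, services.nginx.virtualHosts = { graven.dev, rss, git, vault … }
  "openpgpkey.graven.dev" = {
    forceSSL = true;
    useACMEHost = "graven.dev";
    locations."/" = {
      root = "/var/www/openpgpkey/graven.dev";
      extraConfig = ''
        default_type "application/octet-stream";
        ${securityHeaders}
      '';
    };
  };
  # … unchanged: openpgpkey.graven.se (same shape, graven.se), mta-sts.* vhosts …
```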
@@ -0,0 +1,48 @@
+{ pkgs, config, ... }:
+{
+networking.nat.enable = true;
+ networking.nat.externalInterface = "ens3";
+ networking.nat.internalInterfaces = [ "wg0" ];
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ };
+
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the server's end of the tunnel interface.
+ ips = [ "10.100.0.1/24" ];
+
+ # The port that WireGuard listens to. Must be accessible by the client.
+ listenPort = 51820;
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+ '';
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = builtins.toString config.secrets.files.wg_key.file;
+
+ peers = [
+ # List of allowed peers.
+ { # Feel free to give a meaning full name
+ # Public key of the peer (not a file path).
+ publicKey = "5u3lMMKcFWohjs0jomG/86MffY8l4E6jbqjJzdyy6ik=";
+ # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
+ };
+}
diff --git a/unstable/config/sources/nix/sources.json b/unstable/config/sources/nix/sources.json
index 946ef40..c02530c 100644
--- a/unstable/config/sources/nix/sources.json
+++ b/unstable/config/sources/nix/sources.json
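Review bot: `postSetup`/`postShutdown` add a MASQUERADE rule for 10.100.0.0/24 out of `ens3` by hand while `networking.nat.internalInterfaces = [ "wg0" ]` with `externalInterface = "ens3"` already asks the NixOS NAT module to masquerade that interface, so the same traffic is matched by two rules managed by two mechanisms that can drift apart. Keep one of them: either drop the two hooks, or drop the `networking.nat.*` lines; if the hooks stay, reference the interface once with `-o ${config.networking.nat.externalInterface}` instead of repeating `ens3` three times. `networking.nat.enable = true;` sits at column 0 while the rest of the body is indented, and `# Feel free to give a meaning full name` is a leftover template comment — the peer block would be better served by a short comment naming the device the public key belongs to. The `privateKeyFile` comment is accurate (a path keeps the key out of the world-readable store, which `privateKey` would not); what cannot be confirmed from this hunk is that the secrets module deploys `wg_key` readable by root only, which is the other half of that guarantee.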
@@ -29,10 +29,10 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "d00918ccaf7e1532d35db2f1e3d44db3da39b851",
- "sha256": "0ynxk7vacv8nljkr60f1sdyh0a65lb6w8kzv5m30hy2qba7samrf",
+ "rev": "db22325869a05e376dbab1c31ea7664dd5fcf860",
+ "sha256": "0pihqkl1c5bmb62657r38irvacav51ab0r4vfa2wn027ch1ry29m",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/d00918ccaf7e1532d35db2f1e3d44db3da39b851.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/db22325869a05e376dbab1c31ea7664dd5fcf860.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixus": {