From 4de118b741eaf38c9a5faff5a8dd7d373efc6119 Mon Sep 17 00:00:00 2001 From: Emelie Graven Date: Sat, 27 Nov 2021 22:48:34 +0100 Subject: [PATCH] Add new wildcard certs for graven.se, openpgpkey WKD --- .../config/hosts/grondahl/configuration.nix | 1 - .../config/hosts/grondahl/services/mail.nix | 25 --- .../hosts/grondahl/services/synapse.nix | 1 + unstable/config/hosts/wind/configuration.nix | 1 + .../wind/data/secrets/acme_graven_se.env | Bin 0 -> 116 bytes .../hosts/wind/data/secrets/secrets.nix | Bin 814 -> 946 bytes .../config/hosts/wind/data/secrets/wg_key | Bin 0 -> 67 bytes unstable/config/hosts/wind/services/acme.nix | 17 +- unstable/config/hosts/wind/services/nginx.nix | 186 ++++++++++-------- .../config/hosts/wind/services/wireguard.nix | 48 +++++ unstable/config/sources/nix/sources.json | 6 +- 11 files changed, 174 insertions(+), 111 deletions(-) delete mode 100644 unstable/config/hosts/grondahl/services/mail.nix create mode 100644 unstable/config/hosts/wind/data/secrets/acme_graven_se.env create mode 100644 unstable/config/hosts/wind/data/secrets/wg_key create mode 100644 unstable/config/hosts/wind/services/wireguard.nix diff --git a/unstable/config/hosts/grondahl/configuration.nix b/unstable/config/hosts/grondahl/configuration.nix index 4282811..c7a1ea9 100644 --- a/unstable/config/hosts/grondahl/configuration.nix +++ b/unstable/config/hosts/grondahl/configuration.nix @@ -12,7 +12,6 @@ ./services/restic.nix ./services/synapse.nix ./services/postgres.nix - ./services/mail.nix ]; boot.loader.grub.enable = true; diff --git a/unstable/config/hosts/grondahl/services/mail.nix b/unstable/config/hosts/grondahl/services/mail.nix deleted file mode 100644 index 3591384..0000000 --- a/unstable/config/hosts/grondahl/services/mail.nix +++ /dev/null 
@@ -1,25 +0,0 @@ -{ config, ... }: -{ - imports = [ - (builtins.fetchTarball { - # Pick a commit from the branch you are interested in - url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e8142862f23ab99e1cc57838c02b733361e8d50/nixos-mailserver-6e8142862f23ab99e1cc57838c02b733361e8d50.tar.gz"; - # And set its hash - sha256 = "19qzp8131pid4m3llb6w2v4ayxh25016fpv8yw6wnqng9yvigcw5"; - }) - ]; - - mailserver = { - enable = true; - fqdn = "anarkafem.dev"; - domains = [ "anarkafem.dev" ]; - loginAccounts = { - "noreply@anarkafem.dev" = { - hashedPasswordFile = config.secrets.files.email_noreply.file; - - }; - }; - certificateScheme = 3; - }; -} - diff --git a/unstable/config/hosts/grondahl/services/synapse.nix b/unstable/config/hosts/grondahl/services/synapse.nix index a50b15a..8e96cb5 100644 --- a/unstable/config/hosts/grondahl/services/synapse.nix +++ b/unstable/config/hosts/grondahl/services/synapse.nix @@ -25,6 +25,7 @@ withJemalloc = true; servers = { "anarkafem.dev" = {}; }; extraConfig = '' + default_room_version: "9" auto_join_rooms: - "#suf-aalborg:anarkafem.dev" ''; diff --git a/unstable/config/hosts/wind/configuration.nix b/unstable/config/hosts/wind/configuration.nix index c86d71a..5444365 100644 --- a/unstable/config/hosts/wind/configuration.nix +++ b/unstable/config/hosts/wind/configuration.nix @@ -13,6 +13,7 @@ ./services/gitea.nix ./services/restic.nix ./services/vaultwarden.nix + ./services/wireguard.nix ./data/secrets/secrets.nix ]; diff --git a/unstable/config/hosts/wind/data/secrets/acme_graven_se.env b/unstable/config/hosts/wind/data/secrets/acme_graven_se.env new file mode 100644 index 0000000000000000000000000000000000000000..7ac992bb3ff98e1e615d6a10f8dfa88b17b1f1c4 GIT binary patch literal 116 zcmV-)0E_;zBrUQn93iF$K9C_5H*1knVo3Z?tPODMc-ij#aTY ze0@6dPUVv34Z@Qwm^_W;_TUVV;`P3eM`)461hMmBcEAk8n2y-%F5&@he*JmbxY_6P Wz*+5fiS8M((C<(?(YP*Tk(K4@**)R_ literal 0 HcmV?d00001 
diff --git a/unstable/config/hosts/wind/data/secrets/secrets.nix b/unstable/config/hosts/wind/data/secrets/secrets.nix index c27234a517c7f3a6cbd7ed8304eca051b4fbf918..75790f5334b5fc708c3e04b172965785344026f5 100644 GIT binary patch literal 946 zcmV;j15Nw@M@dveQdv+`006=O2uC8E&V8GvT|j%pMdx-TZ6#93Y`5<%sg^*8fqY!{ zNSpTI|?xy(76gHjs4;>0sQ<+K{3?Ojxyu^304tNhy(0t|F1LsbzDf*QCy zu99~T`LCkuTN4!v({V-OSGdnMud|F57^84w!PQol6~y73`4E{lYkDwkgOWewnb-41 zZ?_TTujf5=t7KCvC~u>n;N0q#kV_}vset#nd|?A<7bzYGa7S%qxQ>jI69_HHT1!~T z0P}sv9ozA>(MU74=s<*D834b+c$8u3&sjnlmX%-=p{x4k?|!JYW_}>y8GTwGJ(aiN zaW2_s_yNpsW=5TRswf4FhPD{y`PqwICJxZ?GMF6SG7yyv)DFtxFQ96q9zPvEDO~I? zcdhttMameWejn~oZ-@z0CocmH*~!s=yHFvN?BySz$ugMtg6fVb2~vHlkZg%_{+06f zY;5Qsx(SQYKXY5?lwR$BL^e=5&+2J{%+H3gibN5em-U>Yxmh1XSn_bw#nze1xeJL~ zaVO>Q_J%~9Q(bYPeyr2Za?S-qb(-U>zKq9$mZvzG652#UbRO(UM6E=v8@&DdMFdba zEKp7I)i_6GbxmO7K@+?=6cK_syIS_|Is7#QQ=A7a=oh?=-HmJ-G^ZDqZaKHgb;WV5XC{$^-YvVdQuwjZ#aD((x z{@c%-*s54S)EcBltE(X=4fngO#>q1#&8!6-f;&pajQHt>!&@)<$G=x)BufMXDyFoa Usmd2R7mm(>R8M7SgRTcsn{!IgeEtC7+Jz zLM-V(I^NfUTsVXucTO&-QlY4C*bRFojzcl?J|FS!7F6P*Wxz28rlh+mM7YM7m8NDT zn?z?2pOthdCt^uhZHKso3*PbR)mg9lL)GjhREta@jjC3i{2!14h^KU+(vEq-_a%q6 z812Jgtuif?RBb|Cp~~4^*42{9fGDyu_cLw@yB%t8rqlWB7~$=v3gUO zn-?}6oxm|P@+~>4Vezk>0BQiwiw-}*ccEr1hDNfYz5)YClurX>yDEkLS~?X;3f3O% zxyn@_?98fNO*6E8Lb40Pyn&IYI@Oqa?&}L(9km)%eSd%f8lt*z?HB0^fE>R-OOOm} zEdP-GNv&eF1ZdYLh-~31Pf8C1(%COM4ImNYA^~ItF_J~r7bYc6Lj7M z$p7BLXqvyB1Pf6J_``WB>n=Bq6;4XUUQjgt6h|pBMHkh~y55R@;#47$*BZ#jGt}4u zU(S`9unsHdg<;hHzPDW`CQ4L&E#VH@Ic!*#S=%mMqZeWl7GbD5=|Y#~&zV(w2Me*E zPib4}79_k#1tJ3tWeOa>%&^ zX(V{fvY1f7fqWi(Q8^mL%>?eKc&Frgdl10-zKno>78u-yrexnHX#kLo9fFgC`GF11f7I_^&2gKpxy}GOj5(RN8 zdj%l3z?cPqmhI=v)|LYK<$XbYh00PJQ{g3&WLFA=v9w~)eIjozYqfn!BC0z#xJ&P* sjNwXWfS)Qb5!%$GpKev3k&ezG-%^55K1ME~m?3Tx;0=ierpGs`^d2^Rs{jB1 
diff --git a/unstable/config/hosts/wind/data/secrets/wg_key b/unstable/config/hosts/wind/data/secrets/wg_key new file mode 100644 index 0000000000000000000000000000000000000000..6df1e90330532e00fc87acf89e4bfdd9cd842004 GIT binary patch literal 67 zcmV-J0KESIM@dveQdv+`01mUCD==esqgw0~tXdZBDg}$-lRg4ZzSe~x-idcg)ZOy+ ZV5UG<(*^YGS^MGv<01^YqJx_*iSe#BABO+{ literal 0 HcmV?d00001 diff --git a/unstable/config/hosts/wind/services/acme.nix b/unstable/config/hosts/wind/services/acme.nix index 2935014..862d516 100644 --- a/unstable/config/hosts/wind/services/acme.nix +++ b/unstable/config/hosts/wind/services/acme.nix @@ -4,11 +4,18 @@ security.acme = { acceptTerms = true; email = "admin+certs@graven.dev"; - certs."graven.dev" = { - extraDomainNames = [ "*.graven.dev" ]; - dnsProvider = "hurricane"; - credentialsFile = config.secrets.files.acme_graven_dev.file; - }; + certs = { + "graven.dev" = { + extraDomainNames = [ "*.graven.dev" ]; + dnsProvider = "hurricane"; + credentialsFile = config.secrets.files.acme_graven_dev.file; + }; + "graven.se" = { + extraDomainNames = [ "*.graven.se" ]; + dnsProvider = "hurricane"; + credentialsFile = config.secrets.files.acme_graven_se.file; + }; + }; }; } diff --git a/unstable/config/hosts/wind/services/nginx.nix b/unstable/config/hosts/wind/services/nginx.nix index 21cbea1..39efb7e 100644 --- a/unstable/config/hosts/wind/services/nginx.nix +++ b/unstable/config/hosts/wind/services/nginx.nix 
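Review bot: The new `"graven.se"` certificate entry repeats the `dnsProvider`/`credentialsFile` shape of `"graven.dev"` line for line, so each further zone will be a third copy; a small helper in a `let`, e.g. `hurricane = creds: names: { extraDomainNames = names; dnsProvider = "hurricane"; credentialsFile = creds; };`, keeps each domain to one line and makes it obvious that both use the same provider. The DNS-01 credential for the new zone lands in the same commit as the binary blob `acme_graven_se.env`; the patch does not show whether that file is encrypted at rest, and that is worth confirming, because a plaintext provider token in the repository would let anyone with repository access obtain certificates for the whole zone. A short comment above `certs` naming what the env files are expected to contain (and that they must stay encrypted) would document the assumption for the next person adding a zone.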
@@ -1,79 +1,111 @@ { - imports = [ ../../../common/services/nginx.nix ]; - services.nginx.virtualHosts = { - "graven.dev" = { - useACMEHost = "graven.dev"; - forceSSL = true; - locations."/".root = "/var/www/graven.dev/public"; - locations."/_matrix".proxyPass = "http://127.0.0.1:8008"; - locations."/_synapse".proxyPass = "http://127.0.0.1:8008"; - locations."/.well-known/matrix/" = { - root = "/var/www/matrix/public"; - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin "*"; - add_header Strict-Transport-Security $hsts_header; - add_header Referrer-Policy "origin-when-cross-origin"; - add_header X-Frame-Options "DENY"; - add_header X-Content-Type-Options "nosniff"; - add_header X-XSS-Protection "1; mode=block"; - ''; - }; - }; - "rss.graven.dev" = { - useACMEHost = "graven.dev"; - forceSSL = true; - }; - "git.graven.dev" = { - useACMEHost = "graven.dev"; - forceSSL = true; - locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:"; - }; - "vault.graven.dev" = { - forceSSL = true; - useACMEHost = "graven.dev"; - locations."/" = { - proxyPass = "http://localhost:8812"; - proxyWebsockets = true; - }; - locations."/notifications/hub" = { - proxyPass = "http://localhost:3012"; - proxyWebsockets = true; - }; - locations."/notifications/hub/negotiate" = { - proxyPass = "http://localhost:8812"; - proxyWebsockets = true; - }; - }; - "mta-sts.graven.dev" = { - forceSSL = true; - enableACME = true; - root = "/var/www/mta-sts/public"; - }; - "mta-sts.graven.se" = { - forceSSL = true; - enableACME = true; - root = "/var/www/mta-sts/public"; - }; - "mta-sts.nao.sh" = { - forceSSL = true; - enableACME = true; - root = "/var/www/mta-sts/public"; - }; - "mta-sts.amandag.net" = { - forceSSL = true; - enableACME = true; - root = "/var/www/mta-sts/public"; - }; - "mta-sts.queersin.space" = { - forceSSL = true; - enableACME = true; - root = "/var/www/mta-sts/public"; - }; - "mta-sts.anarkafem.dev" = { - forceSSL = true; - enableACME = 
true; - root = "/var/www/mta-sts/public"; - }; - }; + imports = [ ../../../common/services/nginx.nix ]; + services.nginx.virtualHosts = { + "graven.dev" = { + useACMEHost = "graven.dev"; + forceSSL = true; + locations."/".root = "/var/www/graven.dev/public"; + locations."/_matrix".proxyPass = "http://127.0.0.1:8008"; + locations."/_synapse".proxyPass = "http://127.0.0.1:8008"; + locations."/.well-known/matrix/" = { + root = "/var/www/matrix/public"; + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin "*"; + add_header Strict-Transport-Security $hsts_header; + add_header Referrer-Policy "same-origin"; + add_header X-Frame-Options "DENY"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; + ''; + }; + }; + "rss.graven.dev" = { + useACMEHost = "graven.dev"; + forceSSL = true; + }; + "git.graven.dev" = { + useACMEHost = "graven.dev"; + forceSSL = true; + locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:"; + }; + "vault.graven.dev" = { + forceSSL = true; + useACMEHost = "graven.dev"; + locations."/" = { + proxyPass = "http://localhost:8812"; + proxyWebsockets = true; + }; + locations."/notifications/hub" = { + proxyPass = "http://localhost:3012"; + proxyWebsockets = true; + }; + locations."/notifications/hub/negotiate" = { + proxyPass = "http://localhost:8812"; + proxyWebsockets = true; + }; + }; + "openpgpkey.graven.dev" = { + forceSSL = true; + useACMEHost = "graven.dev"; + locations."/" = { + root = "/var/www/openpgpkey/graven.dev"; + extraConfig = '' + default_type "application/octet-stream"; + add_header Access-Control-Allow-Origin "*"; + add_header Strict-Transport-Security $hsts_header; + add_header Referrer-Policy "same-origin"; + add_header X-Frame-Options "DENY"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; + ''; + }; + }; + "openpgpkey.graven.se" = { + forceSSL = true; + useACMEHost = "graven.se"; + locations."/" = { 
+ root = "/var/www/openpgpkey/graven.se"; + extraConfig = '' + default_type "application/octet-stream"; + add_header Access-Control-Allow-Origin "*"; + add_header Strict-Transport-Security $hsts_header; + add_header Referrer-Policy "same-origin"; + add_header X-Frame-Options "DENY"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; + ''; + }; + }; + "mta-sts.graven.dev" = { + forceSSL = true; + enableACME = true; + root = "/var/www/mta-sts/public"; + }; + "mta-sts.graven.se" = { + forceSSL = true; + enableACME = true; + root = "/var/www/mta-sts/public"; + }; + "mta-sts.nao.sh" = { + forceSSL = true; + enableACME = true; + root = "/var/www/mta-sts/public"; + }; + "mta-sts.amandag.net" = { + forceSSL = true; + enableACME = true; + root = "/var/www/mta-sts/public"; + }; + "mta-sts.queersin.space" = { + forceSSL = true; + enableACME = true; + root = "/var/www/mta-sts/public"; + }; + "mta-sts.anarkafem.dev" = { + forceSSL = true; + enableACME = true; + root = "/var/www/mta-sts/public"; + }; + }; } diff --git a/unstable/config/hosts/wind/services/wireguard.nix b/unstable/config/hosts/wind/services/wireguard.nix new file mode 100644 index 0000000..7e5d539 --- /dev/null +++ b/unstable/config/hosts/wind/services/wireguard.nix 
@@ -0,0 +1,48 @@
+{ pkgs, config, ... }:
+{
+networking.nat.enable = true;
+ networking.nat.externalInterface = "ens3";
+ networking.nat.internalInterfaces = [ "wg0" ];
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ };
+
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the server's end of the tunnel interface.
+ ips = [ "10.100.0.1/24" ];
+
+ # The port that WireGuard listens to. Must be accessible by the client.
+ listenPort = 51820;
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+ '';
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = builtins.toString config.secrets.files.wg_key.file;
+
+ peers = [
+ # List of allowed peers.
+ { # Feel free to give a meaning full name
+ # Public key of the peer (not a file path).
+ publicKey = "5u3lMMKcFWohjs0jomG/86MffY8l4E6jbqjJzdyy6ik=";
+ # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
+ };
+}
diff --git a/unstable/config/sources/nix/sources.json b/unstable/config/sources/nix/sources.json
index 946ef40..c02530c 100644
--- a/unstable/config/sources/nix/sources.json
+++ b/unstable/config/sources/nix/sources.json
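Review bot: With `networking.nat.enable = true`, `internalInterfaces = [ "wg0" ]` and `externalInterface = "ens3"`, the NixOS NAT module should already masquerade tunnel traffic leaving `ens3`, so the hand-written `postSetup`/`postShutdown` iptables rules look redundant and leave two independently managed rules in the same chain — worth verifying on the host and, if confirmed, dropping them so `networking.nat` is the single source of truth. The interface name and the `10.100.0.0/24` subnet are each spelled twice; a `let` binding such as `extIf = "ens3"; wgNet = "10.100.0.0/24";` keeps them in one place. `networking.nat.enable = true;` sits at column 0 while the rest of the module is indented, and `# Feel free to give a meaning full name` / `# List of allowed peers.` are template leftovers that should be replaced by a comment naming the peer (device or owner) and its purpose. As far as this hunk shows, the firewall only opens UDP 51820 and `wg0` is not added to `networking.firewall.trustedInterfaces`, so peer traffic to the host itself stays filtered; a one-line comment stating that this is intentional would save the next reader from "fixing" it.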
@@ -29,10 +29,10 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "d00918ccaf7e1532d35db2f1e3d44db3da39b851",
- "sha256": "0ynxk7vacv8nljkr60f1sdyh0a65lb6w8kzv5m30hy2qba7samrf",
+ "rev": "db22325869a05e376dbab1c31ea7664dd5fcf860",
+ "sha256": "0pihqkl1c5bmb62657r38irvacav51ab0r4vfa2wn027ch1ry29m",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/d00918ccaf7e1532d35db2f1e3d44db3da39b851.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/db22325869a05e376dbab1c31ea7664dd5fcf860.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixus": {