Add new wildcard certs for graven.se, openpgpkey WKD

unstable/config/hosts/grondahl/configuration.nix

@@ -12,7 +12,6 @@
     ./services/restic.nix
     ./services/synapse.nix
     ./services/postgres.nix
-    ./services/mail.nix
     ];
 
   boot.loader.grub.enable = true;

unstable/config/hosts/grondahl/services/mail.nix

@@ -1,25 +0,0 @@
-{ config, ... }:
-{
-  imports = [
-    (builtins.fetchTarball {
-      # Pick a commit from the branch you are interested in
-      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e8142862f23ab99e1cc57838c02b733361e8d50/nixos-mailserver-6e8142862f23ab99e1cc57838c02b733361e8d50.tar.gz";
-      # And set its hash
-      sha256 = "19qzp8131pid4m3llb6w2v4ayxh25016fpv8yw6wnqng9yvigcw5";
-    })
-  ];
-
-  mailserver = {
-    enable = true;
-    fqdn = "anarkafem.dev";
-    domains = [ "anarkafem.dev" ];
-    loginAccounts = {
-      "noreply@anarkafem.dev" = {
-        hashedPasswordFile = config.secrets.files.email_noreply.file;
-
-      };
-    };
-    certificateScheme = 3;
-  };
-}
-

unstable/config/hosts/grondahl/services/synapse.nix

@@ -25,6 +25,7 @@
     withJemalloc = true;
     servers = { "anarkafem.dev" = {}; };
     extraConfig = ''
+      default_room_version: "9"
       auto_join_rooms:
         - "#suf-aalborg:anarkafem.dev"
     '';

unstable/config/hosts/wind/configuration.nix

@@ -13,6 +13,7 @@
     ./services/gitea.nix
     ./services/restic.nix
     ./services/vaultwarden.nix
+		./services/wireguard.nix
     ./data/secrets/secrets.nix
     ];
 

unstable/config/hosts/wind/services/acme.nix

@@ -4,11 +4,18 @@
   security.acme = {
     acceptTerms = true;
     email = "admin+certs@graven.dev";
-    certs."graven.dev" = {
+		certs = {
-      extraDomainNames = [ "*.graven.dev" ];
+			"graven.dev" = {
-      dnsProvider = "hurricane";
+				extraDomainNames = [ "*.graven.dev" ];
-      credentialsFile = config.secrets.files.acme_graven_dev.file;
+				dnsProvider = "hurricane";
-    };
+				credentialsFile = config.secrets.files.acme_graven_dev.file;
+			};
+			"graven.se" = {
+				extraDomainNames = [ "*.graven.se" ];
+				dnsProvider = "hurricane";
+				credentialsFile = config.secrets.files.acme_graven_se.file;
+			};
+		};
   };
 }
 

unstable/config/hosts/wind/services/nginx.nix

@@ -1,79 +1,111 @@
 {
-  imports = [ ../../../common/services/nginx.nix ];
+	imports = [ ../../../common/services/nginx.nix ];
-  services.nginx.virtualHosts = {
+	services.nginx.virtualHosts = {
-    "graven.dev" = {
+		"graven.dev" = {
-      useACMEHost = "graven.dev";
+			useACMEHost = "graven.dev";
-      forceSSL = true;
+			forceSSL = true;
-      locations."/".root = "/var/www/graven.dev/public";
+			locations."/".root = "/var/www/graven.dev/public";
-      locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
+			locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
-      locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
+			locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
-      locations."/.well-known/matrix/" = {
+			locations."/.well-known/matrix/" = {
-        root = "/var/www/matrix/public";
+				root = "/var/www/matrix/public";
-        extraConfig = ''
+				extraConfig = ''
-          default_type application/json;
+					default_type application/json;
-          add_header Access-Control-Allow-Origin "*";
+					add_header Access-Control-Allow-Origin "*";
-          add_header Strict-Transport-Security $hsts_header;
+					add_header Strict-Transport-Security $hsts_header;
-          add_header Referrer-Policy "origin-when-cross-origin";
+					add_header Referrer-Policy "same-origin";
-          add_header X-Frame-Options "DENY";
+					add_header X-Frame-Options "DENY";
-          add_header X-Content-Type-Options "nosniff";
+					add_header X-Content-Type-Options "nosniff";
-          add_header X-XSS-Protection "1; mode=block";
+					add_header X-XSS-Protection "1; mode=block";
-        '';
+				'';
-      };
+			};
-    };
+		};
-    "rss.graven.dev" = {
+		"rss.graven.dev" = {
-      useACMEHost = "graven.dev";
+			useACMEHost = "graven.dev";
-      forceSSL = true;
+			forceSSL = true;
-    };
+		};
-    "git.graven.dev" = {
+		"git.graven.dev" = {
-      useACMEHost = "graven.dev";
+			useACMEHost = "graven.dev";
-      forceSSL = true;
+			forceSSL = true;
-      locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
+			locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
-    };
+		};
-    "vault.graven.dev" = {
+		"vault.graven.dev" = {
-      forceSSL = true;
+			forceSSL = true;
-      useACMEHost = "graven.dev";
+			useACMEHost = "graven.dev";
-      locations."/" = {
+			locations."/" = {
-        proxyPass = "http://localhost:8812";
+				proxyPass = "http://localhost:8812";
-        proxyWebsockets = true;
+				proxyWebsockets = true;
-      };
+			};
-      locations."/notifications/hub" = {
+			locations."/notifications/hub" = {
-        proxyPass = "http://localhost:3012";
+				proxyPass = "http://localhost:3012";
-        proxyWebsockets = true;
+				proxyWebsockets = true;
-      };
+			};
-      locations."/notifications/hub/negotiate" = {
+			locations."/notifications/hub/negotiate" = {
-        proxyPass = "http://localhost:8812";
+				proxyPass = "http://localhost:8812";
-        proxyWebsockets = true;
+				proxyWebsockets = true;
-      };
+			};
-    };
+		};
-    "mta-sts.graven.dev" = {
+		"openpgpkey.graven.dev" = {
-      forceSSL = true;
+			forceSSL = true;
-      enableACME = true;
+			useACMEHost = "graven.dev";
-      root = "/var/www/mta-sts/public";
+			locations."/" = {
-    };
+				root = "/var/www/openpgpkey/graven.dev";
-    "mta-sts.graven.se" = {
+				extraConfig = ''
-      forceSSL = true;
+					default_type "application/octet-stream";
-      enableACME = true;
+					add_header Access-Control-Allow-Origin "*";
-      root = "/var/www/mta-sts/public";
+					add_header Strict-Transport-Security $hsts_header;
-    };
+					add_header Referrer-Policy "same-origin";
-    "mta-sts.nao.sh" = {
+					add_header X-Frame-Options "DENY";
-      forceSSL = true;
+					add_header X-Content-Type-Options "nosniff";
-      enableACME = true;
+					add_header X-XSS-Protection "1; mode=block";
-      root = "/var/www/mta-sts/public";
+				'';
-    };
+			};
-    "mta-sts.amandag.net" = {
+		};
-      forceSSL = true;
+		"openpgpkey.graven.se" = {
-      enableACME = true;
+			forceSSL = true;
-      root = "/var/www/mta-sts/public";
+			useACMEHost = "graven.se";
-    };
+			locations."/" = {
-    "mta-sts.queersin.space" = {
+				root = "/var/www/openpgpkey/graven.se";
-      forceSSL = true;
+				extraConfig = ''
-      enableACME = true;
+					default_type "application/octet-stream";
-      root = "/var/www/mta-sts/public";
+					add_header Access-Control-Allow-Origin "*";
-    };
+					add_header Strict-Transport-Security $hsts_header;
-    "mta-sts.anarkafem.dev" = {
+					add_header Referrer-Policy "same-origin";
-      forceSSL = true;
+					add_header X-Frame-Options "DENY";
-      enableACME = true;
+					add_header X-Content-Type-Options "nosniff";
-      root = "/var/www/mta-sts/public";
+					add_header X-XSS-Protection "1; mode=block";
-    };
+				'';
-  };
+			};
+		};
+		"mta-sts.graven.dev" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.graven.se" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.nao.sh" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.amandag.net" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.queersin.space" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.anarkafem.dev" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+	};
 }

unstable/config/hosts/wind/services/wireguard.nix

@@ -0,0 +1,48 @@
+{ pkgs, config, ... }:
+{
+networking.nat.enable = true;
+	networking.nat.externalInterface = "ens3";
+	networking.nat.internalInterfaces = [ "wg0" ];
+	networking.firewall = {
+		allowedUDPPorts = [ 51820 ];
+	};
+
+	networking.wireguard.interfaces = {
+		# "wg0" is the network interface name. You can name the interface arbitrarily.
+		wg0 = {
+			# Determines the IP address and subnet of the server's end of the tunnel interface.
+			ips = [ "10.100.0.1/24" ];
+
+			# The port that WireGuard listens to. Must be accessible by the client.
+			listenPort = 51820;
+
+			# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+			# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+			postSetup = ''
+				${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+			'';
+
+			# This undoes the above command
+			postShutdown = ''
+				${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+			'';
+
+			# Path to the private key file.
+			#
+			# Note: The private key can also be included inline via the privateKey option,
+			# but this makes the private key world-readable; thus, using privateKeyFile is
+			# recommended.
+			privateKeyFile = builtins.toString config.secrets.files.wg_key.file;
+
+			peers = [
+				# List of allowed peers.
+				{ # Feel free to give a meaning full name
+					# Public key of the peer (not a file path).
+					publicKey = "5u3lMMKcFWohjs0jomG/86MffY8l4E6jbqjJzdyy6ik=";
+					# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+					allowedIPs = [ "10.100.0.2/32" ];
+				}
+			];
+		};
+	};
+}

unstable/config/sources/nix/sources.json

@@ -29,10 +29,10 @@
         "homepage": "",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d00918ccaf7e1532d35db2f1e3d44db3da39b851",
+        "rev": "db22325869a05e376dbab1c31ea7664dd5fcf860",
-        "sha256": "0ynxk7vacv8nljkr60f1sdyh0a65lb6w8kzv5m30hy2qba7samrf",
+        "sha256": "0pihqkl1c5bmb62657r38irvacav51ab0r4vfa2wn027ch1ry29m",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/d00918ccaf7e1532d35db2f1e3d44db3da39b851.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/db22325869a05e376dbab1c31ea7664dd5fcf860.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixus": {