Add new wildcard certs for graven.se, openpgpkey WKD

2021-11-27 22:48:34 +01:00 · 2021-11-27 22:48:34 +01:00 · 4de118b741
parent eb91a3beaf
commit 4de118b741
11 changed files with 174 additions and 111 deletions
--- a/unstable/config/hosts/grondahl/configuration.nix
+++ b/unstable/config/hosts/grondahl/configuration.nix
@ -12,7 +12,6 @@
    ./services/restic.nix
    ./services/synapse.nix
    ./services/postgres.nix
-    ./services/mail.nix
    ];

  boot.loader.grub.enable = true;
--- a/unstable/config/hosts/grondahl/services/mail.nix
+++ b/unstable/config/hosts/grondahl/services/mail.nix
@ -1,25 +0,0 @@
-{ config, ... }:
-{
-  imports = [
-    (builtins.fetchTarball {
-      # Pick a commit from the branch you are interested in
-      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e8142862f23ab99e1cc57838c02b733361e8d50/nixos-mailserver-6e8142862f23ab99e1cc57838c02b733361e8d50.tar.gz";
-      # And set its hash
-      sha256 = "19qzp8131pid4m3llb6w2v4ayxh25016fpv8yw6wnqng9yvigcw5";
-    })
-  ];
-
-  mailserver = {
-    enable = true;
-    fqdn = "anarkafem.dev";
-    domains = [ "anarkafem.dev" ];
-    loginAccounts = {
-      "noreply@anarkafem.dev" = {
-        hashedPasswordFile = config.secrets.files.email_noreply.file;
-
-      };
-    };
-    certificateScheme = 3;
-  };
-}
-
--- a/unstable/config/hosts/grondahl/services/synapse.nix
+++ b/unstable/config/hosts/grondahl/services/synapse.nix
@ -25,6 +25,7 @@
    withJemalloc = true;
    servers = { "anarkafem.dev" = {}; };
    extraConfig = ''
+      default_room_version: "9"
      auto_join_rooms:
        - "#suf-aalborg:anarkafem.dev"
    '';
--- a/unstable/config/hosts/wind/configuration.nix
+++ b/unstable/config/hosts/wind/configuration.nix
@ -13,6 +13,7 @@
    ./services/gitea.nix
    ./services/restic.nix
    ./services/vaultwarden.nix
+		./services/wireguard.nix
    ./data/secrets/secrets.nix
    ];

--- a/unstable/config/hosts/wind/data/secrets/acme_graven_se.env
+++ b/unstable/config/hosts/wind/data/secrets/acme_graven_se.env
--- a/unstable/config/hosts/wind/data/secrets/secrets.nix
+++ b/unstable/config/hosts/wind/data/secrets/secrets.nix
--- a/unstable/config/hosts/wind/data/secrets/wg_key
+++ b/unstable/config/hosts/wind/data/secrets/wg_key
--- a/unstable/config/hosts/wind/services/acme.nix
+++ b/unstable/config/hosts/wind/services/acme.nix
@ -4,11 +4,18 @@
  security.acme = {
    acceptTerms = true;
    email = "admin+certs@graven.dev";
-    certs."graven.dev" = {
-      extraDomainNames = [ "*.graven.dev" ];
-      dnsProvider = "hurricane";
-      credentialsFile = config.secrets.files.acme_graven_dev.file;
-    };
+		certs = {
+			"graven.dev" = {
+				extraDomainNames = [ "*.graven.dev" ];
+				dnsProvider = "hurricane";
+				credentialsFile = config.secrets.files.acme_graven_dev.file;
+			};
+			"graven.se" = {
+				extraDomainNames = [ "*.graven.se" ];
+				dnsProvider = "hurricane";
+				credentialsFile = config.secrets.files.acme_graven_se.file;
+			};
+		};
  };
 }

--- a/unstable/config/hosts/wind/services/nginx.nix
+++ b/unstable/config/hosts/wind/services/nginx.nix
@ -1,79 +1,111 @@
 {
-  imports = [ ../../../common/services/nginx.nix ];
-  services.nginx.virtualHosts = {
-    "graven.dev" = {
-      useACMEHost = "graven.dev";
-      forceSSL = true;
-      locations."/".root = "/var/www/graven.dev/public";
-      locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
-      locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
-      locations."/.well-known/matrix/" = {
-        root = "/var/www/matrix/public";
-        extraConfig = ''
-          default_type application/json;
-          add_header Access-Control-Allow-Origin "*";
-          add_header Strict-Transport-Security $hsts_header;
-          add_header Referrer-Policy "origin-when-cross-origin";
-          add_header X-Frame-Options "DENY";
-          add_header X-Content-Type-Options "nosniff";
-          add_header X-XSS-Protection "1; mode=block";
-        '';
-      };
-    };
-    "rss.graven.dev" = {
-      useACMEHost = "graven.dev";
-      forceSSL = true;
-    };
-    "git.graven.dev" = {
-      useACMEHost = "graven.dev";
-      forceSSL = true;
-      locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
-    };
-    "vault.graven.dev" = {
-      forceSSL = true;
-      useACMEHost = "graven.dev";
-      locations."/" = {
-        proxyPass = "http://localhost:8812";
-        proxyWebsockets = true;
-      };
-      locations."/notifications/hub" = {
-        proxyPass = "http://localhost:3012";
-        proxyWebsockets = true;
-      };
-      locations."/notifications/hub/negotiate" = {
-        proxyPass = "http://localhost:8812";
-        proxyWebsockets = true;
-      };
-    };
-    "mta-sts.graven.dev" = {
-      forceSSL = true;
-      enableACME = true;
-      root = "/var/www/mta-sts/public";
-    };
-    "mta-sts.graven.se" = {
-      forceSSL = true;
-      enableACME = true;
-      root = "/var/www/mta-sts/public";
-    };
-    "mta-sts.nao.sh" = {
-      forceSSL = true;
-      enableACME = true;
-      root = "/var/www/mta-sts/public";
-    };
-    "mta-sts.amandag.net" = {
-      forceSSL = true;
-      enableACME = true;
-      root = "/var/www/mta-sts/public";
-    };
-    "mta-sts.queersin.space" = {
-      forceSSL = true;
-      enableACME = true;
-      root = "/var/www/mta-sts/public";
-    };
-    "mta-sts.anarkafem.dev" = {
-      forceSSL = true;
-      enableACME = true;
-      root = "/var/www/mta-sts/public";
-    };
-  };
+	imports = [ ../../../common/services/nginx.nix ];
+	services.nginx.virtualHosts = {
+		"graven.dev" = {
+			useACMEHost = "graven.dev";
+			forceSSL = true;
+			locations."/".root = "/var/www/graven.dev/public";
+			locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
+			locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
+			locations."/.well-known/matrix/" = {
+				root = "/var/www/matrix/public";
+				extraConfig = ''
+					default_type application/json;
+					add_header Access-Control-Allow-Origin "*";
+					add_header Strict-Transport-Security $hsts_header;
+					add_header Referrer-Policy "same-origin";
+					add_header X-Frame-Options "DENY";
+					add_header X-Content-Type-Options "nosniff";
+					add_header X-XSS-Protection "1; mode=block";
+				'';
+			};
+		};
+		"rss.graven.dev" = {
+			useACMEHost = "graven.dev";
+			forceSSL = true;
+		};
+		"git.graven.dev" = {
+			useACMEHost = "graven.dev";
+			forceSSL = true;
+			locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
+		};
+		"vault.graven.dev" = {
+			forceSSL = true;
+			useACMEHost = "graven.dev";
+			locations."/" = {
+				proxyPass = "http://localhost:8812";
+				proxyWebsockets = true;
+			};
+			locations."/notifications/hub" = {
+				proxyPass = "http://localhost:3012";
+				proxyWebsockets = true;
+			};
+			locations."/notifications/hub/negotiate" = {
+				proxyPass = "http://localhost:8812";
+				proxyWebsockets = true;
+			};
+		};
+		"openpgpkey.graven.dev" = {
+			forceSSL = true;
+			useACMEHost = "graven.dev";
+			locations."/" = {
+				root = "/var/www/openpgpkey/graven.dev";
+				extraConfig = ''
+					default_type "application/octet-stream";
+					add_header Access-Control-Allow-Origin "*";
+					add_header Strict-Transport-Security $hsts_header;
+					add_header Referrer-Policy "same-origin";
+					add_header X-Frame-Options "DENY";
+					add_header X-Content-Type-Options "nosniff";
+					add_header X-XSS-Protection "1; mode=block";
+				'';
+			};
+		};
+		"openpgpkey.graven.se" = {
+			forceSSL = true;
+			useACMEHost = "graven.se";
+			locations."/" = {
+				root = "/var/www/openpgpkey/graven.se";
+				extraConfig = ''
+					default_type "application/octet-stream";
+					add_header Access-Control-Allow-Origin "*";
+					add_header Strict-Transport-Security $hsts_header;
+					add_header Referrer-Policy "same-origin";
+					add_header X-Frame-Options "DENY";
+					add_header X-Content-Type-Options "nosniff";
+					add_header X-XSS-Protection "1; mode=block";
+				'';
+			};
+		};
+		"mta-sts.graven.dev" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.graven.se" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.nao.sh" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.amandag.net" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.queersin.space" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.anarkafem.dev" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+	};
 }
--- a/unstable/config/hosts/wind/services/wireguard.nix
+++ b/unstable/config/hosts/wind/services/wireguard.nix
@ -0,0 +1,48 @@
+{ pkgs, config, ... }:
+{
+networking.nat.enable = true;
+	networking.nat.externalInterface = "ens3";
+	networking.nat.internalInterfaces = [ "wg0" ];
+	networking.firewall = {
+		allowedUDPPorts = [ 51820 ];
+	};
+
+	networking.wireguard.interfaces = {
+		# "wg0" is the network interface name. You can name the interface arbitrarily.
+		wg0 = {
+			# Determines the IP address and subnet of the server's end of the tunnel interface.
+			ips = [ "10.100.0.1/24" ];
+
+			# The port that WireGuard listens to. Must be accessible by the client.
+			listenPort = 51820;
+
+			# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+			# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+			postSetup = ''
+				${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+			'';
+
+			# This undoes the above command
+			postShutdown = ''
+				${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+			'';
+
+			# Path to the private key file.
+			#
+			# Note: The private key can also be included inline via the privateKey option,
+			# but this makes the private key world-readable; thus, using privateKeyFile is
+			# recommended.
+			privateKeyFile = builtins.toString config.secrets.files.wg_key.file;
+
+			peers = [
+				# List of allowed peers.
+				{ # Feel free to give a meaning full name
+					# Public key of the peer (not a file path).
+					publicKey = "5u3lMMKcFWohjs0jomG/86MffY8l4E6jbqjJzdyy6ik=";
+					# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+					allowedIPs = [ "10.100.0.2/32" ];
+				}
+			];
+		};
+	};
+}
--- a/unstable/config/sources/nix/sources.json
+++ b/unstable/config/sources/nix/sources.json
@ -29,10 +29,10 @@
        "homepage": "",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d00918ccaf7e1532d35db2f1e3d44db3da39b851",
-        "sha256": "0ynxk7vacv8nljkr60f1sdyh0a65lb6w8kzv5m30hy2qba7samrf",
+        "rev": "db22325869a05e376dbab1c31ea7664dd5fcf860",
+        "sha256": "0pihqkl1c5bmb62657r38irvacav51ab0r4vfa2wn027ch1ry29m",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/d00918ccaf7e1532d35db2f1e3d44db3da39b851.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/db22325869a05e376dbab1c31ea7664dd5fcf860.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixus": {