From 6d318bddaacf545d96047bc7f5c333d2d882ffdf Mon Sep 17 00:00:00 2001 
From: Emelie
Date: Mon, 27 Sep 2021 14:55:55 +0200
Subject: [PATCH] Add testbench and rudiger

---
 .../pubkeys/despondos_host_ed25519_key.pub | 1 +
 config/common/services/nginx.nix | 43 +++++
 .../common/services/{openssh.nix => ssh.nix} | 12 ++
 config/hosts/grondahl/configuration.nix | 8 +-
 config/hosts/grondahl/services/nginx.nix | 80 +++------
 config/hosts/grondahl/services/restic.nix | 2 +
 config/hosts/grondahl/services/sshguard.nix | 7 -
 config/hosts/nixos-testbed/configuration.nix | 49 ++++++
 .../nixos-testbed/hardware-configuration.nix | 26 +++
 .../nixos-testbed/services/nextcloud.nix | 9 ++
 config/hosts/rudiger/configuration.nix | 81 ++++++++++
 .../hosts/rudiger/hardware-configuration.nix | 42 +++++
 config/hosts/rudiger/services/nextcloud.nix | 20 +++
 config/hosts/rudiger/services/nginx.nix | 4 +
 config/hosts/rudiger/services/postgres.nix | 12 ++
 config/hosts/wind/configuration.nix | 9 +-
 config/hosts/wind/services/nginx.nix | 152 ++++++++----------
 config/hosts/wind/services/restic.nix | 6 +-
 config/hosts/wind/services/sshguard.nix | 7 -
 config/sources/nix/sources.json | 12 +-
 deploy/default.nix | 6 +
 21 files changed, 415 insertions(+), 173 deletions(-)
 create mode 100644 config/common/data/pubkeys/despondos_host_ed25519_key.pub
 create mode 100644 config/common/services/nginx.nix
 rename config/common/services/{openssh.nix => ssh.nix} (64%)
 delete mode 100644 config/hosts/grondahl/services/sshguard.nix
 create mode 100644 config/hosts/nixos-testbed/configuration.nix
 create mode 100644 config/hosts/nixos-testbed/hardware-configuration.nix
 create mode 100644 config/hosts/nixos-testbed/services/nextcloud.nix
 create mode 100644 config/hosts/rudiger/configuration.nix
 create mode 100644 config/hosts/rudiger/hardware-configuration.nix
 create mode 100644 config/hosts/rudiger/services/nextcloud.nix
 create mode 100644 config/hosts/rudiger/services/nginx.nix
 create mode 100644 config/hosts/rudiger/services/postgres.nix
 delete mode 100644 config/hosts/wind/services/sshguard.nix

diff --git a/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/config/common/data/pubkeys/despondos_host_ed25519_key.pub
new file mode 100644
index 0000000..6367ffa
--- /dev/null
+++ b/config/common/data/pubkeys/despondos_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7
diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix
new file mode 100644
index 0000000..ed902f3
--- /dev/null
+++ b/config/common/services/nginx.nix
@@ -0,0 +1,43 @@ +{ ... }: +{ + services.nginx = { + enable = true; + + # Use recommended settings + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # Only allow PFS-enabled ciphers with AES256 + sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; + + commonHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # Enable XSS protection of the browser. + # May be unnecessary when CSP is configured properly (see above) + add_header X-XSS-Protection "1; mode=block"; + + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + ''; + }; +} diff --git a/config/common/services/openssh.nix b/config/common/services/ssh.nix similarity index 64% rename from config/common/services/openssh.nix rename to config/common/services/ssh.nix index 0bc6c22..2a918d9 100644 --- a/config/common/services/openssh.nix +++ b/config/common/services/ssh.nix 
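Review bot: The comment `# Only allow PFS-enabled ciphers with AES256` above `sslCiphers` does not describe the list under it, which also admits the AES128-GCM and CHACHA20-POLY1305 suites; now that this file becomes the shared policy for every host, make it say what the list does, e.g. `# Forward-secret (ECDHE/DHE) AEAD suites only: AES-GCM and CHACHA20-POLY1305`. `add_header X-XSS-Protection "1; mode=block"` is a legacy header that most current browsers ignore and that has been a cross-site leak vector in older ones; the usual recommendation today is to drop it or set `add_header X-XSS-Protection "0";` and enable the Content-Security-Policy line that is still commented out. Also worth a comment in `commonHttpConfig` that nginx discards every inherited `add_header` as soon as a server or location block declares one of its own, which is why the per-host `.well-known/matrix/` locations in this commit repeat all of these headers.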
@@ -9,4 +9,16 @@ kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ]; macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ]; }; + + programs.ssh.knownHosts = { + despondos = { + hostNames = [ "despondos.nao.sh" ]; + publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub; + }; + }; + + services.sshguard = { + enable = true; + blocktime = 300; + }; } diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix index 2464bd1..c7a1ea9 100644 --- a/config/hosts/grondahl/configuration.nix +++ b/config/hosts/grondahl/configuration.nix @@ -5,12 +5,11 @@ [ # Include the results of the hardware scan. ./hardware-configuration.nix ./data/secrets/secrets.nix - ../../common/services/openssh.nix + ../../common/services/ssh.nix ./services/acme.nix ./services/coturn.nix ./services/nginx.nix ./services/restic.nix - ./services/sshguard.nix ./services/synapse.nix ./services/postgres.nix ]; @@ -18,7 +17,7 @@ boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/vda"; - + boot.kernelPackages = pkgs.linuxPackages_5_10; networking = { hostName = "grondahl"; useDHCP = false; @@ -65,8 +64,7 @@ }; users.groups.acme.members = [ "nginx" "turnserver" ]; - users.groups.postgres.members = [ "restic" ]; - users.groups.matrix-synapse.members = [ "restic" ]; + users.groups.backup.members = [ "matrix-synapse" "postgres" ]; # List packages installed in system profile. To search, run: # $ nix search wget diff --git a/config/hosts/grondahl/services/nginx.nix b/config/hosts/grondahl/services/nginx.nix index 77885a7..464f803 100644 --- a/config/hosts/grondahl/services/nginx.nix +++ b/config/hosts/grondahl/services/nginx.nix 
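Review bot: `users.groups.backup.members = [ "matrix-synapse" "postgres" ];` inverts the previous arrangement (restic in the service groups) into one where the service accounts run the backup jobs themselves (`user = …` in the grondahl and wind restic hunks), but nothing says what the `backup` group grants them; presumably group-read on the restic password and SSH key defined in `./data/secrets/secrets.nix`, which is not in this diff. A comment such as `# backup: may read the restic password and ssh key from secrets.nix` next to this line would record that. Note the consequence: every service on the host now holds the same repository password and the same `restic@despondos.nao.sh` key, so a compromise of any one service account can read or delete every repository of that host; a per-service key and password, or an append-only restic account on despondos, would contain that. The wind configuration hunk (`"matrix-synapse" "postgres" "gitea" "vaultwarden"`) has the same shape.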
@@ -1,64 +1,24 @@ { - services.nginx = { - enable = true; - - # Use recommended settings - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - # Only allow PFS-enabled ciphers with AES256 - sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; - - commonHttpConfig = '' - # Add HSTS header with preloading to HTTPS requests. - # Adding this header to HTTP requests is discouraged - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - - # Enable CSP for your services. - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - - # Minimize information leaked to other domains - add_header 'Referrer-Policy' 'origin-when-cross-origin'; - - # Disable embedding as a frame - add_header X-Frame-Options DENY; - - # Prevent injection of code in other mime types (XSS Attacks) - add_header X-Content-Type-Options nosniff; - - # Enable XSS protection of the browser. 
- # May be unnecessary when CSP is configured properly (see above) - add_header X-XSS-Protection "1; mode=block"; - - # This might create errors - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - ''; - - virtualHosts = { - "anarkafem.dev" = { - useACMEHost = "anarkafem.dev"; - forceSSL = true; - locations."/".root = "/var/www/anarkafem.dev/public"; - locations."/_matrix/".proxyPass = "http://127.0.0.1:8008"; - locations."/_matrix/federation".return = "403"; - locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008"; - locations."/.well-known/matrix/" = { - root = "/var/www/matrix/public"; - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin "*"; - add_header Strict-Transport-Security $hsts_header; - add_header Referrer-Policy "origin-when-cross-origin"; - add_header X-Frame-Options "DENY"; - add_header X-Content-Type-Options "nosniff"; - add_header X-XSS-Protection "1; mode=block"; - ''; - }; + imports = [ ../../../common/services/nginx.nix ]; + services.nginx.virtualHosts = { + "anarkafem.dev" = { + useACMEHost = "anarkafem.dev"; + forceSSL = true; + locations."/".root = "/var/www/anarkafem.dev/public"; + locations."/_matrix/".proxyPass = "http://127.0.0.1:8008"; + locations."/_matrix/federation".return = "403"; + locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008"; + locations."/.well-known/matrix/" = { + root = "/var/www/matrix/public"; + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin "*"; + add_header Strict-Transport-Security $hsts_header; + add_header Referrer-Policy "origin-when-cross-origin"; + add_header X-Frame-Options "DENY"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; + ''; }; }; }; diff --git a/config/hosts/grondahl/services/restic.nix b/config/hosts/grondahl/services/restic.nix index 35de8fc..f92203e 100644 --- a/config/hosts/grondahl/services/restic.nix 
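Review bot: The `extraConfig` of `locations."/.well-known/matrix/"` repeats `Strict-Transport-Security`, `Referrer-Policy`, `X-Frame-Options`, `X-Content-Type-Options` and `X-XSS-Protection`, which the newly imported `../../../common/services/nginx.nix` already sets, and nothing explains why; nginx drops all inherited `add_header` directives once a block declares its own, so the repetition is forced by the `Access-Control-Allow-Origin "*"` line and a later reader is likely to "deduplicate" it and silently lose the headers on that path. Suggest `# add_header here discards the headers inherited from common/services/nginx.nix; re-add them all` at the top of that `extraConfig`. `$hsts_header` is likewise only defined because the common file's `map` is in scope, which the comment could mention. The `.well-known/matrix/` location in the wind nginx hunk needs the same note.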
+++ b/config/hosts/grondahl/services/restic.nix @@ -9,6 +9,7 @@ timerConfig = { "OnCalendar" = "03:15"; }; extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; + user = "postgres"; }; "synapse" = { paths = [ "/var/lib/matrix-synapse" ]; @@ -18,6 +19,7 @@ timerConfig = { "OnCalendar" = "03:45"; }; extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; + user = "matrix-synapse"; }; }; } diff --git a/config/hosts/grondahl/services/sshguard.nix b/config/hosts/grondahl/services/sshguard.nix deleted file mode 100644 index a36708e..0000000 --- a/config/hosts/grondahl/services/sshguard.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: -{ - services.sshguard = { - enable = true; - blocktime = 300; - }; -} diff --git a/config/hosts/nixos-testbed/configuration.nix b/config/hosts/nixos-testbed/configuration.nix new file mode 100644 index 0000000..72b774f --- /dev/null +++ b/config/hosts/nixos-testbed/configuration.nix 
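Review bot: With `user = "postgres"` and `user = "matrix-synapse"` the `ssh … -i ${config.secrets.files.ssh_key.file}` in `extraOptions` now runs as those accounts instead of root, and OpenSSH refuses a private key file that is group- or world-readable when the file is owned by the calling user, so the key has to stay root-owned with group-only read access for `backup`; `secrets.nix` is outside this diff, so that cannot be checked here. `passwordFile` has no such permission check but is read by the same accounts. A comment beside the new lines, e.g. `# job runs as the service user; ssh key and password file must be root-owned and group-readable by "backup"`, would record the requirement. The wind restic hunk adds the same `user` lines for gitea, postgres, matrix-synapse and vaultwarden.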
@@ -0,0 +1,49 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ../../common/services/ssh.nix + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; + networking.hostName = "nixos-testbed"; + time.timeZone = "Europe/Copenhagen"; + networking.useDHCP = false; + networking.interfaces.ens3.useDHCP = true; + networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ]; + networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; + + users.users.emelie = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" + ]; + }; + + security.sudo.wheelNeedsPassword = false; + + environment.systemPackages = with pkgs; [ + vim + htop + iotop + dig + ]; + + nix = { + autoOptimiseStore = true; + trustedUsers = [ + "root" + "@wheel" + ]; + }; + + # Use hetzner firewall instead + networking.firewall.enable = false; + + system.stateVersion = "21.05"; + +} diff --git a/config/hosts/nixos-testbed/hardware-configuration.nix b/config/hosts/nixos-testbed/hardware-configuration.nix new file mode 100644 index 0000000..27c490b --- /dev/null +++ b/config/hosts/nixos-testbed/hardware-configuration.nix 
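Review bot: `networking.firewall.enable = false;` together with `security.sudo.wheelNeedsPassword = false;` and `nix.trustedUsers = [ "root" "@wheel" ];` makes the single `emelie@flap` SSH key the only barrier between the network and root on this host, which is a defensible choice for a throwaway testbed but should be written down: extend `# Use hetzner firewall instead` to say which inbound ports the provider rule set is expected to allow, so nobody later assumes the host is closed. Whether password login is disabled depends on `../../common/services/ssh.nix`, whose head is outside this diff. `rudiger` (next file) keeps the NixOS firewall with `allowedTCPPorts = [ 22 80 443 ]` but shares the passwordless-sudo and trusted-users setup, so the same note applies there.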
@@ -0,0 +1,26 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + (modulesPath + "/profiles/minimal.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/b5f08f96-c7aa-4c02-86a2-15cfe4134f4d"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/f36e61f8-337f-4b77-bd63-9b1d0146d73d"; } + ]; + +} diff --git a/config/hosts/nixos-testbed/services/nextcloud.nix b/config/hosts/nixos-testbed/services/nextcloud.nix new file mode 100644 index 0000000..a0bc602 --- /dev/null +++ b/config/hosts/nixos-testbed/services/nextcloud.nix @@ -0,0 +1,9 @@ +{ ... }: { + services.nextcloud = { + enable = true; + https = true; + webfinger = true; + hostname = "cloud-test.graven.dev"; + + }; +} diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix new file mode 100644 index 0000000..6a54de8 --- /dev/null +++ b/config/hosts/rudiger/configuration.nix 
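Review bot: `hostname = "cloud-test.graven.dev";` in `nixos-testbed/services/nextcloud.nix` uses a lowercase option name; the NixOS module option is `hostName` (as `rudiger/services/nextcloud.nix` in this same commit spells it), so this file would fail evaluation with an undefined-option error — it does not today only because `nixos-testbed/configuration.nix` never imports `./services/nextcloud.nix`. Either change it to `hostName = "cloud-test.graven.dev";` and add the import, or drop the file. Unlike rudiger it also sets no `package`, no database settings and no `adminpassFile`, which the module presumably needs once the file is actually imported.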
@@ -0,0 +1,81 @@ +{ config, pkgs, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./data/secrets/secrets.nix + ../../common/services/ssh.nix + ./services/nextcloud.nix + ./services/nginx.nix + ./services/postgres.nix + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; + + boot.supportedFilesystems = ["zfs"]; + services.zfs.autoSnapshot.enable = true; + services.zfs.autoScrub.enable = true; + + time.timeZone = "Europe/Copenhagen"; + + networking = { + hostName = "rudiger"; + hostId = "8c7b66a4"; + useDHCP = false; + tempAddresses = "disabled"; + interfaces = { + "ens3" = { + ipv4.addresses = [ { + address = "202.61.202.170"; + prefixLength = 22; + } ]; + ipv6.addresses = [ { + address = "2a03:4000:5a:c61::1"; + prefixLength = 64; + } ]; + }; + }; + defaultGateway = "202.61.200.1"; + defaultGateway6 = { + address = "fe80::1"; + interface = "ens3"; + }; + nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ]; + }; + + nix = { + autoOptimiseStore = true; + trustedUsers = [ + "root" + "@wheel" + ]; + }; + users.users.emelie = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap" + ]; + }; + environment.systemPackages = with pkgs; [ + vim + wget + htop + iotop + dig + ]; + security.sudo.wheelNeedsPassword = false; + + systemd.services."nextcloud-setup" = { + requires = ["postgresql.service"]; + after = ["postgresql.service"]; + }; + + networking.firewall.allowedTCPPorts = [ 22 80 443 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + system.stateVersion = "21.05"; + +} diff --git a/config/hosts/rudiger/hardware-configuration.nix b/config/hosts/rudiger/hardware-configuration.nix new file mode 100644 index 0000000..1e82882 --- /dev/null +++ b/config/hosts/rudiger/hardware-configuration.nix 
@@ -0,0 +1,42 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + (modulesPath + "/profiles/minimal.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/safe/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/F220-781F"; + fsType = "vfat"; + }; + + fileSystems."/home" = + { device = "rpool/safe/home"; + fsType = "zfs"; + }; + + fileSystems."/nix" = + { device = "rpool/local/nix"; + fsType = "zfs"; + }; + + fileSystems."/var/lib/nextcloud" = + { device = "rpool/safe/nextcloud"; + fsType = "zfs"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/52f7db16-b51b-4b8c-bfea-46184bb3099e"; } + ]; +} diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix new file mode 100644 index 0000000..eb61b4b --- /dev/null +++ b/config/hosts/rudiger/services/nextcloud.nix @@ -0,0 +1,20 @@ +{ config, pkgs, ... }: +{ + services.nextcloud = { + enable = true; + hostName = "cloud.graven.dev"; + #https = true; + package = pkgs.nextcloud22; + autoUpdateApps.enable = true; + maxUploadSize = "10G"; + webfinger = true; + config = { + dbtype = "pgsql"; + dbuser = "nextcloud"; + dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself + dbname = "nextcloud"; + adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file; + adminuser = "root"; + }; + }; +} diff --git a/config/hosts/rudiger/services/nginx.nix b/config/hosts/rudiger/services/nginx.nix new file mode 100644 index 0000000..57cb8a5 --- /dev/null +++ b/config/hosts/rudiger/services/nginx.nix @@ -0,0 +1,4 @@ +{ ... }: +{ + imports = [ ../../../common/services/nginx.nix ]; +} 
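Review bot: With `#https = true;` commented out in `rudiger/services/nextcloud.nix` and `rudiger/services/nginx.nix` only importing the common file without touching `virtualHosts."cloud.graven.dev"`, nothing in this commit enables TLS for the vhost the Nextcloud module creates: the HSTS `map` in the common file only fires when `$scheme` is already https, so the `adminuser = "root"` login at `cloud.graven.dev` would be served over plain HTTP unless `./data/secrets/secrets.nix` or something outside the diff does it. Uncomment `https = true;` (it controls the protocol of links Nextcloud generates, so it is needed once the vhost is TLS-only) and add `services.nginx.virtualHosts."cloud.graven.dev" = { forceSSL = true; enableACME = true; };` to rudiger's nginx.nix. The deploy entry in `deploy/default.nix` targets `emelie@cloud.graven.dev`, so this name is the host's public face and the one that needs the certificate.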
diff --git a/config/hosts/rudiger/services/postgres.nix b/config/hosts/rudiger/services/postgres.nix new file mode 100644 index 0000000..92e4732 --- /dev/null +++ b/config/hosts/rudiger/services/postgres.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + services.postgresql = { + enable = true; + ensureDatabases = [ "nextcloud" ]; + ensureUsers = [ + { name = "nextcloud"; + ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + } + ]; + }; +} diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index 6424ce1..4645a59 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix @@ -3,7 +3,7 @@ { imports = [ ./hardware-configuration.nix - ../../common/services/openssh.nix + ../../common/services/ssh.nix ./services/acme.nix ./services/coturn.nix ./services/nginx.nix @@ -12,7 +12,6 @@ ./services/ttrss.nix ./services/gitea.nix ./services/restic.nix - ./services/sshguard.nix ./services/vaultwarden.nix ./data/secrets/secrets.nix ]; @@ -20,6 +19,7 @@ boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/sda"; + boot.kernelPackages = pkgs.linuxPackages_5_10; boot.supportedFilesystems = ["zfs"]; services.zfs.autoSnapshot.enable = true; services.zfs.autoScrub.enable = true; @@ -65,10 +65,7 @@ # networking.firewall.allowedUDPPortsRanges = [ { from = 49152; to = 49999; } ]; users.groups.acme.members = [ "nginx" "turnserver" "gitea" ]; - users.groups.postgres.members = [ "restic" ]; - users.groups.gitea.members = [ "restic" ]; - users.groups.matrix-synapse.members = [ "restic" ]; - + users.groups.backup.members = [ "matrix-synapse" "postgres" "gitea" "vaultwarden" ]; system.stateVersion = "21.05"; diff --git a/config/hosts/wind/services/nginx.nix b/config/hosts/wind/services/nginx.nix index 5bfb6fb..21cbea1 100644 --- a/config/hosts/wind/services/nginx.nix +++ b/config/hosts/wind/services/nginx.nix 
@@ -1,89 +1,79 @@ { - services.nginx = { - enable = true; - - # Use recommended settings - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - # Only allow PFS-enabled ciphers with AES256 - sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; - - commonHttpConfig = '' - # Add HSTS header with preloading to HTTPS requests. - # Adding this header to HTTP requests is discouraged - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - - # Enable CSP for your services. - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - - # Minimize information leaked to other domains - add_header 'Referrer-Policy' 'origin-when-cross-origin'; - - # Disable embedding as a frame - add_header X-Frame-Options DENY; - - # Prevent injection of code in other mime types (XSS Attacks) - add_header X-Content-Type-Options nosniff; - - # Enable XSS protection of the browser. 
- # May be unnecessary when CSP is configured properly (see above) - add_header X-XSS-Protection "1; mode=block"; - - # This might create errors - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - ''; - - virtualHosts = { - "graven.dev" = { - useACMEHost = "graven.dev"; - forceSSL = true; - locations."/".root = "/var/www/graven.dev/public"; - locations."/_matrix".proxyPass = "http://127.0.0.1:8008"; - locations."/_synapse".proxyPass = "http://127.0.0.1:8008"; - locations."/.well-known/matrix/" = { - root = "/var/www/matrix/public"; - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin "*"; - add_header Strict-Transport-Security $hsts_header; - add_header Referrer-Policy "origin-when-cross-origin"; - add_header X-Frame-Options "DENY"; - add_header X-Content-Type-Options "nosniff"; - add_header X-XSS-Protection "1; mode=block"; - ''; - }; + imports = [ ../../../common/services/nginx.nix ]; + services.nginx.virtualHosts = { + "graven.dev" = { + useACMEHost = "graven.dev"; + forceSSL = true; + locations."/".root = "/var/www/graven.dev/public"; + locations."/_matrix".proxyPass = "http://127.0.0.1:8008"; + locations."/_synapse".proxyPass = "http://127.0.0.1:8008"; + locations."/.well-known/matrix/" = { + root = "/var/www/matrix/public"; + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin "*"; + add_header Strict-Transport-Security $hsts_header; + add_header Referrer-Policy "origin-when-cross-origin"; + add_header X-Frame-Options "DENY"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; + ''; }; - "rss.graven.dev" = { - useACMEHost = "graven.dev"; - forceSSL = true; + }; + "rss.graven.dev" = { + useACMEHost = "graven.dev"; + forceSSL = true; + }; + "git.graven.dev" = { + useACMEHost = "graven.dev"; + forceSSL = true; + locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:"; + }; + "vault.graven.dev" = { + forceSSL = true; + 
useACMEHost = "graven.dev"; + locations."/" = { + proxyPass = "http://localhost:8812"; + proxyWebsockets = true; }; - "git.graven.dev" = { - useACMEHost = "graven.dev"; - forceSSL = true; - locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:"; + locations."/notifications/hub" = { + proxyPass = "http://localhost:3012"; + proxyWebsockets = true; }; - "vault.graven.dev" = { - forceSSL = true; - useACMEHost = "graven.dev"; - locations."/" = { - proxyPass = "http://localhost:8812"; - proxyWebsockets = true; - }; - locations."/notifications/hub" = { - proxyPass = "http://localhost:3012"; - proxyWebsockets = true; - }; - locations."/notifications/hub/negotiate" = { - proxyPass = "http://localhost:8812"; - proxyWebsockets = true; - }; + locations."/notifications/hub/negotiate" = { + proxyPass = "http://localhost:8812"; + proxyWebsockets = true; }; }; + "mta-sts.graven.dev" = { + forceSSL = true; + enableACME = true; + root = "/var/www/mta-sts/public"; + }; + "mta-sts.graven.se" = { + forceSSL = true; + enableACME = true; + root = "/var/www/mta-sts/public"; + }; + "mta-sts.nao.sh" = { + forceSSL = true; + enableACME = true; + root = "/var/www/mta-sts/public"; + }; + "mta-sts.amandag.net" = { + forceSSL = true; + enableACME = true; + root = "/var/www/mta-sts/public"; + }; + "mta-sts.queersin.space" = { + forceSSL = true; + enableACME = true; + root = "/var/www/mta-sts/public"; + }; + "mta-sts.anarkafem.dev" = { + forceSSL = true; + enableACME = true; + root = "/var/www/mta-sts/public"; + }; }; } diff --git a/config/hosts/wind/services/restic.nix b/config/hosts/wind/services/restic.nix index cc97cb4..083e4cc 100644 --- a/config/hosts/wind/services/restic.nix +++ b/config/hosts/wind/services/restic.nix 
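Review bot: The six `mta-sts.*` virtual hosts at the end of the hunk are byte-identical apart from the name, so a drift in one of them (a changed `root`, a forgotten `forceSSL`) would go unnoticed; generating them with `lib.genAttrs` keeps the policy in one place, and the list of domains then doubles as documentation of which mail domains publish an MTA-STS policy. The hunk's first context line is a bare `{`, so the file appears to be a plain attrset and would need a `{ lib, ... }:` header for this. Per-host `enableACME = true` is the right choice here because an MTA-STS policy must be served from exactly `mta-sts.<domain>` with a certificate valid for that name, which the shared `useACMEHost = "graven.dev"` certificate presumably does not cover for the other domains; a one-line comment saying so would stop someone "harmonising" them onto `useACMEHost`.
```nix
{ lib, ... }:
{
  imports = [ ../../../common/services/nginx.nix ];
  services.nginx.virtualHosts = {
    # … unchanged: graven.dev, rss.graven.dev, git.graven.dev, vault.graven.dev …
  } // lib.genAttrs [
    "mta-sts.graven.dev"
    "mta-sts.graven.se"
    "mta-sts.nao.sh"
    "mta-sts.amandag.net"
    "mta-sts.queersin.space"
    "mta-sts.anarkafem.dev"
  ] (_: {
    # MTA-STS policies must be served from exactly this name with a valid
    # certificate, so each host gets its own ACME certificate.
    forceSSL = true;
    enableACME = true;
    root = "/var/www/mta-sts/public";
  });
}
```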
@@ -11,6 +11,7 @@ timerConfig = { "OnCalendar" = "02:15"; }; extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; + user = "gitea"; }; "postgres" = { paths = [ "/var/lib/postgresql/backup" ]; @@ -20,6 +21,7 @@ timerConfig = { "OnCalendar" = "03:00"; }; extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; + user = "postgres"; }; "synapse" = { paths = [ "/var/lib/matrix-synapse" ]; @@ -29,15 +31,17 @@ timerConfig = { "OnCalendar" = "03:30"; }; extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; + user = "matrix-synapse"; }; "vaultwarden" = { - paths = [ "/var/lib/vaultwarden" ]; + paths = [ "/var/lib/bitwarden_rs" ]; repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden"; initialize = true; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; timerConfig = { "OnCalendar" = "23:45"; }; extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; passwordFile = builtins.toString config.secrets.files.restic_pass.file; + user = "vaultwarden"; }; }; } diff --git a/config/hosts/wind/services/sshguard.nix b/config/hosts/wind/services/sshguard.nix deleted file mode 100644 index a36708e..0000000 --- a/config/hosts/wind/services/sshguard.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: -{ - services.sshguard = { - enable = true; - blocktime = 300; - }; -} diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index bd9d728..0f298e0 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
@@ -17,10 +17,10 @@
         "homepage": "",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "16fca9df230408608846940981b4037762420b1b",
-        "sha256": "0nvak6dmlcgc4m5s6di82c06c95cmc4iys1ky14y5di27r7qnrma",
+        "rev": "3cc8c47af31798040ea62499090540413279f832",
+        "sha256": "0l4pflis99q0095rrmxahp1w8jz38znq5pyni4x8n7cgcrv5gwq2",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixos-hardware/archive/16fca9df230408608846940981b4037762420b1b.tar.gz",
+        "url": "https://github.com/NixOS/nixos-hardware/archive/3cc8c47af31798040ea62499090540413279f832.tar.gz",
         "url_template": "https://github.com///archive/.tar.gz"
     },
     "nixpkgs": {
@@ -29,10 +29,10 @@
         "homepage": "",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d6b683c0527a7f777b5f2b4db2555891cd5a85f5",
-        "sha256": "0mkinbg2s4mg1ngh773h7rqc898siyigwy2wfz8jaai8k9srpx1n",
+        "rev": "d0220562772b787d58c48df3434f36da1f552bdc",
+        "sha256": "1nhh4afidrq7crb82ax3f5gqn17scxi7rl6zlxnzcplnwr0waczq",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/d6b683c0527a7f777b5f2b4db2555891cd5a85f5.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/d0220562772b787d58c48df3434f36da1f552bdc.tar.gz",
         "url_template": "https://github.com///archive/.tar.gz"
     },
     "nixus": {
diff --git a/deploy/default.nix b/deploy/default.nix
index 0384c91..6a356cb 100644
--- a/deploy/default.nix
+++ b/deploy/default.nix
@@ -24,6 +24,12 @@ in import "${sources.nixus}" {} ({ config, ... }: {
       switchTimeout = 300;
       successTimeout = 300;
     };
+    rudiger = { lib, config, ... }: {
+      host = "emelie@cloud.graven.dev";
+      configuration = ../config/hosts/rudiger/configuration.nix;
+      switchTimeout = 300;
+      successTimeout = 300;
+    };
   };
 })