Add testbench and rudiger

2021-09-27 14:55:55 +02:00 · 2021-09-27 14:55:55 +02:00 · 6d318bddaa
commit 6d318bddaa
parent 0969b36564
21 changed files with 415 additions and 173 deletions
--- a/config/hosts/grondahl/configuration.nix
+++ b/config/hosts/grondahl/configuration.nix
@ -5,12 +5,11 @@
    [ # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./data/secrets/secrets.nix
-    ../../common/services/openssh.nix
+    ../../common/services/ssh.nix
    ./services/acme.nix
    ./services/coturn.nix
    ./services/nginx.nix
    ./services/restic.nix
-    ./services/sshguard.nix
    ./services/synapse.nix
    ./services/postgres.nix
    ];
@ -18,7 +17,7 @@
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";
-
+  boot.kernelPackages = pkgs.linuxPackages_5_10;
  networking = {
    hostName = "grondahl";
    useDHCP = false;
@ -65,8 +64,7 @@
  };

  users.groups.acme.members = [ "nginx" "turnserver" ];
-  users.groups.postgres.members = [ "restic" ];
-  users.groups.matrix-synapse.members = [ "restic" ];
+  users.groups.backup.members = [ "matrix-synapse" "postgres" ];

  # List packages installed in system profile. To search, run:
  # $ nix search wget
--- a/config/hosts/grondahl/services/nginx.nix
+++ b/config/hosts/grondahl/services/nginx.nix
@ -1,64 +1,24 @@
 {
-  services.nginx = {
-    enable = true;
-
-    # Use recommended settings
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-
-    # Only allow PFS-enabled ciphers with AES256
-    sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
-
-    commonHttpConfig = ''
-      # Add HSTS header with preloading to HTTPS requests.
-      # Adding this header to HTTP requests is discouraged
-      map $scheme $hsts_header {
-          https   "max-age=31536000; includeSubdomains; preload";
-      }
-      add_header Strict-Transport-Security $hsts_header;
-
-      # Enable CSP for your services.
-      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
-      # Minimize information leaked to other domains
-      add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
-      # Disable embedding as a frame
-      add_header X-Frame-Options DENY;
-
-      # Prevent injection of code in other mime types (XSS Attacks)
-      add_header X-Content-Type-Options nosniff;
-
-      # Enable XSS protection of the browser.
-      # May be unnecessary when CSP is configured properly (see above)
-      add_header X-XSS-Protection "1; mode=block";
-
-      # This might create errors
-      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-    '';
-
-    virtualHosts = {
-      "anarkafem.dev" = {
-        useACMEHost = "anarkafem.dev";
-        forceSSL = true;
-        locations."/".root = "/var/www/anarkafem.dev/public";
-        locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
-        locations."/_matrix/federation".return = "403";
-        locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
-        locations."/.well-known/matrix/" = {
-          root = "/var/www/matrix/public";
-          extraConfig = ''
-            default_type application/json;
-            add_header Access-Control-Allow-Origin "*";
-            add_header Strict-Transport-Security $hsts_header;
-            add_header Referrer-Policy "origin-when-cross-origin";
-            add_header X-Frame-Options "DENY";
-            add_header X-Content-Type-Options "nosniff";
-            add_header X-XSS-Protection "1; mode=block";
-          '';
-        };
+  imports = [ ../../../common/services/nginx.nix ];
+  services.nginx.virtualHosts = {
+    "anarkafem.dev" = {
+      useACMEHost = "anarkafem.dev";
+      forceSSL = true;
+      locations."/".root = "/var/www/anarkafem.dev/public";
+      locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
+      locations."/_matrix/federation".return = "403";
+      locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+      locations."/.well-known/matrix/" = {
+        root = "/var/www/matrix/public";
+        extraConfig = ''
+          default_type application/json;
+          add_header Access-Control-Allow-Origin "*";
+          add_header Strict-Transport-Security $hsts_header;
+          add_header Referrer-Policy "origin-when-cross-origin";
+          add_header X-Frame-Options "DENY";
+          add_header X-Content-Type-Options "nosniff";
+          add_header X-XSS-Protection "1; mode=block";
+        '';
      };
    };
  };
--- a/config/hosts/grondahl/services/restic.nix
+++ b/config/hosts/grondahl/services/restic.nix
@ -9,6 +9,7 @@
      timerConfig = { "OnCalendar" = "03:15"; };
      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "postgres";
    };
    "synapse" = {
      paths = [ "/var/lib/matrix-synapse" ];
@ -18,6 +19,7 @@
      timerConfig = { "OnCalendar" = "03:45"; };
      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "matrix-synapse";
    };
  };
 }
--- a/config/hosts/grondahl/services/sshguard.nix
+++ b/config/hosts/grondahl/services/sshguard.nix
@ -1,7 +0,0 @@
-{ ... }:
-{
-  services.sshguard = {
-    enable = true;
-    blocktime = 300;
-  };
-}