emelie/nix-deploy
1
0
Fork 0
Code Issues 1 Pull requests 1 Projects Releases Wiki Activity

Add testbench and rudiger

Browse source
This commit is contained in:
Emelie 2021-09-27 14:55:55 +02:00
parent 0969b36564
commit 6d318bddaa
Signed by: emelie
GPG key ID: 49D33365A7E22D12
21 changed files with 415 additions and 173 deletions
Download patch file Download diff file Expand all files Collapse all files

9
config/hosts/wind/configuration.nix
View file

@ -3,7 +3,7 @@
{
imports = [
./hardware-configuration.nix
../../common/services/openssh.nix
../../common/services/ssh.nix
./services/acme.nix
./services/coturn.nix
./services/nginx.nix
@ -12,7 +12,6 @@
./services/ttrss.nix
./services/gitea.nix
./services/restic.nix
./services/sshguard.nix
./services/vaultwarden.nix
./data/secrets/secrets.nix
];
@ -20,6 +19,7 @@
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
boot.kernelPackages = pkgs.linuxPackages_5_10;
boot.supportedFilesystems = ["zfs"];
services.zfs.autoSnapshot.enable = true;
services.zfs.autoScrub.enable = true;
@ -65,10 +65,7 @@
# networking.firewall.allowedUDPPortsRanges = [ { from = 49152; to = 49999; } ];
users.groups.acme.members = [ "nginx" "turnserver" "gitea" ];
users.groups.postgres.members = [ "restic" ];
users.groups.gitea.members = [ "restic" ];
users.groups.matrix-synapse.members = [ "restic" ];
users.groups.backup.members = [ "matrix-synapse" "postgres" "gitea" "vaultwarden" ];
system.stateVersion = "21.05";

152
config/hosts/wind/services/nginx.nix
View file

@ -1,89 +1,79 @@
{
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
virtualHosts = {
"graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
locations."/".root = "/var/www/graven.dev/public";
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
locations."/.well-known/matrix/" = {
root = "/var/www/matrix/public";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy "origin-when-cross-origin";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
'';
};
imports = [ ../../../common/services/nginx.nix ];
services.nginx.virtualHosts = {
"graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
locations."/".root = "/var/www/graven.dev/public";
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
locations."/.well-known/matrix/" = {
root = "/var/www/matrix/public";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy "origin-when-cross-origin";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
'';
};
"rss.graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
};
"rss.graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
};
"git.graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
};
"vault.graven.dev" = {
forceSSL = true;
useACMEHost = "graven.dev";
locations."/" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
"git.graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
"vault.graven.dev" = {
forceSSL = true;
useACMEHost = "graven.dev";
locations."/" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
};
"mta-sts.graven.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.graven.se" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.nao.sh" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.amandag.net" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.queersin.space" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.anarkafem.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
};
}

6
config/hosts/wind/services/restic.nix
View file

@ -11,6 +11,7 @@
timerConfig = { "OnCalendar" = "02:15"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
user = "gitea";
};
"postgres" = {
paths = [ "/var/lib/postgresql/backup" ];
@ -20,6 +21,7 @@
timerConfig = { "OnCalendar" = "03:00"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
user = "postgres";
};
"synapse" = {
paths = [ "/var/lib/matrix-synapse" ];
@ -29,15 +31,17 @@
timerConfig = { "OnCalendar" = "03:30"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
user = "matrix-synapse";
};
"vaultwarden" = {
paths = [ "/var/lib/vaultwarden" ];
paths = [ "/var/lib/bitwarden_rs" ];
repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
initialize = true;
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
timerConfig = { "OnCalendar" = "23:45"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
user = "vaultwarden";
};
};
}

7
config/hosts/wind/services/sshguard.nix
View file

@ -1,7 +0,0 @@
{ ... }:
{
services.sshguard = {
enable = true;
blocktime = 300;
};
}