emelie/nix-deploy
1
0
Fork 0
Code Issues 1 Pull requests 1 Projects Releases Wiki Activity

Add testbench and rudiger

Browse source
This commit is contained in:
Emelie 2021-09-27 14:55:55 +02:00
parent 0969b36564
commit 6d318bddaa
Signed by: emelie
GPG key ID: 49D33365A7E22D12
21 changed files with 415 additions and 173 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
config/common/data/pubkeys/despondos_host_ed25519_key.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7

43
config/common/services/nginx.nix Normal file
View file

@ -0,0 +1,43 @@
{ ... }:
{
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
};
}

12
config/common/services/openssh.nix → config/common/services/ssh.nix
View file

@ -9,4 +9,16 @@
kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
};
programs.ssh.knownHosts = {
despondos = {
hostNames = [ "despondos.nao.sh" ];
publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
};
};
services.sshguard = {
enable = true;
blocktime = 300;
};
}

8
config/hosts/grondahl/configuration.nix
View file

@ -5,12 +5,11 @@
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./data/secrets/secrets.nix
../../common/services/openssh.nix
../../common/services/ssh.nix
./services/acme.nix
./services/coturn.nix
./services/nginx.nix
./services/restic.nix
./services/sshguard.nix
./services/synapse.nix
./services/postgres.nix
];
@ -18,7 +17,7 @@
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/vda";
boot.kernelPackages = pkgs.linuxPackages_5_10;
networking = {
hostName = "grondahl";
useDHCP = false;
@ -65,8 +64,7 @@
};
users.groups.acme.members = [ "nginx" "turnserver" ];
users.groups.postgres.members = [ "restic" ];
users.groups.matrix-synapse.members = [ "restic" ];
users.groups.backup.members = [ "matrix-synapse" "postgres" ];
# List packages installed in system profile. To search, run:
# $ nix search wget

44
config/hosts/grondahl/services/nginx.nix
View file

@ -1,45 +1,6 @@
{
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
virtualHosts = {
imports = [ ../../../common/services/nginx.nix ];
services.nginx.virtualHosts = {
"anarkafem.dev" = {
useACMEHost = "anarkafem.dev";
forceSSL = true;
@ -61,5 +22,4 @@
};
};
};
};
}

2
config/hosts/grondahl/services/restic.nix
View file

@ -9,6 +9,7 @@
timerConfig = { "OnCalendar" = "03:15"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
user = "postgres";
};
"synapse" = {
paths = [ "/var/lib/matrix-synapse" ];
@ -18,6 +19,7 @@
timerConfig = { "OnCalendar" = "03:45"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
user = "matrix-synapse";
};
};
}

7
config/hosts/grondahl/services/sshguard.nix
View file

@ -1,7 +0,0 @@
{ ... }:
{
services.sshguard = {
enable = true;
blocktime = 300;
};
}

49
config/hosts/nixos-testbed/configuration.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
../../common/services/ssh.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "nixos-testbed";
time.timeZone = "Europe/Copenhagen";
networking.useDHCP = false;
networking.interfaces.ens3.useDHCP = true;
networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ];
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
users.users.emelie = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
];
};
security.sudo.wheelNeedsPassword = false;
environment.systemPackages = with pkgs; [
vim
htop
iotop
dig
];
nix = {
autoOptimiseStore = true;
trustedUsers = [
"root"
"@wheel"
];
};
# Use hetzner firewall instead
networking.firewall.enable = false;
system.stateVersion = "21.05";
}

26
config/hosts/nixos-testbed/hardware-configuration.nix Normal file
View file

@ -0,0 +1,26 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/profiles/minimal.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/b5f08f96-c7aa-4c02-86a2-15cfe4134f4d";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/f36e61f8-337f-4b77-bd63-9b1d0146d73d"; }
];
}

9
config/hosts/nixos-testbed/services/nextcloud.nix Normal file
View file

@ -0,0 +1,9 @@
{ ... }: {
services.nextcloud = {
enable = true;
https = true;
webfinger = true;
hostname = "cloud-test.graven.dev";
};
}

81
config/hosts/rudiger/configuration.nix Normal file
View file

@ -0,0 +1,81 @@
{ config, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
./data/secrets/secrets.nix
../../common/services/ssh.nix
./services/nextcloud.nix
./services/nginx.nix
./services/postgres.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
boot.supportedFilesystems = ["zfs"];
services.zfs.autoSnapshot.enable = true;
services.zfs.autoScrub.enable = true;
time.timeZone = "Europe/Copenhagen";
networking = {
hostName = "rudiger";
hostId = "8c7b66a4";
useDHCP = false;
tempAddresses = "disabled";
interfaces = {
"ens3" = {
ipv4.addresses = [ {
address = "202.61.202.170";
prefixLength = 22;
} ];
ipv6.addresses = [ {
address = "2a03:4000:5a:c61::1";
prefixLength = 64;
} ];
};
};
defaultGateway = "202.61.200.1";
defaultGateway6 = {
address = "fe80::1";
interface = "ens3";
};
nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
};
nix = {
autoOptimiseStore = true;
trustedUsers = [
"root"
"@wheel"
];
};
users.users.emelie = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
];
};
environment.systemPackages = with pkgs; [
vim
wget
htop
iotop
dig
];
security.sudo.wheelNeedsPassword = false;
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
system.stateVersion = "21.05";
}

42
config/hosts/rudiger/hardware-configuration.nix Normal file
View file

@ -0,0 +1,42 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/profiles/minimal.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "rpool/safe/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/F220-781F";
fsType = "vfat";
};
fileSystems."/home" =
{ device = "rpool/safe/home";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "rpool/local/nix";
fsType = "zfs";
};
fileSystems."/var/lib/nextcloud" =
{ device = "rpool/safe/nextcloud";
fsType = "zfs";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/52f7db16-b51b-4b8c-bfea-46184bb3099e"; }
];
}

20
config/hosts/rudiger/services/nextcloud.nix Normal file
View file

@ -0,0 +1,20 @@
{ config, pkgs, ... }:
{
services.nextcloud = {
enable = true;
hostName = "cloud.graven.dev";
#https = true;
package = pkgs.nextcloud22;
autoUpdateApps.enable = true;
maxUploadSize = "10G";
webfinger = true;
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
dbname = "nextcloud";
adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file;
adminuser = "root";
};
};
}

4
config/hosts/rudiger/services/nginx.nix Normal file
View file

@ -0,0 +1,4 @@
{ ... }:
{
imports = [ ../../../common/services/nginx.nix ];
}

12
config/hosts/rudiger/services/postgres.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
services.postgresql = {
enable = true;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{ name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
}

9
config/hosts/wind/configuration.nix
View file

@ -3,7 +3,7 @@
{
imports = [
./hardware-configuration.nix
../../common/services/openssh.nix
../../common/services/ssh.nix
./services/acme.nix
./services/coturn.nix
./services/nginx.nix
@ -12,7 +12,6 @@
./services/ttrss.nix
./services/gitea.nix
./services/restic.nix
./services/sshguard.nix
./services/vaultwarden.nix
./data/secrets/secrets.nix
];
@ -20,6 +19,7 @@
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
boot.kernelPackages = pkgs.linuxPackages_5_10;
boot.supportedFilesystems = ["zfs"];
services.zfs.autoSnapshot.enable = true;
services.zfs.autoScrub.enable = true;
@ -65,10 +65,7 @@
# networking.firewall.allowedUDPPortsRanges = [ { from = 49152; to = 49999; } ];
users.groups.acme.members = [ "nginx" "turnserver" "gitea" ];
users.groups.postgres.members = [ "restic" ];
users.groups.gitea.members = [ "restic" ];
users.groups.matrix-synapse.members = [ "restic" ];
users.groups.backup.members = [ "matrix-synapse" "postgres" "gitea" "vaultwarden" ];
system.stateVersion = "21.05";

72
config/hosts/wind/services/nginx.nix
View file

@ -1,45 +1,6 @@
{
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
virtualHosts = {
imports = [ ../../../common/services/nginx.nix ];
services.nginx.virtualHosts = {
"graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
@ -84,6 +45,35 @@
proxyWebsockets = true;
};
};
"mta-sts.graven.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.graven.se" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.nao.sh" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.amandag.net" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.queersin.space" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.anarkafem.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
};
}

6
config/hosts/wind/services/restic.nix
View file

@ -11,6 +11,7 @@
timerConfig = { "OnCalendar" = "02:15"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
user = "gitea";
};
"postgres" = {
paths = [ "/var/lib/postgresql/backup" ];
@ -20,6 +21,7 @@
timerConfig = { "OnCalendar" = "03:00"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
user = "postgres";
};
"synapse" = {
paths = [ "/var/lib/matrix-synapse" ];
@ -29,15 +31,17 @@
timerConfig = { "OnCalendar" = "03:30"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
user = "matrix-synapse";
};
"vaultwarden" = {
paths = [ "/var/lib/vaultwarden" ];
paths = [ "/var/lib/bitwarden_rs" ];
repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
initialize = true;
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
timerConfig = { "OnCalendar" = "23:45"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
user = "vaultwarden";
};
};
}

7
config/hosts/wind/services/sshguard.nix
View file

@ -1,7 +0,0 @@
{ ... }:
{
services.sshguard = {
enable = true;
blocktime = 300;
};
}

12
config/sources/nix/sources.json
View file

@ -17,10 +17,10 @@
"homepage": "",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "16fca9df230408608846940981b4037762420b1b",
"sha256": "0nvak6dmlcgc4m5s6di82c06c95cmc4iys1ky14y5di27r7qnrma",
"rev": "3cc8c47af31798040ea62499090540413279f832",
"sha256": "0l4pflis99q0095rrmxahp1w8jz38znq5pyni4x8n7cgcrv5gwq2",
"type": "tarball",
"url": "https://github.com/NixOS/nixos-hardware/archive/16fca9df230408608846940981b4037762420b1b.tar.gz",
"url": "https://github.com/NixOS/nixos-hardware/archive/3cc8c47af31798040ea62499090540413279f832.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs": {
@ -29,10 +29,10 @@
"homepage": "",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d6b683c0527a7f777b5f2b4db2555891cd5a85f5",
"sha256": "0mkinbg2s4mg1ngh773h7rqc898siyigwy2wfz8jaai8k9srpx1n",
"rev": "d0220562772b787d58c48df3434f36da1f552bdc",
"sha256": "1nhh4afidrq7crb82ax3f5gqn17scxi7rl6zlxnzcplnwr0waczq",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/d6b683c0527a7f777b5f2b4db2555891cd5a85f5.tar.gz",
"url": "https://github.com/NixOS/nixpkgs/archive/d0220562772b787d58c48df3434f36da1f552bdc.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixus": {

6
deploy/default.nix
View file

@ -24,6 +24,12 @@ in import "${sources.nixus}" {} ({ config, ... }: {
switchTimeout = 300;
successTimeout = 300;
};
rudiger = { lib, config, ... }: {
host = "emelie@cloud.graven.dev";
configuration = ../config/hosts/rudiger/configuration.nix;
switchTimeout = 300;
successTimeout = 300;
};
};
})