Restructure folders

config/hosts/wind/configuration.nix

@@ -0,0 +1,81 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [ 
+    ./hardware-configuration.nix 
+    ../../common/services/ssh.nix
+    ./services/acme.nix
+    ./services/coturn.nix
+    ./services/nginx.nix
+    ./services/postgres.nix
+    ./services/synapse.nix
+    ./services/ttrss.nix
+    ./services/gitea.nix
+    ./services/restic.nix
+    ./services/vaultwarden.nix
+		./services/wireguard.nix
+    ./data/secrets/secrets.nix
+    ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda";
+  boot.kernelPackages = pkgs.linuxPackages_5_10;
+  boot.supportedFilesystems = ["zfs"];
+  services.zfs.autoSnapshot.enable = true;
+  services.zfs.autoScrub.enable = true;
+
+  networking.hostName = "wind";
+  networking.hostId = "929e7fb7";
+  time.timeZone = "Europe/Copenhagen";
+  networking.useDHCP = false;
+  networking.interfaces.ens3.useDHCP = true;
+  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:34cb::1"; prefixLength = 64; } ];
+  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+
+  users.users.emelie = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+    ];
+  };
+
+  users.users.deploy = {
+    isNormalUser = true;
+    extraGroups = [ "nginx" ];
+    openssh.authorizedKeys.keys = [ 
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
+    ];
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  environment.systemPackages = with pkgs; [
+    vim
+    htop
+    iotop
+    dig
+  ];
+
+  nix = {
+    autoOptimiseStore = true;
+    trustedUsers = [
+      "root"
+      "@wheel"
+    ];
+  };
+
+
+  # Use hetzner firewall instead
+  networking.firewall.enable = false;
+  # networking.firewall.allowedTCPPorts = [ 22 80 443 3478 5349 ];
+  # networking.firewall.allowedUDPPorts = [ 3478 5349 ]
+  # networking.firewall.allowedUDPPortsRanges = [ { from = 49152; to = 49999; } ];
+
+  users.groups.acme.members = [ "nginx" "turnserver" "gitea" ];
+  users.groups.backup.members = [ "matrix-synapse" "postgres" "gitea" "vaultwarden" ];
+
+  system.stateVersion = "21.05";
+
+}

config/hosts/wind/hardware-configuration.nix

@@ -0,0 +1,76 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+      (modulesPath + "/profiles/minimal.nix")
+      #(modulesPath + "/profiles/hardened.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "rpool/safe/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "rpool/safe/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "rpool/local/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/85B8-9142";
+      fsType = "vfat";
+    };
+
+  fileSystems."/var/lib/matrix-synapse" =
+    { device = "rpool/safe/synapse";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/postgresql" =
+    { device = "rpool/safe/postgres";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/acme" =
+    { device = "rpool/safe/acme";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/www" =
+    { device = "rpool/safe/webroot";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/tt-rss" =
+    { device = "rpool/safe/tt-rss";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/gitea" =
+    { device = "rpool/safe/gitea";
+      fsType = "zfs";
+    };
+  fileSystems."/var/lib/vaultwarden" =
+    { device = "rpool/safe/vaultwarden";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/e70cc088-a54e-4cd8-88ec-91944e5ff989"; }
+    ];
+
+}

config/hosts/wind/services/acme.nix

@@ -0,0 +1,21 @@
+{ config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    email = "admin+certs@graven.dev";
+		certs = {
+			"graven.dev" = {
+				extraDomainNames = [ "*.graven.dev" ];
+				dnsProvider = "hurricane";
+				credentialsFile = config.secrets.files.acme_graven_dev.file;
+			};
+			"graven.se" = {
+				extraDomainNames = [ "*.graven.se" ];
+				dnsProvider = "hurricane";
+				credentialsFile = config.secrets.files.acme_graven_se.file;
+			};
+		};
+  };
+}
+

config/hosts/wind/services/coturn.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+  services.coturn = {
+    enable = true;
+    lt-cred-mech = true;
+    use-auth-secret = true;
+    static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    realm = "turn.graven.dev";
+    relay-ips = [
+      "65.21.58.38"
+      "2a01:4f9:c010:34cb::1"
+    ];
+    no-tcp-relay = true;
+    extraConfig = "
+    cipher-list=\"HIGH\"
+    no-loopback-peers
+    no-multicast-peers
+    ";
+    secure-stun = true;
+    cert = "/var/lib/acme/graven.dev/fullchain.pem";
+    pkey = "/var/lib/acme/graven.dev/key.pem";
+    min-port = 49152;
+    max-port = 49999;
+  };
+}
+

config/hosts/wind/services/gitea.nix

@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+  services.gitea = {
+    enable = true;
+    domain = "git.graven.dev";
+    rootUrl = "https://git.graven.dev";
+    enableUnixSocket = true;
+    cookieSecure = true;
+    appName = "Graven Gitea";
+    settings = { "ui" = { "DEFAULT_THEME" = "arc-green"; }; };
+    database = {
+      type = "postgres";
+    };
+  };
+}

config/hosts/wind/services/nginx.nix

@@ -0,0 +1,126 @@
+{
+	imports = [ ../../../common/services/nginx.nix ];
+	services.nginx.virtualHosts = {
+		"graven.dev" = {
+			useACMEHost = "graven.dev";
+			forceSSL = true;
+			locations."/".root = "/var/www/graven.dev/public";
+			locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
+			locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
+			locations."/.well-known/matrix/" = {
+				root = "/var/www/matrix/public";
+				extraConfig = ''
+					default_type application/json;
+					add_header Access-Control-Allow-Origin "*";
+					add_header Strict-Transport-Security $hsts_header;
+					add_header Referrer-Policy "same-origin";
+					add_header X-Frame-Options "DENY";
+					add_header X-Content-Type-Options "nosniff";
+					add_header X-XSS-Protection "1; mode=block";
+				'';
+			};
+		};
+		"rss.graven.dev" = {
+			useACMEHost = "graven.dev";
+			forceSSL = true;
+		};
+		"git.graven.dev" = {
+			useACMEHost = "graven.dev";
+			forceSSL = true;
+			locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
+		};
+		"vault.graven.dev" = {
+			forceSSL = true;
+			useACMEHost = "graven.dev";
+			locations."/" = {
+				proxyPass = "http://localhost:8812";
+				proxyWebsockets = true;
+			};
+			locations."/notifications/hub" = {
+				proxyPass = "http://localhost:3012";
+				proxyWebsockets = true;
+			};
+			locations."/notifications/hub/negotiate" = {
+				proxyPass = "http://localhost:8812";
+				proxyWebsockets = true;
+			};
+		};
+		"openpgpkey.graven.dev" = {
+			forceSSL = true;
+			useACMEHost = "graven.dev";
+			locations."/" = {
+				root = "/var/www/openpgpkey";
+				extraConfig = ''
+					default_type "application/octet-stream";
+					add_header Access-Control-Allow-Origin "*";
+					add_header Strict-Transport-Security $hsts_header;
+					add_header Referrer-Policy "same-origin";
+					add_header X-Frame-Options "DENY";
+					add_header X-Content-Type-Options "nosniff";
+					add_header X-XSS-Protection "1; mode=block";
+				'';
+			};
+		};
+		"openpgpkey.graven.se" = {
+			forceSSL = true;
+			useACMEHost = "graven.se";
+			locations."/" = {
+				root = "/var/www/openpgpkey";
+				extraConfig = ''
+					default_type "application/octet-stream";
+					add_header Access-Control-Allow-Origin "*";
+					add_header Strict-Transport-Security $hsts_header;
+					add_header Referrer-Policy "same-origin";
+					add_header X-Frame-Options "DENY";
+					add_header X-Content-Type-Options "nosniff";
+					add_header X-XSS-Protection "1; mode=block";
+				'';
+			};
+		};
+		"tor.graven.dev" = {
+			forceSSL = true;
+			useACMEHost = "graven.dev";
+			locations."/" = {
+				root = "/var/www/tor";
+				extraConfig = ''
+					add_header Access-Control-Allow-Origin "*";
+					add_header Strict-Transport-Security $hsts_header;
+					add_header Referrer-Policy "same-origin";
+					add_header X-Frame-Options "DENY";
+					add_header X-Content-Type-Options "nosniff";
+					add_header X-XSS-Protection "1; mode=block";
+				'';
+			};
+		};
+		"mta-sts.graven.dev" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.graven.se" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.nao.sh" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.amandag.net" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.queersin.space" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.anarkafem.dev" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+	};
+}

config/hosts/wind/services/postgres.nix

@@ -0,0 +1,27 @@
+{ pkgs, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_13;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+                      CREATE ROLE synapse;
+                      CREATE DATABASE synapse WITH OWNER synapse
+                          TEMPLATE template0
+                          LC_COLLATE = "C"
+                          LC_CTYPE = "C"
+                          ENCODING = "UTF8";
+    '';
+    authentication = pkgs.lib.mkOverride 10 ''
+        local all all trust
+        host all all ::1/128 trust
+    '';
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    location = "/var/lib/postgresql/backup";
+    databases = [ "synapse" ];
+    startAt = "02:30";
+    compression = "none";
+  };
+}

config/hosts/wind/services/restic.nix

@@ -0,0 +1,47 @@
+{ config, ... }:
+
+{
+
+  services.restic.backups = {
+    "gitea" = {
+      paths = [ "/var/lib/gitea" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/gitea";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "02:15"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "gitea";
+    };
+    "postgres" = {
+      paths = [ "/var/lib/postgresql/backup" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/postgres";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:00"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "postgres";
+    };
+    "synapse" = {
+      paths = [ "/var/lib/matrix-synapse" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/synapse";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:30"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "matrix-synapse";
+    };
+    "vaultwarden" = {
+      paths = [ "/var/lib/bitwarden_rs" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "23:45"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "vaultwarden";
+    };
+  };
+}

config/hosts/wind/services/synapse.nix

@@ -0,0 +1,67 @@
+{ config, ... }:
+
+{
+  services.matrix-synapse = {
+    enable = true;
+    server_name = "graven.dev";
+    enable_registration = false;
+    registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+    turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    max_upload_size = "100M";
+    database_type = "psycopg2";
+    database_user = "synapse";
+    database_name = "synapse";
+    turn_uris = [
+      "turn:turn.graven.dev:3478?transport=udp"
+      "turn:turn.graven.dev:3478?transport=tcp"
+      "turn:turn.graven.dev:3479?transport=udp"
+      "turn:turn.graven.dev:3479?transport=tcp"
+      "turns:turn.graven.dev:5349?transport=udp"
+      "turns:turn.graven.dev:5349?transport=tcp"
+      "turns:turn.graven.dev:5350?transport=udp"
+      "turns:turn.graven.dev:5350?transport=tcp"
+    ];
+    report_stats = true;
+    withJemalloc = true;
+    logConfig = ''
+      version: 1
+
+      formatters:
+          precise:
+              format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+      handlers:
+          console:
+              class: logging.StreamHandler
+              formatter: precise
+
+      loggers:
+          synapse.storage.SQL:
+              # beware: increasing this to DEBUG will make synapse log sensitive
+              # information such as access tokens.
+              level: WARN
+
+      root:
+          level: WARN
+          handlers: [console]
+
+      disable_existing_loggers: false
+    '';
+    listeners = [
+      {
+        port = 8008;
+        bind_address = "127.0.0.1";
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          { 
+            names = [ "client" "federation" ];
+            compress = false;
+          }
+        ];
+      }
+    ];
+  };
+}
+    

config/hosts/wind/services/ttrss.nix

@@ -0,0 +1,10 @@
+{ config, ... }:
+
+{
+  services.tt-rss = {
+    enable = true;
+    registration.enable = true;
+    virtualHost = "rss.graven.dev";
+    selfUrlPath = "https://rss.graven.dev";
+  };
+}

config/hosts/wind/services/vaultwarden.nix

@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  services.vaultwarden = {
+    enable = true;
+    environmentFile = config.secrets.files.vaultwarden_env.file;
+    backupDir = "/var/lib/bitwarden_rs/backup";
+    config = {
+      domain = "https://vault.graven.dev";
+      signupsAllowed = false;
+      rocketPort = 8812;
+      ipHeader = "X-Real-IP";
+      websocketEnabled = true;
+      websocketAddress = "127.0.0.1";
+      websocketPort = "3012";
+      #dataDir = "/var/lib/vaultwarden";
+      smtpHost = "smtp.soverin.net";
+      smtpFrom = "vaultwarden@graven.dev";
+      smtpFromName = "Vaultwarden";
+      smtpPort = 465;
+      smtpSsl = true;
+      smtpExplicitTls = true;
+      smtpAuthMechanism = "Login";
+    };
+  };
+}

config/hosts/wind/services/wireguard.nix

@@ -0,0 +1,48 @@
+{ pkgs, config, ... }:
+{
+networking.nat.enable = true;
+	networking.nat.externalInterface = "ens3";
+	networking.nat.internalInterfaces = [ "wg0" ];
+	networking.firewall = {
+		allowedUDPPorts = [ 51820 ];
+	};
+
+	networking.wireguard.interfaces = {
+		# "wg0" is the network interface name. You can name the interface arbitrarily.
+		wg0 = {
+			# Determines the IP address and subnet of the server's end of the tunnel interface.
+			ips = [ "10.100.0.1/24" ];
+
+			# The port that WireGuard listens to. Must be accessible by the client.
+			listenPort = 51820;
+
+			# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+			# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+			postSetup = ''
+				${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+			'';
+
+			# This undoes the above command
+			postShutdown = ''
+				${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+			'';
+
+			# Path to the private key file.
+			#
+			# Note: The private key can also be included inline via the privateKey option,
+			# but this makes the private key world-readable; thus, using privateKeyFile is
+			# recommended.
+			privateKeyFile = builtins.toString config.secrets.files.wg_key.file;
+
+			peers = [
+				# List of allowed peers.
+				{ # Feel free to give a meaning full name
+					# Public key of the peer (not a file path).
+					publicKey = "5u3lMMKcFWohjs0jomG/86MffY8l4E6jbqjJzdyy6ik=";
+					# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+					allowedIPs = [ "10.100.0.2/32" ];
+				}
+			];
+		};
+	};
+}