Diffstat (limited to 'os/kay/modules')
| -rw-r--r-- | os/kay/modules/acme.nix | 40 | ||||
| -rw-r--r-- | os/kay/modules/dns/ddns.nix | 2 | ||||
| -rw-r--r-- | os/kay/modules/dns/default.nix | 78 | ||||
| -rw-r--r-- | os/kay/modules/dns/sinanmohd.com.zone | 31 | ||||
| -rw-r--r-- | os/kay/modules/internal/acme.nix | 24 | ||||
| -rw-r--r-- | os/kay/modules/internal/postgresql.nix | 28 | ||||
| -rw-r--r-- | os/kay/modules/internal/www.nix | 323 | ||||
| -rw-r--r-- | os/kay/modules/network/default.nix (renamed from os/kay/modules/network.nix) | 25 | ||||
| -rw-r--r-- | os/kay/modules/network/headscale.nix | 200 | ||||
| -rw-r--r-- | os/kay/modules/network/hurricane.nix (renamed from os/kay/modules/hurricane.nix) | 47 | ||||
| -rw-r--r-- | os/kay/modules/network/router.nix (renamed from os/kay/modules/router.nix) | 43 | ||||
| -rw-r--r-- | os/kay/modules/observability/prometheus.nix | 59 | ||||
| -rw-r--r-- | os/kay/modules/postgresql.nix | 22 | ||||
| -rw-r--r-- | os/kay/modules/services/alina.nix (renamed from os/kay/modules/alina.nix) | 22 | ||||
| -rw-r--r-- | os/kay/modules/services/cgit.nix (renamed from os/kay/modules/cgit.nix) | 0 | ||||
| -rw-r--r-- | os/kay/modules/services/github-runner.nix (renamed from os/kay/modules/github-runner.nix) | 0 | ||||
| -rw-r--r-- | os/kay/modules/services/home-assistant.nix (renamed from os/kay/modules/home-assistant.nix) | 27 | ||||
| -rw-r--r-- | os/kay/modules/services/immich.nix (renamed from os/kay/modules/immich.nix) | 0 | ||||
| -rw-r--r-- | os/kay/modules/services/iperf3.nix (renamed from os/kay/modules/iperf3.nix) | 0 | ||||
| -rw-r--r-- | os/kay/modules/services/mail.nix (renamed from os/kay/modules/mail.nix) | 114 | ||||
| -rw-r--r-- | os/kay/modules/services/matrix/default.nix (renamed from os/kay/modules/matrix/default.nix) | 8 | ||||
| -rw-r--r-- | os/kay/modules/services/matrix/dendrite.nix (renamed from os/kay/modules/matrix/dendrite.nix) | 50 | ||||
| -rw-r--r-- | os/kay/modules/services/matrix/matrix-sliding-sync.nix (renamed from os/kay/modules/matrix/matrix-sliding-sync.nix) | 33 | ||||
| -rw-r--r-- | os/kay/modules/services/minio.nix | 36 | ||||
| -rw-r--r-- | os/kay/modules/services/nix-cache.nix (renamed from os/kay/modules/nix-cache.nix) | 0 | ||||
| -rw-r--r-- | os/kay/modules/services/sftp.nix (renamed from os/kay/modules/sftp.nix) | 7 | ||||
| -rw-r--r-- | os/kay/modules/sshfwd.nix | 29 | ||||
| -rw-r--r-- | os/kay/modules/wireguard.nix | 72 | ||||
| -rw-r--r-- | os/kay/modules/www.nix | 256 |
29 files changed, 931 insertions, 645 deletions
diff --git a/os/kay/modules/acme.nix b/os/kay/modules/acme.nix deleted file mode 100644 index 86ae165..0000000 --- a/os/kay/modules/acme.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ config, pkgs, ... }: let - email = config.global.userdata.email; - domain = config.global.userdata.domain; - - domain_angelo = "angeloantony.com"; - secret_path_angelo = "misc/angelo_cloudflare_dns_api_token"; - - environmentFile = - pkgs.writeText "acme-dns" "RFC2136_NAMESERVER='[2001:470:ee65::1]:53'"; -in { - sops.secrets.${secret_path_angelo} = {}; - - security.acme = { - acceptTerms = true; - defaults.email = email; - - certs = { - ${domain_angelo} = { - domain = domain_angelo; - extraDomainNames = [ "*.${domain_angelo}" ]; - - dnsProvider = "cloudflare"; - credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = config.sops.secrets.${secret_path_angelo}.path; - - group = config.services.nginx.group; - }; - - ${domain} = { - inherit domain; - extraDomainNames = [ "*.${domain}" ]; - - dnsProvider = "rfc2136"; - dnsPropagationCheck = false; # local DNS server - - inherit environmentFile; - group = config.services.nginx.group; - }; - }; - }; -} diff --git a/os/kay/modules/dns/ddns.nix b/os/kay/modules/dns/ddns.nix index 4a8fe5d..9e1b6ec 100644 --- a/os/kay/modules/dns/ddns.nix +++ b/os/kay/modules/dns/ddns.nix @@ -10,7 +10,7 @@ ]; text = '' - while ! ipv6="$(ip -6 addr show dev "$1" scope global | grep -o '[0-9a-f:]*::1')"; do + while ! ipv6="$(ip -6 addr show dev "$1" scope global | grep -o '[0-9a-f:]*::1337')"; do sleep 0.2 done diff --git a/os/kay/modules/dns/default.nix b/os/kay/modules/dns/default.nix index ee0437a..6179527 100644 --- a/os/kay/modules/dns/default.nix +++ b/os/kay/modules/dns/default.nix @@ -1,5 +1,9 @@ -{ config, pkgs, ... }: let - listen_addr = "2001:470:ee65::1"; +{ config, pkgs, ... }: +let + listen_addr = [ + "137.59.84.126" + "2001:470:ee65::1" + ]; acmeSOA = pkgs.writeText "acmeSOA" '' $TTL 2d 
@@ -13,7 +17,8 @@ IN NS ns1.sinanmohd.com. ''; -in { +in +{ imports = [ ./ddns.nix ]; networking.firewall = { @@ -36,54 +41,72 @@ in { remote = [ { id = "ns1.he.net"; - address = [ "2001:470:100::2" "216.218.130.2" ]; + address = [ + "2001:470:100::2" + "216.218.130.2" + ]; via = "2001:470:ee65::1"; } { id = "m.gtld-servers.net"; - address = [ "2001:501:b1f9::30" "192.55.83.30" ]; + address = [ + "2001:501:b1f9::30" + "192.55.83.30" + ]; } ]; - submission = [{ - id = "gtld-servers.net"; - parent = "m.gtld-servers.net"; - }]; + submission = [ + { + id = "gtld-servers.net"; + parent = "m.gtld-servers.net"; + } + ]; - policy = [{ - id = "gtld-servers.net"; - algorithm = "ecdsap384sha384"; - ksk-lifetime = "365d"; - ksk-submission = "gtld-servers.net"; - }]; + policy = [ + { + id = "gtld-servers.net"; + algorithm = "ecdsap384sha384"; + ksk-lifetime = "365d"; + ksk-submission = "gtld-servers.net"; + } + ]; # generate TSIG key with keymgr -t name acl = [ { id = "ns1.he.net"; key = "ns1.he.net"; - address = [ "2001:470:600::2" "216.218.133.2" ]; + address = [ + "2001:470:600::2" + "216.218.133.2" + ]; action = "transfer"; } { - id = "localhost"; - address = [ listen_addr ]; - update-type = [ "A" "AAAA" ]; + id = "ddns"; + address = listen_addr; + update-type = [ + "A" + "AAAA" + ]; action = "update"; } { id = "acme"; - address = [ listen_addr ]; + address = listen_addr; update-type = [ "TXT" ]; action = "update"; } ]; - mod-rrl = [{ - id = "default"; - rate-limit = 200; - slip = 2; - }]; + mod-rrl = [ + { + id = "default"; + rate-limit = 200; + slip = 2; + } + ]; template = [ { @@ -99,7 +122,10 @@ in { dnssec-policy = "gtld-servers.net"; notify = [ "ns1.he.net" ]; - acl = [ "ns1.he.net" "localhost" ]; + acl = [ + "ns1.he.net" + "ddns" + ]; zonefile-sync = "-1"; zonefile-load = "difference"; diff --git a/os/kay/modules/dns/sinanmohd.com.zone b/os/kay/modules/dns/sinanmohd.com.zone index 5c1dddf..dcbdf6c 100644 --- a/os/kay/modules/dns/sinanmohd.com.zone 
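Review bot: The `ddns` and `acme` ACLs authorize dynamic updates by source address alone, and `listen_addr` now also covers the public IPv4 `137.59.84.126`, so an unsigned UDP UPDATE with a spoofed source of that address is accepted unless reverse-path filtering drops it at the interface. Unlike the `ns1.he.net` transfer entry, neither ACL carries a `key`, even though the comment right above already points at `keymgr -t` for minting TSIG keys. Consider `key = "ddns";` / `key = "acme";` on those two entries, with the TSIG secrets handed to the ddns script and to lego (`RFC2136_TSIG_KEY`/`RFC2136_TSIG_SECRET`) from sops rather than from a store path. The enclosing `services.knot.settings` attrset starts before this hunk.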
+++ b/os/kay/modules/dns/sinanmohd.com.zone @@ -2,7 +2,7 @@ $ORIGIN sinanmohd.com. $TTL 2d @ IN SOA ns1 hostmaster ( - 2025030900 ; serial + 2025101400 ; serial 2h ; refresh 5m ; retry 1d ; expire @@ -25,10 +25,11 @@ _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:reports@sinanmohd.com; ruf=mailto: ed25519._domainkey IN TXT "v=DKIM1; k=ed25519; p=EHk924AruF9Y0Xaf009rpRl+yGusjmjT1Zeho67BnDU=" rsa._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4HEqO63fSC0cUnJt9vAQBssTkPfT4QefmAK/1BtAIRIOdGakf7PI7p3A1ETgwfYxuHj7BUSzUtESsHMThbhB1Wko79+AR+5ZBDBmD8CE0dOnZfzeG8xIaGfYkaL4gana6YZWiBT2oi/CimJfc22wacF01SufOs4R8cDpy4BZIgDD/zfF4bFTORQ0vMSJQJkp1zdQelERDU5CEezgxgVYgoSmdEpgkhc23PJSyj4Z7hA69N0amsb3cVVrfVXcYvSqTK3S2vLLA89ws4CUjCCpUW40gVIP8QP6CqTL76936Oo7OVWgmV3Sn3wa8FMN6IATY+fbMlrdOMsPY5PauJyEoQIDAQAB" +ns1 IN A 137.59.84.126 ns1 IN AAAA 2001:470:ee65::1 - -mail 30 IN A 137.59.84.126 +mail IN A 137.59.84.126 mail IN AAAA 2001:470:ee65::1337 + smtp IN CNAME @ imap IN CNAME @ mta-sts IN CNAME @ @@ -36,16 +37,18 @@ mta-sts IN CNAME @ _mta-sts IN TXT "v=STSv1; id=2024022500" _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:reports@sinanmohd.com" -www IN CNAME @ -git IN CNAME @ -bin IN CNAME @ -static IN CNAME @ -home IN CNAME @ -nixbin IN CNAME @ -immich IN CNAME @ -sliding IN CNAME @ -grafana IN CNAME @ - -lia IN A 65.0.3.127 +www IN CNAME @ +git IN CNAME @ +bin IN CNAME @ +static IN CNAME @ +home IN CNAME @ +nixbin IN CNAME @ +immich IN CNAME @ +sliding IN CNAME @ +grafana IN CNAME @ +stalwart IN CNAME @ +minio IN CNAME @ +s3 IN CNAME @ +headscale IN CNAME @ _acme-challenge IN NS ns1 diff --git a/os/kay/modules/internal/acme.nix b/os/kay/modules/internal/acme.nix new file mode 100644 index 0000000..60e40a8 --- /dev/null +++ b/os/kay/modules/internal/acme.nix 
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+let
+ email = config.global.userdata.email;
+ domain = config.global.userdata.domain;
+
+ environmentFile = pkgs.writeText "acme-dns" "RFC2136_NAMESERVER='[2001:470:ee65::1]:53'";
+in
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = email;
+
+ certs.${domain} = {
+ inherit domain;
+ extraDomainNames = [ "*.${domain}" ];
+
+ dnsProvider = "rfc2136";
+ dnsPropagationCheck = false; # local DNS server
+
+ inherit environmentFile;
+ group = config.services.nginx.group;
+ };
+ };
+}
diff --git a/os/kay/modules/internal/postgresql.nix b/os/kay/modules/internal/postgresql.nix
new file mode 100644
index 0000000..6ba5398
--- /dev/null
+++ b/os/kay/modules/internal/postgresql.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ services.postgresql = {
+ enable = true;
+ package = with pkgs; postgresql_15;
+ authentication = lib.mkForce ''
+ #type database DBuser origin-address auth-method
+ # unix socket
+ local all all trust
+ # ipv4
+ host all all 127.0.0.1/32 trust
+ # ipv6
+ host all all ::1/128 trust
+ '';
+
+ settings.log_timezone = config.time.timeZone;
+ };
+
+ services.prometheus.exporters.postgres = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ };
+}
diff --git a/os/kay/modules/internal/www.nix b/os/kay/modules/internal/www.nix
new file mode 100644
index 0000000..dd0a1ef
--- /dev/null
+++ b/os/kay/modules/internal/www.nix
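Review bot: `environmentFile` is built with `pkgs.writeText`, which lands in the world-readable nix store; that is harmless while the file only names the nameserver, but it should not be the place a TSIG secret goes if the unsigned rfc2136 update is ever tightened. A short comment would keep that from happening by accident: `# no secret in here: updates are authorized by source address on the knot side; a TSIG key must come from sops, not writeText`. `dnsPropagationCheck = false` is fine given the comment says the nameserver is local.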
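Review bot: `authentication` grants `trust` to every role over the unix socket and both loopback addresses, so any local process or shell on this host can connect as the `postgres` superuser with no password; that includes every service in this tree (the github runner in `services/github-runner.nix`, the web apps behind nginx) if one of them is compromised. The services here connect via socket URLs such as `postgresql://@/hass` with `ensureUsers` names matching their system users, so `local all all peer` would keep them working while binding the database identity to the OS user; the two `host` lines could then be dropped or moved to `scram-sha-256`. Whether every consumer really runs under a matching system user is an assumption from the other modules' `ensureUsers` entries and should be checked before flipping the method.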
@@ -0,0 +1,323 @@ +{ + config, + pkgs, + lib, + ... +}: + +let + domain = config.global.userdata.domain; + storage = "/hdd/users/sftp/shr"; +in +{ + security.acme.certs.${domain}.postRun = "systemctl reload nginx.service"; + networking.firewall = { + allowedTCPPorts = [ + 80 + 443 + ]; + allowedUDPPorts = [ 443 ]; + }; + + services.prometheus.exporters = { + nginxlog = { + enable = true; + listenAddress = "127.0.0.1"; + }; + nginx = { + enable = true; + listenAddress = "127.0.0.1"; + }; + }; + + services.nginx = { + enable = true; + statusPage = true; + package = pkgs.nginxQuic; + enableQuicBPF = true; + + recommendedTlsSettings = true; + # breaks home-assistant proxy for some reason + # only the first request goes through, then site hangs + # recommendedZstdSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + recommendedBrotliSettings = true; + eventsConfig = "worker_connections 1024;"; + appendHttpConfig = '' + quic_retry on; + quic_gso on; + add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1'; + ''; + + virtualHosts = + let + defaultOpts = { + # reuseport = true; + quic = true; + http3 = true; + forceSSL = true; + useACMEHost = domain; + }; + in + { + "${domain}" = defaultOpts // { + default = true; + globalRedirect = "www.${domain}"; + + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; + + locations = { + "/.well-known/matrix/server".return = '' + 200 '{ "m.server": "${domain}:443" }' + ''; + + "/.well-known/matrix/client".return = '' + 200 '${ + builtins.toJSON { + "m.homeserver".base_url = "https://${domain}"; + "org.matrix.msc3575.proxy".url = "https://sliding.${domain}"; + "m.identity_server".base_url = "https://vector.im"; + } + }' + ''; + + "/.well-known/".proxyPass = "http://127.0.0.1:8085"; + + "~ ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = + "http://127.0.0.1:${toString config.services.dendrite.httpPort}"; + }; + }; + + 
"sliding.${domain}" = defaultOpts // { + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; + + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://${config.services.matrix-sliding-sync-dirty.settings.SYNCV3_BINDADDR}"; + }; + }; + + "headscale.${domain}" = defaultOpts // { + locations = { + "/" = { + proxyWebsockets = true; + proxyPass = "http://localhost:${toString config.services.headscale.port}"; + }; + "= /".return = "307 https://headscale.${domain}/admin"; + "/admin".proxyPass = "http://localhost:${toString config.services.headplane.settings.server.port}"; + }; + }; + + "${config.services.grafana.settings.server.domain}" = defaultOpts // { + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; + + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; + }; + }; + + "www.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; + + root = "/var/www/${domain}"; + }; + + "git.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; + }; + + "bin.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; + root = "${storage}/bin"; + locations."= /".return = "307 https://www.${domain}"; + }; + + "static.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; + root = "${storage}/static"; + locations."= /".return = "301 https://www.${domain}"; + }; + + "home.${domain}" = defaultOpts // { + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:${builtins.toString config.services.home-assistant.config.http.server_port}"; + }; + }; + + "stalwart.${domain}" = defaultOpts // { + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:8085"; + }; + }; + + "s3.${domain}" = defaultOpts // { + extraConfig = '' + 
# Allow special characters in headers + ignore_invalid_headers off; + # Allow any size file to be uploaded. + # Set to a value such as 1000m; to restrict file size to a specific value + client_max_body_size 0; + # Disable buffering + proxy_buffering off; + proxy_request_buffering off; + ''; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:9000"; + extraConfig = '' + proxy_connect_timeout 300; + chunked_transfer_encoding off; + ''; + }; + }; + + "minio.${domain}" = defaultOpts // { + extraConfig = '' + # Allow special characters in headers + ignore_invalid_headers off; + # Allow any size file to be uploaded. + # Set to a value such as 1000m; to restrict file size to a specific value + client_max_body_size 0; + # Disable buffering + proxy_buffering off; + proxy_request_buffering off; + ''; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:9003"; + extraConfig = '' + # This is necessary to pass the correct IP to be hashed + real_ip_header X-Real-IP; + proxy_connect_timeout 300; + chunked_transfer_encoding off; + ''; + }; + }; + + "mta-sts.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; + locations."= /.well-known/mta-sts.txt".return = ''200 "${ + lib.strings.concatStringsSep "\\n" [ + "version: STSv1" + "mode: enforce" + "mx: mail.${domain}" + "max_age: 86400" + ] + }"''; + }; + + "immich.${domain}" = defaultOpts // { + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://${config.services.immich.host}:${builtins.toString config.services.immich.port}"; + }; + + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; + }; + + "nixbin.${domain}" = defaultOpts // { + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; + + locations = { + "= /files".return = "301 https://nixbin.${domain}/files/"; + "/files/" = { + alias = "/nix/store/"; + extraConfig = "autoindex on;"; + }; + + 
"= /" = { + extraConfig = '' + add_header Content-Type text/html; + add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1'; + ''; + return = '' + 200 + '<!DOCTYPE html> + <html lang="en"> + <head> + <meta charset="UTF-8"> + <title>Nix Cache</title> + </head> + <body> + <center> + <h1 style="font-size: 8em"> + ❄️ Nix Cache + </h1> + <p style="font-weight: bold"> + Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k= + </p> + </center> + </body> + </html>' + ''; + }; + + "/".proxyPass = + "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; + }; + }; + + "www.alinafs.com" = defaultOpts // { + useACMEHost = null; + enableACME = true; + globalRedirect = "alinafs.com/home"; + extraConfig = '' + ssl_early_data on; + ''; + }; + "alinafs.com" = defaultOpts // { + useACMEHost = null; + enableACME = true; + + locations = { + "/metrics".return = "307 /home/"; + "/" = { + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:${builtins.toString config.services.alina.port}"; + }; + }; + + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; + }; + }; + }; +} diff --git a/os/kay/modules/network.nix b/os/kay/modules/network/default.nix index 22d132b..281751a 100644 --- a/os/kay/modules/network.nix +++ b/os/kay/modules/network/default.nix @@ -1,20 +1,24 @@ -{ config, ... }: +{ config, pkgs, ... }: let inetVlan = 1003; wanInterface = "enp3s0"; - nameServer = [ "1.0.0.1" "1.1.1.1" ]; + nameServer = [ + "1.0.0.1" + "1.1.1.1" + ]; in { imports = [ ./router.nix ./hurricane.nix + ./headscale.nix ]; sops.secrets = { - "ppp/chap-secrets" = {}; - "ppp/pap-secrets" = {}; - "ppp/username" = {}; + "ppp/chap-secrets" = { }; + "ppp/pap-secrets" = { }; + "ppp/username" = { }; }; networking = { @@ -43,7 +47,7 @@ in nic-wan defaultroute - ipv6 ::1, + ipv6 ::1337, noauth persist 
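Review bot: `locations."/files/"` on `nixbin.${domain}` aliases `/nix/store/` with `autoindex on;`, which publishes an enumerable listing of every store path on the host to the internet. nix-serve already hands out any path by hash, but the listing removes the need to know the hash, and this same commit writes the headscale policy (user names, tags, the advertised LAN subnets) and its generated config into the store via `pkgs.formats`; any future `writeText` of a credential would be public the same way. If the index is only a convenience, drop `autoindex on;` or gate the location (`allow 192.168.43.0/24; deny all;`) and keep secrets on `sops.secrets` paths only. Separately, `real_ip_header X-Real-IP;` on `minio` without a `set_real_ip_from` does nothing as far as I can tell, so the comment about passing the correct IP to be hashed does not hold.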
@@ -52,6 +56,15 @@ in lcp-echo-failure 5 ''; + script."01-ipv6-ra" = { + type = "ip-up"; + runtimeInputs = [ pkgs.procps ]; + + text = '' + sysctl net.ipv6.conf.ppp0.accept_ra=2 + ''; + }; + peers.keralavision = { enable = true; autostart = true; diff --git a/os/kay/modules/network/headscale.nix b/os/kay/modules/network/headscale.nix new file mode 100644 index 0000000..39007a4 --- /dev/null +++ b/os/kay/modules/network/headscale.nix 
@@ -0,0 +1,200 @@ +{ + config, + pkgs, + lib, + headplane, + namescale, + ... +}: +let + url = "https://headscale.${config.global.userdata.domain}"; + stunPort = 3478; + + # A workaround generate a valid Headscale config accepted by Headplane when `config_strict == true`. + settings = lib.recursiveUpdate config.services.headscale.settings { + tls_cert_path = "/dev/null"; + tls_key_path = "/dev/null"; + policy.path = "/dev/null"; + }; + format = pkgs.formats.yaml { }; + headscaleConfig = format.generate "headscale.yml" settings; + + policyFormat = pkgs.formats.json { }; + policy = { + groups = { + "group:owner" = [ "sinan@" ]; + "group:bud" = [ + "sinan@" + "ann@" + ]; + }; + tagOwners = { + "tag:namescale" = [ "group:owner" ]; + "tag:internal" = [ "group:owner" ]; + "tag:bud_clients" = [ "group:bud" ]; + "tag:cusat" = [ "group:owner" ]; + "tag:gaijin" = [ "group:owner" ]; + }; + autoApprovers = { + routes = { + "192.168.43.0/24" = [ + "group:owner" + "tag:internal" + ]; + "192.168.38.0/24" = [ + "group:owner" + "tag:internal" + ]; + }; + exitNode = [ + "group:owner" + "tag:internal" + ]; + }; + acls = [ + { + action = "accept"; + src = [ "*" ]; + dst = [ "tag:namescale:${toString config.services.namescale.settings.port}" ]; + } + { + action = "accept"; + src = [ "headplane@" ]; + dst = [ "*:*" ]; + } + + { + action = "accept"; + src = [ "group:owner" ]; + dst = [ "*:*" ]; + } + { + action = "accept"; + src = [ "nazer@" ]; + dst = [ "autogroup:internet:*" ]; + } + + { + action = "accept"; + src = [ "group:bud" ]; + dst = [ "tag:bud_clients:*" ]; + } + { + action = "accept"; + src = [ "tag:bud_clients" ]; + dst = [ "tag:bud_clients:80,443" ]; + } + ]; + }; +in +{ + imports = [ + headplane.nixosModules.headplane + namescale.nixosModules.namescale + ]; + + nixpkgs.overlays = [ headplane.overlays.default ]; + environment.systemPackages = [ config.services.headscale.package ]; + + sops.secrets = { + # server + "headplane/cookie_secret".owner = 
config.services.headscale.user; + "headplane/preauth_key".owner = config.services.headscale.user; + "headscale/noise_private_key".owner = config.services.headscale.user; + "headscale/derp_private_key".owner = config.services.headscale.user; + # client + "headscale/pre_auth_key" = { }; + }; + + networking = { + nameservers = [ "100.100.100.100" ]; + search = [ config.services.headscale.settings.dns.base_domain ]; + + firewall = { + interfaces.ppp0.allowedUDPPorts = [ stunPort ]; + trustedInterfaces = [ config.services.tailscale.interfaceName ]; + }; + }; + # for exit node only + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + + services = { + headscale = { + enable = true; + port = 8139; + + settings = { + logtail.enabled = false; + server_url = url; + noise.private_key_path = config.sops.secrets."headscale/noise_private_key".path; + dns = { + base_domain = "tsnet.${config.global.userdata.domain}"; + override_local_dns = false; + nameservers.split."${config.services.headscale.settings.dns.base_domain}" = [ + config.services.namescale.settings.host + ]; + }; + derp = { + server = { + enabled = true; + private_key_path = config.sops.secrets."headscale/derp_private_key".path; + region_code = config.networking.hostName; + region_name = config.networking.hostName; + stun_listen_addr = "0.0.0.0:${toString stunPort}"; + region_id = 6969; + automatically_add_embedded_derp_region = true; + }; + urls = [ ]; + }; + policy = { + mode = "file"; + path = policyFormat.generate "acl.json" policy; + }; + }; + }; + + headplane = { + enable = true; + settings = { + server = { + port = 8140; + cookie_secret_path = config.sops.secrets."headplane/cookie_secret".path; + }; + headscale = { + inherit url; + config_path = "${headscaleConfig}"; + }; + integration.agent = { + enabled = true; + pre_authkey_path = config.sops.secrets."headplane/preauth_key".path; + }; + }; + }; + + tailscale = { + enable = true; + interfaceName = 
"headscale"; + openFirewall = true; + + authKeyFile = config.sops.secrets."headscale/pre_auth_key".path; + extraUpFlags = [ + "--login-server=${url}" + "--advertise-exit-node" + "--advertise-routes=192.168.43.0/24,192.168.38.0/24" + "--advertise-tags=tag:internal,tag:namescale" + ]; + }; + + namescale = { + enable = true; + settings = { + host = "100.64.0.6"; + port = 53; + base_domain = config.services.headscale.settings.dns.base_domain; + }; + }; + }; +} diff --git a/os/kay/modules/hurricane.nix b/os/kay/modules/network/hurricane.nix index 511b213..e815136 100644 --- a/os/kay/modules/hurricane.nix +++ b/os/kay/modules/network/hurricane.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let iface = "hurricane"; @@ -10,12 +15,15 @@ let prefix64 = "2001:470:36:72a::/64"; prefix48 = "2001:470:ee65::/48"; - makeAddr = prefix: host: let - split = lib.strings.splitString "/" prefix; - in { - address = "${lib.head split}${host}"; - prefixLength = lib.toInt (lib.last split); - }; + makeAddr = + prefix: host: + let + split = lib.strings.splitString "/" prefix; + in + { + address = "${lib.head split}${host}"; + prefixLength = lib.toInt (lib.last split); + }; in { networking = { @@ -43,17 +51,15 @@ in }; firewall = { - extraCommands = - "iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT"; - extraStopCommands = - "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT"; + extraCommands = "iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT"; + extraStopCommands = "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT"; }; }; sops.secrets = { - "hurricane/username" = {}; - "hurricane/update_key" = {}; - "hurricane/tunnel_id" = {}; + "hurricane/username" = { }; + "hurricane/update_key" = { }; + "hurricane/tunnel_id" = { }; }; systemd.services."network-route-${iface}" = { 
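Review bot: `networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]` switches the host firewall off for every tailnet peer the policy lets reach this node, so anything bound to a wildcard address (the stalwart http listener on `[::]:8085` elsewhere in this commit, the headscale/headplane ports, minio if so bound) is reachable in plaintext over the tailnet, bypassing nginx. The `acls` list limits that to `group:owner` and `headplane@`, but `headplane@` with `dst = [ "*:*" ]` hands the Headplane agent node the same full reach; if the agent only needs the control plane, narrow it to the headscale port on `tag:internal`. Prefer `interfaces.headscale.allowedTCPPorts = [ ... ]` naming what peers actually use over trusting the whole interface. Note also that `policyFormat.generate "acl.json"` puts user names, tags and the subnet list into the world-readable nix store.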
@@ -64,7 +70,10 @@ in ]; before = [ "network-setup.service" ]; bindsTo = [ "network-addresses-hurricane.service" ]; - after = [ "network-pre.target" "network-addresses-hurricane.service" ]; + after = [ + "network-pre.target" + "network-addresses-hurricane.service" + ]; # restart rather than stop+start this unit to prevent the # network from dying during switch-to-configuration. stopIfChanged = false; @@ -95,9 +104,13 @@ in ''; }; - services.pppd.script."01-${iface}" = { - runtimeInputs = with pkgs; [ curl coreutils iproute2 iputils ]; + runtimeInputs = with pkgs; [ + curl + coreutils + iproute2 + iputils + ]; text = '' wan_ip="$4" username="$(cat ${config.sops.secrets."hurricane/username".path})" diff --git a/os/kay/modules/router.nix b/os/kay/modules/network/router.nix index 2e01789..aeb008c 100644 --- a/os/kay/modules/router.nix +++ b/os/kay/modules/network/router.nix @@ -1,4 +1,5 @@ -{ ... }: let +{ ... }: +let wanInterface = "ppp0"; gponInterface = "enp3s0"; @@ -15,12 +16,8 @@ wapMac = "40:86:cb:d7:40:49"; wapIp = "192.168.43.2"; -in { - imports = [ - ./wireguard.nix - ./iperf3.nix - ]; - +in +{ networking = { bridges.${bridgeInterface}.interfaces = [ lanInterface ]; 
@@ -30,43 +27,41 @@ in { internalInterfaces = [ bridgeInterface ]; }; interfaces = { - ${bridgeInterface}.ipv4.addresses = [{ + ${bridgeInterface}.ipv4.addresses = [ + { address = host; - prefixLength = prefix; - }]; - ${gponInterface}.ipv4.addresses = [{ + prefixLength = prefix; + } + ]; + ${gponInterface}.ipv4.addresses = [ + { address = gponHost; - prefixLength = gponPrefix; - }]; + prefixLength = gponPrefix; + } + ]; }; firewall = { - allowedUDPPorts = [ 53 67 ]; + allowedUDPPorts = [ + 53 + 67 + ]; allowedTCPPorts = [ 53 ]; extraCommands = '' iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ -o ${wanInterface} \ -j TCPMSS --clamp-mss-to-pmtu - - iptables -N inetfilter - iptables -A inetfilter -s 192.168.43.124/32 -m mac --mac-source 08:02:3c:d4:d9:f2 -j ACCEPT - iptables -A inetfilter -s 192.168.43.119/32 -m mac --mac-source a8:93:4a:50:c8:b3 -j ACCEPT - iptables -A inetfilter -j DROP - iptables -I FORWARD -i lan -o ppp0 -j inetfilter ''; extraStopCommands = '' iptables -t mangle -D FORWARD -p tcp --tcp-flags SYN,RST SYN \ -o ${wanInterface} \ -j TCPMSS --clamp-mss-to-pmtu - - iptables -w -t filter -F inetfilter - iptables -w -t filter -X inetfilter ''; }; }; services.dnsmasq.settings = { dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ]; - dhcp-host= "${wapMac},${wapIp}"; + dhcp-host = "${wapMac},${wapIp}"; interface = [ bridgeInterface ]; }; diff --git a/os/kay/modules/observability/prometheus.nix b/os/kay/modules/observability/prometheus.nix index d9b6071..9ca73da 100644 --- a/os/kay/modules/observability/prometheus.nix +++ b/os/kay/modules/observability/prometheus.nix 
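Review bot: Dropping the `inetfilter` chain removes the only per-host control on LAN→WAN forwarding: before, just two IP/MAC pairs could reach `ppp0`, now `networking.nat.internalInterfaces` forwards every device on the bridge, including anything dnsmasq hands a lease to. If that is intended, a one-line comment where the chain used to be, `# LAN→WAN allowlist (inetfilter) retired: all bridge clients get WAN`, would stop the next reader from treating it as an accident; if not, the chain should come back. Also `allowedUDPPorts = [ 53 67 ]` and `allowedTCPPorts = [ 53 ]` are global rather than `interfaces.${bridgeInterface}.allowedUDPPorts`, so DHCP and the dnsmasq resolver port are open on `ppp0` and the HE tunnel as well; knot already listens on the public addresses, so scoping these to the bridge is cheap. The `networking` attrset continues outside this hunk.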
@@ -4,36 +4,35 @@ enable = true; port = 9001; - scrapeConfigs = [{ - job_name = "kay"; - scrape_interval = "1s"; - static_configs = [ - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.wireguard.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginxlog.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.snmp.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ]; - } - ]; - }]; + scrapeConfigs = [ + { + job_name = "kay"; + scrape_interval = "1s"; + static_configs = [ + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginxlog.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.snmp.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ]; + } + ]; + } + ]; exporters = { node = { diff --git a/os/kay/modules/postgresql.nix b/os/kay/modules/postgresql.nix deleted file mode 100644 index 79d0b12..0000000 --- a/os/kay/modules/postgresql.nix +++ /dev/null 
@@ -1,22 +0,0 @@ -{ config, lib, pkgs, ... }: { - services.postgresql = { - enable = true; - package = with pkgs; postgresql_15; - authentication = lib.mkForce '' - #type database DBuser origin-address auth-method - # unix socket - local all all trust - # ipv4 - host all all 127.0.0.1/32 trust - # ipv6 - host all all ::1/128 trust - ''; - - settings.log_timezone = config.time.timeZone; - }; - - services.prometheus.exporters.postgres = { - enable = true; - listenAddress = "127.0.0.1"; - }; -} diff --git a/os/kay/modules/alina.nix b/os/kay/modules/services/alina.nix index ef6331b..c567953 100644 --- a/os/kay/modules/alina.nix +++ b/os/kay/modules/services/alina.nix @@ -1,14 +1,20 @@ -{ config, pkgs, ... }: let +{ config, alina, ... }: +let domain = "alinafs.com"; -in { - sops.secrets."misc/alina" = {}; +in +{ + imports = [ alina.nixosModules.alina ]; + + sops.secrets."misc/alina" = { }; services.postgresql = { ensureDatabases = [ "alina" ]; - ensureUsers = [{ - name = "alina"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "alina"; + ensureDBOwnership = true; + } + ]; }; services.alina = { @@ -17,7 +23,7 @@ in { environmentFile = config.sops.secrets."misc/alina".path; settings.server = { data = "/hdd/alina"; - file_size_limit = 1024 * 1024 * 1024; /* 1GB */ + file_size_limit = 1024 * 1024 * 1024; # 1GB public_url = "https://${domain}"; }; }; diff --git a/os/kay/modules/cgit.nix b/os/kay/modules/services/cgit.nix index 254cc80..254cc80 100644 --- a/os/kay/modules/cgit.nix +++ b/os/kay/modules/services/cgit.nix diff --git a/os/kay/modules/github-runner.nix b/os/kay/modules/services/github-runner.nix index dd4d48d..dd4d48d 100644 --- a/os/kay/modules/github-runner.nix +++ b/os/kay/modules/services/github-runner.nix diff --git a/os/kay/modules/home-assistant.nix b/os/kay/modules/services/home-assistant.nix index 2376997..65807f7 100644 --- a/os/kay/modules/home-assistant.nix +++ b/os/kay/modules/services/home-assistant.nix 
@@ -1,21 +1,26 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ services.postgresql = { enable = true; ensureDatabases = [ "hass" ]; - ensureUsers = [{ - name = "hass"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "hass"; + ensureDBOwnership = true; + } + ]; }; services.home-assistant = { enable = true; - package = (pkgs.home-assistant.override { - extraPackages = py: with py; [ psycopg2 ]; - }).overrideAttrs (oldAttrs: { - doInstallCheck = false; - }); + package = + (pkgs.home-assistant.override { + extraPackages = py: with py; [ psycopg2 ]; + }).overrideAttrs + (oldAttrs: { + doInstallCheck = false; + }); extraComponents = [ "analytics" @@ -29,7 +34,7 @@ ]; config = { - default_config = {}; + default_config = { }; recorder.db_url = "postgresql://@/hass"; http = { diff --git a/os/kay/modules/immich.nix b/os/kay/modules/services/immich.nix index 5e5eaf4..5e5eaf4 100644 --- a/os/kay/modules/immich.nix +++ b/os/kay/modules/services/immich.nix diff --git a/os/kay/modules/iperf3.nix b/os/kay/modules/services/iperf3.nix index 2c8afef..2c8afef 100644 --- a/os/kay/modules/iperf3.nix +++ b/os/kay/modules/services/iperf3.nix diff --git a/os/kay/modules/mail.nix b/os/kay/modules/services/mail.nix index a418a86..685461f 100644 --- a/os/kay/modules/mail.nix +++ b/os/kay/modules/services/mail.nix @@ -1,4 +1,5 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let ipv6 = "2001:470:ee65::1337"; domain = config.global.userdata.domain; username = config.global.userdata.name; @@ -15,12 +16,13 @@ ]; credentials_directory = "/run/credentials/stalwart-mail.service"; -in { +in +{ security.acme.certs.${domain}.postRun = "systemctl restart stalwart-mail.service"; sops.secrets = { - "mail.${domain}/dkim_rsa" = {}; - "mail.${domain}/dkim_ed25519" = {}; - "mail.${domain}/password" = {}; + "mail.${domain}/dkim_rsa" = { }; + "mail.${domain}/dkim_ed25519" = { }; + "mail.${domain}/password" = { }; }; systemd.services.stalwart-mail.serviceConfig.LoadCredential = [ 
@@ -35,61 +37,54 @@ in { services.postgresql = { ensureDatabases = [ "stalwart" ]; - ensureUsers = [{ - name = "stalwart"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "stalwart"; + ensureDBOwnership = true; + } + ]; }; services.stalwart-mail = { enable = true; openFirewall = true; - # foundation db is too big to build on a 32GB ram machine, good job - # trillion dollar company, proud of you - package = pkgs.stalwart-mail.overrideAttrs { - buildNoDefaultFeatures = true; - buildFeatures = [ "postgres" ]; - buildInputs = with pkgs; [ - bzip2 - openssl - zstd - ]; - # some tests fails with -lfdb_c: No such file, just disable this for row - # probably because of not including foundationdb, upstream has this - # enabled so it's not the end of the world - doCheck = false; - }; - settings = { queue.outbound = { ip-strategy = "ipv6_then_ipv4"; source-ip.v6 = "['${ipv6}']"; tls.starttls = "optional"; }; - - server.listener = { - smtp = { - bind = [ "[${ipv6}]:25" "0.0.0.0:25" ]; - protocol = "smtp"; - }; - submission = { - bind = "[::]:587"; - protocol = "smtp"; - }; - submissions = { - bind = "[::]:465"; - protocol = "smtp"; - tls.implicit = true; - }; - imaptls = { - bind = "[::]:993"; - protocol = "imap"; - tls.implicit = true; - }; - http = { - bind = "[::]:8085"; - protocol = "http"; + http.url = "'https://stalwart.${domain}'"; + + server = { + hostname = "mail.${domain}"; + listener = { + smtp = { + bind = [ + "[${ipv6}]:25" + "0.0.0.0:25" + ]; + protocol = "smtp"; + }; + submission = { + bind = "[::]:587"; + protocol = "smtp"; + }; + submissions = { + bind = "[::]:465"; + protocol = "smtp"; + tls.implicit = true; + }; + imaptls = { + bind = "[::]:993"; + protocol = "imap"; + tls.implicit = true; + }; + http = { + bind = "[::]:8085"; + protocol = "http"; + }; }; }; 
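Review bot: The `http` listener at the end of the new `server.listener` block still binds `[::]:8085` with no TLS, and with `openFirewall = true` set a few lines above the module will, if it derives the firewall ports from the listener binds (the nixpkgs stalwart-mail module does, as far as I recall), open that port on every interface, exposing the web admin/JMAP endpoint in cleartext. The deleted www.nix proxied `mail.${domain}` to `127.0.0.1:8085`, so the listener only needs loopback: `bind = "127.0.0.1:8085";` (or `"[::1]:8085"` if the new proxy targets v6). If the reverse proxy has moved to another host, bind to that interface explicitly rather than `[::]` and keep the port out of the firewall allow-list.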
@@ -98,7 +93,13 @@ in { private-key = "%{file:${credentials_directory}/dkim_rsa}%"; inherit domain; selector = "rsa"; - headers = ["From" "To" "Date" "Subject" "Message-ID"]; + headers = [ + "From" + "To" + "Date" + "Subject" + "Message-ID" + ]; algorithm = "rsa-sha-256"; canonicalization = "simple/simple"; @@ -110,7 +111,13 @@ in { private-key = "%{file:${credentials_directory}/dkim_ed25519}%"; inherit domain; selector = "ed25519"; - headers = ["From" "To" "Date" "Subject" "Message-ID"]; + headers = [ + "From" + "To" + "Date" + "Subject" + "Message-ID" + ]; algorithm = "ed25519-sha256"; canonicalization = "simple/simple"; @@ -148,13 +155,14 @@ in { principals = [ { class = "admin"; - name = username; + name = "${username}@${domain}"; secret = "%{file:${credentials_directory}/password}%"; inherit email; } - { # for mta-sts & dmarc reports + { + # for mta-sts & dmarc reports class = "individual"; - name = "reports"; + name = "reports@${domain}"; secret = "%{file:${credentials_directory}/password}%"; email = [ "reports@${domain}" ]; } diff --git a/os/kay/modules/matrix/default.nix b/os/kay/modules/services/matrix/default.nix index f81d0d9..1b9564d 100644 --- a/os/kay/modules/matrix/default.nix +++ b/os/kay/modules/services/matrix/default.nix @@ -1,12 +1,14 @@ -{ config, ... }: let +{ config, ... }: +let domain = config.global.userdata.domain; -in { +in +{ imports = [ ./dendrite.nix ./matrix-sliding-sync.nix ]; - sops.secrets."matrix-${domain}/sliding_sync" = {}; + sops.secrets."matrix-${domain}/sliding_sync" = { }; services.matrix-sliding-sync-dirty = { enable = true; diff --git a/os/kay/modules/matrix/dendrite.nix b/os/kay/modules/services/matrix/dendrite.nix index 3f4a879..e66c5a5 100644 --- a/os/kay/modules/matrix/dendrite.nix +++ b/os/kay/modules/services/matrix/dendrite.nix 
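Review bot: In the last hunk the `reports@${domain}` principal (class `individual`) is given the same secret as the admin principal, `secret = "%{file:${credentials_directory}/password}%"`, so the mailbox that only exists to receive MTA-STS and DMARC reports authenticates with the administrator password. Any client or script configured for that low-value account, or a leak of its credential, yields admin access to the whole server. Add a separate credential (e.g. a `mail.${domain}/reports_password` sops secret passed through `LoadCredential` like the existing ones) and point the reports principal at it: `secret = "%{file:${credentials_directory}/reports_password}%";`. The principals list continues past the end of the hunk.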
@@ -10,16 +10,18 @@ let }; in { - sops.secrets."matrix-${domain}/key" = {}; + sops.secrets."matrix-${domain}/key" = { }; systemd.services.dendrite.after = [ "postgresql.service" ]; services = { postgresql = { ensureDatabases = [ "dendrite" ]; - ensureUsers = [{ - name = "dendrite"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "dendrite"; + ensureDBOwnership = true; + } + ]; }; dendrite = { @@ -43,10 +45,12 @@ in ]; inherit database; }; - logging = [{ - type = "std"; - level = "warn"; - }]; + logging = [ + { + type = "std"; + level = "warn"; + } + ]; mscs = { inherit database; mscs = [ "msc2836" ]; @@ -63,19 +67,21 @@ in federation_api = { inherit database; send_max_retries = 8; - key_perspectives = [{ - server_name = "matrix.org"; - keys = [ - { - key_id = "ed25519:auto"; - public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; - } - { - key_id = "ed25519:a_RXGa"; - public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; - } - ]; - }]; + key_perspectives = [ + { + server_name = "matrix.org"; + keys = [ + { + key_id = "ed25519:auto"; + public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; + } + { + key_id = "ed25519:a_RXGa"; + public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; + } + ]; + } + ]; }; app_service_api = { diff --git a/os/kay/modules/matrix/matrix-sliding-sync.nix b/os/kay/modules/services/matrix/matrix-sliding-sync.nix index f4c1426..253ec4d 100644 --- a/os/kay/modules/matrix/matrix-sliding-sync.nix +++ b/os/kay/modules/services/matrix/matrix-sliding-sync.nix 
@@ -1,12 +1,20 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.matrix-sliding-sync-dirty; - matrix-sliding-sync = pkgs.callPackage ../../pkgs/matrix-sliding-sync.nix {}; + matrix-sliding-sync = pkgs.callPackage ../../../pkgs/matrix-sliding-sync.nix { }; in { imports = [ - (lib.mkRenamedOptionModule [ "services" "matrix-synapse" "sliding-sync" ] [ "services" "matrix-sliding-sync" ]) + (lib.mkRenamedOptionModule + [ "services" "matrix-synapse" "sliding-sync" ] + [ "services" "matrix-sliding-sync" ] + ) ]; options.services.matrix-sliding-sync-dirty = { @@ -40,7 +48,14 @@ in }; SYNCV3_LOG_LEVEL = lib.mkOption { - type = lib.types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ]; + type = lib.types.enum [ + "trace" + "debug" + "info" + "warn" + "error" + "fatal" + ]; default = "info"; description = "The level of verbosity for messages logged."; }; @@ -77,10 +92,12 @@ in services.postgresql = lib.optionalAttrs cfg.createDatabase { enable = true; ensureDatabases = [ "matrix-sliding-sync" ]; - ensureUsers = [ { - name = "matrix-sliding-sync"; - ensureDBOwnership = true; - } ]; + ensureUsers = [ + { + name = "matrix-sliding-sync"; + ensureDBOwnership = true; + } + ]; }; systemd.services.matrix-sliding-sync = rec { diff --git a/os/kay/modules/services/minio.nix b/os/kay/modules/services/minio.nix new file mode 100644 index 0000000..d440e50 --- /dev/null +++ b/os/kay/modules/services/minio.nix 
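Review bot: The `mkRenamedOptionModule` in the first hunk forwards `services.matrix-synapse.sliding-sync` to `services.matrix-sliding-sync`, but the options this module declares live under `services.matrix-sliding-sync-dirty` (see `options.services.matrix-sliding-sync-dirty` a few lines down), so a config that still uses the old path is redirected to an option this file does not define and, unless the nixpkgs revision in use still ships one under that name, evaluation fails. Either retarget the alias, `[ "services" "matrix-sliding-sync-dirty" ]`, or drop the import now that the module has been forked and renamed. The alias lines look reformatted only, so this predates the commit.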
@@ -0,0 +1,36 @@ +{ + config, + lib, + pkgs, + ... +}: +let + email = config.global.userdata.email; +in +{ + sops.secrets."misc/default_password" = { }; + systemd.services.minio.serviceConfig.LoadCredential = [ + "password:${config.sops.secrets."misc/default_password".path}" + ]; + + services.minio = { + enable = true; + consoleAddress = ":9003"; + + package = pkgs.stdenv.mkDerivation { + name = "minio-with-secrets"; + dontUnpack = true; + buildInputs = with pkgs; [ + makeWrapper + minio + ]; + installPhase = '' + mkdir -p $out/bin + makeWrapper ${lib.getExe pkgs.minio} $out/bin/minio \ + --run 'echo "Seting Minio Secrets"' \ + --set MINIO_ROOT_USER ${email} \ + --run 'export MINIO_ROOT_PASSWORD="$(cat "$CREDENTIALS_DIRECTORY"/password)"' + ''; + }; + }; +} diff --git a/os/kay/modules/nix-cache.nix b/os/kay/modules/services/nix-cache.nix index 9c81b56..9c81b56 100644 --- a/os/kay/modules/nix-cache.nix +++ b/os/kay/modules/services/nix-cache.nix diff --git a/os/kay/modules/sftp.nix b/os/kay/modules/services/sftp.nix index 45ed151..f75abc4 100644 --- a/os/kay/modules/sftp.nix +++ b/os/kay/modules/services/sftp.nix @@ -7,7 +7,7 @@ let in { users = { - groups."sftp".members = []; + groups."sftp".members = [ ]; users."sftp" = { group = "sftp"; 
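Review bot: The wrapper derivation in this new file re-implements root-credential injection that the NixOS minio module offers through `services.minio.rootCredentialsFile` (an environment file carrying `MINIO_ROOT_USER`/`MINIO_ROOT_PASSWORD`), if that option is present in the nixpkgs revision in use; using it would remove the custom derivation and the `--run 'export …'` shell step. If the wrapper is kept, `makeWrapper` belongs in `nativeBuildInputs` rather than `buildInputs`, and the log line has a typo: `--run 'echo "Setting MinIO secrets"'`. The secret is named `misc/default_password`, which reads as a password shared with other services — if it is, the MinIO root account deserves its own secret, since the root key grants full control over every bucket.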
@@ -20,7 +20,8 @@ in # samsung files only support PEM, hence RSA key # https://r1.community.samsung.com/t5/galaxy-s/unable-to-remotely-connect-to-sftp-server-through-my-files/m-p/16347552/highlight/true#M105871 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCqe7CcXJw+dhXKUVeuj1iGOcV7KhyiJ55PxhGDXfQdu1YS5gi/pBnOk39pL22+QBFZX0trU/JNHpCMZWyFp/Fz9GBxp2LJERHwkANu0lk0PJ7QZdg79YN5lKpWTo2GpA3gHHC555Rm5V5BknwbZwVXWvGhSR93g/2b6AjcSZn4ZUwFF8soSb2EYsRa7blVbBv2njV2SGI9FezfHBF+N3CNOP7kxk63Pilk9NEUQuvYF1tmF7z/zIXbyLNaLT1MJE8KCbayM7E/WZuonSBqFf3fsmQge0La/LveRehQHb503uHNHzlFHXdMMZQrzOAHHyFQUHhYECvhLNDhGJb1KrjZcEiKmqCMmvHCG4JssRdJB5mq6J0g05ZmMrKt0srIT6lginkHy89AKkqt83xHHvXhZEw40zoGcq2rZD1dPN3toNZL/uGaIK0u1eMxFbuVKK3OjMg2UwzaHX1DDZyJdRes5huG/uXTgN7xamUu/TIBOK+WgibJeNf93i3GbsYezTs= sftp@paq" - ] ++ pubKeys; + ] + ++ pubKeys; }; users."nazer" = { @@ -42,7 +43,7 @@ in }; # sandboxing - extraConfig = '' + extraConfig = '' Match Group sftp # chroot dir should be owned by root # and sub dirs by %u diff --git a/os/kay/modules/sshfwd.nix b/os/kay/modules/sshfwd.nix deleted file mode 100644 index d70b893..0000000 --- a/os/kay/modules/sshfwd.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ ... }: let - group = "sshfwd"; -in { - networking.firewall.allowedTCPPorts = [ 2222 ]; - - users = { - groups.${group}.members = []; - - users."lia" = { - inherit group; - isSystemUser = true; - - openssh.authorizedKeys.keys - = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe7fJlh9L+9JSq0+hK7jNZjszmZqNXwzqcZ+zx0yJyU lia" ]; - }; - }; - - services.openssh.extraConfig = '' - Match Group ${group} - ForceCommand echo 'this account is only usable for remote forwarding' - PermitTunnel no - AllowAgentForwarding no - X11Forwarding no - - AllowTcpForwarding remote - GatewayPorts clientspecified - PermitListen *:2222 - ''; -} diff --git a/os/kay/modules/wireguard.nix b/os/kay/modules/wireguard.nix deleted file mode 100644 index 21cec06..0000000 --- a/os/kay/modules/wireguard.nix +++ /dev/null 
@@ -1,72 +0,0 @@ -{ config, pkgs, lib, ... }: let - wgInterface = "wg"; - wanInterface = "ppp0"; - subnet = "10.0.1.0"; - prefix = 24; - port = 51820; - - wgConf = pkgs.writeText "wg.conf" '' - [interface] - Address = 10.0.1.1/24 - MTU = 1412 - ListenPort = 51820 - PostUp = ${lib.getExe (pkgs.writeShellApplication { - name = "wg_set_key"; - runtimeInputs = with pkgs; [ wireguard-tools ]; - text = '' - wg set ${wgInterface} private-key <(cat ${config.sops.secrets."misc/wireguard".path}) - ''; - })} - - [Peer] - # friendly_name = cez - PublicKey = IcMpAs/D0u8O/AcDBPC7pFUYSeFQXQpTqHpGOeVpjS8= - AllowedIPs = 10.0.1.2/32 - - [Peer] - # friendly_name = exy - PublicKey = bJ9aqGYD2Jh4MtWIL7q3XxVHFuUdwGJwO8p7H3nNPj8= - AllowedIPs = 10.0.1.3/32 - - [Peer] - # friendly_name = dad - PublicKey = q70IyOS2IpubIRWqo5sL3SeEjtUy2V/PT8yqVExiHTQ= - AllowedIPs = 10.0.1.4/32 - - [Peer] - # friendly_name = pradeep - PublicKey = BAOdbgUd53ZmQWkZP3N+zAsxdBpqv6icEwmmjRFEmxI= - AllowedIPs = 10.0.1.5/32 - - [Peer] - # friendly_name = angelo - PublicKey = U6+PzFuM6lKVx0TnDWuWJMsP6Tj8o1a9zjRcD7gV53o= - AllowedIPs = 10.0.1.6/32 - ''; -in { - sops.secrets."misc/wireguard" = {}; - - networking = { - nat = { - enable = true; - externalInterface = wanInterface; - internalInterfaces = [ wgInterface ]; - }; - - firewall.allowedUDPPorts = [ port ]; - wg-quick.interfaces.${wgInterface}.configFile = builtins.toString wgConf; - }; - - services.dnsmasq.settings = { - no-dhcp-interface = wgInterface; - interface = [ wgInterface ]; - }; - - services.prometheus.exporters.wireguard = { - enable = true; - withRemoteIp = true; - wireguardConfig = builtins.toString wgConf; - singleSubnetPerField = true; - listenAddress = "127.0.0.1"; - }; -} diff --git a/os/kay/modules/www.nix b/os/kay/modules/www.nix deleted file mode 100644 index 39e5b4b..0000000 --- a/os/kay/modules/www.nix +++ /dev/null 
@@ -1,256 +0,0 @@ -{ config, pkgs, lib, ... }: - -let - domain = config.global.userdata.domain; - - domain_angelo = "angeloantony.com"; - ip_angelo = "10.0.1.6"; - - storage = "/hdd/users/sftp/shr"; -in -{ - imports = [ - ./matrix - ./cgit.nix - ]; - - security.acme.certs.${domain}.postRun = "systemctl reload nginx.service"; - networking.firewall = { - allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ 443 ]; - }; - - services.prometheus.exporters = { - nginxlog = { - enable = true; - listenAddress = "127.0.0.1"; - }; - nginx = { - enable = true; - listenAddress = "127.0.0.1"; - }; - }; - - services.nginx = { - enable = true; - statusPage = true; - package = pkgs.nginxQuic; - enableQuicBPF = true; - - recommendedTlsSettings = true; - # breaks home-assistant proxy for some reason - # only the first request goes through, then site hangs - # recommendedZstdSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - recommendedBrotliSettings = true; - eventsConfig = "worker_connections 1024;"; - - virtualHosts = let - defaultOpts = { - quic = true; - http3 = true; - forceSSL = true; - useACMEHost = domain; - }; - in { - "${domain}" = defaultOpts // { - default = true; - globalRedirect = "www.${domain}"; - - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - - locations = { - "/.well-known/matrix/server".return = '' - 200 '{ "m.server": "${domain}:443" }' - ''; - - "/.well-known/matrix/client".return = '' - 200 '${builtins.toJSON { - "m.homeserver".base_url = "https://${domain}"; - "org.matrix.msc3575.proxy".url = "https://sliding.${domain}"; - "m.identity_server".base_url = "https://vector.im"; - }}' - ''; - - "~ ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = "http://127.0.0.1:${toString - config.services.dendrite.httpPort - }"; - }; - }; - - "sliding.${domain}" = defaultOpts // { - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; 
- client_max_body_size 0; - ''; - - locations."/" = { - proxyWebsockets = true; - proxyPass = - "http://${config.services.matrix-sliding-sync-dirty.settings.SYNCV3_BINDADDR}"; - }; - }; - - ".${domain_angelo}" = defaultOpts // { - useACMEHost = domain_angelo; - - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - - locations."/" = { - proxyWebsockets = true; - proxyPass = - "http://${ip_angelo}"; - }; - }; - - "${config.services.grafana.settings.server.domain}" = defaultOpts // { - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - - locations."/" = { - proxyWebsockets = true; - proxyPass = - "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; - }; - }; - - "www.${domain}" = defaultOpts // { - root = "/var/www/${domain}"; - }; - - "git.${domain}" = defaultOpts; - - "bin.${domain}" = defaultOpts // { - root = "${storage}/bin"; - locations."= /".return = "307 https://www.${domain}"; - }; - - "static.${domain}" = defaultOpts // { - root = "${storage}/static"; - locations."= /".return = "301 https://www.${domain}"; - }; - - "home.${domain}" = defaultOpts // { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:${ - builtins.toString config.services.home-assistant.config.http.server_port - }"; - }; - }; - - "mail.${domain}" = defaultOpts // { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:8085"; - }; - }; - - "mta-sts.${domain}" = defaultOpts // { - locations."= /.well-known/mta-sts.txt".return = ''200 "${ - lib.strings.concatStringsSep "\\n" [ - "version: STSv1" - "mode: enforce" - "mx: mail.${domain}" - "max_age: 86400" - ] - }"''; - }; - - "immich.${domain}" = defaultOpts // { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://${config.services.immich.host}:${builtins.toString config.services.immich.port}"; 
- }; - - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - }; - - "nixbin.${domain}" = defaultOpts // { - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - - locations = { - "= /files".return = "301 https://nixbin.${domain}/files/"; - "/files/" = { - alias = "/nix/store/"; - extraConfig = "autoindex on;"; - }; - - "= /" = { - extraConfig = "add_header Content-Type text/html;"; - return = ''200 - '<!DOCTYPE html> - <html lang="en"> - <head> - <meta charset="UTF-8"> - <title>Nix Cache</title> - </head> - <body> - <center> - <h1 style="font-size: 8em"> - ❄️ Nix Cache - </h1> - <p style="font-weight: bold"> - Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k= - </p> - </center> - </body> - </html>' - ''; - }; - - "/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${ - toString config.services.nix-serve.port - }"; - }; - }; - - - "www.alinafs.com" = defaultOpts // { - useACMEHost = null; - enableACME = true; - globalRedirect = "alinafs.com/home"; - }; - "alinafs.com" = defaultOpts // { - useACMEHost = null; - enableACME = true; - - locations = { - "/metrics".return = "307 /home/"; - "/" = { - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:${builtins.toString config.services.alina.port}"; - }; - }; - - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - }; - }; - }; -} |
