diff --git a/.sops.yaml b/.sops.yaml index 5440fce..22aa91b 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,7 +2,6 @@ keys: - &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw - &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu - - &host_sarek age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 creation_rules: @@ -26,10 +25,3 @@ creation_rules: - age: - *host_defiant - *user_felixalb - - - path_regex: secrets/sarek/[^/]+\.yaml$ - key_groups: - - age: - - *host_sarek - - *user_felixalb_old - - *user_felixalb diff --git a/flake.nix b/flake.nix index d05abf1..25639fe 100644 --- a/flake.nix +++ b/flake.nix @@ -92,24 +92,6 @@ } ]; }; - sarek = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { - inherit inputs; - }; - modules = [ - # Overlays-module makes "pkgs.unstable" available in configuration.nix - ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) - - ./hosts/sarek/configuration.nix - sops-nix.nixosModules.sops - home-manager.nixosModules.home-manager { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users."felixalb" = import ./hosts/sarek/home.nix; - } - ]; - }; redshirt = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix index 2be9052..776c5c0 100644 --- a/hosts/defiant/configuration.nix +++ b/hosts/defiant/configuration.nix @@ -10,6 +10,9 @@ ./services/postgresql.nix ./services/nginx.nix ./services/matrix-synapse.nix + ./services/flame.nix + ./services/hedgedoc.nix + ./services/pihole.nix ]; networking = { diff --git a/hosts/defiant/hardware-configuration.nix b/hosts/defiant/hardware-configuration.nix index 48638cd..05ce9bc 100644 
--- a/hosts/defiant/hardware-configuration.nix +++ b/hosts/defiant/hardware-configuration.nix @@ -4,26 +4,29 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/DDDC-5C0C"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/DDDC-5C0C"; + fsType = "vfat"; + }; - swapDevices = [ ]; + swapDevices = [ { + device = "/swapfile"; + size = 8*1024; + } ]; networking.useDHCP = lib.mkDefault false; # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; diff --git a/hosts/defiant/services/flame.nix b/hosts/defiant/services/flame.nix new file mode 100644 index 0000000..c7e7659 --- /dev/null +++ b/hosts/defiant/services/flame.nix @@ -0,0 +1,22 @@ +{ config, pkgs, lib, ... }: +let + domain = "flame.home.feal.no"; + host = "127.0.1.2"; + port = "5005"; +in { + # Flame - Homelab dashboard/linktree + virtualisation.oci-containers.containers = { + flame = { + image = "pawelmalak/flame"; + ports = [ "${host}:${port}:5005" ]; + volumes = [ + "/var/lib/flame/data:/app/data/" + ]; + }; + }; + + services.nginx.virtualHosts."${domain}" = { + locations."/".proxyPass = "http://${host}:${port}"; + }; +} + diff --git a/hosts/defiant/services/hedgedoc.nix b/hosts/defiant/services/hedgedoc.nix new file mode 100644 index 0000000..e5b50ce --- /dev/null +++ b/hosts/defiant/services/hedgedoc.nix 
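Review bot: `image = "pawelmalak/flame";` in the new flame.nix carries no tag or digest, so every pull resolves to `latest` and the dashboard that actually runs can change on any rebuild without a matching change in this repo; the same applies to `image = "pihole/pihole";` in the new pihole.nix. Pinning keeps the container under the same review as the rest of the flake, e.g. `image = "pawelmalak/flame:<pinned-tag>@sha256:<digest>";` (placeholders to be filled from the registry). The `flame.home.feal.no` vhost inherits the default nginx listener, which nginx.nix binds to 192.168.10.175:80 without TLS; if that vhost is meant to stay internal, a one-line comment saying so next to `services.nginx.virtualHosts` would separate it clearly from the publicly listening hosts declared in nginx.nix.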
@@ -0,0 +1,117 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.services.hedgedoc.settings; + domain = "md.feal.no"; + port = 3300; + host = "127.0.1.2"; + authServerUrl = "https://auth.feal.no"; +in { + # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET + sops.secrets."hedgedoc/env" = { + restartUnits = [ "hedgedoc.service" ]; + }; + + services.hedgedoc = { + enable = true; + environmentFile = config.sops.secrets."hedgedoc/env".path; + settings = { + inherit domain port host; + protocolUseSSL = true; + sessionSecret = "$CMD_SESSION_SECRET"; + + allowFreeURL = true; + allowAnonymous = false; + allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission + + # dbURL = "postgres://hedgedoc@localhost/hedgedoc"; + db = { + username = "hedgedoc"; + database = "hedgedoc"; + host = "/run/postgresql"; + dialect = "postgresql"; + }; + + email = false; + oauth2 = { + baseURL = "${authServerUrl}/oauth2"; + tokenURL = "${authServerUrl}/oauth2/token"; + authorizationURL = "${authServerUrl}/ui/oauth2"; + userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo"; + + clientID = "hedgedoc"; + clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; + scope = "openid email profile"; + userProfileUsernameAttr = "name"; + userProfileEmailAttr = "email"; + userProfileDisplayNameAttr = "displayname"; + + providerName = "KaniDM"; + }; + }; + }; + + systemd.services.hedgedoc = { + requires = [ + "postgresql.service" + # "kanidm.service" + ]; + serviceConfig = let + workDir = "/var/lib/hedgedoc"; + in { + WorkingDirectory = lib.mkForce workDir; + StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ]; + + # Better safe than sorry :) + CapabilityBoundingSet = ""; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + 
ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = [ workDir ]; + RemoveIPC = true; + RestrictSUIDSGID = true; + UMask = "0007"; + RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]; + SystemCallArchitectures = "native"; + # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"; + }; + }; + + services.postgresql = { + ensureDatabases = [ "hedgedoc" ]; + ensureUsers = [{ + name = "hedgedoc"; + ensureDBOwnership = true; + }]; + }; + + services.nginx.virtualHosts."${domain}" = { + listen = [ + { addr = "192.168.10.175"; port = 43443; ssl = true; } + { addr = "192.168.10.175"; port = 43080; ssl = false; } + ]; + + enableACME = true; + forceSSL = true; + + locations = { + "/" = { + proxyPass = "http://${host}:${toString port}"; + }; + "/socket.io" = { + proxyPass = "http://${host}:${toString port}"; + proxyWebsockets = true; + }; + }; + }; +} diff --git a/hosts/defiant/services/nginx.nix b/hosts/defiant/services/nginx.nix index 8ef3566..e15e7c5 100644 --- a/hosts/defiant/services/nginx.nix +++ b/hosts/defiant/services/nginx.nix @@ -12,7 +12,7 @@ defaultListen = [ { addr = "192.168.10.175"; - port = "80"; + port = 80; ssl = false; } ]; @@ -27,4 +27,22 @@ acceptTerms = true; defaults.email = "felix@albrigtsen.it"; }; + + # Publicly exposed services: + + services.nginx.virtualHosts = let + publicProxy = upstream: { + listen = [ + { addr = "192.168.10.175"; port = 43443; ssl = true; } + { addr = "192.168.10.175"; port = 43080; ssl = false; } + ]; + enableACME = true; + forceSSL = true; + + locations."/".proxyPass = "${upstream}"; + }; + in { + "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/"; + # "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/"; + }; } diff --git a/hosts/defiant/services/pihole.nix b/hosts/defiant/services/pihole.nix new file mode 100644 index 0000000..b869826 --- /dev/null 
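Review bot: `requires = [ "postgresql.service" ];` in the new `systemd.services.hedgedoc` block pulls the database in but does not order against it: `Requires=` without `After=` lets both units start in parallel, so on boot hedgedoc can race its first connection to `/run/postgresql` unless the upstream module already declares an `after` on postgresql (not visible here); add `after = [ "postgresql.service" ];` beside `requires`. `cfg = config.services.hedgedoc.settings;` in the `let` is never used and can be dropped. `SystemCallFilter` is left commented out, so the otherwise thorough sandbox still allows the full syscall surface; if a filter was tried and broke the service, a comment recording which group caused the failure would save the next attempt.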
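Review bot: `publicProxy` in the new `services.nginx.virtualHosts` block sets only `locations."/".proxyPass`, so a websocket-based upstream receives no `Upgrade`/`Connection` headers; Jellyfin keeps a websocket session open for real-time state, so `"jf.feal.no"` likely needs `locations."/".proxyWebsockets = true;` (the hedgedoc vhost in hedgedoc.nix already does this for `/socket.io`). The public listeners sit on 43443/43080 with `enableACME = true`, which presumably depends on 80/443 being forwarded to those ports from outside for the HTTP-01 challenge; a comment on the `listen` entries stating where that forward lives would explain the non-standard ports. The same two-entry `listen` list is duplicated verbatim in hedgedoc.nix, so a shared definition would keep the public-exposure ports in one place.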
+++ b/hosts/defiant/services/pihole.nix @@ -0,0 +1,30 @@ +{ config, pkgs, lib, ... }: +let + domain = "pihole.home.feal.no"; + dnsHost = "192.168.10.175"; + webuiListen = "127.0.1.2:5053"; +in { + # Flame - Homelab dashboard/linktree + virtualisation.oci-containers.containers = { + pihole = { + image = "pihole/pihole"; + ports = [ + "${dnsHost}:53:53/tcp" + "${dnsHost}:53:53/udp" + "${webuiListen}:80" + ]; + + environment.TZ = "Europe/Oslo"; + + volumes = [ + "/var/lib/pihole/etc:/etc/pihole" + "/var/lib/pihole/dnsmasq:/etc/dnsmasq.d" + ]; + }; + }; + + services.nginx.virtualHosts."${domain}" = { + locations."/".proxyPass = "http://${webuiListen}"; + }; +} + diff --git a/hosts/defiant/services/postgresql.nix b/hosts/defiant/services/postgresql.nix index 83b4285..a8d8d4f 100644 --- a/hosts/defiant/services/postgresql.nix +++ b/hosts/defiant/services/postgresql.nix @@ -6,12 +6,11 @@ }; services.postgresqlBackup = { - enable = true; + # enable = true; location = "/data/backup/postgresql/"; startAt = "*-*-* 03:15:00"; backupAll = true; }; - environment.systemPackages = [ config.services.postgresql.package ]; } diff --git a/hosts/sarek/configuration.nix b/hosts/sarek/configuration.nix deleted file mode 100644 index 22eebbe..0000000 --- a/hosts/sarek/configuration.nix +++ /dev/null 
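Review bot: The header comment `# Flame - Homelab dashboard/linktree` in the new pihole.nix was carried over from flame.nix and describes the wrong service; replace it with something like `# Pi-hole - LAN DNS sinkhole: DNS on ${dnsHost}:53, admin UI on ${webuiListen} behind nginx`. Publishing 53 on the LAN address while keeping the admin UI on loopback is the right split. No admin password is set through `environment` here, so it comes from whatever is persisted under `/var/lib/pihole/etc` (or, on a fresh volume, whatever the image generates at first start); a short comment confirming that this is intentional would stop a later reader from reading it as an omission.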
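Review bot: Commenting out `enable = true;` in `services.postgresqlBackup` silently disables the scheduled dump of every database on this host in the same commit that adds the hedgedoc database to it, and the remaining `location`/`startAt`/`backupAll` lines become dead configuration. If this is deliberate (for example because the backup location is not available on defiant yet), record the reason next to the change, e.g. `# enable = true; # TODO(review): re-enable once <backup-target> is available on defiant`; otherwise keep the backup enabled and adjust `location` instead.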
@@ -1,54 +0,0 @@ -{ config, pkgs, lib, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ../../base.nix - ../../common/metrics-exporters.nix - - ./services/flame.nix - ./services/hedgedoc.nix - ./services/nginx.nix - ./services/postgresql.nix - ]; - - # Boot and console is handled by proxmoxLXC. - boot.loader.systemd-boot.enable = lib.mkForce false; # Enabled in base.nix, forced off here. - - # Override proxmox networking - proxmoxLXC.manageNetwork = true; - networking = { - hostName = "sarek"; - defaultGateway = "192.168.10.1"; - interfaces."eth0".ipv4 = { - addresses = [ - { address = "192.168.10.181"; prefixLength = 24; } - ]; - }; - hostId = "15dd36bc"; - }; - - sops.defaultSopsFile = ../../secrets/sarek/sarek.yaml; - virtualisation.docker.enable = true; - virtualisation.oci-containers.backend = "docker"; - - # Undo https://github.com/NixOS/nixpkgs/commit/59e37267556eb917146ca3110ab7c96905b9ffbd to work on unprivileged LXC containers - system.activationScripts.var = lib.mkForce '' - # Various log/runtime directories. - mkdir -p /var/tmp - chmod 1777 /var/tmp - # Empty, immutable home directory of many system accounts. - mkdir -p /var/empty - # Make sure it's really empty - ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true - find /var/empty -mindepth 1 -delete - chmod 0555 /var/empty - chown root:root /var/empty - ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true - ''; - systemd.tmpfiles.rules = lib.mkForce []; - - system.stateVersion = "23.05"; -} - diff --git a/hosts/sarek/home.nix b/hosts/sarek/home.nix deleted file mode 100644 index bb390ad..0000000 --- a/hosts/sarek/home.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ pkgs, lib, ... }: -{ - home.packages = with pkgs; [ - bat - bottom - ncdu - neofetch - nix-index - ]; - - imports = [ - ./../../home/base.nix - ]; - - programs = { - zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; - }; - - home.stateVersion = "23.05"; -} 
diff --git a/hosts/sarek/services/flame.nix b/hosts/sarek/services/flame.nix deleted file mode 100644 index 455f8d1..0000000 --- a/hosts/sarek/services/flame.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, pkgs, lib, ... }: -let - domain = "flame.home.feal.no"; - host = "127.0.1.2"; - port = "5005"; -in { - # Flame - Homelab dashboard/linktree - virtualisation.oci-containers.containers = { - flame = { - image = "pawelmalak/flame"; - ports = [ "${host}:${port}:5005" ]; - volumes = [ - "/var/lib/flame/data:/app/data/" - ]; - }; - }; - - services.nginx.virtualHosts."${domain}" = { - locations."/" = { - proxyPass = "http://${host}:${port}"; - }; - }; - } - diff --git a/hosts/sarek/services/hedgedoc.nix b/hosts/sarek/services/hedgedoc.nix deleted file mode 100644 index a63a238..0000000 --- a/hosts/sarek/services/hedgedoc.nix +++ /dev/null 
@@ -1,94 +0,0 @@ -{ config, pkgs, lib, ... }: -let - cfg = config.services.hedgedoc.settings; - domain = "md.feal.no"; - port = 3300; - host = "0.0.0.0"; - authServerUrl = "https://auth.feal.no"; -in { - # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET - sops.secrets."hedgedoc/env" = { - restartUnits = [ "hedgedoc.service" ]; - }; - - services.hedgedoc = { - enable = true; - environmentFile = config.sops.secrets."hedgedoc/env".path; - settings = { - inherit domain port host; - protocolUseSSL = true; - sessionSecret = "$CMD_SESSION_SECRET"; - - allowFreeURL = true; - allowAnonymous = false; - allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission - - dbURL = "postgres://hedgedoc:@localhost/hedgedoc"; - - email = false; - oauth2 = { - baseURL = "${authServerUrl}/oauth2"; - tokenURL = "${authServerUrl}/oauth2/token"; - authorizationURL = "${authServerUrl}/ui/oauth2"; - userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo"; - - clientID = "hedgedoc"; - clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; - scope = "openid email profile"; - userProfileUsernameAttr = "name"; - userProfileEmailAttr = "email"; - userProfileDisplayNameAttr = "displayname"; - - providerName = "KaniDM"; - }; - - }; - }; - - systemd.services.hedgedoc = { - requires = [ - "postgresql.service" - # "kanidm.service" - ]; - serviceConfig = let - workDir = "/var/lib/hedgedoc"; - in { - WorkingDirectory = lib.mkForce workDir; - StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ]; - - # Better safe than sorry :) - CapabilityBoundingSet = ""; - LockPersonality = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateMounts = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProtectSystem = "strict"; - ReadWritePaths = [ workDir ]; - RemoveIPC = true; 
- RestrictSUIDSGID = true; - UMask = "0007"; - RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]; - SystemCallArchitectures = "native"; - # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"; - }; - }; - - networking.firewall.allowedTCPPorts = [ port ]; - - services.postgresql = { - ensureDatabases = [ "hedgedoc" ]; - ensureUsers = [{ - name = "hedgedoc"; - ensureDBOwnership = true; - }]; - }; -} diff --git a/hosts/sarek/services/nginx.nix b/hosts/sarek/services/nginx.nix deleted file mode 100644 index 4c376d7..0000000 --- a/hosts/sarek/services/nginx.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, values, ... }: -{ - services.nginx = { - enable = true; - enableReload = true; - - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - /* security.acme = { */ - /* acceptTerms = true; */ - /* email = "felix@albrigtsen.it"; */ - /* }; */ -} diff --git a/hosts/sarek/services/postgresql.nix b/hosts/sarek/services/postgresql.nix deleted file mode 100644 index c7c804b..0000000 --- a/hosts/sarek/services/postgresql.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ config, pkgs, lib, ... }: -{ - services.postgresql = { - enable = true; - enableTCPIP = true; # Expose on the network - authentication = pkgs.lib.mkOverride 10 '' - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - ''; - }; - - services.postgresqlBackup = { - enable = true; - location = "/backup/postgresql/"; - startAt = "*-*-* 03:15:00"; - backupAll = true; - }; - - - environment.systemPackages = [ config.services.postgresql.package ]; -} diff --git a/hosts/worf/configuration.nix b/hosts/worf/configuration.nix index b8f6351..6b7af8d 100644 --- a/hosts/worf/configuration.nix +++ b/hosts/worf/configuration.nix 
@@ -34,7 +34,7 @@ sshKey = "/var/root/.ssh/nix-builder"; } { - hostName = "sarek.home.feal.no"; + hostName = "defiant.home.feal.no"; system = "x86_64-linux"; maxJobs = 6; diff --git a/secrets/defiant/defiant.yaml b/secrets/defiant/defiant.yaml index eb1e2a5..7678531 100644 --- a/secrets/defiant/defiant.yaml +++ b/secrets/defiant/defiant.yaml @@ -1,6 +1,8 @@ matrix: synapse: registrationsecret: ENC[AES256_GCM,data:6gRW6t080VSyNRAmIrMqXL/oj7dj0JbcQekG3lac7zcdvJbgkUaqEGoWdrym2XiEOSLBOVMthnpLdalC2wcyJdmxB7xMNsYS4RfjR3PMKIo1Ap7JSmuKBl3eeaOalHk=,iv:dZl4/qFMoqEbSwL4JF/sjG21e6DuKVxbXwrGHkxfW4U=,tag:LWdCcmUUeTO4YAHkHOSJuw==,type:str] +hedgedoc: + env: ENC[AES256_GCM,data:7UU8MNo3AEpG1L0lpbfow4mGsIj7qMgtldCxv2T8rimintl1PN+avb2yxXz2P+1MqxNhacYYfBn5AkVqUJvAvo/HaQmsu+M1iFuMG6vEQuMGZZ1bjcslKxjVFWe9Rxzb9O33jqielsBiUmkP7f0MoGzfdyncpRuGjge+ADL7YXdRdH2zyDLW0txM3P593MQYiGo9wzwb7ZpycX4NsuE=,iv:4QE4RwD6c7KQS/w15YP/P2u7iOTWd36/YhpA2Jtdu0U=,tag:QBvO3q5C9TK0oSeso367/Q==,type:str] sops: kms: [] gcp_kms: [] @@ -25,8 +27,8 @@ sops: RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-24T17:26:56Z" - mac: ENC[AES256_GCM,data:lj6GLwoKmDyZ7Gs7X4LOl531jHXn/yiollTFtKNTRfXKoayg40edWuyZR4eQBUWyjmznWeWSB7DT4L82S5DX6NNEqzBFMBlPFrz6DLDfWW/nMdmHW3l7tPxydm8BbmVi1kvp6W7JnHeA3dTaHyMaq5mwwPxhui64joN7964ABWA=,iv:TeESIqgS4ml7cYERq8+NItIjU+HLuxhXdzGMErcSrjg=,tag:fCIHhf77O6SjY9KjHVdrYw==,type:str] + lastmodified: "2023-12-24T23:15:29Z" + mac: ENC[AES256_GCM,data:h+omoqeN7ssm7lfF/kdUCX7umQwWtTeph2C9tJQEAP7naL+Sm5WgXl/6PYHjjDSJ8X56tQgNdA2F5P5xIwTEfi6ip0Xbqy9vL+TfqjRhaT897O9W3Gka0zKTIkLFH2klgv3FXRd1CybxfyZpuz8Gpyy/tHZMcdIbEt+snlAII/A=,iv:+MgU7SfErnTMc63liEr8SmJLAthlbG8kU/xY6fUC7jU=,tag:I56xwXpVOF38QelGqW0XPg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1