Various fixes; wireguard, vaultwarden, cleanups

This commit is contained in:
Felix Albrigtsen 2023-06-07 20:23:49 +02:00
parent 4e8eacce37
commit 477b38b94c
9 changed files with 174 additions and 7 deletions

View File

@ -7,6 +7,7 @@
../../common/metrics-exporters.nix
./hardware-configuration.nix
./filesystems.nix
./wireguard.nix
./exports.nix
#./vms.nix
@ -21,6 +22,7 @@
./services/flame.nix
./services/gitea.nix
./services/hedgedoc.nix
./services/vaultwarden.nix
./services/code-server.nix
# TODO:
# x Boot

View File

@ -45,9 +45,41 @@ in {
};
};
systemd.services.hedgedoc.serviceConfig = {
WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
systemd.services.hedgedoc = {
requires = [
"postgresql.service"
"kanidm.service"
];
serviceConfig = let
workDir = "/var/lib/hedgedoc";
in {
WorkingDirectory = lib.mkForce workDir;
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [ workDir ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
};
};
networking.firewall.allowedTCPPorts = [ port ];

View File

@ -10,6 +10,7 @@ in {
};
services.nginx.virtualHosts."${domainName}" = {
serverAliases = [ "jf.feal.no" ];
extraConfig = ''
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";

View File

@ -0,0 +1,33 @@
{ config, pkgs, ... }:
{
services.mx-puppet-discord = {
enable = true;
serviceDependencies = [
"matrix-synapse.service"
"postgresql.service"
];
settings = {
bridge = {
bindAddress = "localhost";
domain = "feal.no";
homeserverUrl = "https://matrix.feal.no";
# homeserverUrl = "http://127.0.1.2:8008";
port = 8434;
enableGroupSync = true;
};
database.connString = "postgresql://mx-puppet-discord@localhost/mx-puppet-discord?sslmode=disable";
provisioning.whitelist = [ "@felixalb:feal\\.no" ];
relay.whitelist = [ ".*" ];
selfService.whitelist = [ "@felixalb:feal\\.no" ];
};
};
services.matrix-synapse.settings.app_service_config_files = [ /var/lib/mx-puppet-discord/discord-registration.yaml ];
}

View File

@ -5,12 +5,14 @@
/* enableTCPIP = true; # Expose on the network */
authentication = pkgs.lib.mkOverride 10 ''
local gitea all ident map=gitea-users
local vaultwarden all ident map=vaultwarden-users
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
identMap = ''
gitea-users gitea gitea
vaultwarden-users vaultwarden vaultwarden
'';
};

View File

@ -2,8 +2,8 @@
let
host = "127.0.1.2";
port = "5003";
uid = 778;
gid = 778;
uid = config.ids.uids.transmission;
gid = config.ids.gids.transmission;
in {
sops.secrets."transmission/vpncreds" = {
owner = "transmission";

View File

@ -0,0 +1,69 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.vaultwarden;
domain = "pw.feal.no";
address = "127.0.0.1";
port = 3011; # Note! The websocket port is left as default
in {
sops.secrets."vaultwarden/admintoken" = {
owner = "vaultwarden";
group = "vaultwarden";
};
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = config.sops.secrets."vaultwarden/admintoken".path;
config = {
domain = "https://${domain}";
rocketAddress = address;
rocketPort = port;
websocketEnabled = true;
databaseUrl = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable";
signupsAllowed = false;
rocketLog = "critical";
# This example assumes a mailserver running on localhost,
# thus without transport encryption.
# If you use an external mail server, follow:
# https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
/* SMTP_HOST = "127.0.0.1"; */
/* SMTP_PORT = 25; */
/* SMTP_SSL = false; */
/* SMTP_FROM = "admin@bitwarden.example.com"; */
/* SMTP_FROM_NAME = "example.com Bitwarden server"; */
};
};
services.nginx.virtualHosts."${domain}" = {
extraConfig = ''
client_max_body_size 128M;
'';
locations."/" = {
proxyPass = "http://${address}:${toString port}";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://${address}:${toString port}";
proxyWebsockets = true;
};
};
services.postgresql = {
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [{
name = "vaultwarden";
ensurePermissions = {
"DATABASE \"vaultwarden\"" = "ALL PRIVILEGES";
};
}];
};
}

View File

@ -0,0 +1,22 @@
{ config, pkgs, lib, ... }:
let
port = 51820;
endpoint = "vpn.feal.no:51820";
publicKey = "ct2FBeSSt0u38tFMv61aVpGwdcJvXi1Q0sV0zCNH7xU=";
in {
sops.secrets."wireguard/wg0/private" = {};
networking.firewall.allowedUDPPorts = [ port ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.100.0.2/24" ];
listenPort = port;
privateKeyFile = config.sops.secrets."wireguard/wg0/private".path;
peers = [
{
inherit endpoint publicKey;
allowedIPs = [ "10.100.0.0/24" ];
persistentKeepalive = 25;
}
];
};
}

View File

@ -15,6 +15,12 @@ transmission:
matrix:
synapse:
registrationsecret: ENC[AES256_GCM,data:lrj4itbDdfwSJYlvgYbWy2bcgNj69DJA2gzLUiN2AINRfoprsZI7kbNvJO0E2FVPWrfcB6HSHqomgIi6G+77NoyPOSTzzI6aHMvt4Ups6/KpQFpR2QV3VykzADoagWs=,iv:GiuT4lAD8/ZPgTVwXUaHmjSvzHqnGPzAuwxFBlzU8O0=,tag:79tuTluST8E6gigm9Z7nEQ==,type:str]
wireguard:
wg0:
public: ENC[AES256_GCM,data:jKkYH9giZJ09/hFWF0UgM8TSvQ/qrkSbhCOhHG5Ze2WI8MLZaNzZMQSgWHM=,iv:VI48j/DzQez+L4oW2vUHj8FqDpTAd5P/71ih4D/3I54=,tag:9m23ruMSkFsTbxj9dAD9eg==,type:str]
private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
vaultwarden:
admintoken: ENC[AES256_GCM,data:mJDiu0tgJQmvmJcJMULmctJvPN6/uM9VaoigHOMFkve9Vd3IMrpDmyJq+ibLpul+hw4PlLARjRzOxdZVcX7AB+uOOOrypppOIfvYC6U=,iv:YcyYLEHeIsCchcEy+fOMiQi8Cgf24AwQDpL7fhogNEU=,tag:1SqpNvuPhfjYIjvvRV34/Q==,type:str]
sops:
kms: []
gcp_kms: []
@ -39,8 +45,8 @@ sops:
THFRNjZXc0RsS0xKK1BkeEU1UzA4MW8KgOIQyL6A9u+Ii8zYkHJDWVAG/EEc61Qh
u+VFyGB7esTG56G19u1aCHB/NUxG5HYMG/DEqH/SyCyKUvHrXjEF4g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-11T22:37:33Z"
mac: ENC[AES256_GCM,data:05Q2/Don1WbgncRQhS1XXJ/l+sH+YJQSUkDPJip798OiFwp/5/C19dS8Z9vXPtCp/96iisfsxfSY3OK/AhaXhhKKze1GQ5oqJnfp8ECE4N70SVy302eRF0rAR8XQQOGiur+JUP4KWYs4rNPAlMJYcppeSu3TeO+yGw+O7CGZuBs=,iv:k1Ab086i4Rur0bt8J5HY35rUax9LXpTnuw+TUoQCrI8=,tag:k9ar+YV2cIHRKdJj2dqdgA==,type:str]
lastmodified: "2023-05-19T20:43:42Z"
mac: ENC[AES256_GCM,data:GcQWXYMLlLIdygoiA03VryxVpIeeYn3vvrMmARTyLNmuLniq14Ut/IFP7KB50jDAiUVsgO4gpKDAWx53ZijpJo5JY4Ec49o4TEqfSh764dtRPYhwazrLl/Y+lwAT3H5p2jeTuo0a6k9u2uxwnJ/OV9DFikkRp+yJLMtqwTGj9KU=,iv:rOCZbQtORczrbG3KZAebn61p2SHTeX+zmgJEfQuCd4o=,tag:vDkPNhDKoVmZr8WA3s32nA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3