From 477b38b94c4cb8bd57dd86bd3bf1c7fb47a633fa Mon Sep 17 00:00:00 2001 From: Felix Albrigtsen Date: Wed, 7 Jun 2023 20:23:49 +0200 Subject: [PATCH] Various fixes; wireguard, vaultwarden, cleanups --- hosts/voyager/configuration.nix | 2 + hosts/voyager/services/hedgedoc.nix | 38 +++++++++- hosts/voyager/services/jellyfin.nix | 1 + .../services/matrix/bridge-discord.nix | 33 +++++++++ hosts/voyager/services/postgres.nix | 2 + hosts/voyager/services/transmission.nix | 4 +- hosts/voyager/services/vaultwarden.nix | 69 +++++++++++++++++++ hosts/voyager/wireguard.nix | 22 ++++++ secrets/voyager/voyager.yaml | 10 ++- 9 files changed, 174 insertions(+), 7 deletions(-) create mode 100644 hosts/voyager/services/matrix/bridge-discord.nix create mode 100644 hosts/voyager/services/vaultwarden.nix create mode 100644 hosts/voyager/wireguard.nix diff --git a/hosts/voyager/configuration.nix b/hosts/voyager/configuration.nix index 5559aa7..99f0996 100644 --- a/hosts/voyager/configuration.nix +++ b/hosts/voyager/configuration.nix @@ -7,6 +7,7 @@ ../../common/metrics-exporters.nix ./hardware-configuration.nix ./filesystems.nix + ./wireguard.nix ./exports.nix #./vms.nix @@ -21,6 +22,7 @@ ./services/flame.nix ./services/gitea.nix ./services/hedgedoc.nix + ./services/vaultwarden.nix ./services/code-server.nix # TODO: # x Boot diff --git a/hosts/voyager/services/hedgedoc.nix b/hosts/voyager/services/hedgedoc.nix index b7ec9f1..2fa0c79 100644 --- a/hosts/voyager/services/hedgedoc.nix +++ b/hosts/voyager/services/hedgedoc.nix 
@@ -45,9 +45,41 @@ in { }; }; - systemd.services.hedgedoc.serviceConfig = { - WorkingDirectory = lib.mkForce "/var/lib/hedgedoc"; - StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ]; + systemd.services.hedgedoc = { + requires = [ + "postgresql.service" + "kanidm.service" + ]; + serviceConfig = let + workDir = "/var/lib/hedgedoc"; + in { + WorkingDirectory = lib.mkForce workDir; + StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ]; + + # Better safe than sorry :) + CapabilityBoundingSet = ""; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = [ workDir ]; + RemoveIPC = true; + RestrictSUIDSGID = true; + UMask = "0007"; + RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]; + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"; + }; }; networking.firewall.allowedTCPPorts = [ port ]; diff --git a/hosts/voyager/services/jellyfin.nix b/hosts/voyager/services/jellyfin.nix index 0cbc479..9e8bf40 100644 --- a/hosts/voyager/services/jellyfin.nix +++ b/hosts/voyager/services/jellyfin.nix @@ -10,6 +10,7 @@ in { }; services.nginx.virtualHosts."${domainName}" = { + serverAliases = [ "jf.feal.no" ]; extraConfig = '' add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options "nosniff"; diff --git a/hosts/voyager/services/matrix/bridge-discord.nix b/hosts/voyager/services/matrix/bridge-discord.nix new file mode 100644 index 0000000..0d5586c --- /dev/null +++ b/hosts/voyager/services/matrix/bridge-discord.nix 
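Review bot: `requires = [ "postgresql.service" "kanidm.service" ];` adds a dependency but no ordering, so hedgedoc can still be started concurrently with (or before) PostgreSQL and Kanidm and fail its first database/OIDC connection; add the matching `after = [ "postgresql.service" "kanidm.service" ];` next to it. In the same serviceConfig, `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]` is a one-element list holding a space-separated string; systemd accepts the resulting line, but the conventional form `[ "AF_UNIX" "AF_INET" "AF_INET6" ]` is what other NixOS modules use and what a reader expects. The enclosing `in { ... }` module body starts before this hunk.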
@@ -0,0 +1,33 @@ +{ config, pkgs, ... }: + +{ + services.mx-puppet-discord = { + enable = true; + + serviceDependencies = [ + "matrix-synapse.service" + "postgresql.service" + ]; + + settings = { + bridge = { + bindAddress = "localhost"; + domain = "feal.no"; + homeserverUrl = "https://matrix.feal.no"; + # homeserverUrl = "http://127.0.1.2:8008"; + + port = 8434; + enableGroupSync = true; + }; + + database.connString = "postgresql://mx-puppet-discord@localhost/mx-puppet-discord?sslmode=disable"; + + provisioning.whitelist = [ "@felixalb:feal\\.no" ]; + relay.whitelist = [ ".*" ]; + selfService.whitelist = [ "@felixalb:feal\\.no" ]; + + }; + }; + + services.matrix-synapse.settings.app_service_config_files = [ /var/lib/mx-puppet-discord/discord-registration.yaml ]; +} diff --git a/hosts/voyager/services/postgres.nix b/hosts/voyager/services/postgres.nix index 8f50842..6ab0020 100644 --- a/hosts/voyager/services/postgres.nix +++ b/hosts/voyager/services/postgres.nix @@ -5,12 +5,14 @@ /* enableTCPIP = true; # Expose on the network */ authentication = pkgs.lib.mkOverride 10 '' local gitea all ident map=gitea-users + local vaultwarden all ident map=vaultwarden-users local all all trust host all all 127.0.0.1/32 trust host all all ::1/128 trust ''; identMap = '' gitea-users gitea gitea + vaultwarden-users vaultwarden vaultwarden ''; }; diff --git a/hosts/voyager/services/transmission.nix b/hosts/voyager/services/transmission.nix index 6bfbb6c..9bf2007 100644 --- a/hosts/voyager/services/transmission.nix +++ b/hosts/voyager/services/transmission.nix @@ -2,8 +2,8 @@ let host = "127.0.1.2"; port = "5003"; - uid = 778; - gid = 778; + uid = config.ids.uids.transmission; + gid = config.ids.gids.transmission; in { sops.secrets."transmission/vpncreds" = { owner = "transmission"; diff --git a/hosts/voyager/services/vaultwarden.nix b/hosts/voyager/services/vaultwarden.nix new file mode 100644 index 0000000..91024c3 --- /dev/null +++ b/hosts/voyager/services/vaultwarden.nix 
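Review bot: `services.matrix-synapse.settings.app_service_config_files = [ /var/lib/mx-puppet-discord/discord-registration.yaml ];` uses a bare Nix path literal rather than a string; when the synapse settings are serialized, a path value is imported into the Nix store, which (unless the module special-cases this option) makes evaluation fail until the bridge has written the file and, worse, would copy the registration's `as_token`/`hs_token` into the world-readable store. Quote it: `[ "/var/lib/mx-puppet-discord/discord-registration.yaml" ]`. Separately, `relay.whitelist = [ ".*" ];` lets any Matrix user on any federated server use the relay; if that is intentional, a one-line comment saying so would keep the next reader from treating it as an oversight.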
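Review bot: The new `local vaultwarden all ident map=vaultwarden-users` rule only governs Unix-socket connections, but the vaultwarden service added in this same commit connects with `postgresql://vaultwarden@localhost/vaultwarden`, i.e. over TCP, which is matched by the pre-existing `host all all 127.0.0.1/32 trust` line and never consults the ident map (the mx-puppet-discord `connString` in this commit has the same shape). As written, any local process can open the vaultwarden database over loopback without authenticating, so the ident line is effectively decorative. Either point the services at the socket, e.g. `postgresql:///vaultwarden?host=/run/postgresql`, so the ident rules apply, or replace the loopback `trust` entries with `scram-sha-256` and provision passwords.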
@@ -0,0 +1,69 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.services.vaultwarden; + domain = "pw.feal.no"; + address = "127.0.0.1"; + port = 3011; # Note! The websocket port is left as default +in { + sops.secrets."vaultwarden/admintoken" = { + owner = "vaultwarden"; + group = "vaultwarden"; + }; + + services.vaultwarden = { + enable = true; + dbBackend = "postgresql"; + environmentFile = config.sops.secrets."vaultwarden/admintoken".path; + config = { + domain = "https://${domain}"; + + rocketAddress = address; + rocketPort = port; + websocketEnabled = true; + databaseUrl = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable"; + + signupsAllowed = false; + rocketLog = "critical"; + + # This example assumes a mailserver running on localhost, + # thus without transport encryption. + # If you use an external mail server, follow: + # https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration + /* SMTP_HOST = "127.0.0.1"; */ + /* SMTP_PORT = 25; */ + /* SMTP_SSL = false; */ + + /* SMTP_FROM = "admin@bitwarden.example.com"; */ + /* SMTP_FROM_NAME = "example.com Bitwarden server"; */ + + }; + }; + + + services.nginx.virtualHosts."${domain}" = { + extraConfig = '' + client_max_body_size 128M; + ''; + locations."/" = { + proxyPass = "http://${address}:${toString port}"; + proxyWebsockets = true; + }; + locations."/notifications/hub" = { + proxyPass = "http://localhost:3012"; + proxyWebsockets = true; + }; + locations."/notifications/hub/negotiate" = { + proxyPass = "http://${address}:${toString port}"; + proxyWebsockets = true; + }; + }; + services.postgresql = { + ensureDatabases = [ "vaultwarden" ]; + ensureUsers = [{ + name = "vaultwarden"; + ensurePermissions = { + "DATABASE \"vaultwarden\"" = "ALL PRIVILEGES"; + }; + }]; + }; +} diff --git a/hosts/voyager/wireguard.nix b/hosts/voyager/wireguard.nix new file mode 100644 index 0000000..56c2cf3 --- /dev/null +++ b/hosts/voyager/wireguard.nix 
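Review bot: `environmentFile = config.sops.secrets."vaultwarden/admintoken".path;` hands the decrypted secret to systemd as an EnvironmentFile, which must be in `KEY=VALUE` form; from the secret's name it is not clear whether the plaintext is `ADMIN_TOKEN=...` or the bare token, and in the latter case vaultwarden would most likely start with no admin token at all, so a comment next to the line stating the expected file contents (`# sops secret must be an env file: ADMIN_TOKEN=...`) is warranted. If the deployed vaultwarden version supports it, store the token as an argon2 PHC hash (`vaultwarden hash`) instead of plaintext so the secret file does not hold a directly usable credential. The `/admin` panel is reachable through the public nginx vhost via `locations."/"`; consider an `allow`/`deny` block or VPN-only access for `/admin`, since it bypasses the normal user login.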
@@ -0,0 +1,22 @@ +{ config, pkgs, lib, ... }: +let + port = 51820; + endpoint = "vpn.feal.no:51820"; + publicKey = "ct2FBeSSt0u38tFMv61aVpGwdcJvXi1Q0sV0zCNH7xU="; +in { + sops.secrets."wireguard/wg0/private" = {}; + + networking.firewall.allowedUDPPorts = [ port ]; + networking.wireguard.interfaces.wg0 = { + ips = [ "10.100.0.2/24" ]; + listenPort = port; + privateKeyFile = config.sops.secrets."wireguard/wg0/private".path; + peers = [ + { + inherit endpoint publicKey; + allowedIPs = [ "10.100.0.0/24" ]; + persistentKeepalive = 25; + } + ]; + }; +} diff --git a/secrets/voyager/voyager.yaml b/secrets/voyager/voyager.yaml index 510a485..5ef4acf 100644 --- a/secrets/voyager/voyager.yaml +++ b/secrets/voyager/voyager.yaml @@ -15,6 +15,12 @@ transmission: matrix: synapse: registrationsecret: ENC[AES256_GCM,data:lrj4itbDdfwSJYlvgYbWy2bcgNj69DJA2gzLUiN2AINRfoprsZI7kbNvJO0E2FVPWrfcB6HSHqomgIi6G+77NoyPOSTzzI6aHMvt4Ups6/KpQFpR2QV3VykzADoagWs=,iv:GiuT4lAD8/ZPgTVwXUaHmjSvzHqnGPzAuwxFBlzU8O0=,tag:79tuTluST8E6gigm9Z7nEQ==,type:str] +wireguard: + wg0: + public: ENC[AES256_GCM,data:jKkYH9giZJ09/hFWF0UgM8TSvQ/qrkSbhCOhHG5Ze2WI8MLZaNzZMQSgWHM=,iv:VI48j/DzQez+L4oW2vUHj8FqDpTAd5P/71ih4D/3I54=,tag:9m23ruMSkFsTbxj9dAD9eg==,type:str] + private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str] +vaultwarden: + admintoken: ENC[AES256_GCM,data:mJDiu0tgJQmvmJcJMULmctJvPN6/uM9VaoigHOMFkve9Vd3IMrpDmyJq+ibLpul+hw4PlLARjRzOxdZVcX7AB+uOOOrypppOIfvYC6U=,iv:YcyYLEHeIsCchcEy+fOMiQi8Cgf24AwQDpL7fhogNEU=,tag:1SqpNvuPhfjYIjvvRV34/Q==,type:str] sops: kms: [] gcp_kms: [] 
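Review bot: `networking.firewall.allowedUDPPorts = [ port ];` opens 51820 inbound on every interface, but this peer block dials a fixed `endpoint` with `persistentKeepalive = 25`, which is the client-side shape; unless some peer initiates to this host, both the firewall opening and the pinned `listenPort = port;` can be dropped so the kernel picks an ephemeral port and nothing new is exposed. If inbound really is intended, a one-line comment naming the peer that connects in would make that explicit. `sops.secrets."wireguard/wg0/private" = {};` leaves the key root-owned 0400, which matches `networking.wireguard` running its setup as root, so that part looks right.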
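Review bot: `wireguard.wg0.public` is stored encrypted next to the private key, but nothing in this commit reads it (wireguard.nix only declares `wireguard/wg0/private`) and a WireGuard public key is not sensitive, so keeping it here only adds a decrypt round-trip whenever it has to be handed to a peer. Either drop it or keep it in plain text, for example as a `public_unencrypted` key (the file already sets `unencrypted_suffix: _unencrypted`) or as a comment in wireguard.nix.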
@@ -39,8 +45,8 @@ sops: THFRNjZXc0RsS0xKK1BkeEU1UzA4MW8KgOIQyL6A9u+Ii8zYkHJDWVAG/EEc61Qh u+VFyGB7esTG56G19u1aCHB/NUxG5HYMG/DEqH/SyCyKUvHrXjEF4g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-11T22:37:33Z" - mac: ENC[AES256_GCM,data:05Q2/Don1WbgncRQhS1XXJ/l+sH+YJQSUkDPJip798OiFwp/5/C19dS8Z9vXPtCp/96iisfsxfSY3OK/AhaXhhKKze1GQ5oqJnfp8ECE4N70SVy302eRF0rAR8XQQOGiur+JUP4KWYs4rNPAlMJYcppeSu3TeO+yGw+O7CGZuBs=,iv:k1Ab086i4Rur0bt8J5HY35rUax9LXpTnuw+TUoQCrI8=,tag:k9ar+YV2cIHRKdJj2dqdgA==,type:str] + lastmodified: "2023-05-19T20:43:42Z" + mac: ENC[AES256_GCM,data:GcQWXYMLlLIdygoiA03VryxVpIeeYn3vvrMmARTyLNmuLniq14Ut/IFP7KB50jDAiUVsgO4gpKDAWx53ZijpJo5JY4Ec49o4TEqfSh764dtRPYhwazrLl/Y+lwAT3H5p2jeTuo0a6k9u2uxwnJ/OV9DFikkRp+yJLMtqwTGj9KU=,iv:rOCZbQtORczrbG3KZAebn61p2SHTeX+zmgJEfQuCd4o=,tag:vDkPNhDKoVmZr8WA3s32nA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3