leonard: add www-feal-no. add www-kinealbrigtsen-no. configure outgoing firewall

hosts/leonard/configuration.nix

@@ -7,6 +7,12 @@
       ../../common/metrics-exporters.nix
       ../../common/auto-upgrade.nix
       ./hardware-configuration.nix
+
+      ./services/nginx.nix
+      ./services/mysql.nix
+
+      ./services/www-feal-no
+      ./services/www-kinealbrigtsen-no.nix
   ];
 
   boot.loader.systemd-boot.enable = lib.mkForce false;
@@ -23,6 +29,16 @@
       ];
     };
     hostId = "b99c12d1";
+
+    # Prepend the following output rules to disallow talking to other devices on LAN
+    firewall.extraCommands = lib.strings.concatLines ([
+      "iptables -F OUTPUT"
+    ] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
+      "iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
+      "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
+      "iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
+      "iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
+    ]);
   };
 
   sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;

hosts/leonard/services/mysql.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+  };
+
+  # TODO: services.mysqlBackup
+}

hosts/leonard/services/nginx.nix

@@ -0,0 +1,19 @@
+{ config, values, ... }:
+{
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "felix@albrigtsen.it";
+  };
+}

hosts/leonard/services/www-feal-no/default.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.nginx.virtualHosts."feal.no" = {
+    default = true;
+
+    serverAliases = [
+      "www.feal.no"
+    ];
+
+    locations = {
+      # TODO: Reinstate actual website
+      "/".return = "302 https://git.feal.no/";
+
+      "^~ /.well-known/" = {
+        alias = (toString ./well-known) + "/";
+      };
+
+      "/cc/" = {
+        alias = "${pkgs.cyberchef}/share/cyberchef/";
+        index = "index.html";
+      };
+      "= /cc".return = "302 /cc/";
+    };
+  };
+}

hosts/leonard/services/www-feal-no/well-known/matrix/client

@@ -0,0 +1,5 @@
+{
+	"m.homeserver": {
+		"base_url": "https://matrix.feal.no:443"
+	}
+}

hosts/leonard/services/www-feal-no/well-known/matrix/server

@@ -0,0 +1 @@
+{"m.server": "matrix.feal.no:443"}

hosts/leonard/services/www-kinealbrigtsen-no.nix

@@ -0,0 +1,95 @@
+{ config, pkgs, lib, ... }:
+
+{
+  users.users.www-kinealbrigtsen-no = {
+    isSystemUser = true;
+    group = "www-kinealbrigtsen-no";
+  };
+
+  users.groups.www-kinealbrigtsen-no = { };
+
+  services.mysql.ensureDatabases = [
+    "www_kinealbrigtsen_no"
+  ];
+  services.mysql.ensureUsers = [
+    {
+      name = "www-kinealbrigtsen-no";
+      ensurePermissions = {
+        # "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures
+        "www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX";
+      };
+    }
+  ];
+
+  services.phpfpm.pools.www-kinealbrigtsen-no = {
+    user = "www-kinealbrigtsen-no";
+    group = "www-kinealbrigtsen-no";
+    phpOptions = lib.generators.toKeyValue {} {
+      upload_max_filesize = "1000M";
+      post_max_size = "1000M";
+      memory_limit = "1000M";
+    };
+
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "listen.group" = config.services.nginx.group;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 4;
+      "pm.process_idle_timeout" = "10s";
+      "pm.max_requests" = 1000;
+    };
+  };
+
+  services.nginx.virtualHosts."kinealbrigtsen.no" = {
+    serverAliases = [ "www.kinealbrigtsen.no" ];
+    root = "/var/www/www-kinealbrigtsen-no";
+    locations = {
+      "/".extraConfig = ''
+        try_files $uri $uri/ /index.php?$args;
+      '';
+
+      "~ \\.php$".extraConfig = ''
+        include ${config.services.nginx.package}/conf/fastcgi_params;
+
+        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket};
+      '';
+
+      "~ /\\.ht".extraConfig = ''
+        deny all;
+      '';
+
+      "/favicon.ico".extraConfig = ''
+        log_not_found off;
+        access_log off;
+      '';
+
+      "/robots.txt".extraConfig = ''
+        allow all;
+        log_not_found off;
+        access_log off;
+      '';
+
+      "~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig =  ''
+        expires max;
+        log_not_found off;
+      '';
+    };
+    extraConfig = ''
+      index index.php index.html;
+      set_real_ip_from 192.168.11.0/24;
+      real_ip_header X-Forwarded-For;
+
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+      add_header X-Frame-Options DENY;
+      add_header X-Content-Type-Options nosniff;
+    '';
+  };
+
+  # TODO:
+  # - Configure a mailer so wp_mail() works
+  # - Enable periodic backups
+}