From 483f30229fe754801da3077afac938ad66e3e4e0 Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Sat, 18 Oct 2025 22:25:05 +0200
Subject: [PATCH] leonard: add www-feal-no. add www-kinealbrigtsen-no. configure outgoing firewall
---
 hosts/leonard/configuration.nix | 16 ++++
 hosts/leonard/services/mysql.nix | 10 ++
 hosts/leonard/services/nginx.nix | 19 ++++
 .../leonard/services/www-feal-no/default.nix | 26 +++++
 .../www-feal-no/well-known/matrix/client | 5 +
 .../www-feal-no/well-known/matrix/server | 1 +
 .../services/www-kinealbrigtsen-no.nix | 95 +++++++++++++++++++
 7 files changed, 172 insertions(+)
 create mode 100644 hosts/leonard/services/mysql.nix
 create mode 100644 hosts/leonard/services/nginx.nix
 create mode 100644 hosts/leonard/services/www-feal-no/default.nix
 create mode 100644 hosts/leonard/services/www-feal-no/well-known/matrix/client
 create mode 100644 hosts/leonard/services/www-feal-no/well-known/matrix/server
 create mode 100644 hosts/leonard/services/www-kinealbrigtsen-no.nix
diff --git a/hosts/leonard/configuration.nix b/hosts/leonard/configuration.nix
index 1fe2e27..10f5f36 100644
--- a/hosts/leonard/configuration.nix
+++ b/hosts/leonard/configuration.nix
@@ -7,6 +7,12 @@
 ../../common/metrics-exporters.nix
 ../../common/auto-upgrade.nix
 ./hardware-configuration.nix
+
+ ./services/nginx.nix
+ ./services/mysql.nix
+
+ ./services/www-feal-no
+ ./services/www-kinealbrigtsen-no.nix
 ];
 
 boot.loader.systemd-boot.enable = lib.mkForce false;
@@ -23,6 +29,16 @@
 ];
 };
 hostId = "b99c12d1";
+
+ # Prepend the following output rules to disallow talking to other devices on LAN
+ firewall.extraCommands = lib.strings.concatLines ([
+ "iptables -F OUTPUT"
+ ] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
+ "iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
+ "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
+ "iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
+ "iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
+ ]);
 };
 
 sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;
diff --git a/hosts/leonard/services/mysql.nix b/hosts/leonard/services/mysql.nix
new file mode 100644
index 0000000..128f2d6
--- /dev/null
+++ b/hosts/leonard/services/mysql.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+
+{
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ };
+
+ # TODO: services.mysqlBackup
+}
diff --git a/hosts/leonard/services/nginx.nix b/hosts/leonard/services/nginx.nix
new file mode 100644
index 0000000..e4f4a00
--- /dev/null
+++ b/hosts/leonard/services/nginx.nix
@@ -0,0 +1,19 @@
+{ config, values, ... }:
+{
+ services.nginx = {
+ enable = true;
+ enableReload = true;
+
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "felix@albrigtsen.it";
+ };
+}
diff --git a/hosts/leonard/services/www-feal-no/default.nix b/hosts/leonard/services/www-feal-no/default.nix
new file mode 100644
index 0000000..e4b0b28
--- /dev/null
+++ b/hosts/leonard/services/www-feal-no/default.nix
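Review bot: The LAN isolation added in `firewall.extraCommands` is IPv4-only: every rule goes through `iptables`, so the `ip6tables` OUTPUT chain keeps its default policy and traffic to LAN hosts over IPv6 (link-local or ULA addresses, if the LAN carries any) is never refused. The DNS exception is also narrower than the comment suggests: it allows only UDP/53 to the entries of `config.networking.nameservers`, so TCP/53 fallback for truncated answers is refused when the resolver sits in one of the blocked subnets, and an empty `nameservers` list (resolvers learned via DHCP) produces no exception at all. Consider emitting each rule through `ip46tables` (the helper the NixOS iptables firewall script defines and that appears to be in scope for `extraCommands`) and adding `-p tcp --dport 53` next to the UDP rule. `iptables -F OUTPUT` also discards any OUTPUT rules another module may have installed before this runs, which deserves a comment stating that it is intended.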
@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+
+{
+ services.nginx.virtualHosts."feal.no" = {
+ default = true;
+
+ serverAliases = [
+ "www.feal.no"
+ ];
+
+ locations = {
+ # TODO: Reinstate actual website
+ "/".return = "302 https://git.feal.no/";
+
+ "^~ /.well-known/" = {
+ alias = (toString ./well-known) + "/";
+ };
+
+ "/cc/" = {
+ alias = "${pkgs.cyberchef}/share/cyberchef/";
+ index = "index.html";
+ };
+ "= /cc".return = "302 /cc/";
+ };
+ };
+}
diff --git a/hosts/leonard/services/www-feal-no/well-known/matrix/client b/hosts/leonard/services/www-feal-no/well-known/matrix/client
new file mode 100644
index 0000000..97c9d85
--- /dev/null
+++ b/hosts/leonard/services/www-feal-no/well-known/matrix/client
@@ -0,0 +1,5 @@
+{
+ "m.homeserver": {
+ "base_url": "https://matrix.feal.no:443"
+ }
+}
diff --git a/hosts/leonard/services/www-feal-no/well-known/matrix/server b/hosts/leonard/services/www-feal-no/well-known/matrix/server
new file mode 100644
index 0000000..b1728cf
--- /dev/null
+++ b/hosts/leonard/services/www-feal-no/well-known/matrix/server
@@ -0,0 +1 @@
+{"m.server": "matrix.feal.no:443"}
diff --git a/hosts/leonard/services/www-kinealbrigtsen-no.nix b/hosts/leonard/services/www-kinealbrigtsen-no.nix
new file mode 100644
index 0000000..f970fd4
--- /dev/null
+++ b/hosts/leonard/services/www-kinealbrigtsen-no.nix
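Review bot: The `^~ /.well-known/` location serves the `matrix/client` and `matrix/server` files without a content type or a CORS header: the files have no extension, so nginx falls back to `default_type` (normally `application/octet-stream`), and browser-based Matrix clients fetch `/.well-known/matrix/client` cross-origin, where the lookup is expected to fail without `Access-Control-Allow-Origin: *`. Add `extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin *; '';` to that location. The `feal.no` vhost is also declared with neither `forceSSL` nor `enableACME`, so unless a module outside this diff sets those defaults the discovery files are reachable only over plain HTTP, whereas Matrix discovery is fetched over HTTPS.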
@@ -0,0 +1,95 @@
+{ config, pkgs, lib, ... }:
+
+{
+ users.users.www-kinealbrigtsen-no = {
+ isSystemUser = true;
+ group = "www-kinealbrigtsen-no";
+ };
+
+ users.groups.www-kinealbrigtsen-no = { };
+
+ services.mysql.ensureDatabases = [
+ "www_kinealbrigtsen_no"
+ ];
+ services.mysql.ensureUsers = [
+ {
+ name = "www-kinealbrigtsen-no";
+ ensurePermissions = {
+ # "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures
+ "www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX";
+ };
+ }
+ ];
+
+ services.phpfpm.pools.www-kinealbrigtsen-no = {
+ user = "www-kinealbrigtsen-no";
+ group = "www-kinealbrigtsen-no";
+ phpOptions = lib.generators.toKeyValue {} {
+ upload_max_filesize = "1000M";
+ post_max_size = "1000M";
+ memory_limit = "1000M";
+ };
+
+ settings = {
+ "listen.owner" = config.services.nginx.user;
+ "listen.group" = config.services.nginx.group;
+ "pm" = "dynamic";
+ "pm.max_children" = 32;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 2;
+ "pm.max_spare_servers" = 4;
+ "pm.process_idle_timeout" = "10s";
+ "pm.max_requests" = 1000;
+ };
+ };
+
+ services.nginx.virtualHosts."kinealbrigtsen.no" = {
+ serverAliases = [ "www.kinealbrigtsen.no" ];
+ root = "/var/www/www-kinealbrigtsen-no";
+ locations = {
+ "/".extraConfig = ''
+ try_files $uri $uri/ /index.php?$args;
+ '';
+
+ "~ \\.php$".extraConfig = ''
+ include ${config.services.nginx.package}/conf/fastcgi_params;
+
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket};
+ '';
+
+ "~ /\\.ht".extraConfig = ''
+ deny all;
+ '';
+
+ "/favicon.ico".extraConfig = ''
+ log_not_found off;
+ access_log off;
+ '';
+
+ "/robots.txt".extraConfig = ''
+ allow all;
+ log_not_found off;
+ access_log off;
+ '';
+
+ "~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = ''
+ expires max;
+ log_not_found off;
+ '';
+ };
+ extraConfig = ''
+ index index.php index.html;
+ set_real_ip_from 192.168.11.0/24;
+ real_ip_header X-Forwarded-For;
+
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ '';
+ };
+
+ # TODO:
+ # - Configure a mailer so wp_mail() works
+ # - Enable periodic backups
+}
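Review bot: The `~ \\.php$` location passes `$document_root$fastcgi_script_name` to php-fpm without checking that the file exists, so a request such as `/wp-content/uploads/image.jpg/x.php` reaches PHP and, if `cgi.fix_pathinfo` is left at PHP's default of 1 (nothing in this diff sets it), the uploaded file is executed as PHP; nothing in the vhost prevents running PHP that lands in the uploads tree either. Add `try_files $uri =404;` at the top of that location and a deny location for `.php` under `/wp-content/uploads/`, giving it a lower `priority` so it is emitted before the generic PHP location, since nginx takes the first matching regex and the NixOS module orders equal-priority locations by name. The vhost also sets neither `forceSSL` nor `enableACME`, so unless a module outside this diff supplies them the site, wp-admin logins included, is served over plain HTTP while the `security.acme` defaults in nginx.nix go unused. Finally, `memory_limit = "1000M"` with `pm.max_children = 32` allows a worst case of roughly 32 GB for one pool, which merits a comment or a lower cap.

```nix
# Emitted before "~ \\.php$" (lower priority value) so nginx matches it first
# and never executes PHP dropped into the uploads tree.
"~* ^/wp-content/uploads/.*\\.php$" = {
  priority = 500;
  extraConfig = ''
    deny all;
  '';
};

"~ \\.php$".extraConfig = ''
  try_files $uri =404;
  include ${config.services.nginx.package}/conf/fastcgi_params;
  # … unchanged: fastcgi_param SCRIPT_FILENAME / fastcgi_pass …
'';
```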