Various fixes; wireguard, vaultwarden, cleanups
This commit is contained in:
parent
d112a42699
commit
b15ab7ef01
|
@ -7,6 +7,7 @@
|
||||||
../../common/metrics-exporters.nix
|
../../common/metrics-exporters.nix
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./filesystems.nix
|
./filesystems.nix
|
||||||
|
./wireguard.nix
|
||||||
./exports.nix
|
./exports.nix
|
||||||
|
|
||||||
#./vms.nix
|
#./vms.nix
|
||||||
|
@ -21,6 +22,7 @@
|
||||||
./services/flame.nix
|
./services/flame.nix
|
||||||
./services/gitea.nix
|
./services/gitea.nix
|
||||||
./services/hedgedoc.nix
|
./services/hedgedoc.nix
|
||||||
|
./services/vaultwarden.nix
|
||||||
./services/code-server.nix
|
./services/code-server.nix
|
||||||
# TODO:
|
# TODO:
|
||||||
# x Boot
|
# x Boot
|
||||||
|
|
|
@ -45,9 +45,41 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.hedgedoc.serviceConfig = {
|
systemd.services.hedgedoc = {
|
||||||
WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
|
requires = [
|
||||||
|
"postgresql.service"
|
||||||
|
"kanidm.service"
|
||||||
|
];
|
||||||
|
serviceConfig = let
|
||||||
|
workDir = "/var/lib/hedgedoc";
|
||||||
|
in {
|
||||||
|
WorkingDirectory = lib.mkForce workDir;
|
||||||
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
|
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
|
||||||
|
|
||||||
|
# Better safe than sorry :)
|
||||||
|
CapabilityBoundingSet = "";
|
||||||
|
LockPersonality = true;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateMounts = true;
|
||||||
|
PrivateTmp = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
ProtectSystem = "strict";
|
||||||
|
ReadWritePaths = [ workDir ];
|
||||||
|
RemoveIPC = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
UMask = "0007";
|
||||||
|
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ port ];
|
networking.firewall.allowedTCPPorts = [ port ];
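Review bot: `requires = [ "postgresql.service" "kanidm.service" ]` pulls both units in but does not order hedgedoc after them; `Requires=` without `After=` lets hedgedoc start in parallel with PostgreSQL and fail its first database connection. Add `after = [ "postgresql.service" "kanidm.service" ];` next to `requires` so the dependency also orders start-up. `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]` happens to work because systemd splits the rendered value on whitespace, but as a one-element list it reads as a single family name; `[ "AF_UNIX" "AF_INET" "AF_INET6" ]` matches how the other list-valued settings in this block are written. `ReadWritePaths = [ workDir ]` appears redundant with `StateDirectory`, which already makes `/var/lib/hedgedoc` writable under `ProtectSystem = "strict"`, so it could be dropped or given a comment explaining why both are kept.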
|
||||||
|
|
|
@ -10,6 +10,7 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."${domainName}" = {
|
services.nginx.virtualHosts."${domainName}" = {
|
||||||
|
serverAliases = [ "jf.feal.no" ];
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
add_header X-Content-Type-Options "nosniff";
|
add_header X-Content-Type-Options "nosniff";
|
||||||
|
|
|
@ -0,0 +1,33 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
services.mx-puppet-discord = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
serviceDependencies = [
|
||||||
|
"matrix-synapse.service"
|
||||||
|
"postgresql.service"
|
||||||
|
];
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
bridge = {
|
||||||
|
bindAddress = "localhost";
|
||||||
|
domain = "feal.no";
|
||||||
|
homeserverUrl = "https://matrix.feal.no";
|
||||||
|
# homeserverUrl = "http://127.0.1.2:8008";
|
||||||
|
|
||||||
|
port = 8434;
|
||||||
|
enableGroupSync = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
database.connString = "postgresql://mx-puppet-discord@localhost/mx-puppet-discord?sslmode=disable";
|
||||||
|
|
||||||
|
provisioning.whitelist = [ "@felixalb:feal\\.no" ];
|
||||||
|
relay.whitelist = [ ".*" ];
|
||||||
|
selfService.whitelist = [ "@felixalb:feal\\.no" ];
|
||||||
|
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.matrix-synapse.settings.app_service_config_files = [ /var/lib/mx-puppet-discord/discord-registration.yaml ];
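Review bot: `app_service_config_files = [ /var/lib/mx-puppet-discord/discord-registration.yaml ]` uses an unquoted Nix path literal; when the synapse module renders its settings, a path value is copied into the Nix store, which either fails evaluation (the bridge writes that file at runtime, so it does not exist at build time) or, if it does exist on the build host, places the registration's tokens in the world-readable store. Quote it so synapse reads the file at start-up instead: `services.matrix-synapse.settings.app_service_config_files = [ "/var/lib/mx-puppet-discord/discord-registration.yaml" ];`. Separately, `relay.whitelist = [ ".*" ]` admits any Matrix user on any homeserver to relay mode while `provisioning.whitelist` and `selfService.whitelist` are limited to one account; if that breadth is intended, a comment saying so would help, otherwise narrow it to the local server, e.g. `"@.*:feal\\.no"`.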
|
||||||
|
}
|
|
@ -5,12 +5,14 @@
|
||||||
/* enableTCPIP = true; # Expose on the network */
|
/* enableTCPIP = true; # Expose on the network */
|
||||||
authentication = pkgs.lib.mkOverride 10 ''
|
authentication = pkgs.lib.mkOverride 10 ''
|
||||||
local gitea all ident map=gitea-users
|
local gitea all ident map=gitea-users
|
||||||
|
local vaultwarden all ident map=vaultwarden-users
|
||||||
local all all trust
|
local all all trust
|
||||||
host all all 127.0.0.1/32 trust
|
host all all 127.0.0.1/32 trust
|
||||||
host all all ::1/128 trust
|
host all all ::1/128 trust
|
||||||
'';
|
'';
|
||||||
identMap = ''
|
identMap = ''
|
||||||
gitea-users gitea gitea
|
gitea-users gitea gitea
|
||||||
|
vaultwarden-users vaultwarden vaultwarden
|
||||||
'';
|
'';
|
||||||
};
|
};
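Review bot: The new `local vaultwarden all ident map=vaultwarden-users` rule and its ident map only apply to Unix-socket connections, but the vaultwarden `databaseUrl` added in this commit (`postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable`) connects over TCP to localhost and is therefore matched by the existing `host all all 127.0.0.1/32 trust` line, so the ident rule never takes effect; the mx-puppet-discord `connString` has the same shape. Either point those connection strings at the socket directory (a `host=/run/postgresql` style URL, if the client library supports it) so ident authentication applies, or add a comment stating that these services deliberately rely on the loopback `trust` rules. Note also that the `local all all trust` line directly below means the ident map adds no restriction even for socket connections until that line is tightened.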
|
||||||
|
|
||||||
|
|
|
@ -2,8 +2,8 @@
|
||||||
let
|
let
|
||||||
host = "127.0.1.2";
|
host = "127.0.1.2";
|
||||||
port = "5003";
|
port = "5003";
|
||||||
uid = 778;
|
uid = config.ids.uids.transmission;
|
||||||
gid = 778;
|
gid = config.ids.gids.transmission;
|
||||||
in {
|
in {
|
||||||
sops.secrets."transmission/vpncreds" = {
|
sops.secrets."transmission/vpncreds" = {
|
||||||
owner = "transmission";
|
owner = "transmission";
|
||||||
|
|
|
@ -0,0 +1,69 @@
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.vaultwarden;
|
||||||
|
domain = "pw.feal.no";
|
||||||
|
address = "127.0.0.1";
|
||||||
|
port = 3011; # Note! The websocket port is left as default
|
||||||
|
in {
|
||||||
|
sops.secrets."vaultwarden/admintoken" = {
|
||||||
|
owner = "vaultwarden";
|
||||||
|
group = "vaultwarden";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.vaultwarden = {
|
||||||
|
enable = true;
|
||||||
|
dbBackend = "postgresql";
|
||||||
|
environmentFile = config.sops.secrets."vaultwarden/admintoken".path;
|
||||||
|
config = {
|
||||||
|
domain = "https://${domain}";
|
||||||
|
|
||||||
|
rocketAddress = address;
|
||||||
|
rocketPort = port;
|
||||||
|
websocketEnabled = true;
|
||||||
|
databaseUrl = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable";
|
||||||
|
|
||||||
|
signupsAllowed = false;
|
||||||
|
rocketLog = "critical";
|
||||||
|
|
||||||
|
# This example assumes a mailserver running on localhost,
|
||||||
|
# thus without transport encryption.
|
||||||
|
# If you use an external mail server, follow:
|
||||||
|
# https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
|
||||||
|
/* SMTP_HOST = "127.0.0.1"; */
|
||||||
|
/* SMTP_PORT = 25; */
|
||||||
|
/* SMTP_SSL = false; */
|
||||||
|
|
||||||
|
/* SMTP_FROM = "admin@bitwarden.example.com"; */
|
||||||
|
/* SMTP_FROM_NAME = "example.com Bitwarden server"; */
|
||||||
|
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."${domain}" = {
|
||||||
|
extraConfig = ''
|
||||||
|
client_max_body_size 128M;
|
||||||
|
'';
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://${address}:${toString port}";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
locations."/notifications/hub" = {
|
||||||
|
proxyPass = "http://localhost:3012";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
locations."/notifications/hub/negotiate" = {
|
||||||
|
proxyPass = "http://${address}:${toString port}";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services.postgresql = {
|
||||||
|
ensureDatabases = [ "vaultwarden" ];
|
||||||
|
ensureUsers = [{
|
||||||
|
name = "vaultwarden";
|
||||||
|
ensurePermissions = {
|
||||||
|
"DATABASE \"vaultwarden\"" = "ALL PRIVILEGES";
|
||||||
|
};
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
}
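Review bot: `websocketEnabled = true` is set but `websocketAddress` is not, so the notifications listener on 3012 does not inherit the loopback binding given to Rocket via `rocketAddress = address` and may bind to all interfaces; the comment on the `port` line says only the port is left at its default, which suggests the address was not considered. Since nginx already proxies `/notifications/hub` to `localhost:3012`, add `websocketAddress = address;` beside `websocketEnabled` so both listeners are loopback-only. The admin token is supplied through `environmentFile`, which vaultwarden reads as `KEY=value` lines; the secret is named `vaultwarden/admintoken`, so it is worth confirming the decrypted file is `ADMIN_TOKEN=…` rather than a bare token. The vhost sets `domain = "https://${domain}"` but no TLS options are visible in this file; if `forceSSL`/`enableACME` are not applied to this vhost elsewhere, the admin token and vault data would travel in clear text.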
|
|
@ -0,0 +1,22 @@
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
port = 51820;
|
||||||
|
endpoint = "vpn.feal.no:51820";
|
||||||
|
publicKey = "ct2FBeSSt0u38tFMv61aVpGwdcJvXi1Q0sV0zCNH7xU=";
|
||||||
|
in {
|
||||||
|
sops.secrets."wireguard/wg0/private" = {};
|
||||||
|
|
||||||
|
networking.firewall.allowedUDPPorts = [ port ];
|
||||||
|
networking.wireguard.interfaces.wg0 = {
|
||||||
|
ips = [ "10.100.0.2/24" ];
|
||||||
|
listenPort = port;
|
||||||
|
privateKeyFile = config.sops.secrets."wireguard/wg0/private".path;
|
||||||
|
peers = [
|
||||||
|
{
|
||||||
|
inherit endpoint publicKey;
|
||||||
|
allowedIPs = [ "10.100.0.0/24" ];
|
||||||
|
persistentKeepalive = 25;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
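Review bot: `networking.firewall.allowedUDPPorts = [ port ]` together with a fixed `listenPort = port` exposes the WireGuard listener to inbound traffic, yet the only peer has an `endpoint` and `persistentKeepalive = 25`, which is the initiating-client pattern that needs no inbound hole. Unless this host must also accept handshakes initiated from the peer side, drop the `allowedUDPPorts` line (and `listenPort`, letting the kernel choose an ephemeral port); WireGuard discards unauthenticated packets, so the exposure is small, but it is still an open port with no stated purpose. If inbound is required, a one-line comment on `listenPort` saying why would settle it. Also, `publicKey` here is the remote peer's key, while the sops file in this commit adds `wireguard.wg0.public`, which is presumably this host's own key; a comment distinguishing the two would avoid mixing them up later.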
|
|
@ -15,6 +15,12 @@ transmission:
|
||||||
matrix:
|
matrix:
|
||||||
synapse:
|
synapse:
|
||||||
registrationsecret: ENC[AES256_GCM,data:lrj4itbDdfwSJYlvgYbWy2bcgNj69DJA2gzLUiN2AINRfoprsZI7kbNvJO0E2FVPWrfcB6HSHqomgIi6G+77NoyPOSTzzI6aHMvt4Ups6/KpQFpR2QV3VykzADoagWs=,iv:GiuT4lAD8/ZPgTVwXUaHmjSvzHqnGPzAuwxFBlzU8O0=,tag:79tuTluST8E6gigm9Z7nEQ==,type:str]
|
registrationsecret: ENC[AES256_GCM,data:lrj4itbDdfwSJYlvgYbWy2bcgNj69DJA2gzLUiN2AINRfoprsZI7kbNvJO0E2FVPWrfcB6HSHqomgIi6G+77NoyPOSTzzI6aHMvt4Ups6/KpQFpR2QV3VykzADoagWs=,iv:GiuT4lAD8/ZPgTVwXUaHmjSvzHqnGPzAuwxFBlzU8O0=,tag:79tuTluST8E6gigm9Z7nEQ==,type:str]
|
||||||
|
wireguard:
|
||||||
|
wg0:
|
||||||
|
public: ENC[AES256_GCM,data:jKkYH9giZJ09/hFWF0UgM8TSvQ/qrkSbhCOhHG5Ze2WI8MLZaNzZMQSgWHM=,iv:VI48j/DzQez+L4oW2vUHj8FqDpTAd5P/71ih4D/3I54=,tag:9m23ruMSkFsTbxj9dAD9eg==,type:str]
|
||||||
|
private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
|
||||||
|
vaultwarden:
|
||||||
|
admintoken: ENC[AES256_GCM,data:mJDiu0tgJQmvmJcJMULmctJvPN6/uM9VaoigHOMFkve9Vd3IMrpDmyJq+ibLpul+hw4PlLARjRzOxdZVcX7AB+uOOOrypppOIfvYC6U=,iv:YcyYLEHeIsCchcEy+fOMiQi8Cgf24AwQDpL7fhogNEU=,tag:1SqpNvuPhfjYIjvvRV34/Q==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -39,8 +45,8 @@ sops:
|
||||||
THFRNjZXc0RsS0xKK1BkeEU1UzA4MW8KgOIQyL6A9u+Ii8zYkHJDWVAG/EEc61Qh
|
THFRNjZXc0RsS0xKK1BkeEU1UzA4MW8KgOIQyL6A9u+Ii8zYkHJDWVAG/EEc61Qh
|
||||||
u+VFyGB7esTG56G19u1aCHB/NUxG5HYMG/DEqH/SyCyKUvHrXjEF4g==
|
u+VFyGB7esTG56G19u1aCHB/NUxG5HYMG/DEqH/SyCyKUvHrXjEF4g==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-05-11T22:37:33Z"
|
lastmodified: "2023-05-19T20:43:42Z"
|
||||||
mac: ENC[AES256_GCM,data:05Q2/Don1WbgncRQhS1XXJ/l+sH+YJQSUkDPJip798OiFwp/5/C19dS8Z9vXPtCp/96iisfsxfSY3OK/AhaXhhKKze1GQ5oqJnfp8ECE4N70SVy302eRF0rAR8XQQOGiur+JUP4KWYs4rNPAlMJYcppeSu3TeO+yGw+O7CGZuBs=,iv:k1Ab086i4Rur0bt8J5HY35rUax9LXpTnuw+TUoQCrI8=,tag:k9ar+YV2cIHRKdJj2dqdgA==,type:str]
|
mac: ENC[AES256_GCM,data:GcQWXYMLlLIdygoiA03VryxVpIeeYn3vvrMmARTyLNmuLniq14Ut/IFP7KB50jDAiUVsgO4gpKDAWx53ZijpJo5JY4Ec49o4TEqfSh764dtRPYhwazrLl/Y+lwAT3H5p2jeTuo0a6k9u2uxwnJ/OV9DFikkRp+yJLMtqwTGj9KU=,iv:rOCZbQtORczrbG3KZAebn61p2SHTeX+zmgJEfQuCd4o=,tag:vDkPNhDKoVmZr8WA3s32nA==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.7.3
|
version: 3.7.3
|
||||||
|
|