Various fixes; wireguard, vaultwarden, cleanups

hosts/voyager/configuration.nix

@@ -7,6 +7,7 @@
       ../../common/metrics-exporters.nix
       ./hardware-configuration.nix
       ./filesystems.nix
+      ./wireguard.nix
       ./exports.nix
 
       #./vms.nix
@@ -21,6 +22,7 @@
       ./services/flame.nix
       ./services/gitea.nix
       ./services/hedgedoc.nix
+      ./services/vaultwarden.nix
       ./services/code-server.nix
   # TODO:
   # x Boot

hosts/voyager/services/hedgedoc.nix

@@ -45,9 +45,41 @@ in {
         };
     };
 
-    systemd.services.hedgedoc.serviceConfig = {
+    systemd.services.hedgedoc = {
-      WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
+      requires = [
+        "postgresql.service"
+        "kanidm.service"
+      ];
+      serviceConfig = let
+        workDir = "/var/lib/hedgedoc";
+      in {
+        WorkingDirectory = lib.mkForce workDir;
         StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
+
+        # Better safe than sorry :)
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        ReadWritePaths = [ workDir ];
+        RemoveIPC = true;
+        RestrictSUIDSGID = true;
+        UMask = "0007";
+        RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+      };
     };
 
     networking.firewall.allowedTCPPorts = [ port ];

hosts/voyager/services/jellyfin.nix

@@ -10,6 +10,7 @@ in {
   };
 
   services.nginx.virtualHosts."${domainName}" = {
+    serverAliases = [ "jf.feal.no" ];
     extraConfig = ''
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Content-Type-Options "nosniff";

hosts/voyager/services/matrix/bridge-discord.nix

@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+
+{
+  services.mx-puppet-discord = {
+    enable = true;
+
+    serviceDependencies = [
+      "matrix-synapse.service"
+      "postgresql.service"
+    ];
+
+    settings = {
+      bridge = {
+        bindAddress = "localhost";
+        domain = "feal.no";
+        homeserverUrl = "https://matrix.feal.no";
+        # homeserverUrl = "http://127.0.1.2:8008";
+
+        port = 8434;
+        enableGroupSync = true;
+      };
+
+      database.connString = "postgresql://mx-puppet-discord@localhost/mx-puppet-discord?sslmode=disable";
+
+      provisioning.whitelist = [ "@felixalb:feal\\.no" ];
+      relay.whitelist = [ ".*" ];
+      selfService.whitelist = [ "@felixalb:feal\\.no" ];
+
+    };
+  };
+
+  services.matrix-synapse.settings.app_service_config_files = [ /var/lib/mx-puppet-discord/discord-registration.yaml ];
+}

hosts/voyager/services/postgres.nix

@@ -5,12 +5,14 @@
     /* enableTCPIP = true; # Expose on the network */
     authentication = pkgs.lib.mkOverride 10 ''
      local gitea all ident map=gitea-users
+     local vaultwarden all ident map=vaultwarden-users
      local all all trust
      host all all 127.0.0.1/32 trust
      host all all ::1/128 trust
     '';
     identMap = ''
       gitea-users gitea gitea
+      vaultwarden-users vaultwarden vaultwarden
     '';
   };
 

hosts/voyager/services/transmission.nix

@@ -2,8 +2,8 @@
 let
   host = "127.0.1.2";
   port = "5003";
-  uid = 778;
+  uid = config.ids.uids.transmission;
-  gid = 778;
+  gid = config.ids.gids.transmission;
 in {
   sops.secrets."transmission/vpncreds" = {
     owner = "transmission";

hosts/voyager/services/vaultwarden.nix

@@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.vaultwarden;
+  domain = "pw.feal.no";
+  address = "127.0.0.1";
+  port = 3011; # Note! The websocket port is left as default
+in {
+  sops.secrets."vaultwarden/admintoken" = {
+    owner = "vaultwarden";
+    group = "vaultwarden";
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    environmentFile = config.sops.secrets."vaultwarden/admintoken".path;
+    config = {
+      domain = "https://${domain}";
+
+      rocketAddress = address;
+      rocketPort = port;
+      websocketEnabled = true;
+      databaseUrl = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable";
+
+      signupsAllowed = false;
+      rocketLog = "critical";
+
+    # This example assumes a mailserver running on localhost,
+    # thus without transport encryption.
+    # If you use an external mail server, follow:
+    #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+      /* SMTP_HOST = "127.0.0.1"; */
+      /* SMTP_PORT = 25; */
+      /* SMTP_SSL = false; */
+
+      /* SMTP_FROM = "admin@bitwarden.example.com"; */
+      /* SMTP_FROM_NAME = "example.com Bitwarden server"; */
+
+    };
+  };
+
+
+  services.nginx.virtualHosts."${domain}" = {
+    extraConfig = ''
+      client_max_body_size 128M;
+    '';
+    locations."/" = {
+      proxyPass = "http://${address}:${toString port}";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub" = {
+      proxyPass = "http://localhost:3012";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub/negotiate" = {
+      proxyPass = "http://${address}:${toString port}";
+      proxyWebsockets = true;
+    };
+  };
+  services.postgresql = {
+    ensureDatabases = [ "vaultwarden" ];
+    ensureUsers = [{
+      name = "vaultwarden";
+      ensurePermissions = {
+        "DATABASE \"vaultwarden\"" = "ALL PRIVILEGES";
+      };
+    }];
+  };
+}

hosts/voyager/wireguard.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+let
+  port = 51820;
+  endpoint = "vpn.feal.no:51820";
+  publicKey = "ct2FBeSSt0u38tFMv61aVpGwdcJvXi1Q0sV0zCNH7xU=";
+in {
+  sops.secrets."wireguard/wg0/private" = {};
+
+  networking.firewall.allowedUDPPorts = [ port ];
+  networking.wireguard.interfaces.wg0 = {
+    ips = [ "10.100.0.2/24" ];
+    listenPort = port;
+    privateKeyFile = config.sops.secrets."wireguard/wg0/private".path;
+    peers = [
+      {
+        inherit endpoint publicKey;
+        allowedIPs = [ "10.100.0.0/24" ];
+        persistentKeepalive = 25;
+      }
+    ];
+  };
+}

secrets/voyager/voyager.yaml

@@ -15,6 +15,12 @@ transmission:
 matrix:
     synapse:
         registrationsecret: ENC[AES256_GCM,data:lrj4itbDdfwSJYlvgYbWy2bcgNj69DJA2gzLUiN2AINRfoprsZI7kbNvJO0E2FVPWrfcB6HSHqomgIi6G+77NoyPOSTzzI6aHMvt4Ups6/KpQFpR2QV3VykzADoagWs=,iv:GiuT4lAD8/ZPgTVwXUaHmjSvzHqnGPzAuwxFBlzU8O0=,tag:79tuTluST8E6gigm9Z7nEQ==,type:str]
+wireguard:
+    wg0:
+        public: ENC[AES256_GCM,data:jKkYH9giZJ09/hFWF0UgM8TSvQ/qrkSbhCOhHG5Ze2WI8MLZaNzZMQSgWHM=,iv:VI48j/DzQez+L4oW2vUHj8FqDpTAd5P/71ih4D/3I54=,tag:9m23ruMSkFsTbxj9dAD9eg==,type:str]
+        private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
+vaultwarden:
+    admintoken: ENC[AES256_GCM,data:mJDiu0tgJQmvmJcJMULmctJvPN6/uM9VaoigHOMFkve9Vd3IMrpDmyJq+ibLpul+hw4PlLARjRzOxdZVcX7AB+uOOOrypppOIfvYC6U=,iv:YcyYLEHeIsCchcEy+fOMiQi8Cgf24AwQDpL7fhogNEU=,tag:1SqpNvuPhfjYIjvvRV34/Q==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -39,8 +45,8 @@ sops:
             THFRNjZXc0RsS0xKK1BkeEU1UzA4MW8KgOIQyL6A9u+Ii8zYkHJDWVAG/EEc61Qh
             u+VFyGB7esTG56G19u1aCHB/NUxG5HYMG/DEqH/SyCyKUvHrXjEF4g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-11T22:37:33Z"
+    lastmodified: "2023-05-19T20:43:42Z"
-    mac: ENC[AES256_GCM,data:05Q2/Don1WbgncRQhS1XXJ/l+sH+YJQSUkDPJip798OiFwp/5/C19dS8Z9vXPtCp/96iisfsxfSY3OK/AhaXhhKKze1GQ5oqJnfp8ECE4N70SVy302eRF0rAR8XQQOGiur+JUP4KWYs4rNPAlMJYcppeSu3TeO+yGw+O7CGZuBs=,iv:k1Ab086i4Rur0bt8J5HY35rUax9LXpTnuw+TUoQCrI8=,tag:k9ar+YV2cIHRKdJj2dqdgA==,type:str]
+    mac: ENC[AES256_GCM,data:GcQWXYMLlLIdygoiA03VryxVpIeeYn3vvrMmARTyLNmuLniq14Ut/IFP7KB50jDAiUVsgO4gpKDAWx53ZijpJo5JY4Ec49o4TEqfSh764dtRPYhwazrLl/Y+lwAT3H5p2jeTuo0a6k9u2uxwnJ/OV9DFikkRp+yJLMtqwTGj9KU=,iv:rOCZbQtORczrbG3KZAebn61p2SHTeX+zmgJEfQuCd4o=,tag:vDkPNhDKoVmZr8WA3s32nA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3