Various fixes; wireguard, vaultwarden, cleanups
This commit is contained in:
parent
4e8eacce37
commit
477b38b94c
|
@ -7,6 +7,7 @@
|
|||
../../common/metrics-exporters.nix
|
||||
./hardware-configuration.nix
|
||||
./filesystems.nix
|
||||
./wireguard.nix
|
||||
./exports.nix
|
||||
|
||||
#./vms.nix
|
||||
|
@ -21,6 +22,7 @@
|
|||
./services/flame.nix
|
||||
./services/gitea.nix
|
||||
./services/hedgedoc.nix
|
||||
./services/vaultwarden.nix
|
||||
./services/code-server.nix
|
||||
# TODO:
|
||||
# x Boot
|
||||
|
|
|
@ -45,9 +45,41 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services.hedgedoc.serviceConfig = {
|
||||
WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
|
||||
systemd.services.hedgedoc = {
|
||||
requires = [
|
||||
"postgresql.service"
|
||||
"kanidm.service"
|
||||
];
|
||||
serviceConfig = let
|
||||
workDir = "/var/lib/hedgedoc";
|
||||
in {
|
||||
WorkingDirectory = lib.mkForce workDir;
|
||||
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
|
||||
|
||||
# Better safe than sorry :)
|
||||
CapabilityBoundingSet = "";
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProtectSystem = "strict";
|
||||
ReadWritePaths = [ workDir ];
|
||||
RemoveIPC = true;
|
||||
RestrictSUIDSGID = true;
|
||||
UMask = "0007";
|
||||
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ port ];
|
||||
|
|
|
@ -10,6 +10,7 @@ in {
|
|||
};
|
||||
|
||||
services.nginx.virtualHosts."${domainName}" = {
|
||||
serverAliases = [ "jf.feal.no" ];
|
||||
extraConfig = ''
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
services.mx-puppet-discord = {
|
||||
enable = true;
|
||||
|
||||
serviceDependencies = [
|
||||
"matrix-synapse.service"
|
||||
"postgresql.service"
|
||||
];
|
||||
|
||||
settings = {
|
||||
bridge = {
|
||||
bindAddress = "localhost";
|
||||
domain = "feal.no";
|
||||
homeserverUrl = "https://matrix.feal.no";
|
||||
# homeserverUrl = "http://127.0.1.2:8008";
|
||||
|
||||
port = 8434;
|
||||
enableGroupSync = true;
|
||||
};
|
||||
|
||||
database.connString = "postgresql://mx-puppet-discord@localhost/mx-puppet-discord?sslmode=disable";
|
||||
|
||||
provisioning.whitelist = [ "@felixalb:feal\\.no" ];
|
||||
relay.whitelist = [ ".*" ];
|
||||
selfService.whitelist = [ "@felixalb:feal\\.no" ];
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
services.matrix-synapse.settings.app_service_config_files = [ /var/lib/mx-puppet-discord/discord-registration.yaml ];
|
||||
}
|
|
@ -5,12 +5,14 @@
|
|||
/* enableTCPIP = true; # Expose on the network */
|
||||
authentication = pkgs.lib.mkOverride 10 ''
|
||||
local gitea all ident map=gitea-users
|
||||
local vaultwarden all ident map=vaultwarden-users
|
||||
local all all trust
|
||||
host all all 127.0.0.1/32 trust
|
||||
host all all ::1/128 trust
|
||||
'';
|
||||
identMap = ''
|
||||
gitea-users gitea gitea
|
||||
vaultwarden-users vaultwarden vaultwarden
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
let
|
||||
host = "127.0.1.2";
|
||||
port = "5003";
|
||||
uid = 778;
|
||||
gid = 778;
|
||||
uid = config.ids.uids.transmission;
|
||||
gid = config.ids.gids.transmission;
|
||||
in {
|
||||
sops.secrets."transmission/vpncreds" = {
|
||||
owner = "transmission";
|
||||
|
|
|
@ -0,0 +1,69 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.vaultwarden;
|
||||
domain = "pw.feal.no";
|
||||
address = "127.0.0.1";
|
||||
port = 3011; # Note! The websocket port is left as default
|
||||
in {
|
||||
sops.secrets."vaultwarden/admintoken" = {
|
||||
owner = "vaultwarden";
|
||||
group = "vaultwarden";
|
||||
};
|
||||
|
||||
services.vaultwarden = {
|
||||
enable = true;
|
||||
dbBackend = "postgresql";
|
||||
environmentFile = config.sops.secrets."vaultwarden/admintoken".path;
|
||||
config = {
|
||||
domain = "https://${domain}";
|
||||
|
||||
rocketAddress = address;
|
||||
rocketPort = port;
|
||||
websocketEnabled = true;
|
||||
databaseUrl = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable";
|
||||
|
||||
signupsAllowed = false;
|
||||
rocketLog = "critical";
|
||||
|
||||
# This example assumes a mailserver running on localhost,
|
||||
# thus without transport encryption.
|
||||
# If you use an external mail server, follow:
|
||||
# https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
|
||||
/* SMTP_HOST = "127.0.0.1"; */
|
||||
/* SMTP_PORT = 25; */
|
||||
/* SMTP_SSL = false; */
|
||||
|
||||
/* SMTP_FROM = "admin@bitwarden.example.com"; */
|
||||
/* SMTP_FROM_NAME = "example.com Bitwarden server"; */
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
services.nginx.virtualHosts."${domain}" = {
|
||||
extraConfig = ''
|
||||
client_max_body_size 128M;
|
||||
'';
|
||||
locations."/" = {
|
||||
proxyPass = "http://${address}:${toString port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
locations."/notifications/hub" = {
|
||||
proxyPass = "http://localhost:3012";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
locations."/notifications/hub/negotiate" = {
|
||||
proxyPass = "http://${address}:${toString port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
services.postgresql = {
|
||||
ensureDatabases = [ "vaultwarden" ];
|
||||
ensureUsers = [{
|
||||
name = "vaultwarden";
|
||||
ensurePermissions = {
|
||||
"DATABASE \"vaultwarden\"" = "ALL PRIVILEGES";
|
||||
};
|
||||
}];
|
||||
};
|
||||
}
|
|
@ -0,0 +1,22 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
port = 51820;
|
||||
endpoint = "vpn.feal.no:51820";
|
||||
publicKey = "ct2FBeSSt0u38tFMv61aVpGwdcJvXi1Q0sV0zCNH7xU=";
|
||||
in {
|
||||
sops.secrets."wireguard/wg0/private" = {};
|
||||
|
||||
networking.firewall.allowedUDPPorts = [ port ];
|
||||
networking.wireguard.interfaces.wg0 = {
|
||||
ips = [ "10.100.0.2/24" ];
|
||||
listenPort = port;
|
||||
privateKeyFile = config.sops.secrets."wireguard/wg0/private".path;
|
||||
peers = [
|
||||
{
|
||||
inherit endpoint publicKey;
|
||||
allowedIPs = [ "10.100.0.0/24" ];
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
|
@ -15,6 +15,12 @@ transmission:
|
|||
matrix:
|
||||
synapse:
|
||||
registrationsecret: ENC[AES256_GCM,data:lrj4itbDdfwSJYlvgYbWy2bcgNj69DJA2gzLUiN2AINRfoprsZI7kbNvJO0E2FVPWrfcB6HSHqomgIi6G+77NoyPOSTzzI6aHMvt4Ups6/KpQFpR2QV3VykzADoagWs=,iv:GiuT4lAD8/ZPgTVwXUaHmjSvzHqnGPzAuwxFBlzU8O0=,tag:79tuTluST8E6gigm9Z7nEQ==,type:str]
|
||||
wireguard:
|
||||
wg0:
|
||||
public: ENC[AES256_GCM,data:jKkYH9giZJ09/hFWF0UgM8TSvQ/qrkSbhCOhHG5Ze2WI8MLZaNzZMQSgWHM=,iv:VI48j/DzQez+L4oW2vUHj8FqDpTAd5P/71ih4D/3I54=,tag:9m23ruMSkFsTbxj9dAD9eg==,type:str]
|
||||
private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
|
||||
vaultwarden:
|
||||
admintoken: ENC[AES256_GCM,data:mJDiu0tgJQmvmJcJMULmctJvPN6/uM9VaoigHOMFkve9Vd3IMrpDmyJq+ibLpul+hw4PlLARjRzOxdZVcX7AB+uOOOrypppOIfvYC6U=,iv:YcyYLEHeIsCchcEy+fOMiQi8Cgf24AwQDpL7fhogNEU=,tag:1SqpNvuPhfjYIjvvRV34/Q==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -39,8 +45,8 @@ sops:
|
|||
THFRNjZXc0RsS0xKK1BkeEU1UzA4MW8KgOIQyL6A9u+Ii8zYkHJDWVAG/EEc61Qh
|
||||
u+VFyGB7esTG56G19u1aCHB/NUxG5HYMG/DEqH/SyCyKUvHrXjEF4g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-05-11T22:37:33Z"
|
||||
mac: ENC[AES256_GCM,data:05Q2/Don1WbgncRQhS1XXJ/l+sH+YJQSUkDPJip798OiFwp/5/C19dS8Z9vXPtCp/96iisfsxfSY3OK/AhaXhhKKze1GQ5oqJnfp8ECE4N70SVy302eRF0rAR8XQQOGiur+JUP4KWYs4rNPAlMJYcppeSu3TeO+yGw+O7CGZuBs=,iv:k1Ab086i4Rur0bt8J5HY35rUax9LXpTnuw+TUoQCrI8=,tag:k9ar+YV2cIHRKdJj2dqdgA==,type:str]
|
||||
lastmodified: "2023-05-19T20:43:42Z"
|
||||
mac: ENC[AES256_GCM,data:GcQWXYMLlLIdygoiA03VryxVpIeeYn3vvrMmARTyLNmuLniq14Ut/IFP7KB50jDAiUVsgO4gpKDAWx53ZijpJo5JY4Ec49o4TEqfSh764dtRPYhwazrLl/Y+lwAT3H5p2jeTuo0a6k9u2uxwnJ/OV9DFikkRp+yJLMtqwTGj9KU=,iv:rOCZbQtORczrbG3KZAebn61p2SHTeX+zmgJEfQuCd4o=,tag:vDkPNhDKoVmZr8WA3s32nA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
|
Loading…
Reference in New Issue