defiant: Add domeneshop-dyndns

malcolm: Configure firewall and wordpress
malcolm: Init new host
2024-12-22 04:07:28 +01:00 · 2024-09-08 00:29:36 +02:00 · 2024-09-07 21:40:06 +02:00 · 2024-09-07 21:40:06 +02:00 · 2024-09-07 18:15:14 +02:00
11 changed files with 275 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -121,6 +121,25 @@
            }
          ];
        };
+
+        malcolm = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          specialArgs = {
+            inherit inputs;
+          };
+          modules = [
+            # Overlays-module makes "pkgs.unstable" available in configuration.nix
+            ({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
+
+            ./hosts/malcolm/configuration.nix
+            sops-nix.nixosModules.sops
+            home-manager.nixosModules.home-manager {
+              home-manager.useGlobalPkgs = true;
+              home-manager.useUserPackages = true;
+              home-manager.users."felixalb" = import ./hosts/malcolm/home.nix;
+            }
+          ];
+        };
      };

      darwinConfigurations.worf = nix-darwin.lib.darwinSystem {
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
@ -16,6 +16,7 @@
      ./services/wireguard.nix

      # Services
+      ./services/dyndns.nix
      ./services/flame.nix
      ./services/gitea.nix
      ./services/hedgedoc.nix
@ -25,6 +26,7 @@
      ./services/microbin.nix
      # ./services/minecraft.nix
      ./services/monitoring
+      ./services/rtl-tcp.nix
      ./services/vaultwarden.nix
  ];

--- a/hosts/defiant/services/dyndns.nix
+++ b/hosts/defiant/services/dyndns.nix
@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+
+let
+  dnsname = "site3.feal.no";
+in {
+  # Defines DDNS_TOKEN and DDNS_SECRET from https://domene.shop/admin?view=api
+  sops.secrets."domeneshop/env" = { };
+
+  systemd.services.domeneshop-dyndns = {
+    serviceConfig.EnvironmentFile = config.sops.secrets."domeneshop/env".path;
+    startAt = "*/10 * * * *";
+
+    script = ''
+      DNSNAME="${dnsname}"
+      NEW_IP="$(${lib.getExe pkgs.curl} --silent https://ipinfo.io/ip)"
+      OLD_IP="$(${lib.getExe pkgs.getent} hosts "$DNSNAME" | ${lib.getExe pkgs.gawk} '{ print $1 }')"
+
+      if [[ "$NEW_IP" != "$OLD_IP" ]]; then
+        echo "Old IP ($OLD_IP) does not match new IP ($NEW_IP), updating..."
+        ${lib.getExe pkgs.curl} --silent "https://$DDNS_TOKEN:$DDNS_SECRET@api.domeneshop.no/v0/dyndns/update?hostname=$DNSNAME&myip=$NEW_IP"
+      else
+        echo "Old IP ($OLD_IP) matches new IP ($NEW_IP), exiting..."
+      fi
+    '';
+  };
+}
--- a/hosts/defiant/services/rtl-tcp.nix
+++ b/hosts/defiant/services/rtl-tcp.nix
@ -0,0 +1,14 @@
+{ config, pkgs, lib, ... }:
+
+let
+  port = 1457;
+in {
+  hardware.rtl-sdr.enable = true;
+  systemd.services.rtl-tcp = {
+    script = "${pkgs.rtl-sdr}/bin/rtl_tcp -a 0.0.0.0 -p ${toString port} -s 2000000 -T";
+    serviceConfig = {
+      Group = "plugdev";
+    };
+  };
+  networking.firewall.allowedTCPPorts = [ port ];
+}
--- a/hosts/malcolm/configuration.nix
+++ b/hosts/malcolm/configuration.nix
@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+
+    ../../base.nix
+    ../../common/metrics-exporters.nix
+
+    ./services/mysql.nix
+    ./services/nginx.nix
+    ./services/www-kinealbrigtsen-no.nix
+  ];
+
+  networking = {
+    hostName = "malcolm";
+    bridges.br0.interfaces = [ "ens18" ];
+    interfaces.br0.useDHCP = false;
+    interfaces.br0.ipv4.addresses = [
+      { address = "192.168.11.106"; prefixLength = 24; }
+    ];
+
+    hostId = "620c42d0";
+    defaultGateway = "192.168.11.1";
+
+    # Prepend the following output rules to disallow talking to other devices on LAN
+    firewall.extraCommands = lib.strings.concatLines ([
+      "iptables -F OUTPUT"
+    ] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
+      "iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
+      "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
+      "iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
+      "iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
+    ]);
+  };
+
+  # virtualisation.oci-containers.backend = "docker";
+  # systemd.services.docker.postStart = lib.concatMapStringsSep "\n" (rule: "${pkgs.iptables}/bin/iptables ${rule}") ([
+  #   "-F DOCKER-USER"
+  # ] ++ (map (addr: "-A DOCKER-USER -p udp --dport 53 -d ${addr} -j RETURN") config.networking.nameservers) ++ [
+  #   "-A DOCKER-USER -d 192.168.10.0/24 -j REJECT"
+  #   "-A DOCKER-USER -d 192.168.11.0/24 -j REJECT"
+  #   "-A DOCKER-USER -j RETURN"
+  # ]);
+
+  system.stateVersion = "24.05";
+}
--- a/hosts/malcolm/hardware-configuration.nix
+++ b/hosts/malcolm/hardware-configuration.nix
@ -0,0 +1,30 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/7240554f-d9d9-457a-91d5-c70c09d96595";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/88C2-BAC8";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/hosts/malcolm/home.nix
+++ b/hosts/malcolm/home.nix
@ -0,0 +1,12 @@
+{ pkgs, lib, ... }:
+{
+  imports = [
+    ./../../home/base.nix
+  ];
+
+  programs = {
+    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+  };
+
+  home.stateVersion = "24.05";
+}
--- a/hosts/malcolm/services/mysql.nix
+++ b/hosts/malcolm/services/mysql.nix
@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+  };
+
+  # TODO: services.mysqlBackup
+}
--- a/hosts/malcolm/services/nginx.nix
+++ b/hosts/malcolm/services/nginx.nix
@ -0,0 +1,15 @@
+{ config, values, ... }:
+{
+  services.nginx = {
+    enable = true;
+
+    clientMaxBodySize = "100m";
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
--- a/hosts/malcolm/services/www-kinealbrigtsen-no.nix
+++ b/hosts/malcolm/services/www-kinealbrigtsen-no.nix
@ -0,0 +1,96 @@
+{ config, pkgs, lib, ... }:
+
+{
+  users.users.www-kinealbrigtsen-no = {
+    isSystemUser = true;
+    group = "www-kinealbrigtsen-no";
+  };
+
+  users.groups.www-kinealbrigtsen-no = { };
+
+  services.mysql.ensureDatabases = [
+    "www_kinealbrigtsen_no"
+  ];
+  services.mysql.ensureUsers = [
+    {
+      name = "www-kinealbrigtsen-no";
+      ensurePermissions = {
+        # "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures
+        "www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX";
+      };
+    }
+  ];
+
+  services.phpfpm.pools.www-kinealbrigtsen-no = {
+    user = "www-kinealbrigtsen-no";
+    group = "www-kinealbrigtsen-no";
+    phpOptions = lib.generators.toKeyValue {} {
+      upload_max_filesize = "1000M";
+      post_max_size = "1000M";
+      memory_limit = "1000M";
+    };
+
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "listen.group" = config.services.nginx.group;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 4;
+      "pm.process_idle_timeout" = "10s";
+      "pm.max_requests" = 1000;
+    };
+  };
+
+  services.nginx.virtualHosts."kinealbrigtsen.no" = {
+    serverAliases = [ "www.kinealbrigtsen.no" ];
+    root = "/var/www/www-kinealbrigtsen-no";
+    locations = {
+      "/".extraConfig = ''
+        try_files $uri $uri/ /index.php?$args;
+      '';
+
+      "~ \\.php$".extraConfig = ''
+        include ${config.services.nginx.package}/conf/fastcgi_params;
+
+        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket};
+      '';
+
+      "~ /\\.ht".extraConfig = ''
+        deny all;
+      '';
+
+      "/favicon.ico".extraConfig = ''
+        log_not_found off;
+        access_log off;
+      '';
+
+      "/robots.txt".extraConfig = ''
+        allow all;
+        log_not_found off;
+        access_log off;
+      '';
+
+      "~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig =  ''
+        expires max;
+        log_not_found off;
+      '';
+    };
+    extraConfig = ''
+      index index.php index.html;
+      set_real_ip_from 192.168.11.0/24;
+      real_ip_header X-Forwarded-For;
+
+      add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+      add_header X-Frame-Options DENY;
+      add_header X-Content-Type-Options nosniff;
+    '';
+  };
+
+  # TODO:
+  # - Configure a mailer so wp_mail() works
+  # - Enable periodic backups
+}
--- a/secrets/defiant/defiant.yaml
+++ b/secrets/defiant/defiant.yaml
@ -2,6 +2,8 @@ matrix:
    synapse:
        registrationsecret: ENC[AES256_GCM,data:bWxzNB3c7GL6A4evVMoYJ2/q5TKyeSZzk05lUTMMDLBf3w/ks028oKjntGWbAvpSbnYPAO5wGPPKrvh8TnMVfjuBVrBtL8Vmt10t7YU/e15Xo0WvtwuAtjF6AWiGbV8=,iv:/KW9n2wuVua6zsmMZ/tq7J3wgmtrkLsh6aOWX0Z+fqo=,tag:aoIpD0JgsVnhlyDcsjx1eg==,type:str]
        oidcsecret: ENC[AES256_GCM,data:AKUTKQStFwioRaRYnrFbL/kJM0ZO/ZPLumG+770+A7U=,iv:jSpL6dY27zwctra5w56loVR9rRETWe5eIeMnAn9f6S0=,tag:IoEP8UzoZK7B5LtTu9Ebsw==,type:str]
+domeneshop:
+    env: ENC[AES256_GCM,data:IBEWzGjXPTCxc2yBZxs2TnhrwTUjCey9qgprfmYlRMfoYjbSQDRzFoY3EXWfrRC8O/wt5/noar/XY5C6Krob6LynSHitaudXD/mPegR5u313tO9QwLOpScaA+lGyqUkUkddiI52cARJP,iv:dvMdW4o9ByUO5rl/1TXnwsnxd97UJqtv9UmERXdno2I=,tag:iNLGLF7aT2rLuDdwGfn2EA==,type:str]
 hedgedoc:
    env: ENC[AES256_GCM,data:30kDNwJA/nL2/l1gSVPWgFYIrrxnhKbsQPaS1MqeaggjDpPxyNOhSLf5/p5Z5S/jDuJapevpQR70hfAM8g3gLRNIFtP38V/8w0lUngpuz6MzL7THdNfbabOKsHpNht+nxwGXE1YSd0D4OuX5ll5pLWT8nQtNhhOzuYmDIJ/Xc01lmcGc2ThsA0GlkWZxUw==,iv:ht6BiCYJReWFoR1zpo/X0bcgMV9tYfXUM7Re2ngEk4M=,tag:XrlYHyhVujhhWul3czSTDg==,type:str]
 vaultwarden:
@ -37,8 +39,8 @@ sops:
            RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A
            fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-10T17:02:13Z"
-    mac: ENC[AES256_GCM,data:vHwX4i0SqiMI+laj079uNvO/6QKzqAoS4JmhUIW/1F7xjtd/Wv5Ia/00EexMMw59cvaDW/k7QB13xyHNixloFhH5aXi3bF8b8uIP6U3K0nlbIYp2tVRU3m/FtkhabzIuP5o/sfoO+gfcuHfTQxjwcap8Tx3VsecjJO0PaR9+EHU=,iv:6c0hRRRddD535GH9zGWnaBnq0jcSlyN0dPIEW+ldGew=,tag:185qSz+tgfXg/f65sf/y+Q==,type:str]
+    lastmodified: "2024-09-07T21:42:51Z"
+    mac: ENC[AES256_GCM,data:vxl36zjB978nOMO49YFYSyoKM9rX5NT0kJh5nruGU7a0RxcvQrN3sSHZCfes7uFAvEGiFO4YG3LCiMDuUCZYCTV3nMLnu7aAjqDhcSQqcCYieBx4V9wYSdFqebP9asvArOVUN3hL9xze++q+IvxYYISL1EPlWpAF+SdGVMykGDE=,iv:1wW/OHd+A0qupzXn11est/nPGcGJSg8YxyU0hKzTT1k=,tag:YHgeE0ycLRIqAPv4HNpSjg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
Author	SHA1	Message	Date
Felix Albrigtsen	162134d951	defiant: Add domeneshop-dyndns	2024-09-08 00:29:36 +02:00
Felix Albrigtsen	5261abf72c	malcolm: Configure firewall and wordpress	2024-09-07 21:40:06 +02:00
Felix Albrigtsen	8777536817	malcolm: Init new host	2024-09-07 21:40:06 +02:00
Felix Albrigtsen	618271b191	defiant: add rtl-tcp	2024-09-07 18:15:14 +02:00