From dab0af910be50206aa9ac2f7742bffe91d1f08d4 Mon Sep 17 00:00:00 2001 From: Nolan Darilek Date: Mon, 23 Dec 2024 11:20:27 -0600 Subject: [PATCH] Add garden and updates. --- flake.lock | 24 +++---- flake.nix | 16 +++++ hosts/garden/default.nix | 17 +++++ hosts/garden/hardware-configuration.nix | 14 ++++ hosts/hub/apps/dev.nix | 8 ++- hosts/hub/apps/nextcloud.nix | 13 ++-- hosts/hub/default.nix | 32 +++++++-- pkgs/caddy.nix | 86 ++++++++++++++++++++++++ roles/caddy.nix | 10 +++ roles/fail2ban.nix | 6 ++ roles/syncthing.nix | 6 ++ secrets/secrets.nix | 1 + secrets/ts_auth_key.age | Bin 0 -> 287 bytes users/nolan/desktop-minimal.nix | 7 +- 14 files changed, 216 insertions(+), 24 deletions(-) create mode 100644 hosts/garden/default.nix create mode 100644 hosts/garden/hardware-configuration.nix create mode 100644 pkgs/caddy.nix create mode 100644 roles/fail2ban.nix create mode 100644 roles/syncthing.nix create mode 100644 secrets/ts_auth_key.age diff --git a/flake.lock b/flake.lock index 5d373b6..bac7a6c 100644 --- a/flake.lock +++ b/flake.lock @@ -103,11 +103,11 @@ ] }, "locked": { - "lastModified": 1733951536, - "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=", + "lastModified": 1734366194, + "narHash": "sha256-vykpJ1xsdkv0j8WOVXrRFHUAdp9NXHpxdnn1F4pYgSw=", "owner": "nix-community", "repo": "home-manager", - "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f", + "rev": "80b0fdf483c5d1cb75aaad909bd390d48673857f", "type": "github" }, "original": { @@ -119,11 +119,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1733861262, - "narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=", + "lastModified": 1734352517, + "narHash": "sha256-mfv+J/vO4nqmIOlq8Y1rRW8hVsGH3M+I2ESMjhuebDs=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5", + "rev": "b12e314726a4226298fe82776b4baeaa7bcf3dcd", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixpkgsUnstable": { "locked": { - "lastModified": 1733759999, - "narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=", + "lastModified": 1734424634, + "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56", + "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33", "type": "github" }, "original": { @@ -182,11 +182,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1733808091, - "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=", + "lastModified": 1734600368, + "narHash": "sha256-nbG9TijTMcfr+au7ZVbKpAhMJzzE2nQBYmRvSdXUD8g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e", + "rev": "b47fd6fa00c6afca88b8ee46cfdb00e104f50bca", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 6e44ca5..a8747f4 100644 --- a/flake.nix +++ b/flake.nix @@ -97,6 +97,22 @@ ./hosts/hub ]; }; + garden = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + { + environment.systemPackages = [ agenix.packages.${system}.default ]; + } + ( + { config, pkgs, ... }: + { + nixpkgs.overlays = [ overlayUnstable ]; + } + ) + ./hosts/garden + ]; + }; }; }; } diff --git a/hosts/garden/default.nix b/hosts/garden/default.nix new file mode 100644 index 0000000..ffd424a --- /dev/null +++ b/hosts/garden/default.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + imports = [ + ./hardware-configuration.nix + ../../base.nix + ../../users/root.nix + ../../roles/tailscale.nix + ../../roles/caddy.nix + ../../roles/vscode-remote.nix + ../../roles/syncthing.nix + ]; + + boot.tmp.cleanOnBoot = true; + zramSwap.enable = true; + networking.hostName = "GARDEN"; + system.stateVersion = "23.11"; +} diff --git a/hosts/garden/hardware-configuration.nix b/hosts/garden/hardware-configuration.nix new file mode 100644 index 0000000..b584d72 --- /dev/null +++ b/hosts/garden/hardware-configuration.nix @@ -0,0 +1,14 @@ +{ modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + boot.loader.grub = { + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + fileSystems."/boot" = { device = "/dev/disk/by-uuid/FAAB-A09E"; fsType = "vfat"; }; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; + boot.initrd.kernelModules = [ "nvme" ]; + fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; + +} diff --git a/hosts/hub/apps/dev.nix b/hosts/hub/apps/dev.nix index c6d576a..f102c1a 100644 --- a/hosts/hub/apps/dev.nix +++ b/hosts/hub/apps/dev.nix @@ -66,10 +66,14 @@ useHostResolvConf = lib.mkForce false; }; services.resolved.enable = true; + environment.sessionVariables = { + PATH = [ "${pkgs.gitea}/bin" ]; + GITEA_WORK_DIR = "/var/lib/gitea"; + }; }; bindMounts = { - "/run/postgresql/.s.PGSQL.5432" = { - hostPath = "/run/postgresql/.s.PGSQL.5432"; + "/run/postgresql" = { + hostPath = "/run/postgresql"; }; }; }; diff --git a/hosts/hub/apps/nextcloud.nix b/hosts/hub/apps/nextcloud.nix index 6a2ca7e..918361f 100644 --- a/hosts/hub/apps/nextcloud.nix +++ b/hosts/hub/apps/nextcloud.nix @@ -31,7 +31,7 @@ package = pkgs.nextcloud30; configureRedis = true; maxUploadSize = "16G"; - autoUpdateApps.enable = true; + # autoUpdateApps.enable = true; notify_push.enable = true; webfinger = true; settings = { @@ -44,6 +44,7 @@ dbhost = "/run/postgresql"; adminpassFile = "/etc/nextcloud-admin-pass"; }; + phpOptions."opcache.interned_strings_buffer" = "23"; }; onlyoffice = { enable = true; @@ -51,6 +52,7 @@ }; resolved.enable = true; }; + programs.nix-ld.enable = true; networking = { firewall.allowedTCPPorts = [ 80 ]; useHostResolvConf = lib.mkForce false; @@ -62,11 +64,14 @@ }; }; bindMounts = { - "/run/postgresql/.s.PGSQL.5432" = { - hostPath = "/run/postgresql/.s.PGSQL.5432"; + "/run/postgresql" = { + hostPath = "/run/postgresql"; }; }; }; - services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''reverse_proxy nextcloud''; + services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = '' + reverse_proxy nextcloud + header Strict-Transport-Security max-age=31536000; + ''; } diff --git a/hosts/hub/default.nix b/hosts/hub/default.nix index add4ca3..5dd8bd9 100644 --- a/hosts/hub/default.nix +++ b/hosts/hub/default.nix @@ -10,6 +10,7 @@ ../../roles/zfs.nix ../../base.nix ../../users/root.nix + ../../roles/fail2ban.nix ../../roles/tailscale.nix ../../roles/lldap.nix ../../roles/authelia.nix @@ -18,6 +19,7 @@ ../../roles/caddy.nix ../../roles/vscode-remote.nix ../../roles/postgres.nix + ../../roles/syncthing.nix ./apps/dev.nix ./apps/nextcloud.nix ]; @@ -64,11 +66,6 @@ acceptTerms = true; defaults.email = "nolan@thewordnerd.info"; certs."thewordnerd.info" = { - domain = "*.thewordnerd.info"; - dnsProvider = "cloudflare"; - environmentFile = config.age.secrets.cloudflareApi.path; - }; - certs."hub.thewordnerd.info" = { dnsProvider = "cloudflare"; environmentFile = config.age.secrets.cloudflareApi.path; }; @@ -103,6 +100,15 @@ }; }; + services.fail2ban.jails = { + dovecot.settings = { + filter = "dovecot[mode=aggressive]"; + }; + postfix.settings = { + filter = "postfix[mode=aggressive]"; + }; + }; + services.caddy.virtualHosts."users.thewordnerd.info".extraConfig = ''reverse_proxy localhost:17170''; @@ -110,6 +116,22 @@ reverse_proxy localhost:9091 ''; + services.authelia.instances.main.settings.access_control.rules = [ + { + domain = "syncthing.thewordnerd.info"; + policy = "one_factor"; + } + ]; + + services.caddy.virtualHosts."syncthing.thewordnerd.info".extraConfig = '' + forward_auth localhost:9091 { + uri /api/authz/forward-auth + } + reverse_proxy localhost:8384 { + header_up Host {upstream_hostport} + } + ''; + services.caddy.virtualHosts."www.thewordnerd.info".extraConfig = '' file_server root * /var/www/thewordnerd.info diff --git a/pkgs/caddy.nix b/pkgs/caddy.nix new file mode 100644 index 0000000..92b3db2 --- /dev/null +++ b/pkgs/caddy.nix @@ -0,0 +1,86 @@ +{ + lib, + buildGoModule, + fetchFromGitHub, + nixosTests, + caddy, + testers, + installShellFiles, + stdenv, +}: +let + version = "2.8.4"; + dist = fetchFromGitHub { + owner = "caddyserver"; + rev = "f21c01b660c896bdd6bacc37178dc00d9af282b4"; + repo = "dist"; + hash = "sha256-O4s7PhSUTXoNEIi+zYASx8AgClMC5rs7se863G6w+l0="; + }; +in +buildGoModule { + pname = "caddy"; + version = "0-unstable-2024-12-22"; + src = fetchFromGitHub { + owner = "tailscale"; + repo = "caddy-tailscale"; + rev = "f21c01b660c896bdd6bacc37178dc00d9af282b4"; + hash = "sha256-CBfyqtWp3gYsYwaIxbfXO3AYaBiM7LutLC7uZgYXfkQ="; + }; + + vendorHash = "sha256-1Api8bBZJ1/oYk4ZGIiwWCSraLzK9L+hsKXkFtk6iVM="; + + subPackages = [ "cmd/caddy" ]; + + ldflags = [ + "-s" + "-w" + "-X github.com/caddyserver/caddy/v2.CustomVersion=${version}" + ]; + + # matches upstream since v2.8.0 + tags = [ "nobadger" ]; + + nativeBuildInputs = [ installShellFiles ]; + + postInstall = + '' + install -Dm644 ${dist}/init/caddy.service ${dist}/init/caddy-api.service -t $out/lib/systemd/system + + substituteInPlace $out/lib/systemd/system/caddy.service \ + --replace-fail "/usr/bin/caddy" "$out/bin/caddy" + substituteInPlace $out/lib/systemd/system/caddy-api.service \ + --replace-fail "/usr/bin/caddy" "$out/bin/caddy" + '' + + lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) '' + # Generating man pages and completions fail on cross-compilation + # https://github.com/NixOS/nixpkgs/issues/308283 + + $out/bin/caddy manpage --directory manpages + installManPage manpages/* + + installShellCompletion --cmd caddy \ + --bash <($out/bin/caddy completion bash) \ + --fish <($out/bin/caddy completion fish) \ + --zsh <($out/bin/caddy completion zsh) + ''; + + passthru.tests = { + inherit (nixosTests) caddy; + version = testers.testVersion { + command = "${caddy}/bin/caddy version"; + package = caddy; + }; + }; + + meta = with lib; { + homepage = "https://caddyserver.com"; + description = "Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS"; + license = licenses.asl20; + mainProgram = "caddy"; + maintainers = with maintainers; [ + Br1ght0ne + emilylange + techknowlogick + ]; + }; +} diff --git a/roles/caddy.nix b/roles/caddy.nix index b20d1c9..23aa2dd 100644 --- a/roles/caddy.nix +++ b/roles/caddy.nix @@ -1,10 +1,20 @@ +{ config, pkgs, ... }: + { services.caddy = { enable = true; + package = pkgs.callPackage ../pkgs/caddy.nix { }; email = "nolan@thewordnerd.info"; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; + age.secrets.tsAuthKey = { + file = ../secrets/ts_auth_key.age; + owner = config.services.caddy.user; + group = config.services.caddy.group; + mode = "600"; + }; + systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.tsAuthKey.path; } diff --git a/roles/fail2ban.nix b/roles/fail2ban.nix new file mode 100644 index 0000000..c4a8464 --- /dev/null +++ b/roles/fail2ban.nix @@ -0,0 +1,6 @@ +{ + services.fail2ban = { + enable = true; + ignoreIP = [ "192.168.0.0/16" ]; + }; +} diff --git a/roles/syncthing.nix b/roles/syncthing.nix new file mode 100644 index 0000000..b30ffea --- /dev/null +++ b/roles/syncthing.nix @@ -0,0 +1,6 @@ +{ + services.syncthing = { + enable = true; + openDefaultPorts = true; + }; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 336777e..f121e62 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -13,4 +13,5 @@ in "authelia_session.age".publicKeys = [ hub ]; "authelia_storage.age".publicKeys = [ hub ]; "cloudflare_api.age".publicKeys = [ hub ]; + "ts_auth_key.age".publicKeys = [ hub ]; } diff --git a/secrets/ts_auth_key.age b/secrets/ts_auth_key.age new file mode 100644 index 0000000000000000000000000000000000000000..e8d8fd2d8672d30533b31333bc2dc6768bb86ebd GIT binary patch literal 287 zcmV+)0pR{&XJsvAZewzJaCB*JZZ2U#de6>7#9;Mfs lkj3@ji)a854Pr49At1-T1VI`Cva`nWioG;uY$c@vErwljYh?fc literal 0 HcmV?d00001 diff --git a/users/nolan/desktop-minimal.nix b/users/nolan/desktop-minimal.nix index a89ed5f..9a855b5 100644 --- a/users/nolan/desktop-minimal.nix +++ b/users/nolan/desktop-minimal.nix @@ -14,7 +14,12 @@ programs = { firefox = { enable = true; - package = pkgs.firefox.override { nativeMessagingHosts = [ pkgs.gnome-browser-connector ]; }; + package = pkgs.firefox.override { + nativeMessagingHosts = with pkgs; [ + firefoxpwa + gnome-browser-connector + ]; + }; }; }; };