diff --git a/.sops.yaml b/.sops.yaml index 37c6e83..8e3bd80 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -16,6 +16,11 @@ creation_rules: - age: - *prescientmoon - *lapetus + - path_regex: hosts/nixos/lapetus/secrets.yaml + key_groups: + - age: + - *prescientmoon + - *lapetus - path_regex: home/features/desktop/wakatime/secrets.yaml key_groups: - age: diff --git a/hosts/nixos/lapetus/services/nginx.nix b/hosts/nixos/common/optional/services/nginx.nix similarity index 88% rename from hosts/nixos/lapetus/services/nginx.nix rename to hosts/nixos/common/optional/services/nginx.nix index 3b9e48c..8eddfaa 100644 --- a/hosts/nixos/lapetus/services/nginx.nix +++ b/hosts/nixos/common/optional/services/nginx.nix @@ -1,4 +1,5 @@ { + imports = [ ./acme ]; services.nginx = { enable = true; recommendedGzipSettings = true; diff --git a/hosts/nixos/lapetus/default.nix b/hosts/nixos/lapetus/default.nix index 5ba8676..617d55e 100644 --- a/hosts/nixos/lapetus/default.nix +++ b/hosts/nixos/lapetus/default.nix @@ -3,10 +3,10 @@ ../common/global ../common/users/adrielus.nix ../common/optional/services/slambda.nix - ../common/optional/services/acme ./services/syncthing.nix ./services/whoogle.nix + ./services/pounce.nix ./filesystems ./hardware ]; diff --git a/hosts/nixos/lapetus/secrets.yaml b/hosts/nixos/lapetus/secrets.yaml new file mode 100644 index 0000000..0be6cf1 --- /dev/null +++ b/hosts/nixos/lapetus/secrets.yaml @@ -0,0 +1,30 @@ +tilde_irc_pass: ENC[AES256_GCM,data:+pw/g0pffo1zF++1H/+iFXQDCDw=,iv:zTBvaUCwt78dgv1jF9EmrTuHMnM2S+GUGpQZWY828tA=,tag:umqaQOWqy8aMOxWR0CNGHQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcjFoRm1WNW9jOUJjUC9W + NmxhWGRjWlFHd2tRaXJ6WnpaaWlxSFQ0RlZnCllVNTZ0b0MvL0VURDhQRUE1dDdW + L1NkYzBRRDFLcFpwTTgzRnphLy9GT00KLS0tIFcvU2ZUQ21FZU1NTEFJaHRTVjV3 + eU1YeEZIOTJKa3I4c3ZwbVdPMlBLbmMKCBhopcTXWiAwR8ACyDf+P11SYcPrPSSv + QRPJ6I8Y1Lc7KTCbkO8zW2hBb6fdbvWBJQtW0rOfCuGQ831OyArr0w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGV2VmdmJ2QlVVbUF6MUtt + dzZFUGJFS3cyKzlTTHJiWjlqRmJkUm04WXh3CktSdGRIUWxJRU5oVVdkUTFwaEZr + M1Y4NnRtclZVTkltOHNjNXAxVW9yaFEKLS0tIGlRYjgwd0FkN0FBU1RSQjRnVWpW + RHZ6alYrUU5BZ2xlMkdGR1dWRG5aeGMKJdsdtVZ6Mk9Vo3a+tS+rzAgaF2wpH+8U + lWhA+c0Kbe8EJT8hm7Vr8PqBmElz4V9AnXSCTp7D+Cu4pfWsHopLUQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-31T20:47:59Z" + mac: ENC[AES256_GCM,data:srdBFOeQmSc5CEIAjAqVzN4GuQL2el+/Q9cyAavr6Iv/LUUysdf6XkH9U3sZBRBdlcW2RR/Fu95kzSa51QL2RYOmnm6/MM6Kwa13MfTCiLiQBeH6tmCRBO9bKPwE9W24f4RwYhK4m5dIXdhCbN+GsCg6utEEgNKRCRFYSHe6h4Y=,iv:qkz66HLu8EcSDFD6Hkk3mNcP8zxNjAb9keZG/q8d2jM=,tag:M6jybdc4FwUcWbbjbiUONQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/hosts/nixos/lapetus/services/pounce.nix b/hosts/nixos/lapetus/services/pounce.nix new file mode 100644 index 0000000..ffaf999 --- /dev/null +++ b/hosts/nixos/lapetus/services/pounce.nix @@ -0,0 +1,26 @@ +{ config, ... }: +let makeNetworkConfig = host: port: join: secret: { + content = '' + sasl-plain = prescientmoon:${config.sops.placeholder.${secret}} + host = ${host} + port = ${toString port} + join = ${join} + ''; + owner = config.services.pounce.user; +}; +in +{ + security.acme.certs."wildcard-irc.moonythm.dev" = { + group = "pounce"; + domain = "*.irc.moonythm.dev"; + }; + + sops.secrets.tilde_irc_pass.sopsFile = ../secrets.yaml; + sops.templates."pounce-tilde.cfg" = makeNetworkConfig "eu.tilde.chat" 6697 "#meta" "tilde_irc_pass"; + # services.pounce = { + # enable = true; + # externalHost = "irc.moonythm.dev"; + # certDir = "/var/lib/acme/wildcard-irc.moonythm.dev"; + # networks.tilde.config = config.sops.templates."pounce-tilde.cfg".path; + # }; +} diff --git a/hosts/nixos/lapetus/services/syncthing.nix b/hosts/nixos/lapetus/services/syncthing.nix index efaff74..65f7519 100644 --- a/hosts/nixos/lapetus/services/syncthing.nix +++ b/hosts/nixos/lapetus/services/syncthing.nix @@ -1,11 +1,13 @@ +{ config, ... }: +let port = 8384; +in { imports = [ ../../common/optional/services/syncthing.nix ]; - networking.firewall.allowedTCPPorts = [ 8384 ]; - services.syncthing = { - guiAddress = "0.0.0.0:8384"; # TODO: put this behind nginx - settings.folders = { }; + guiAddress = "127.0.0.1:${toString port}"; }; + + services.nginx.virtualHosts."lapetus.syncthing.moonythm.dev" = config.satellite.proxy port; } diff --git a/hosts/nixos/lapetus/services/whoogle.nix b/hosts/nixos/lapetus/services/whoogle.nix index 54ef10f..1dc32c9 100644 --- a/hosts/nixos/lapetus/services/whoogle.nix +++ b/hosts/nixos/lapetus/services/whoogle.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ lib, config, ... }: let port = 8401; websiteBlocklist = [ @@ -9,7 +9,10 @@ let ]; in { - imports = [ ../../common/optional/podman.nix ./nginx.nix ]; + imports = [ + ../../common/optional/podman.nix + ../../common/optional/services/nginx.nix + ]; virtualisation.oci-containers.containers.whoogle-search = { image = "benbusby/whoogle-search"; @@ -23,10 +26,8 @@ in }; }; - services.nginx.virtualHosts."search.moonythm.dev" = { - enableACME = true; - acmeRoot = null; - forceSSL = true; - locations."/".proxyPass = "http://127.0.0.1:${toString port}"; - }; + services.nginx.virtualHosts."search.moonythm.dev" = config.satellite.proxy port; + environment.persistence."/persist/state".directories = [ + "/var/lib/acme" + ]; } diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 238f0cd..e67c8cb 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -2,4 +2,6 @@ { # example = import ./example.nix; + nginx = import ./nginx.nix; + pounce = import ./pounce.nix; } diff --git a/modules/nixos/nginx.nix b/modules/nixos/nginx.nix new file mode 100644 index 0000000..4df3652 --- /dev/null +++ b/modules/nixos/nginx.nix @@ -0,0 +1,13 @@ +{ lib, ... }: { + options.satellite.proxy = { + type = lib.types.functionTo lib.types.anything; + description = "Helper function for generating a quick proxy config"; + }; + + config.satellite.proxy = port: { + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/".proxyPass = "http://127.0.0.1:${toString port}"; + }; +} diff --git a/modules/nixos/pounce.nix b/modules/nixos/pounce.nix new file mode 100644 index 0000000..0956910 --- /dev/null +++ b/modules/nixos/pounce.nix @@ -0,0 +1,192 @@ +# Taken from https://git.tempest.dev/ashe/nixos-wrapper-pounce/src/branch/main/flake.nix +# I have removed a lot of the things I didn't need, and modified a few things to fit +# my preferences (specifically, simplified the cert situation) +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.pounce; + pkg = pkgs.pounce; + defaultUser = "pounce"; + + # {{{ systemd hardening flags + hardeningFlags = { + CapabilityBoundingSet = [ "" ]; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictNamespaces = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + }; + # }}} +in +{ + # {{{ Options + options.services.pounce = { + # {{{ general options + enable = mkEnableOption + (lib.mdDoc "the Pounce IRC bouncer and Calico dispatcher"); + + user = mkOption { + type = types.str; + default = defaultUser; + description = lib.mdDoc '' + User account under which Pounce runs. If not specified, a default user + will be created. + ''; + }; + + dataDir = mkOption { + type = types.str; + default = "/run/pounce"; + description = lib.mdDoc '' + Directory where each Pounce instance's UNIX-domain socket is stored for + Calico to route to. + ''; + }; + + externalHost = mkOption { + type = types.str; + example = "example.org"; + description = lib.mdDoc '' + Base domain name Calico will be accessible at. Each instance + will be at a subdomain of this. + ''; + }; + + bindHost = mkOption { + type = types.str; + default = "localhost"; + description = lib.mdDoc '' + The IP or host for Calico to bind to. + ''; + }; + + port = mkOption { + type = types.port; + default = 6697; + description = lib.mdDoc "Port for Calico to listen on."; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Open port in the firewall for Calico."; + }; + + timeout = mkOption { + type = types.ints.positive; + default = 1000; + description = lib.mdDoc '' + Timeout parameter (in milliseconds) for Calico to close a connection + if no `ClientHello` message is sent. + ''; + }; + + certDir = mkOption { + type = types.str; + example = "/var/lib/acme/wildcard-irc.exmaple.com"; + description = lib.mdDoc '' + Directory where each Pounce instance's TLS certificates and private + keys are stored. The folder must contain wildcard certs as generated by acme. + ''; + }; + # }}} + # {{{ networks + networks = mkOption { + type = types.attrsOf (types.submodule { + options = { + config = mkOption { + type = types.path; + description = lib.mdDoc '' + Location to load pounce configuration from + ''; + }; + }; + }); + default = { }; + description = lib.mdDoc "Attribute set of IRC networks to connect to."; + }; + }; + # }}} + # }}} + # {{{ config + config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0700 ${cfg.user} ${cfg.user} -" ]; + systemd.services = mkMerge ( + # {{{ calico service + [ + { + calico = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + description = "Calico dispatcher for Pounce IRC bouncer."; + + serviceConfig = { + User = cfg.user; + Group = cfg.user; + ExecStart = '' + ${pkg}/bin/calico \ + -H ${cfg.bindHost} -P ${toString cfg.port} \ + -t ${toString cfg.timeout} ${cfg.dataDir} + ''; + Restart = "on-failure"; + } // hardeningFlags; + }; + } + ] ++ + # }}} + # {{{ pounce service + (mapAttrsToList + (name: value: mkMerge [ + { + "pounce-${name}" = { + wantedBy = [ "calico.service" ]; + after = [ "network.target" ]; + before = [ "calico.service" ]; + + description = "Pounce IRC bouncer for the ${name} network."; + + serviceConfig = { + User = cfg.user; + Group = cfg.user; + ExecStart = '' + ${pkg}/bin/pounce \ + -C ${cfg.certDir}/fullchain.pem \ + -K ${cfg.certDir}/key.pem \ + -U ${cfg.dataDir} -H ${name}.${cfg.externalHost} \ + ${value.config} + ''; + Restart = "on-failure"; + } // hardeningFlags; + }; + } + ]) + cfg.networks) + # }}} + ); + + users = optionalAttrs (cfg.user == defaultUser) { + users.${defaultUser} = { + group = defaultUser; + isSystemUser = true; + }; + + groups.${defaultUser} = { }; + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + }; + # }}} +}