prescientmoon/satellite
1
Fork 0
Code Activity

Set up pounce on lapetus

Browse source
This commit is contained in:
Matei Adriel 2024-01-31 21:59:11 +01:00
parent a175734015
commit 5de2395977
No known key found for this signature in database
10 changed files with 285 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
.sops.yaml
View file

@ -16,6 +16,11 @@ creation_rules:
- age: - age:
- *prescientmoon - *prescientmoon
- *lapetus - *lapetus
- path_regex: hosts/nixos/lapetus/secrets.yaml
key_groups:
- age:
- *prescientmoon
- *lapetus
- path_regex: home/features/desktop/wakatime/secrets.yaml - path_regex: home/features/desktop/wakatime/secrets.yaml
key_groups: key_groups:
- age: - age:

1
hosts/nixos/lapetus/services/nginx.nix → hosts/nixos/common/optional/services/nginx.nix
View file

@ -1,4 +1,5 @@
{ {
imports = [ ./acme ];
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;

2
hosts/nixos/lapetus/default.nix
View file

@ -3,10 +3,10 @@
../common/global ../common/global
../common/users/adrielus.nix ../common/users/adrielus.nix
../common/optional/services/slambda.nix ../common/optional/services/slambda.nix
../common/optional/services/acme
./services/syncthing.nix ./services/syncthing.nix
./services/whoogle.nix ./services/whoogle.nix
./services/pounce.nix
./filesystems ./filesystems
./hardware ./hardware
]; ];

30
hosts/nixos/lapetus/secrets.yaml Normal file
View file

@ -0,0 +1,30 @@
tilde_irc_pass: ENC[AES256_GCM,data:+pw/g0pffo1zF++1H/+iFXQDCDw=,iv:zTBvaUCwt78dgv1jF9EmrTuHMnM2S+GUGpQZWY828tA=,tag:umqaQOWqy8aMOxWR0CNGHQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcjFoRm1WNW9jOUJjUC9W
NmxhWGRjWlFHd2tRaXJ6WnpaaWlxSFQ0RlZnCllVNTZ0b0MvL0VURDhQRUE1dDdW
L1NkYzBRRDFLcFpwTTgzRnphLy9GT00KLS0tIFcvU2ZUQ21FZU1NTEFJaHRTVjV3
eU1YeEZIOTJKa3I4c3ZwbVdPMlBLbmMKCBhopcTXWiAwR8ACyDf+P11SYcPrPSSv
QRPJ6I8Y1Lc7KTCbkO8zW2hBb6fdbvWBJQtW0rOfCuGQ831OyArr0w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGV2VmdmJ2QlVVbUF6MUtt
dzZFUGJFS3cyKzlTTHJiWjlqRmJkUm04WXh3CktSdGRIUWxJRU5oVVdkUTFwaEZr
M1Y4NnRtclZVTkltOHNjNXAxVW9yaFEKLS0tIGlRYjgwd0FkN0FBU1RSQjRnVWpW
RHZ6alYrUU5BZ2xlMkdGR1dWRG5aeGMKJdsdtVZ6Mk9Vo3a+tS+rzAgaF2wpH+8U
lWhA+c0Kbe8EJT8hm7Vr8PqBmElz4V9AnXSCTp7D+Cu4pfWsHopLUQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-31T20:47:59Z"
mac: ENC[AES256_GCM,data:srdBFOeQmSc5CEIAjAqVzN4GuQL2el+/Q9cyAavr6Iv/LUUysdf6XkH9U3sZBRBdlcW2RR/Fu95kzSa51QL2RYOmnm6/MM6Kwa13MfTCiLiQBeH6tmCRBO9bKPwE9W24f4RwYhK4m5dIXdhCbN+GsCg6utEEgNKRCRFYSHe6h4Y=,iv:qkz66HLu8EcSDFD6Hkk3mNcP8zxNjAb9keZG/q8d2jM=,tag:M6jybdc4FwUcWbbjbiUONQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

26
hosts/nixos/lapetus/services/pounce.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, ... }:
let makeNetworkConfig = host: port: join: secret: {
content = ''
sasl-plain = prescientmoon:${config.sops.placeholder.${secret}}
host = ${host}
port = ${toString port}
join = ${join}
'';
owner = config.services.pounce.user;
};
in
{
security.acme.certs."wildcard-irc.moonythm.dev" = {
group = "pounce";
domain = "*.irc.moonythm.dev";
};
sops.secrets.tilde_irc_pass.sopsFile = ../secrets.yaml;
sops.templates."pounce-tilde.cfg" = makeNetworkConfig "eu.tilde.chat" 6697 "#meta" "tilde_irc_pass";
# services.pounce = {
# enable = true;
# externalHost = "irc.moonythm.dev";
# certDir = "/var/lib/acme/wildcard-irc.moonythm.dev";
# networks.tilde.config = config.sops.templates."pounce-tilde.cfg".path;
# };
}

10
hosts/nixos/lapetus/services/syncthing.nix
View file

@ -1,11 +1,13 @@
{ config, ... }:
let port = 8384;
in
{ {
imports = [ ../../common/optional/services/syncthing.nix ]; imports = [ ../../common/optional/services/syncthing.nix ];
networking.firewall.allowedTCPPorts = [ 8384 ];
services.syncthing = { services.syncthing = {
guiAddress = "0.0.0.0:8384"; # TODO: put this behind nginx
settings.folders = { }; settings.folders = { };
guiAddress = "127.0.0.1:${toString port}";
}; };
services.nginx.virtualHosts."lapetus.syncthing.moonythm.dev" = config.satellite.proxy port;
} }

17
hosts/nixos/lapetus/services/whoogle.nix
View file

@ -1,4 +1,4 @@
{ lib, ... }: { lib, config, ... }:
let let
port = 8401; port = 8401;
websiteBlocklist = [ websiteBlocklist = [
@ -9,7 +9,10 @@ let
]; ];
in in
{ {
imports = [ ../../common/optional/podman.nix ./nginx.nix ]; imports = [
../../common/optional/podman.nix
../../common/optional/services/nginx.nix
];
virtualisation.oci-containers.containers.whoogle-search = { virtualisation.oci-containers.containers.whoogle-search = {
image = "benbusby/whoogle-search"; image = "benbusby/whoogle-search";
@ -23,10 +26,8 @@ in
}; };
}; };
services.nginx.virtualHosts."search.moonythm.dev" = { services.nginx.virtualHosts."search.moonythm.dev" = config.satellite.proxy port;
enableACME = true; environment.persistence."/persist/state".directories = [
acmeRoot = null; "/var/lib/acme"
forceSSL = true; ];
locations."/".proxyPass = "http://127.0.0.1:${toString port}";
};
} }

2
modules/nixos/default.nix
View file

@ -2,4 +2,6 @@
{ {
# example = import ./example.nix; # example = import ./example.nix;
nginx = import ./nginx.nix;
pounce = import ./pounce.nix;
} }

13
modules/nixos/nginx.nix Normal file
View file

@ -0,0 +1,13 @@
{ lib, ... }: {
options.satellite.proxy = {
type = lib.types.functionTo lib.types.anything;
description = "Helper function for generating a quick proxy config";
};
config.satellite.proxy = port: {
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${toString port}";
};
}

192
modules/nixos/pounce.nix Normal file
View file

@ -0,0 +1,192 @@
# Taken from https://git.tempest.dev/ashe/nixos-wrapper-pounce/src/branch/main/flake.nix
# I have removed a lot of the things I didn't need, and modified a few things to fit
# my preferences (specifically, simplified the cert situation)
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.pounce;
pkg = pkgs.pounce;
defaultUser = "pounce";
# {{{ systemd hardening flags
hardeningFlags = {
CapabilityBoundingSet = [ "" ];
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
};
# }}}
in
{
# {{{ Options
options.services.pounce = {
# {{{ general options
enable = mkEnableOption
(lib.mdDoc "the Pounce IRC bouncer and Calico dispatcher");
user = mkOption {
type = types.str;
default = defaultUser;
description = lib.mdDoc ''
User account under which Pounce runs. If not specified, a default user
will be created.
'';
};
dataDir = mkOption {
type = types.str;
default = "/run/pounce";
description = lib.mdDoc ''
Directory where each Pounce instance's UNIX-domain socket is stored for
Calico to route to.
'';
};
externalHost = mkOption {
type = types.str;
example = "example.org";
description = lib.mdDoc ''
Base domain name Calico will be accessible at. Each instance
will be at a subdomain of this.
'';
};
bindHost = mkOption {
type = types.str;
default = "localhost";
description = lib.mdDoc ''
The IP or host for Calico to bind to.
'';
};
port = mkOption {
type = types.port;
default = 6697;
description = lib.mdDoc "Port for Calico to listen on.";
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Open port in the firewall for Calico.";
};
timeout = mkOption {
type = types.ints.positive;
default = 1000;
description = lib.mdDoc ''
Timeout parameter (in milliseconds) for Calico to close a connection
if no `ClientHello` message is sent.
'';
};
certDir = mkOption {
type = types.str;
example = "/var/lib/acme/wildcard-irc.exmaple.com";
description = lib.mdDoc ''
Directory where each Pounce instance's TLS certificates and private
keys are stored. The folder must contain wildcard certs as generated by acme.
'';
};
# }}}
# {{{ networks
networks = mkOption {
type = types.attrsOf (types.submodule {
options = {
config = mkOption {
type = types.path;
description = lib.mdDoc ''
Location to load pounce configuration from
'';
};
};
});
default = { };
description = lib.mdDoc "Attribute set of IRC networks to connect to.";
};
};
# }}}
# }}}
# {{{ config
config = mkIf cfg.enable {
systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0700 ${cfg.user} ${cfg.user} -" ];
systemd.services = mkMerge (
# {{{ calico service
[
{
calico = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
description = "Calico dispatcher for Pounce IRC bouncer.";
serviceConfig = {
User = cfg.user;
Group = cfg.user;
ExecStart = ''
${pkg}/bin/calico \
-H ${cfg.bindHost} -P ${toString cfg.port} \
-t ${toString cfg.timeout} ${cfg.dataDir}
'';
Restart = "on-failure";
} // hardeningFlags;
};
}
] ++
# }}}
# {{{ pounce service
(mapAttrsToList
(name: value: mkMerge [
{
"pounce-${name}" = {
wantedBy = [ "calico.service" ];
after = [ "network.target" ];
before = [ "calico.service" ];
description = "Pounce IRC bouncer for the ${name} network.";
serviceConfig = {
User = cfg.user;
Group = cfg.user;
ExecStart = ''
${pkg}/bin/pounce \
-C ${cfg.certDir}/fullchain.pem \
-K ${cfg.certDir}/key.pem \
-U ${cfg.dataDir} -H ${name}.${cfg.externalHost} \
${value.config}
'';
Restart = "on-failure";
} // hardeningFlags;
};
}
])
cfg.networks)
# }}}
);
users = optionalAttrs (cfg.user == defaultUser) {
users.${defaultUser} = {
group = defaultUser;
isSystemUser = true;
};
groups.${defaultUser} = { };
};
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
};
# }}}
}