Diffstat (limited to 'system/services')
-rw-r--r--system/services/acme/default.nix38
-rw-r--r--system/services/acme/domains.nixbin130 -> 0 bytes
-rw-r--r--system/services/default.nix8
-rw-r--r--system/services/fail2ban/default.nix3
-rw-r--r--system/services/git-sync/default.nix104
-rw-r--r--system/services/keycloak/default.nix2
-rw-r--r--system/services/mail/default.nix41
-rw-r--r--system/services/mail/users.nixbin0 -> 486 bytes
-rw-r--r--system/services/matrix/default.nix1
-rw-r--r--system/services/minecraft/default.nix2
-rw-r--r--system/services/nginx/default.nix8
-rw-r--r--system/services/nginx/hosts.nixbin630 -> 976 bytes
-rw-r--r--system/services/nix-sync/default.nix262
-rw-r--r--system/services/openssh/default.nix17
-rw-r--r--system/services/opensshd/default.nix13
15 files changed, 335 insertions, 164 deletions
diff --git a/system/services/acme/default.nix b/system/services/acme/default.nix
deleted file mode 100644
index 0a0c4ce..0000000
--- a/system/services/acme/default.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{lib, ...}: let
- domains = import ./domains.nix {};
-
- virtualHosts = builtins.listToAttrs (
- builtins.map (domain_name: {
- name = "acmechallenge.${domain_name}";
- value = {
- serverAliases = ["*.${domain_name}"];
- locations."/.well-known/acme-challenge" = {
- root = "/var/lib/acme/.challenges";
- };
- locations."/" = {
- return = "301 https://$host$request_uri";
- };
- };
- })
- domains
- );
- certs = lib.attrsets.genAttrs domains (
- domain_name: {
- webroot = "/var/lib/acme/.challenges";
- group = "nginx";
- }
- );
-in {
- users.users.nginx.extraGroups = ["acme"];
-
- services.nginx = {
- enable = true;
- inherit virtualHosts;
- };
-
- security.acme = {
- acceptTerms = true;
- defaults.email = "admin@vhack.eu";
- inherit certs;
- };
-}
diff --git a/system/services/acme/domains.nix b/system/services/acme/domains.nix
deleted file mode 100644
index 8f0930d..0000000
--- a/system/services/acme/domains.nix
+++ /dev/null
Binary files differ
diff --git a/system/services/default.nix b/system/services/default.nix
index 19a531f..7bf26c3 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,14 +1,14 @@
{...}: {
imports = [
- ./acme
+ ./fail2ban
./keycloak
+ ./mail
./matrix
./minecraft
./nginx
./nix
- ./opensshd
+ ./nix-sync
+ ./openssh
./rust-motd
- ./fail2ban
- ./git-sync
];
}
diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix
index 5aee097..43fd674 100644
--- a/system/services/fail2ban/default.nix
+++ b/system/services/fail2ban/default.nix
@@ -1,4 +1,3 @@
-# vim: ts=2
{...}: {
services.fail2ban = {
enable = true;
@@ -8,7 +7,7 @@
logtarget = SYSLOG
socket = /run/fail2ban/fail2ban.sock
pidfile = /run/fail2ban/fail2ban.pid
- dbfile = /srv/fail2ban/fail2ban.sqlite3
+ dbfile = /var/lib/fail2ban/db.sqlite3
'';
bantime-increment = {
enable = true;
diff --git a/system/services/git-sync/default.nix b/system/services/git-sync/default.nix
deleted file mode 100644
index 776ca60..0000000
--- a/system/services/git-sync/default.nix
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
-Taken from:
-https://github.com/nix-community/home-manager/blob/9ba7b3990eb1f4782ea3f5fe7ac4f3c88dd7a32c/modules/services/git-sync.nix
-*/
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.services.git-sync;
-
- mkUnit = name: repo: {
- Unit.Description = "Git Sync ${name}";
-
- Install.WantedBy = ["default.target"];
-
- Service = {
- Environment = [
- "PATH=${lib.makeBinPath (with pkgs; [openssh git])}"
- "GIT_SYNC_DIRECTORY=${repo.path}"
- "GIT_SYNC_COMMAND=${cfg.package}/bin/git-sync"
- "GIT_SYNC_REPOSITORY=${repo.uri}"
- "GIT_SYNC_INTERVAL=${toString repo.interval}"
- ];
- ExecStart = "${cfg.package}/bin/git-sync-on-inotify";
- Restart = "on-abort";
- };
- };
-
- services =
- lib.mapAttrs' (name: repo: {
- name = "git-sync-${name}";
- value = mkUnit name repo;
- })
- cfg.repositories;
-
- repositoryType = lib.types.submodule ({name, ...}: {
- options = {
- name = lib.mkOption {
- internal = true;
- default = name;
- type = lib.types.str;
- description = "The name that should be given to this unit.";
- };
-
- path = lib.mkOption {
- type = lib.types.path;
- description = "The path at which to sync the repository";
- };
-
- uri = lib.mkOption {
- type = lib.types.str;
- example = "git+ssh://user@example.com:/~[user]/path/to/repo.git";
- description = ''
- The URI of the remote to be synchronized. This is only used in the
- event that the directory does not already exist. See
- <link xlink:href="https://git-scm.com/docs/git-clone#_git_urls"/>
- for the supported URIs.
- '';
- };
-
- interval = lib.mkOption {
- type = lib.types.int;
- default = 500;
- description = ''
- The interval, specified in seconds, at which the synchronization will
- be triggered even without filesystem changes.
- '';
- };
- };
- });
-in {
- options = {
- services.git-sync = {
- enable = lib.mkEnableOption "git-sync services";
-
- package = lib.mkOption {
- type = lib.types.package;
- default = pkgs.git-sync;
- defaultText = lib.literalExpression "pkgs.git-sync";
- description = ''
- Package containing the <command>git-sync</command> program.
- '';
- };
-
- repositories = lib.mkOption {
- type = with lib.types; attrsOf repositoryType;
- description = ''
- The repositories that should be synchronized.
- '';
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- assertions = [
- (lib.hm.assertions.assertPlatform "services.git-sync" pkgs
- lib.platforms.linux)
- ];
-
- systemd.user.services = services;
- };
-}
diff --git a/system/services/keycloak/default.nix b/system/services/keycloak/default.nix
index dfeabc3..5f21b90 100644
--- a/system/services/keycloak/default.nix
+++ b/system/services/keycloak/default.nix
@@ -31,7 +31,7 @@
createLocally = true;
username = "keycloak";
- passwordFile = "/srv/keycloak/password";
+ passwordFile = "${config.age.secrets.keycloak.path}";
};
settings = {
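Review bot: The string interpolation around the new value is redundant; `passwordFile = config.age.secrets.keycloak.path;` is the idiomatic form and gives a clearer type error if the secret is ever undefined. The module's argument list is outside the hunk, so I cannot confirm `config` is bound in this file. The keycloak service reads this file at start-up under its own service user rather than as root, so the agenix secret's owner/mode must permit that; the secret definition is not in this diff and is worth checking alongside this change.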
diff --git a/system/services/mail/default.nix b/system/services/mail/default.nix
new file mode 100644
index 0000000..382a87f
--- /dev/null
+++ b/system/services/mail/default.nix
@@ -0,0 +1,41 @@
+{lib, ...}: let
+ all_admins = [
+ "sils@vhack.eu"
+ "soispha@vhack.eu"
+ "nightingale@vhack.eu"
+ ];
+ users = import ./users.nix {};
+in {
+ mailserver =
+ lib.recursiveUpdate {
+ enable = true;
+ fqdn = "server1.vhack.eu";
+
+ useFsLayout = true;
+
+ extraVirtualAliases = {
+ "abuse@vhack.eu" = all_admins;
+ "postmaster@vhack.eu" = all_admins;
+ "admin@vhack.eu" = all_admins;
+ };
+
+ mailDirectory = "/var/lib/mail/vmail";
+ dkimKeyDirectory = "/var/lib/mail/dkim";
+ sieveDirectory = "/var/lib/mail/sieve";
+ backup.snapshotRoot = "/var/lib/mail/backup";
+
+ enableImap = false;
+ enableImapSsl = true;
+ enablePop3 = false;
+ enablePop3Ssl = true;
+ # SMTP
+ enableSubmission = false;
+ enableSubmissionSsl = true;
+ openFirewall = true;
+
+ keyFile = "/var/lib/acme/server1.vhack.eu/key.pem";
+ certificateScheme = "acme";
+ certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem";
+ }
+ users;
+}
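Review bot: `certificateScheme = "acme"` is combined with explicit `keyFile`/`certificateFile` under `/var/lib/acme/server1.vhack.eu/`, but if I remember simple-nixos-mailserver correctly those two paths are only consulted by the manual scheme, so they are dead configuration here and will silently diverge from whatever the ACME-managed certificate actually uses; either drop them or switch to `certificateScheme = "manual"` deliberately. `users.nix` arrives as a binary blob and is merged last via `lib.recursiveUpdate`, so any mailserver option it overrides (including credentials) cannot be reviewed from this diff; a one-line comment above `users = import ./users.nix {};` stating what keys that file is expected to contribute would help the next reader.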
diff --git a/system/services/mail/users.nix b/system/services/mail/users.nix
new file mode 100644
index 0000000..f3264a1
--- /dev/null
+++ b/system/services/mail/users.nix
Binary files differ
diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix
index d49fda2..e35c129 100644
--- a/system/services/matrix/default.nix
+++ b/system/services/matrix/default.nix
@@ -55,7 +55,6 @@ in {
enable = true;
dataDir = "/srv/matrix/data";
configFile = "/srv/matrix";
- extraConfigFiles = ["/srv/matrix/oid/config.yaml"];
settings = {
media_store_path = "/srv/matrix/media_store";
server_name = "vhack.eu";
diff --git a/system/services/minecraft/default.nix b/system/services/minecraft/default.nix
index e69ffb1..e659af0 100644
--- a/system/services/minecraft/default.nix
+++ b/system/services/minecraft/default.nix
@@ -7,7 +7,7 @@
enable = true;
declarative = true;
eula = true;
- dataDir = "/srv/minecraft";
+ dataDir = "/var/lib/minecraft";
openFirewall = true;
jvmOpts = "-Xmx8192M -Xms8192M";
whitelist = {
diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix
index 6753fb0..404c167 100644
--- a/system/services/nginx/default.nix
+++ b/system/services/nginx/default.nix
@@ -2,6 +2,14 @@
imports = [
./hosts.nix
];
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "admin@vhack.eu";
+ webroot = "/var/lib/acme/acme-challenge";
+ };
+ };
+
networking.firewall = {
allowedTCPPorts = [80 443];
};
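Review bot: `defaults.webroot = "/var/lib/acme/acme-challenge"` only works if every certificate's domain serves `/.well-known/acme-challenge/` from that directory; the deleted `acme/default.nix` provided exactly that with its `acmechallenge.*` virtual hosts and by adding nginx to the `acme` group, and nothing in this hunk replaces it. `hosts.nix` is shown as a binary file, so I cannot tell whether the virtual hosts now handle it. If they use `enableACME`, the NixOS nginx module wires the challenge location itself and the explicit webroot is unnecessary; if they use `useACMEHost`, the challenge location and the group membership still need to be provided somewhere, and a comment here saying which is intended would save the next reader the same question.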
diff --git a/system/services/nginx/hosts.nix b/system/services/nginx/hosts.nix
index 684bb68..1590756 100644
--- a/system/services/nginx/hosts.nix
+++ b/system/services/nginx/hosts.nix
Binary files differ
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
new file mode 100644
index 0000000..44348c0
--- /dev/null
+++ b/system/services/nix-sync/default.nix
@@ -0,0 +1,262 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.nix-sync;
+
+ mkTimer = name: repo: {
+ description = "Nix sync ${name} timer";
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnActiveSec = repo.interval;
+ };
+ after = ["network-online.target"];
+ };
+
+ parents = path: let
+ split_path = builtins.split "/" path;
+ filename = builtins.elemAt split_path (builtins.length split_path - 1);
+ in
+ lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
+ esa = lib.strings.escapeShellArg;
+ mkUnit = name: repo: let
+ optionalPathSeparator =
+ if lib.strings.hasPrefix "/" repo.path
+ then ""
+ else "/";
+ repoCachePath = cfg.cachePath + optionalPathSeparator + repo.path;
+ execStartScript = pkgs.writeScript "nix-sync-exec" ''
+ #! /usr/bin/env dash
+ export XDG_CACHE_HOME="$CACHE_DIRECTORY";
+ cd ${esa repoCachePath};
+
+ git fetch
+ origin="$(git rev-parse @{u})";
+ branch="$(git rev-parse @)";
+
+ if ! [ "$origin" = "$branch" ]; then
+ git pull;
+
+ out_paths=$(mktemp);
+ nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
+ [ "$(wc -l < "$out_paths")" -gt 1 ] && (echo "To many out-paths"; exit 1)
+ out_path="$(cat "$out_paths")";
+ rm ${esa repo.path};
+ ln -s "$out_path" ${esa repo.path};
+ rm "$out_paths";
+ fi
+ '';
+ execStartPreScript = ''
+ export XDG_CACHE_HOME="$CACHE_DIRECTORY";
+
+ if ! [ -d ${esa repoCachePath}/.git ]; then
+ mkdir --parents ${esa repoCachePath};
+ git clone ${esa repo.uri} ${esa repoCachePath};
+
+ out_paths=$(mktemp);
+ nix build ${esa repoCachePath} --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
+ [ "$(wc -l < "$out_paths")" -gt 1 ] && (echo "To many out-paths"; exit 1)
+ out_path="$(cat "$out_paths")";
+ ln -s "$out_path" ${esa repo.path};
+ rm "$out_paths";
+ fi
+
+ if ! [ -L ${esa repo.path} ]; then
+ cd ${esa repoCachePath};
+
+ git pull;
+
+ out_paths=$(mktemp);
+ nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
+ [ "$(wc -l < "$out_paths")" -gt 1 ] && (echo "To many out-paths"; exit 1)
+ out_path="$(cat "$out_paths")";
+
+ [ -d ${esa repo.path} ] && rm -d ${esa repo.path};
+ [ -e ${esa repo.path} ] && rm ${esa repo.path};
+
+ ln -s "$out_path" ${esa repo.path};
+ rm "$out_paths";
+ fi
+ '';
+ in {
+ description = "Nix Sync ${name}";
+ wantedBy = ["default.target"];
+ after = ["network.target"];
+ path = with pkgs; [openssh git nix mktemp coreutils dash];
+ preStart = execStartPreScript;
+
+ serviceConfig = {
+ ExecStart = execStartScript;
+ Restart = "on-abort";
+ # User and group
+ User = cfg.user;
+ Group = cfg.group;
+ # Runtime directory and mode
+ RuntimeDirectory = "nix-sync";
+ RuntimeDirectoryMode = "0750";
+ # Cache directory and mode
+ CacheDirectory = "nix-sync";
+ CacheDirectoryMode = "0750";
+ # Logs directory and mode
+ LogsDirectory = "nix-sync";
+ LogsDirectoryMode = "0750";
+ # Proc filesystem
+ ProcSubset = "all";
+ ProtectProc = "invisible";
+ # New file permissions
+ UMask = "0027"; # 0640 / 0750
+ # Capabilities
+ AmbientCapabilities = ["CAP_CHOWN"];
+ CapabilityBoundingSet = ["CAP_CHOWN"];
+ # Security
+ NoNewPrivileges = true;
+ # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
+ ReadWritePaths = ["${esa (parents repo.path)}" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
+ ReadOnlyPaths = ["/nix"];
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ PrivateMounts = true;
+ # System Call Filtering
+ SystemCallArchitectures = "native";
+ SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"];
+ };
+ };
+
+ services =
+ lib.mapAttrs' (name: repo: {
+ name = "nix-sync-${name}";
+ value = mkUnit name repo;
+ })
+ cfg.repositories;
+ timers =
+ lib.mapAttrs' (name: repo: {
+ name = "nix-sync-${name}";
+ value = mkTimer name repo;
+ })
+ cfg.repositories;
+
+ # generate the websites directory, so systemd can mount it read write
+ generatedDirectories =
+ lib.mapAttrsToList (
+ _: repo: "d ${esa (parents repo.path)} 0755 ${cfg.user} ${cfg.group}"
+ )
+ cfg.repositories;
+
+ repositoryType = lib.types.submodule ({name, ...}: {
+ options = {
+ name = lib.mkOption {
+ internal = true;
+ default = name;
+ type = lib.types.str;
+ description = "The name that should be given to this unit.";
+ };
+
+ path = lib.mkOption {
+ type = lib.types.str;
+ description = "The path at which to sync the repository";
+ };
+
+ uri = lib.mkOption {
+ type = lib.types.str;
+ example = "ssh://user@example.com:/~[user]/path/to/repo.git";
+ description = ''
+ The URI of the remote to be synchronized. This is only used in the
+ event that the directory does not already exist. See
+ <link xlink:href="https://git-scm.com/docs/git-clone#_git_urls"/>
+ for the supported URIs.
+ '';
+ };
+
+ interval = lib.mkOption {
+ type = lib.types.int;
+ default = 500;
+ description = ''
+ The interval, specified in seconds, at which the synchronization will
+ be triggered.
+ '';
+ };
+ };
+ });
+in {
+ options = {
+ services.nix-sync = {
+ enable = lib.mkEnableOption "nix-sync services";
+
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = "nix-sync";
+ description = lib.mdDoc "User account under which nix-sync units runs.";
+ };
+
+ group = lib.mkOption {
+ type = lib.types.str;
+ default = "nix-sync";
+ description = lib.mdDoc "Group account under which nix-sync units runs.";
+ };
+
+ cachePath = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/lib/nix-sync";
+ description = lib.mdDoc ''
+ Where to cache git directories. Should not end with a slash ("/")
+ '';
+ };
+
+ repositories = lib.mkOption {
+ type = with lib.types; attrsOf repositoryType;
+ description = ''
+ The repositories that should be synchronized.
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = !lib.strings.hasSuffix "/" cfg.cachePath;
+ message = "Your cachePath ('${cfg.cachePath}') ends with a slash ('/'), please use: '${lib.strings.removeSuffix "/" cfg.cachePath}'.";
+ }
+ ];
+
+ systemd.tmpfiles.rules =
+ generatedDirectories;
+
+ systemd.services = services;
+ systemd.timers = timers;
+ users.users =
+ if cfg.user == "nix-sync"
+ then {
+ nix-sync = {
+ group = "${cfg.group}";
+ isSystemUser = true;
+ };
+ }
+ else lib.warnIf (cfg.user != "nix-sync") "The user (${cfg.user}) is not \"nix-sync\", thus you are responible for generating it.";
+ users.groups =
+ if cfg.group == "nix-sync"
+ then {
+ nix-sync = {
+ members = ["${cfg.user}"];
+ };
+ }
+ else lib.warnIf (cfg.group != "nix-sync") "The group (${cfg.group}) is not \"nix-sync\", thus you are responible for generating it.";
+ };
+}
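Review bot: `users.users` and `users.groups` near the end of the hunk are assigned `lib.warnIf cond msg` without the trailing value, so when `cfg.user` or `cfg.group` is not `nix-sync` the option receives a partially applied function instead of an attrset and evaluation fails; append `{}` after the message (the message also misspells "responsible"). In the three `nix build` checks the guard `&& (echo "To many out-paths"; exit 1)` only exits the subshell, so a multi-output build continues into `ln -s` with a multi-line `$out_path`; an `if`/`exit` as below aborts the script. The timer's `OnActiveSec = repo.interval` fires once after the timer unit starts rather than every `interval` seconds, which is what the option description promises; `OnUnitActiveSec` gives the periodic behaviour. `parents` could simply be `builtins.dirOf`, which does not strip every occurrence of the basename the way `replaceStrings` does when the final component repeats earlier in the path.
```nix
  mkTimer = name: repo: {
    # … unchanged: description, wantedBy, after …
    timerConfig = {
      # OnActiveSec alone fires once; OnUnitActiveSec re-arms after each run
      OnActiveSec = repo.interval;
      OnUnitActiveSec = repo.interval;
    };
  };

  parents = builtins.dirOf;
  # … unchanged: esa, repoCachePath, script header, fetch/rev-parse …
      nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
      if [ "$(wc -l < "$out_paths")" -gt 1 ]; then
        echo "Too many out-paths";
        exit 1;
      fi
  # … unchanged: symlink swap, cleanup; same check repeated twice in execStartPreScript …
  # … unchanged: unit definition, options, assertions, tmpfiles, services, timers …
    users.users =
      if cfg.user == "nix-sync"
      then { nix-sync = { group = cfg.group; isSystemUser = true; }; }
      else lib.warnIf (cfg.user != "nix-sync") "The user (${cfg.user}) is not \"nix-sync\", thus you are responsible for generating it." {};
    users.groups =
      if cfg.group == "nix-sync"
      then { nix-sync = { members = [cfg.user]; }; }
      else lib.warnIf (cfg.group != "nix-sync") "The group (${cfg.group}) is not \"nix-sync\", thus you are responsible for generating it." {};
```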
diff --git a/system/services/openssh/default.nix b/system/services/openssh/default.nix
new file mode 100644
index 0000000..46b7ffd
--- /dev/null
+++ b/system/services/openssh/default.nix
@@ -0,0 +1,17 @@
+{...}: {
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ hostKeys = [
+ {
+ # See the explanation for this in /system/impermanence/mods/openssh.nix
+ # path = "/var/lib/sshd/ssh_host_ed25519_key";
+
+ # FIXME: Remove this workaround
+ path = "/srv/var/lib/sshd/ssh_host_ed25519_key";
+ rounds = 1000;
+ type = "ed25519";
+ }
+ ];
+ };
+}
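Review bot: `settings.PasswordAuthentication = false` on its own does not rule out password logins: with the NixOS default of `KbdInteractiveAuthentication = true` and PAM enabled, sshd still accepts password-style keyboard-interactive authentication, so add `settings.KbdInteractiveAuthentication = false;` beside it unless that is already set in a module outside this diff. The `FIXME` above the `/srv/var/lib/sshd/...` host-key path would be more useful if it said what the workaround is waiting on, since the referenced `/system/impermanence/mods/openssh.nix` is not part of this change and the reader cannot see the explanation it points to.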
diff --git a/system/services/opensshd/default.nix b/system/services/opensshd/default.nix
deleted file mode 100644
index 1bb37ee..0000000
--- a/system/services/opensshd/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{...}: {
- services.openssh = {
- enable = true;
- settings.PasswordAuthentication = false;
- hostKeys = [
- {
- path = "/srv/sshd/ssh_host_ed25519_key";
- rounds = 1000;
- type = "ed25519";
- }
- ];
- };
-}