From 5a0cb28f369c104bb371974df876c8c705b0ee7e Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:21:45 +0100 Subject: Refactor: Use better file layout --- system/default.nix | 9 ++-- system/file_system_layouts/default.nix | 45 +++++++++++++++++++ system/hardware/default.nix | 9 ++++ system/mail/default.nix | 27 ++++++++++++ system/packages/default.nix | 9 ++++ system/services/acme/default.nix | 30 +++++++++++++ system/services/default.nix | 9 ++++ system/services/minecraft/default.nix | 26 +++++++++++ system/services/nginx/default.nix | 15 +++++++ system/services/nix/default.nix | 18 ++++++++ system/services/opensshd/default.nix | 18 ++++++++ system/services/rust-motd/default.nix | 79 ++++++++++++++++++++++++++++++++++ system/system/fileSystemLayouts.nix | 45 ------------------- system/system/hardware.nix | 9 ---- system/system/packages.nix | 9 ---- system/system/users.nix | 59 ------------------------- system/users/default.nix | 59 +++++++++++++++++++++++++ 17 files changed, 349 insertions(+), 126 deletions(-) create mode 100644 system/file_system_layouts/default.nix create mode 100644 system/hardware/default.nix create mode 100644 system/mail/default.nix create mode 100644 system/packages/default.nix create mode 100644 system/services/acme/default.nix create mode 100644 system/services/default.nix create mode 100644 system/services/minecraft/default.nix create mode 100644 system/services/nginx/default.nix create mode 100644 system/services/nix/default.nix create mode 100644 system/services/opensshd/default.nix create mode 100644 system/services/rust-motd/default.nix delete mode 100644 system/system/fileSystemLayouts.nix delete mode 100644 system/system/hardware.nix delete mode 100644 system/system/packages.nix delete mode 100644 system/system/users.nix create mode 100644 system/users/default.nix (limited to 'system') diff --git a/system/default.nix b/system/default.nix index 2af4982..9aa5d9e 100644 --- a/system/default.nix +++ b/system/default.nix 
@@ -1,8 +1,9 @@ {config, ...}: { imports = [ - ./system/fileSystemLayouts.nix - ./system/hardware.nix - ./system/packages.nix - ./system/users.nix + ./file_system_layouts + ./hardware + ./packages + ./services + ./users ]; } diff --git a/system/file_system_layouts/default.nix b/system/file_system_layouts/default.nix new file mode 100644 index 0000000..9d03a05 --- /dev/null +++ b/system/file_system_layouts/default.nix @@ -0,0 +1,45 @@ +{ + modulesPath, + config, + lib, + ... +}: +with lib; let + cfg = config.system.fileSystemLayouts; +in { + options.system.fileSystemLayouts = { + mainDisk = mkOption { + type = lib.types.path; + example = literalExpression "/dev/disk/by-uuid/0442cb6d-f13a-4635-b487-fa76189774c5"; + description = lib.mdDoc "Path to the main disk"; + }; + }; + config = { + fileSystems = { + "/" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["defaults" "size=2G" "mode=755"]; + }; + "/nix" = { + device = cfg.mainDisk; + fsType = "btrfs"; + options = ["subvol=nix" "compress-force=zstd"]; + }; + "/srv" = { + device = cfg.mainDisk; + fsType = "btrfs"; + options = ["subvol=storage" "compress-force=zstd"]; + }; + "/boot" = { + device = cfg.mainDisk; + options = ["subvol=boot" "compress-force=zstd"]; + }; + + "/etc/nixos" = { + device = "/srv/nix-config"; + options = ["bind"]; + }; + }; + }; +} diff --git a/system/hardware/default.nix b/system/hardware/default.nix new file mode 100644 index 0000000..c4c7dc9 --- /dev/null +++ b/system/hardware/default.nix @@ -0,0 +1,9 @@ +{modulesPath, ...}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + (modulesPath + "/profiles/headless.nix") + ]; + boot.loader.grub.device = "/dev/vda"; + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; + boot.initrd.kernelModules = ["nvme" "btrfs"]; +} diff --git a/system/mail/default.nix b/system/mail/default.nix new file mode 100644 index 0000000..b09f8f1 --- /dev/null +++ b/system/mail/default.nix 
@@ -0,0 +1,27 @@ +# vim: ts=2 +{...}: { + enable = true; + fqdn = "server1.vhack.eu"; + domains = ["vhack.eu"]; + + mailDirectory = "/srv/mail/vmail"; + dkimKeyDirectory = "/srv/mail/dkim"; + backup.snapshotRoot = "/srv/mail/backup"; + + loginAccounts = { + "sils@vhack.eu" = { + hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd"; + }; + }; + + extraVirtualAliases = { + "abuse@vhack.eu" = ["sils@vhack.eu"]; + "postmaster@vhack.eu" = ["sils@vhack.eu"]; + "admin@vhack.eu" = ["sils@vhack.eu"]; + }; + + sieveDirectory = "/srv/mail/sieve"; + keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; + certificateScheme = 1; + certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; +} diff --git a/system/packages/default.nix b/system/packages/default.nix new file mode 100644 index 0000000..4d33c6e --- /dev/null +++ b/system/packages/default.nix @@ -0,0 +1,9 @@ +{pkgs, ...}: { + environment.systemPackages = with pkgs; [ + jre_minimal + git + zsh + neovim + btrfs-progs + ]; +} diff --git a/system/services/acme/default.nix b/system/services/acme/default.nix new file mode 100644 index 0000000..a163e77 --- /dev/null +++ b/system/services/acme/default.nix @@ -0,0 +1,30 @@ +{...}: { + users.users.nginx.extraGroups = ["acme"]; + + services.nginx = { + enable = true; + virtualHosts = { + "acmechallenge.vhack.eu" = { + serverAliases = ["*.vhack.eu"]; + locations."/.well-known/acme-challenge" = { + root = "/var/lib/acme/.challenges"; + }; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "admin@vhack.eu"; + certs = { + "server1.vhack.eu" = { + webroot = "/var/lib/acme/.challenges"; + group = "nginx"; + extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"]; + }; + }; + }; +} diff --git a/system/services/default.nix b/system/services/default.nix new file mode 100644 index 0000000..acf20f5 --- /dev/null +++ b/system/services/default.nix 
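Review bot: `keyFile` and `certificateFile` at the end of the mail hunk point under `/var/lib/acme/server1.vhack.eu/`, which sits on the tmpfs root declared in the file_system_layouts hunk of this same commit, so the ACME account key and the issued certificate are gone after every reboot and get re-requested each time. A bind mount onto the btrfs storage, in the style of the `/etc/nixos` entry, would keep the state and keep issuance inside the CA's rate limits. With `certificateScheme = 1` the mail daemons read that key directly, while the acme hunk only makes it readable for the `nginx` group; whether dovecot and postfix can open it that way is not visible here and should be confirmed.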
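Review bot: The catch-all `acmechallenge.vhack.eu` vhost answers with `return = "301 https://$host$request_uri";`, and `$host` is taken from the client's Host header; since this is alphabetically the first vhost it is presumably nginx's default server for unmatched names, so a request carrying an unrelated Host value is redirected to whatever that value is. A dedicated vhost with `default = true;` that returns a fixed response would keep the wildcard redirect from reflecting client input into the Location header. `users.users.nginx.extraGroups = ["acme"];` also looks redundant next to `group = "nginx";` on the cert, which already grants nginx read access to it.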
@@ -0,0 +1,9 @@ +{config, ...}: { + imports = [ + ./acme + ./nginx + ./nix + ./opensshd + ./rust-motd + ]; +} diff --git a/system/services/minecraft/default.nix b/system/services/minecraft/default.nix new file mode 100644 index 0000000..754c974 --- /dev/null +++ b/system/services/minecraft/default.nix @@ -0,0 +1,26 @@ +{ + config, + pkgs, + ... +}: { + users = { + groups.minecraft = {}; + users.minecraft = { + isSystemUser = true; + group = "minecraft"; + }; + }; + systemd.services.minecraft = { + wantedBy = ["multi-user.target"]; + after = "network.target"; + description = "Minecraft Server"; + serviceConfig = { + WorkingDirectory = "/srv/minecraft"; + User = "minecraft"; + Group = "minecraft"; + Restart = "always"; + ExecStart = "${pkgs.openjdk}/bin/java -Xms10G -Xmx10G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true -jar paper.jar --nogui"; + SyslogIdentifier = "minecraft-server"; + }; + }; +} diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix new file mode 100644 index 0000000..204783b --- /dev/null +++ b/system/services/nginx/default.nix @@ -0,0 +1,15 @@ +{...}: { + networking.firewall = { + allowedTCPPorts = [80 443]; + }; + services.nginx = { + enable = true; + virtualHosts = { + "vhack.eu" = { + forceSSL = true; + enableACME = true; + root = "/srv/www/vhack.eu"; + }; + }; + }; +} diff --git a/system/services/nix/default.nix b/system/services/nix/default.nix new file mode 100644 index 0000000..bd562ec --- /dev/null 
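Review bot: `after = "network.target";` in the minecraft service is a bare string, but `systemd.services.<name>.after` is a list of strings, so the module should fail to evaluate as soon as it is imported; the fix is `after = ["network.target"];`. The unit runs a long-lived, network-facing Java process with no sandboxing at all, so at a minimum `NoNewPrivileges = true;` and `ProtectSystem = "strict";` with `ReadWritePaths = ["/srv/minecraft"];` belong in `serviceConfig`. The hard-coded `-Xms10G -Xmx10G` heap is a per-host value and sits oddly in a module under `system/`.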
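Review bot: The nginx hunk enables `forceSSL` and `enableACME` for `vhack.eu` but sets none of the module's TLS hardening toggles, so nginx runs with its built-in protocol and cipher defaults; adding `recommendedTlsSettings = true;` to the `services.nginx` block applies the module's curated TLS configuration. Note that the acme hunk of this commit also defines `services.nginx.virtualHosts`, so the two files are merged and should be read together when reasoning about which vhost handles a given name.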
+++ b/system/services/nix/default.nix @@ -0,0 +1,18 @@ +{ + config, + lib, + pkgs, + ... +}: { + nix = { + # gc = { + # automatic = true; + # dates = "daily"; + # options = "--delete-older-than 3"; + # }; + settings = { + auto-optimise-store = true; + experimental-features = ["nix-command" "flakes"]; + }; + }; +} diff --git a/system/services/opensshd/default.nix b/system/services/opensshd/default.nix new file mode 100644 index 0000000..cb9f2ba --- /dev/null +++ b/system/services/opensshd/default.nix @@ -0,0 +1,18 @@ +{ + config, + pkg, + ... +}: { + services.openssh = { + enable = true; + passwordAuthentication = false; + hostKeys = [ + { + comment = "key comment"; + path = "/srv/sshd/ssh_host_ed25519_key"; + rounds = 1000; + type = "ed25519"; + } + ]; + }; +} diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix new file mode 100644 index 0000000..21bc1cd --- /dev/null +++ b/system/services/rust-motd/default.nix 
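Review bot: `passwordAuthentication = false;` in the opensshd hunk does not stop password logins on its own, because keyboard-interactive (PAM) authentication stays enabled by default and accepts the same passwords; add `kbdInteractiveAuthentication = false;` beside it. The function header takes `pkg` rather than `pkgs` and never uses it, which reads like a typo. `rounds = 1000;` on the host key only affects the passphrase-derived encryption of the private key, and host keys are generated without a passphrase, so as far as I can tell it has no effect.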
@@ -0,0 +1,79 @@ +{ + config, + pkgs, + ... +}: { + programs.rust-motd = { + enable = true; + enableMotdInSSHD = true; + refreshInterval = "*:0/5"; # 0/5 means: hour 0 AND all hour wich match (0 + 5 * x) (is the same as: 0, 5, 10, 15, 20) + settings = { + global = { + progress_full_character = "="; + progress_empty_character = "-"; + progress_prefix = "["; + progress_suffix = "]"; + time_format = "%Y-%m-%d %H:%M:%S"; + }; + + banner = { + color = "red"; + command = "${pkgs.hostname}/bin/hostname | ${pkgs.figlet}/bin/figlet -f slant"; + # if you don't want a dependency on figlet, you can generate your + # banner however you want, put it in a file, and then use something like: + # command = "cat banner.txt" + }; + + # [weather] + # url = "https://wttr.in/New+York,New+York?0" + # proxy = "http://proxy:8080" + + # [service_status] + # Accounts = "accounts-daemon" + # Cron = "cron" + + # [docker_status] + # Local containers MUST start with a slash + # https://github.com/moby/moby/issues/6705 + #"/nextcloud-nextcloud-1" = "Nextcloud" + #"/nextcloud-nextcloud-mariadb-1" = "Nextcloud Database" + + uptime = { + prefix = "Uptime:"; + }; + + # [user_service_status] + # gpg-agent = "gpg-agent" + + #s_s_l_certs = { + # sort_method = "manual" + # + # certs = { + # CertName1 = "/path/to/cert1.pem" + # CertName2 = "/path/to/cert2.pem" + # } + #}; + + filesystems = { + root = "/"; + }; + + memory = { + swap_pos = "beside"; # or "below" or "none" + }; + + fail2_ban = { + jails = ["sshd"]; #, "anotherjail"] + }; + + last_login = { + sils = 2; + soispha = 2; + nightingale = 2; + }; + + last_run = { + }; + }; + }; +} diff --git a/system/system/fileSystemLayouts.nix b/system/system/fileSystemLayouts.nix deleted file mode 100644 index 9d03a05..0000000 --- a/system/system/fileSystemLayouts.nix +++ /dev/null 
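Review bot: `fail2_ban = { jails = ["sshd"]; };` makes rust-motd query fail2ban, but nothing in this commit enables `services.fail2ban` or provides its client, so that section will presumably just error at each refresh until fail2ban exists. `enableMotdInSSHD = true` combined with the `last_login` section shows recent login sources to every user who can authenticate, which is acceptable on an admin-only box but worth recording with a comment such as `# login history is shown to every SSH user` next to `last_login`.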
@@ -1,45 +0,0 @@ -{ - modulesPath, - config, - lib, - ... -}: -with lib; let - cfg = config.system.fileSystemLayouts; -in { - options.system.fileSystemLayouts = { - mainDisk = mkOption { - type = lib.types.path; - example = literalExpression "/dev/disk/by-uuid/0442cb6d-f13a-4635-b487-fa76189774c5"; - description = lib.mdDoc "Path to the main disk"; - }; - }; - config = { - fileSystems = { - "/" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["defaults" "size=2G" "mode=755"]; - }; - "/nix" = { - device = cfg.mainDisk; - fsType = "btrfs"; - options = ["subvol=nix" "compress-force=zstd"]; - }; - "/srv" = { - device = cfg.mainDisk; - fsType = "btrfs"; - options = ["subvol=storage" "compress-force=zstd"]; - }; - "/boot" = { - device = cfg.mainDisk; - options = ["subvol=boot" "compress-force=zstd"]; - }; - - "/etc/nixos" = { - device = "/srv/nix-config"; - options = ["bind"]; - }; - }; - }; -} diff --git a/system/system/hardware.nix b/system/system/hardware.nix deleted file mode 100644 index c4c7dc9..0000000 --- a/system/system/hardware.nix +++ /dev/null @@ -1,9 +0,0 @@ -{modulesPath, ...}: { - imports = [ - (modulesPath + "/profiles/qemu-guest.nix") - (modulesPath + "/profiles/headless.nix") - ]; - boot.loader.grub.device = "/dev/vda"; - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; - boot.initrd.kernelModules = ["nvme" "btrfs"]; -} diff --git a/system/system/packages.nix b/system/system/packages.nix deleted file mode 100644 index 4d33c6e..0000000 --- a/system/system/packages.nix +++ /dev/null @@ -1,9 +0,0 @@ -{pkgs, ...}: { - environment.systemPackages = with pkgs; [ - jre_minimal - git - zsh - neovim - btrfs-progs - ]; -} diff --git a/system/system/users.nix b/system/system/users.nix deleted file mode 100644 index 34e1648..0000000 --- a/system/system/users.nix +++ /dev/null 
@@ -1,59 +0,0 @@ -{pkgs, ...}: { - users.mutableUsers = false; - users.defaultUserShell = pkgs.zsh; - - users.users = { - root = { - #uid = 0; - #initialHashedPassword = null; # to lock root - # Backup, if something happens. TODO remove this later - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" - ]; - }; - - sils = { - name = "sils"; - isNormalUser = true; - home = "/srv/home/sils"; - initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE - uid = 1000; - extraGroups = [ - "wheel" - ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" - ]; - }; - - soispha = { - name = "soispha"; - isNormalUser = true; - home = "/srv/home/soispha"; - initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1"; - uid = 1001; - extraGroups = [ - "wheel" - ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" - ]; - }; - - nightingale = { - name = "nightingale"; - isNormalUser = true; - home = "/srv/home/nightingale"; - initialHashedPassword = null; # TODO CHANGE - uid = 1002; - extraGroups = [ - "wheel" - ]; - openssh.authorizedKeys.keys = [ - ]; - }; - }; -} -# vim: ts=2 - diff --git a/system/users/default.nix b/system/users/default.nix new file mode 100644 index 0000000..34e1648 --- /dev/null +++ b/system/users/default.nix 
@@ -0,0 +1,59 @@ +{pkgs, ...}: { + users.mutableUsers = false; + users.defaultUserShell = pkgs.zsh; + + users.users = { + root = { + #uid = 0; + #initialHashedPassword = null; # to lock root + # Backup, if something happens. TODO remove this later + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" + ]; + }; + + sils = { + name = "sils"; + isNormalUser = true; + home = "/srv/home/sils"; + initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE + uid = 1000; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" + ]; + }; + + soispha = { + name = "soispha"; + isNormalUser = true; + home = "/srv/home/soispha"; + initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1"; + uid = 1001; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" + ]; + }; + + nightingale = { + name = "nightingale"; + isNormalUser = true; + home = "/srv/home/nightingale"; + initialHashedPassword = null; # TODO CHANGE + uid = 1002; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + ]; + }; + }; +} +# vim: ts=2 + -- cgit 1.4.1 From f77f8848301bd0eaf742f177771554f6ce942bb9 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:27:54 +0100 Subject: Fix(system/mail): Disable protocols with STARTTLS This is inherently unsafe because it requires an unencrypted handshake. Considering that all protocols also work directly with TLS i.e., the encrypted variant, disabling this shouldn't be a drawback. --- system/mail/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'system') 
diff --git a/system/mail/default.nix b/system/mail/default.nix index b09f8f1..6fe82fd 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -4,6 +4,14 @@ fqdn = "server1.vhack.eu"; domains = ["vhack.eu"]; + enableImap = false; + enableImapSsl = true; + enablePop3 = false; + enablePop3Ssl = true; + # SMTP + enableSubmission = false; + enableSubmissionSsl = true; + mailDirectory = "/srv/mail/vmail"; dkimKeyDirectory = "/srv/mail/dkim"; backup.snapshotRoot = "/srv/mail/backup"; -- cgit 1.4.1 From 6ba9c1452144b327963c9f0ae57ec5662b4f6ec1 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:54:20 +0100 Subject: Fix(system/mail): Make extraVirtualAliases fairer --- system/mail/default.nix | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'system') diff --git a/system/mail/default.nix b/system/mail/default.nix index 6fe82fd..67531af 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -1,5 +1,11 @@ # vim: ts=2 -{...}: { +{...}: let + all_admins = [ + "sils@vhack.eu" + "soispha@vhack.eu" + "nightingale@vhack.eu" + ]; +in { enable = true; fqdn = "server1.vhack.eu"; domains = ["vhack.eu"]; @@ -23,9 +29,9 @@ }; extraVirtualAliases = { - "abuse@vhack.eu" = ["sils@vhack.eu"]; - "postmaster@vhack.eu" = ["sils@vhack.eu"]; - "admin@vhack.eu" = ["sils@vhack.eu"]; + "abuse@vhack.eu" = all_admins; + "postmaster@vhack.eu" = all_admins; + "admin@vhack.eu" = all_admins; }; sieveDirectory = "/srv/mail/sieve"; -- cgit 1.4.1 From dc4334de217175ad7d1c0a4e2e3f98b2fef51784 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:56:04 +0100 Subject: Fix(system/users): Remove unneeded root ssh login keys All users are in the wheel group, thus direct login as root is no longer needed. --- system/services/opensshd/default.nix | 1 - system/users/default.nix | 7 ++----- 2 files changed, 2 insertions(+), 6 deletions(-) (limited to 'system') 
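Review bot: `all_admins` routes abuse@, postmaster@ and admin@ to `soispha@vhack.eu` and `nightingale@vhack.eu`, but `loginAccounts` in this file only defines `sils@vhack.eu`, so those two recipients have no mailbox; whether the mailserver module rejects the alias at evaluation time or bounces at delivery is not visible here. Either add the two accounts in the same change or keep the list to accounts that exist. A comment on the let-binding, `# every entry must also exist in loginAccounts`, would keep the two from drifting apart again.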
diff --git a/system/services/opensshd/default.nix b/system/services/opensshd/default.nix index cb9f2ba..75c5aef 100644 --- a/system/services/opensshd/default.nix +++ b/system/services/opensshd/default.nix @@ -8,7 +8,6 @@ passwordAuthentication = false; hostKeys = [ { - comment = "key comment"; path = "/srv/sshd/ssh_host_ed25519_key"; rounds = 1000; type = "ed25519"; diff --git a/system/users/default.nix b/system/users/default.nix index 34e1648..3555221 100644 --- a/system/users/default.nix +++ b/system/users/default.nix @@ -5,11 +5,8 @@ users.users = { root = { #uid = 0; - #initialHashedPassword = null; # to lock root - # Backup, if something happens. TODO remove this later + initialHashedPassword = null; # to lock root openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" ]; }; @@ -17,7 +14,7 @@ name = "sils"; isNormalUser = true; home = "/srv/home/sils"; - initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE + initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; uid = 1000; extraGroups = [ "wheel" -- cgit 1.4.1 From 414ad162bc5ecdf71e3c5d674c18c6d65bd03a45 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 17:12:34 +0100 Subject: Fix(system/mail): Declare the password directly As outlined in commit 19f0808, placing a password hash in the world readable nix-store is perfectly safe as long as the hashing function is not reversible, which should be a necessity for a password hash. --- system/mail/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/mail/default.nix b/system/mail/default.nix index 67531af..2f58c03 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix 
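Review bot: Removing root's authorized keys in the users hunk does not by itself disable root login over SSH; the opensshd hunk of this commit only drops the key comment, and `permitRootLogin = "no";` is the natural companion now that the keys are gone. Uncommenting `initialHashedPassword = null; # to lock root` is, as far as I can tell, a no-op, since null is the option's default and with `users.mutableUsers = false` an account with no password option is locked anyway, so the comment claims an effect the line does not have. Dropping `# TODO CHANGE` from sils's hash is only right if the hash was actually rotated, and the value in the hunk is unchanged.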
@@ -24,7 +24,7 @@ in { loginAccounts = { "sils@vhack.eu" = { - hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd"; + hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm"; }; }; -- cgit 1.4.1 From a24dc7da41c18ef68ea32b27995c60c9494f579c Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 17:34:44 +0100 Subject: Feat(system/mail): Use '/' to separate mailboxes This is something that just makes the file system easier to traverse, but isn't really necessary. --- system/mail/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'system') diff --git a/system/mail/default.nix b/system/mail/default.nix index 2f58c03..98af119 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -17,6 +17,7 @@ in { # SMTP enableSubmission = false; enableSubmissionSsl = true; + useFsLayout = true; mailDirectory = "/srv/mail/vmail"; dkimKeyDirectory = "/srv/mail/dkim"; -- cgit 1.4.1 From d6fbe642e5762f1bd79dcfb0e68bf7df1c902d8d Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 17:22:46 +0100 Subject: Style(system/mail): Reorder options I just think this is easier to read. --- system/mail/default.nix | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) (limited to 'system') diff --git a/system/mail/default.nix b/system/mail/default.nix index 98af119..7a206f5 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -10,19 +10,8 @@ in { fqdn = "server1.vhack.eu"; domains = ["vhack.eu"]; - enableImap = false; - enableImapSsl = true; - enablePop3 = false; - enablePop3Ssl = true; - # SMTP - enableSubmission = false; - enableSubmissionSsl = true; useFsLayout = true; - mailDirectory = "/srv/mail/vmail"; - dkimKeyDirectory = "/srv/mail/dkim"; - backup.snapshotRoot = "/srv/mail/backup"; - loginAccounts = { "sils@vhack.eu" = { hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm"; 
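Review bot: Switching from `hashedPasswordFile` to an inline `hashedPassword` puts the bcrypt hash into the world-readable Nix store and into this repository, and the commit message's reasoning misses that a non-reversible hash is still exposed to offline guessing; the cost factor here is `$2b$05$`, i.e. 32 iterations, far below common bcrypt defaults, which makes such guessing cheap. Keeping `hashedPasswordFile` pointing at a root-only file outside the store, or at least regenerating the hash with cost 10 or higher, limits the impact of the hash being readable. If the inline form stays, a comment like `# world-readable via the nix store; keep the bcrypt cost high` beside it would record the trade-off.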
@@ -35,7 +24,21 @@ in { "admin@vhack.eu" = all_admins; }; + + mailDirectory = "/srv/mail/vmail"; + dkimKeyDirectory = "/srv/mail/dkim"; sieveDirectory = "/srv/mail/sieve"; + backup.snapshotRoot = "/srv/mail/backup"; + + + enableImap = false; + enableImapSsl = true; + enablePop3 = false; + enablePop3Ssl = true; + # SMTP + enableSubmission = false; + enableSubmissionSsl = true; + keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; certificateScheme = 1; certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; -- cgit 1.4.1 From f2ab8429778b5b5c422160da6a11c15af815b55c Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 17:52:49 +0100 Subject: Feat(system/mail): Add other users, so the admin thing works --- system/mail/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'system') diff --git a/system/mail/default.nix b/system/mail/default.nix index 7a206f5..8eaa53b 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -16,6 +16,12 @@ in { "sils@vhack.eu" = { hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm"; }; + "soispha@vhack.eu" = { + hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW"; + }; + "nightingale@vhack.eu" = { + hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"; # TODO change + }; }; extraVirtualAliases = { -- cgit 1.4.1 From 083a7cbb9623c90468c887203bf95adc5f2e3201 Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 17:43:26 +0100 Subject: Fix(system/mail): Only accept connections on safe ports It is sort of standard to ignore connections over the unencrypted port 25, thus we are doing the same. --- system/mail/default.nix | 4 ++-- system/services/default.nix | 2 ++ system/services/firewall/default.nix | 11 +++++++++++ 3 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 system/services/firewall/default.nix (limited to 'system') 
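Review bot: `hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"` ships a placeholder as the live credential of `nightingale@vhack.eu`; how dovecot handles a malformed bcrypt string is not visible here, so the account's login behaviour is undefined until a real hash is set. Leaving the account out of `loginAccounts` until the hash exists is safer than a sentinel value, and the same applies to the revert hunk later on this page that restores this line. Both new hashes also use cost `05`, as noted on the earlier hash.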
diff --git a/system/mail/default.nix b/system/mail/default.nix index 8eaa53b..7102958 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -30,13 +30,11 @@ in { "admin@vhack.eu" = all_admins; }; - mailDirectory = "/srv/mail/vmail"; dkimKeyDirectory = "/srv/mail/dkim"; sieveDirectory = "/srv/mail/sieve"; backup.snapshotRoot = "/srv/mail/backup"; - enableImap = false; enableImapSsl = true; enablePop3 = false; @@ -44,8 +42,10 @@ in { # SMTP enableSubmission = false; enableSubmissionSsl = true; + openFirewall = false; # handled below keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; certificateScheme = 1; certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; + } diff --git a/system/services/default.nix b/system/services/default.nix index acf20f5..4c39b8b 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -1,6 +1,8 @@ {config, ...}: { imports = [ ./acme + ./firewall + ./minecraft ./nginx ./nix ./opensshd diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix new file mode 100644 index 0000000..23dbcc4 --- /dev/null +++ b/system/services/firewall/default.nix @@ -0,0 +1,11 @@ +# vim: ts=2 +{...}: { + networking.firewall = { + allowedTCPPorts = [ + # for mail protocols: + 465 # SMTP SSL + 995 # POP3 SSL + 993 # IMAP SSL + ]; + }; +} -- cgit 1.4.1 From 055f4e0191bba4c0dc1000dd2089906119717883 Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 17:46:18 +0100 Subject: Fix(system/services/minecraft): Remove to make compile --- system/services/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/services/default.nix b/system/services/default.nix index 4c39b8b..f36cb29 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -2,7 +2,7 @@ imports = [ ./acme ./firewall - ./minecraft + #./minecraft ./nginx ./nix ./opensshd -- cgit 1.4.1 From 7881651fba877dd9a79c4c32422cd7305f0306b5 Mon Sep 17 00:00:00 2001 
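Review bot: With `openFirewall = false;` the firewall hunk opens only 465, 995 and 993, so port 25 stays closed; inbound mail from other MTAs is delivered exclusively over port 25, which means this host can no longer receive mail from the outside, and the commit message's view of port 25 as merely "unencrypted" does not hold for MX traffic, which uses opportunistic STARTTLS on that port. Keep `25 # SMTP (MX delivery)` in `allowedTCPPorts` and let the mail server's TLS policy, not the firewall, refuse plaintext authentication. The `# handled below` comment is also misleading because the ports are set in `system/services/firewall/default.nix`, not further down this file; `# ports are opened in services/firewall` would be accurate.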
From: ene Date: Sun, 19 Mar 2023 17:58:43 +0100 Subject: Fix(system/hardware): Use actually needed modules and UUID The old values did work, but these should just make things a bit clearer. --- hosts/server1/configuration.nix | 2 +- system/hardware/default.nix | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'system') diff --git a/hosts/server1/configuration.nix b/hosts/server1/configuration.nix index 694b6b4..ad3d8a3 100644 --- a/hosts/server1/configuration.nix +++ b/hosts/server1/configuration.nix @@ -10,7 +10,7 @@ networking.hostName = "server1"; networking.domain = "vhack.eu"; - system.fileSystemLayouts.mainDisk = "/dev/vda3"; + system.fileSystemLayouts.mainDisk = "/dev/disk/by-uuid/7d960eb9-9334-4aef-9f7c-9a908a91a6db"; system.stateVersion = "22.11"; } diff --git a/system/hardware/default.nix b/system/hardware/default.nix index c4c7dc9..9fabafe 100644 --- a/system/hardware/default.nix +++ b/system/hardware/default.nix @@ -4,6 +4,6 @@ (modulesPath + "/profiles/headless.nix") ]; boot.loader.grub.device = "/dev/vda"; - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; - boot.initrd.kernelModules = ["nvme" "btrfs"]; + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + boot.initrd.kernelModules = []; } -- cgit 1.4.1 From 0b55d0277cd341eed9532677036e885c0ae038ed Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 18:01:16 +0100 Subject: Refactor(system/hardware): Move hardware to host The hardware settings are (somewhat) host specific, and putting them in `system` just builds the wrong expectations. --- hosts/server1/configuration.nix | 1 + hosts/server1/hardware.nix | 9 +++++++++ system/default.nix | 1 - system/hardware/default.nix | 9 --------- 4 files changed, 10 insertions(+), 10 deletions(-) create mode 100644 hosts/server1/hardware.nix delete mode 100644 system/hardware/default.nix (limited to 'system') 
diff --git a/hosts/server1/configuration.nix b/hosts/server1/configuration.nix index ad3d8a3..891c5dc 100644 --- a/hosts/server1/configuration.nix +++ b/hosts/server1/configuration.nix @@ -1,6 +1,7 @@ {pkgs, ...}: { imports = [ ./networking.nix # network configuration that just works + ./hardware.nix ../../system ]; diff --git a/hosts/server1/hardware.nix b/hosts/server1/hardware.nix new file mode 100644 index 0000000..9fabafe --- /dev/null +++ b/hosts/server1/hardware.nix @@ -0,0 +1,9 @@ +{modulesPath, ...}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + (modulesPath + "/profiles/headless.nix") + ]; + boot.loader.grub.device = "/dev/vda"; + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + boot.initrd.kernelModules = []; +} diff --git a/system/default.nix b/system/default.nix index 9aa5d9e..d67ada2 100644 --- a/system/default.nix +++ b/system/default.nix @@ -1,7 +1,6 @@ {config, ...}: { imports = [ ./file_system_layouts - ./hardware ./packages ./services ./users diff --git a/system/hardware/default.nix b/system/hardware/default.nix deleted file mode 100644 index 9fabafe..0000000 --- a/system/hardware/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{modulesPath, ...}: { - imports = [ - (modulesPath + "/profiles/qemu-guest.nix") - (modulesPath + "/profiles/headless.nix") - ]; - boot.loader.grub.device = "/dev/vda"; - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; - boot.initrd.kernelModules = []; -} -- cgit 1.4.1 From ecb274ba49042f1dfdf63b9c54ff6920f24a9a58 Mon Sep 17 00:00:00 2001 From: ene Date: Mon, 20 Mar 2023 15:19:26 +0100 Subject: Fix(system/mail): Change placeholder The old one, could have exposed a weak hash. --- system/mail/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/mail/default.nix b/system/mail/default.nix index 7102958..be2a33f 100644 --- a/system/mail/default.nix 
+++ b/system/mail/default.nix @@ -20,7 +20,7 @@ in { hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW"; }; "nightingale@vhack.eu" = { - hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"; # TODO change + hashedPasswordFile = "/this/is/an/non/existing/path/and/should/be/considerd/a/palce/holder"; # TODO change }; }; -- cgit 1.4.1 From 2cbf5571d702187357e9bbb90de1f5584e31dd5f Mon Sep 17 00:00:00 2001 From: sils Date: Mon, 20 Mar 2023 15:36:06 +0100 Subject: Revert "Fix(system/mail): Change placeholder" This reverts commit ecb274ba49042f1dfdf63b9c54ff6920f24a9a58. It may be a security-risk, but I care much more about a running mailserver for now. --- system/mail/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/mail/default.nix b/system/mail/default.nix index be2a33f..7102958 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -20,7 +20,7 @@ in { hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW"; }; "nightingale@vhack.eu" = { - hashedPasswordFile = "/this/is/an/non/existing/path/and/should/be/considerd/a/palce/holder"; # TODO change + hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"; # TODO change }; }; -- cgit 1.4.1 From ab3c9aa228ecaf79fae5cc1d2bdcb84f2e12951e Mon Sep 17 00:00:00 2001 From: sils Date: Mon, 20 Mar 2023 15:43:05 +0100 Subject: Fix(acme): Store certs permanently. Before, new certs were requested at every rebuild. This caused issues due to letsencrypt ratelimiting. --- system/file_system_layouts/default.nix | 4 ++++ system/mail/default.nix | 1 - 2 files changed, 4 insertions(+), 1 deletion(-) (limited to 'system') diff --git a/system/file_system_layouts/default.nix b/system/file_system_layouts/default.nix index 9d03a05..31b0b0b 100644 --- a/system/file_system_layouts/default.nix +++ b/system/file_system_layouts/default.nix 
@@ -40,6 +40,10 @@ in { device = "/srv/nix-config"; options = ["bind"]; }; + "/var/lib/acme" = { + device = "/srv/acme"; + options = ["bind"]; + }; }; }; } diff --git a/system/mail/default.nix b/system/mail/default.nix index 7102958..d2fd55c 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -47,5 +47,4 @@ in { keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; certificateScheme = 1; certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; - } -- cgit 1.4.1 From 8d8ad7a9f79ba88cc5b07e8f5f4d1a4cded4ff1b Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 25 Mar 2023 13:41:53 +0100 Subject: Feat(system/services/fail2ban): Add fail2ban This should clear the logs somewhat. --- system/services/default.nix | 1 + system/services/fail2ban/default.nix | 14 ++++++++++++++ 2 files changed, 15 insertions(+) create mode 100644 system/services/fail2ban/default.nix (limited to 'system') diff --git a/system/services/default.nix b/system/services/default.nix index f36cb29..5d9e5b6 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -7,5 +7,6 @@ ./nix ./opensshd ./rust-motd + ./fail2ban ]; } diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix new file mode 100644 index 0000000..5b5e9e7 --- /dev/null +++ b/system/services/fail2ban/default.nix @@ -0,0 +1,14 @@ +# vim: ts=2 +{...}: { + services.fail2ban = { + enable = true; + maxretry = 2; # ban after 2 failures + bantime-increment = { + enable = true; + rndtime = "8m"; + overalljails = true; + multipliers = "2 4 16 128 256"; + maxtime = "72h"; + }; + }; +} -- cgit 1.4.1 From 1fc72de6b6606f6c97ccf9883a88705260dd3ac8 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 25 Mar 2023 13:59:51 +0100 Subject: Fix(system/services/fail2ban): Make db persistent --- system/services/fail2ban/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'system') 
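Review bot: The new `/var/lib/acme` bind mount needs `/srv/acme` to exist on the `/srv` subvolume before the mount unit runs, and nothing in the hunk creates it, so on a fresh host the mount presumably fails at boot; create the directory out of band or via a tmpfiles rule and record it, e.g. `# source dir must pre-exist on /srv; acme module manages owner/mode through this mount`. Since private keys now persist there, the mode of `/srv/acme` should be checked once after the first activation — the acme module presumably fixes ownership on `/var/lib/acme`, which through the bind is the same inode, but a looser pre-existing mode on `/srv/acme` survives until it does. The `fileSystems` set begins outside the hunk.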
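Review bot: With `maxretry = 2` and escalating bans up to `maxtime = "72h"`, two mistyped passwords from the operator's own address lock that address out of SSH for up to three days, and the new file sets no `ignoreIP`; adding `ignoreIP = [ "<admin-address-placeholder>" ];` (plus any monitoring hosts) next to `enable = true;` is the usual safeguard. The base `bantime` is left at the module default, which is worth a one-line comment so the `multipliers` table can be read without consulting the module. The file is complete within the hunk.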
diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix index 5b5e9e7..949b486 100644 --- a/system/services/fail2ban/default.nix +++ b/system/services/fail2ban/default.nix @@ -3,6 +3,13 @@ services.fail2ban = { enable = true; maxretry = 2; # ban after 2 failures + daemonConfig = '' + [Definition] + logtarget = SYSLOG + socket = /run/fail2ban/fail2ban.sock + pidfile = /run/fail2ban/fail2ban.pid + dbfile = /srv/fail2ban/fail2ban.sqlite3 + ''; bantime-increment = { enable = true; rndtime = "8m"; -- cgit 1.4.1 From dce980ddb127a470b188fd6efbfb8ddb5b0fe315 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 25 Mar 2023 14:00:29 +0100 Subject: Feat(system/services/fail2ban): Add dovecot jail This should reduce the log spam even further. --- system/services/fail2ban/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'system') diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix index 949b486..5aee097 100644 --- a/system/services/fail2ban/default.nix +++ b/system/services/fail2ban/default.nix @@ -17,5 +17,14 @@ multipliers = "2 4 16 128 256"; maxtime = "72h"; }; + jails = { + dovecot = '' + # block IPs which failed to log-in + # aggressive mode add blocking for aborted connections + enabled = true + filter = dovecot[mode=aggressive] + maxretry = 2 + ''; + }; }; } -- cgit 1.4.1 From 64a554d1af2de6d07ebe61be1f5a3181a5f90b81 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 25 Mar 2023 14:32:23 +0100 Subject: Fix(system/services/rust-motd): Add fail2ban binary --- system/services/rust-motd/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'system') diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix index 21bc1cd..4f65dce 100644 --- a/system/services/rust-motd/default.nix +++ b/system/services/rust-motd/default.nix 
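Review bot: Setting `daemonConfig` wholesale replaces the module's default `[Definition]` block, so `logtarget`, `socket` and `pidfile` now have to be maintained by hand here and any defaults the module adds later are silently lost; a comment such as `# replaces the module default entirely; only dbfile differs from it` would make that explicit. `dbfile = /srv/fail2ban/fail2ban.sqlite3` also presumes `/srv/fail2ban` exists; fail2ban does not appear to create parent directories, so without a tmpfiles rule the daemon may come up without a database and the bans stop being persistent, which is the opposite of what the commit intends. The `services.fail2ban` set starts outside the hunk.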
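Review bot: `filter = dovecot[mode=aggressive]` counts aborted and non-authenticating connections as failures too, so with `maxretry = 2` and the 72h escalating ban a single flaky client behind a shared NAT can ban every user behind that address; that is a defensible trade-off for a small server but deserves stating, e.g. `# aggressive: aborted connections count — can ban shared NATs`. The `maxretry = 2` line repeats the global `maxretry = 2` set earlier in this file and can be dropped. The enclosing `services.fail2ban` set starts outside the hunk.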
@@ -3,6 +3,15 @@ pkgs, ... }: { + systemd.services.rust-motd = { + path = builtins.attrValues { + inherit + (pkgs) + bash + fail2ban # Needed for rust-motd fail2ban integration + ; + }; + }; programs.rust-motd = { enable = true; enableMotdInSSHD = true; -- cgit 1.4.1 From 4758e5881daa1aa762c6e6e9734faea618dea70c Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 25 Mar 2023 14:32:56 +0100 Subject: Feat(system/services/rust-motd): Show status of ssl-certs --- system/services/rust-motd/default.nix | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'system') diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix index 4f65dce..100fcb4 100644 --- a/system/services/rust-motd/default.nix +++ b/system/services/rust-motd/default.nix @@ -54,14 +54,14 @@ # [user_service_status] # gpg-agent = "gpg-agent" - #s_s_l_certs = { - # sort_method = "manual" - # - # certs = { - # CertName1 = "/path/to/cert1.pem" - # CertName2 = "/path/to/cert2.pem" - # } - #}; + s_s_l_certs = { + sort_method = "manual"; + + certs = { + server1.vhack.eu = "/var/lib/acme/server1.vhack.eu/cert.pem"; + vhack.eu = "/var/lib/acme/vhack.eu/cert.pem"; + }; + }; filesystems = { root = "/"; -- cgit 1.4.1 From f84a9f6a80657d9c9f072a9338d46f7d8c2b79f5 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 25 Mar 2023 14:33:48 +0100 Subject: Feat(system/services/rust-motd): Info about filesystems --- system/services/rust-motd/default.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'system') diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix index 100fcb4..f21c0c4 100644 --- a/system/services/rust-motd/default.nix +++ b/system/services/rust-motd/default.nix @@ -65,6 +65,9 @@ filesystems = { root = "/"; + persistent = "/srv"; + store = "/nix"; + boot = "/boot"; }; memory = { -- cgit 1.4.1 From f21504ae85559a2b5a6381afeda451e1eb310f9d Mon Sep 17 00:00:00 2001 
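Review bot: Adding `fail2ban` to `path` only makes `fail2ban-client` resolvable; if rust-motd's fail2ban component queries the daemon it also needs access to `/run/fail2ban/fail2ban.sock`, which fail2ban normally restricts to root, and the hunk does not show which user the unit runs as, so that should be verified and noted beside the existing comment, e.g. `# fail2ban-client also needs the fail2ban socket — unit must run as root (verify)`. `bash` is added with no explanation; a matching comment would help the next reader. `programs.rust-motd` continues outside the hunk.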
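Review bot: `server1.vhack.eu = …` and `vhack.eu = …` are unquoted, so Nix parses them as nested attribute paths (`server1 = { vhack = { eu = …; }; }`) rather than as the two literal cert names rust-motd expects; the `Quote ssl-cert names` commit further down fixes this, so the two would ideally have been squashed. The files monitored are `cert.pem`, which is public material, but the `/var/lib/acme/<name>/` directories are owned by the acme user, so whatever runs rust-motd needs suitable group access unless it is root — worth a comment such as `# requires read access to /var/lib/acme/<name>/ (acme group or root)`. The enclosing rust-motd settings set starts and ends outside the hunk.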
From: ene Date: Sat, 25 Mar 2023 14:40:30 +0100 Subject: Fix(system/services/rust-motd): Quote ssl-cert names --- system/services/rust-motd/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system') diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix index f21c0c4..1a41b32 100644 --- a/system/services/rust-motd/default.nix +++ b/system/services/rust-motd/default.nix @@ -58,8 +58,8 @@ sort_method = "manual"; certs = { - server1.vhack.eu = "/var/lib/acme/server1.vhack.eu/cert.pem"; - vhack.eu = "/var/lib/acme/vhack.eu/cert.pem"; + "server1.vhack.eu" = "/var/lib/acme/server1.vhack.eu/cert.pem"; + "vhack.eu" = "/var/lib/acme/vhack.eu/cert.pem"; }; }; -- cgit 1.4.1 From cb92ffc878fcb417bd66b3b30ef1ff189a5aa44c Mon Sep 17 00:00:00 2001 From: ene Date: Fri, 7 Apr 2023 22:02:24 +0200 Subject: Fix(system/mail): Allow opening ports in the firewall As the previous configuration only opened some ports, receiving mail was impossible. This allows NSM to open the required ports directly, ensuring that none was missed. SECURITY: As all other options than SSL are still disabled, this change should not introduce unencrypted mail transfer. This has not been tested. --- system/mail/default.nix | 2 +- system/services/default.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'system') diff --git a/system/mail/default.nix b/system/mail/default.nix index d2fd55c..b1da088 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -42,7 +42,7 @@ in { # SMTP enableSubmission = false; enableSubmissionSsl = true; - openFirewall = false; # handled below + openFirewall = true; keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; certificateScheme = 1; diff --git a/system/services/default.nix b/system/services/default.nix index 5d9e5b6..6e5cb3c 100644 --- a/system/services/default.nix +++ b/system/services/default.nix 
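Review bot: `openFirewall = true` delegates the port list to the mail-server module, but the same commit comments out the `./firewall` import in the services/default.nix hunk at the end of this page, and the replaced comment `# handled below` suggests that module carried the manually maintained port list; anything it opened that is not mail (HTTP for ACME challenges, for instance, if it lived there) is now closed, and any `networking.firewall` settings it held are gone with it. The commit message says this is untested, so a note on the new line such as `openFirewall = true; # module opens ports for every *Ssl option left enabled; ./firewall is no longer imported` would at least record what is relied on. Which IMAP/POP3 options remain enabled is outside the hunk, as is the rest of the enclosing attribute set.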
@@ -1,7 +1,7 @@
 {config, ...}: {
 imports = [
 ./acme
- ./firewall
+# ./firewall
 #./minecraft
 ./nginx
 ./nix
-- cgit 1.4.1
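Review bot: `# ./firewall` is left as commented-out dead code at column 0 inside an otherwise indented list; either delete the entry (history keeps it) or keep it with a reason, e.g. `# ./firewall — disabled: ports are now opened by the mail module's openFirewall`. A silently disabled firewall module is exactly the kind of line a later reader re-enables or deletes without knowing the consequence. The `imports` list closes outside the hunk.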