From bb591e83d543dfe440fa25c021fb3ad92c634058 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 22 Feb 2023 01:28:16 +0100 Subject: [PATCH 01/16] nix: update inputs --- flake.lock | 28 ++++++++++++++-------------- flake.nix | 2 +- nixos/modules.nix | 1 + 3 files changed, 16 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index bf77887..6700922 100644 --- a/flake.lock +++ b/flake.lock @@ -40,11 +40,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1666248456, - "narHash": "sha256-xHZKzfF0bb890ND8Z9Ioed5vdhk1JZfyJsied4MKw3A=", + "lastModified": 1677013990, + "narHash": "sha256-HwAnE5MHsyLiRJp50KfDFPiiOZXI0Ts8hXpIh6yBilE=", "owner": "nix-community", "repo": "home-manager", - "rev": "d1191c6d05120449f3e54e1211518df7c69ee282", + "rev": "564b82b3542026e7fb5d0da16c56ae3e40e5c9dd", "type": "github" }, "original": { @@ -64,11 +64,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1674611231, - "narHash": "sha256-wjh5rxHSWOfkIq4X1oEM6/kz7tsmYL4qdgSzUTiesoA=", + "lastModified": 1677089685, + "narHash": "sha256-G2Wya12E8G0C6w0acMZxarKubQh3cfT4PEuiraLDzDA=", "ref": "main", - "rev": "ccf6686e09fd5eff9bc58045203bb7c960213aa6", - "revCount": 619, + "rev": "9c8ff7008a1db980fd86156705df822b571568e8", + "revCount": 626, "type": "git", "url": "file:///home/julm/work/sourcephile/nix/julm-nix" }, @@ -103,17 +103,17 @@ }, "nixpkgs": { "locked": { - "lastModified": 1667050928, - "narHash": "sha256-xOn0ZgjImIyeecEsrjxuvlW7IW5genTwvvnDQRFncB8=", + "lastModified": 1677075010, + "narHash": "sha256-X+UmR1AkdR//lPVcShmLy8p1n857IGf7y+cyCArp8bU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fdebb81f45a1ba2c4afca5fd9f526e1653ad0949", + "rev": "c95bf18beba4290af25c60cbaaceea1110d0f727", "type": "github" }, "original": { "owner": "NixOS", + "ref": "release-22.11", "repo": "nixpkgs", - "rev": "fdebb81f45a1ba2c4afca5fd9f526e1653ad0949", "type": "github" } }, 
@@ -195,11 +195,11 @@ }, "utils": { "locked": { - "lastModified": 1659877975, - "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", "owner": "numtide", "repo": "flake-utils", - "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 38390fb..ee2124d 100644 --- a/flake.nix +++ b/flake.nix @@ -5,7 +5,7 @@ julm-nix.url = "git+file:///home/julm/work/sourcephile/nix/julm-nix?ref=main"; julm-nix.inputs.nixpkgs.follows = "nixpkgs"; nix-formatter-pack.follows = "julm-nix/nix-formatter-pack"; - nixpkgs.url = "github:NixOS/nixpkgs/fdebb81f45a1ba2c4afca5fd9f526e1653ad0949"; + nixpkgs.url = "github:NixOS/nixpkgs/release-22.11"; pre-commit-hooks.follows = "julm-nix/pre-commit-hooks"; }; diff --git a/nixos/modules.nix b/nixos/modules.nix index 144d143..f2f6717 100644 --- a/nixos/modules.nix +++ b/nixos/modules.nix @@ -30,6 +30,7 @@ #modules/services/x11/display-managers/default.nix modules/services/networking/prosody.nix (inputs.julm-nix + "/nixos/modules/security/systemd-creds.nix") + (inputs.julm-nix + "/nixos/modules/services/networking/wireguard.nix") ]; disabledModules = [ #"config/console.nix" -- 2.47.0 From de0526847f2e7505fc31bed23c115770fa73b402 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 24 Feb 2023 18:27:37 +0100 Subject: [PATCH 02/16] nix: update inputs --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 6700922..fc6a386 100644 --- a/flake.lock +++ b/flake.lock 
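Review bot: `nixpkgs.url` now names the moving `release-22.11` branch instead of a commit, so the only pin on the base system is the `rev`/`narHash` pair in flake.lock, and any `nix flake update` pulls whatever the branch currently points to with no review step visible at the call site. That is the normal flake workflow and the lock still makes each build reproducible, but since this input decides every host's closure it deserves a comment at the URL, e.g. `# tracked branch; the effective commit is pinned in flake.lock — diff the nixpkgs rev on each update`.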
@@ -64,11 +64,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1677089685, - "narHash": "sha256-G2Wya12E8G0C6w0acMZxarKubQh3cfT4PEuiraLDzDA=", + "lastModified": 1677237973, + "narHash": "sha256-84df++iCLaLij/jdKrhuRKRdK6h2YvLl2voBgu4LM4g=", "ref": "main", - "rev": "9c8ff7008a1db980fd86156705df822b571568e8", - "revCount": 626, + "rev": "073b1b319513ff635dc3762f1a65453a879017ff", + "revCount": 627, "type": "git", "url": "file:///home/julm/work/sourcephile/nix/julm-nix" }, -- 2.47.0 From 5dea3764e7db31369425c86171a6e84ed3c684b5 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 24 Feb 2023 18:28:28 +0100 Subject: [PATCH 03/16] mermet: nginx: autogeree.net: add /julm/perso/camera/ --- hosts/losurdo/syncoid.nix | 1 + hosts/mermet/nginx.nix | 10 ++++++---- hosts/mermet/nginx/autogeree.net/www.nix | 16 ++++++++++------ nixos/profiles/services/nginx.nix | 2 +- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/hosts/losurdo/syncoid.nix b/hosts/losurdo/syncoid.nix index 2e56c03..bd84f94 100644 --- a/hosts/losurdo/syncoid.nix +++ b/hosts/losurdo/syncoid.nix @@ -64,6 +64,7 @@ in extraArgs = [ "--skip-parent" "--exclude=rpool/var/cache" + "--exclude=rpool/var/lib/nginx" "--exclude=rpool/var/log" "--exclude=rpool/var/tmp" ]; diff --git a/hosts/mermet/nginx.nix b/hosts/mermet/nginx.nix index be7d5ca..182ee0b 100644 --- a/hosts/mermet/nginx.nix +++ b/hosts/mermet/nginx.nix @@ -34,11 +34,13 @@ in useACMEHost = networking.domain; }; }; - fileSystems."/var/lib/nginx" = { - device = "rpool/var/www"; + /* + fileSystems."/var/lib/nginx" = { + device = "rpool/var/lib/nginx"; fsType = "zfs"; - }; - services.sanoid.datasets."rpool/var/www" = { + }; + */ + services.sanoid.datasets."rpool/var/lib/nginx" = { use_template = [ "snap" ]; daily = 7; }; diff --git a/hosts/mermet/nginx/autogeree.net/www.nix b/hosts/mermet/nginx/autogeree.net/www.nix index f1f5e6d..6acd46a 100644 --- a/hosts/mermet/nginx/autogeree.net/www.nix 
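Review bot: The `fileSystems."/var/lib/nginx"` mount is commented out while `services.sanoid.datasets."rpool/var/lib/nginx"` is kept, and in the syncoid hunk the same dataset is now excluded from off-host replication. If nothing else mounts `rpool/var/lib/nginx` at `/var/lib/nginx`, the sanoid snapshots cover a dataset nginx does not actually serve from; either way, the camera captures this series publishes end up with local snapshots only and no replicated copy. If that is deliberate (the captures are disposable), say so next to the `--exclude` line, e.g. `# not replicated: regenerated camera captures, local snapshots only`; otherwise drop the exclude or restore the mount.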
+++ b/hosts/mermet/nginx/autogeree.net/www.nix @@ -7,17 +7,12 @@ let in { systemd.services.nginx.serviceConfig = { - BindPaths = [ - "/home/julm/work/perso:${root}/julm" - ]; - StateDirectory = [ - "nginx/${domain}/julm" - ]; LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ]; LoadCredentialEncrypted = [ "${domain}.${srv}.julm.PC.htpasswd:${inputs.self}/hosts/${hostName}/nginx/${domain}/${srv}/julm/PC/htpasswd.cred" + "${domain}.${srv}.julm.perso.camera.htpasswd:${inputs.self}/hosts/${hostName}/nginx/${domain}/${srv}/julm/perso/camera.htpasswd.cred" ]; }; services.nginx = { @@ -51,6 +46,15 @@ in fancyindex_exact_size off; ''; }; + locations."/julm/perso/camera/" = { + alias = "${root}/julm/perso/camera/"; + basicAuthFile = "/run/credentials/nginx.service/${domain}.${srv}.julm.perso.camera.htpasswd"; + extraConfig = '' + fancyindex on; + fancyindex_name_length 255; + fancyindex_exact_size off; + ''; + }; }; }; } diff --git a/nixos/profiles/services/nginx.nix b/nixos/profiles/services/nginx.nix index 110576c..5f267b3 100644 --- a/nixos/profiles/services/nginx.nix +++ b/nixos/profiles/services/nginx.nix @@ -30,7 +30,7 @@ in # whenever upstream uses a list instead of a string. LogsDirectory = lib.mkForce [ "nginx" ]; StateDirectory = [ "nginx" ]; - StateDirectoryMode = "2770"; + StateDirectoryMode = "2771"; #BindPaths = ["/dev/shm/nginx:/var/cache/nginx"]; }; }; -- 2.47.0 From 13964c97f5c13d914ae892a3a19ffb4d66256288 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 24 Feb 2023 18:17:54 +0100 Subject: [PATCH 04/16] Edit password for hosts/mermet/nginx/autogeree.net/www/julm/perso/camera.htpasswd using vim. --- .../www/julm/perso/camera.htpasswd.cred | Bin 0 -> 675 bytes .../www/julm/perso/camera.htpasswd.gpg | Bin 0 -> 1031 bytes 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 hosts/mermet/nginx/autogeree.net/www/julm/perso/camera.htpasswd.cred create mode 100644 hosts/mermet/nginx/autogeree.net/www/julm/perso/camera.htpasswd.gpg 
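Review bot: The new `/julm/perso/camera/` location serves a tree that, after the removal of `BindPaths`/`StateDirectory` here and the `2771` mode change in the nginx profile, appears to be written by a user other than nginx; nginx follows symlinks by default, so a writer able to create entries there can publish any file the nginx user can read simply by dropping a symlink into the directory. If that writer is not fully trusted, add `disable_symlinks if_not_owner;` to this location's `extraConfig` (and to the `fancyindex` listing, so the link is not even displayed). Basic auth via the `LoadCredentialEncrypted` htpasswd is fine as long as this vhost is TLS-only, which the `useACMEHost` in `hosts/mermet/nginx.nix` suggests but this hunk does not show.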
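Review bot: `StateDirectoryMode = "2771"` adds world-traverse (`o+x`) to `/var/lib/nginx`, so every local account can now reach anything under it whose own mode permits, where previously the `2770` parent alone kept non-members out. That is presumably needed so a non-nginx writer can reach its per-vhost subdirectory, but it silently moves the protection of every other directory under `/var/lib/nginx` onto their individual modes. Record the intent and the invariant next to the value, e.g. `StateDirectoryMode = "2771"; # o+x only: lets other users traverse to their own subdir; each subdir must stay 2770 or tighter`, and check that the existing `nginx/${domain}/${srv}` directories really are group-restricted.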
diff --git a/hosts/mermet/nginx/autogeree.net/www/julm/perso/camera.htpasswd.cred b/hosts/mermet/nginx/autogeree.net/www/julm/perso/camera.htpasswd.cred new file mode 100644 index 0000000000000000000000000000000000000000..e4268789d3d3d594b6561fb3d2f338416dfab567 GIT binary patch literal 675 zcmV;U0$lw7M@dveQdv+`0FqK`I?0)yVYE-P2($#PL{5u_5Fzv92!F3z07B$F>O^)? zZ=5P~3?Dw{8p&tMf7-Rsne<2MxnjV9@p^s>%RWN(&Fp#5v2F~d(A~_8h6Y6~=h1iM zK@^Lb;fn$b+qc@7nc@E>awx^_+cvq%DT{$5a0_70w!@ZEG`pXh(WW;UGdcS)$97!z ziLY8(FjSpD#A%1qoZ$;hh1$o*z*T0WtTUK)XajTd9c@Pi6~-MST)Tb55Qk3T<^OBg z;*W9n7nr|C1bj=-d|T50yeAOF8Bzx{ID_^pWI6+VO4B${wqB;S?`3|T z?WAE?jn#I_hMLGn3J1v!>>4&t1AeiOd1(hd&RDNRCSr*taFSJ9w_*Ilj8AAZj0A9g zpWRRXcgj}1Nj&Iv_@a}mB!lcKWYgx-Tfj)iLl~$oVUuWjQ>2_>^`(=TEHzhj z9Km;*RR%rqBE#@hRvvW$w|K9}LJu}Ix{|;bdW~NS*@9?=P#cK!0<8=t*%>4Z7K?_t z9o?&uxcEl@du)?kUw69nf4l0+qJLB?ma&rc9PRe`rg&iwB}P^=x*}=U3l{eXoN~oO J=Z2^Ju{Cy6P1^tf literal 0 HcmV?d00001 
diff --git a/hosts/mermet/nginx/autogeree.net/www/julm/perso/camera.htpasswd.gpg b/hosts/mermet/nginx/autogeree.net/www/julm/perso/camera.htpasswd.gpg new file mode 100644 index 0000000000000000000000000000000000000000..7661aef2e88a115bd25628246b28a2f4f99b4e24 GIT binary patch literal 1031 zcmV+i1o-;^M@dveQdv+`0LrG0$CT{F9+;WW!gnJ_UW22A{v@csGA=w@zec@ogVhG= zNKIBnHR&8^*}y@-)O(}V&@c2cA5)D}M)v?CP)3WDr;r18^th~{L(;Zt}xTt*tR-fbRCIslRrFm}50V11k+ zyLwQdH4KKql@a^vE%2TBV0Ttn1HRmP)*@&E%diWY0MYUW+(-7sW;BL_(*tF<;LGg@ z7SA2KsR}nJL0k@#5088@(Gbon1~0=l1BVu+sQw1bii3|+JSh&ftS_RtRt9W6I*uS} zpb|6umRBPB&5Sk+@y?5TN_(y8damoIhF5`1w*9o-54yqI{9vP?!~sX*R*Ur1v%vok zhSO`xx~D-fe_GfTcpW{e3)QKNqlorYa1u6Y%lfI+=jF+W@29M+&o zhkqliTo#i8+r;$rErD^C;yEr|&bhHsdyxMr?@@5m@xR9_W9dj`d4@8O;js!DtQR@icFu-!yRl{W-cZoN;;v!&!kH>LlroHpbM_R6 zBi}2|)HupIX!Y_A-yawJj_BSe&f&{hfOZgXGwFw-VAq~qaIZls_Ch2#h z2l{=P>Z&Er-G=UJAS5>Sv&DRbxvEHjv}cdi+-q_W=bPE%5`^KYo)#lF1@ z^pc5bBe0i&vwvAfBkW4Q&VoB90+ulZny<-8f4&yqX`>vAgpR)ZTt%=queAnqiLJ1@ zqDl8Eyk!-$%W{`POjygQj!%*<({qv69^2i=<&^F+jLDY%sH3!@uv?D02GGd1h$zh} z`OVz#QGDuzB>#JTBO0HVJ0q?dkk`NKPwEU`C7Q%s!MHqdT Date: Sat, 25 Feb 2023 13:56:00 +0100 Subject: [PATCH 05/16] mermet: avoid sending nixpkgs input --- hosts/mermet/system.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/mermet/system.nix b/hosts/mermet/system.nix index 07b4656..bd4e330 100644 --- a/hosts/mermet/system.nix +++ b/hosts/mermet/system.nix @@ -1,4 +1,4 @@ -{ pkgs, config, ... }: +{ pkgs, lib, config, ... }: { # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database servers. @@ -9,6 +9,7 @@ nix.gc.dates = "daily"; nix.gc.options = "--delete-older-than 2d"; + nix.registry = lib.mkForce { }; # Setting the machine-id avoids to reencrypt all credentials # when reinstalling NixOS on a new drive. -- 2.47.0 From 47e7939aae1a46762a3061299023c4f1747cec91 Mon Sep 17 00:00:00 2001 
From: Julien Moutinho Date: Wed, 1 Mar 2023 23:02:08 +0100 Subject: [PATCH 06/16] creds: avoid restarts by not using inputs.self --- flake.lock | 8 ++-- hosts/losurdo/acme/autogeree.net.nix | 5 ++- hosts/losurdo/acme/sourcephile.fr.nix | 5 ++- hosts/losurdo/networking/nsupdate.nix | 4 +- hosts/losurdo/networking/tor.nix | 5 ++- hosts/losurdo/ssh.nix | 38 ++++++++++--------- hosts/losurdo/syncoid.nix | 2 +- hosts/losurdo/transmission.nix | 5 ++- hosts/losurdo/wireguard/wg-extra.nix | 5 ++- hosts/losurdo/wireguard/wg-intra.nix | 3 ++ hosts/mermet.nix | 2 + hosts/mermet/iodine.nix | 5 ++- hosts/mermet/knot/autogeree.net.nix | 2 +- hosts/mermet/knot/sourcephile.fr.nix | 4 +- hosts/mermet/miniflux.nix | 2 +- hosts/mermet/networking.nix | 2 - hosts/mermet/nginx/autogeree.net/www.nix | 4 +- hosts/mermet/rspamd.nix | 2 +- hosts/mermet/rspamd/autogeree.net.nix | 2 +- hosts/mermet/rspamd/sourcephile.fr.nix | 2 +- hosts/mermet/{networking => }/ssh.nix | 5 +++ .../wireguard.nix => wireguard/wg-intra.nix} | 3 ++ 22 files changed, 69 insertions(+), 46 deletions(-) rename hosts/mermet/{networking => }/ssh.nix (90%) rename hosts/mermet/{networking/wireguard.nix => wireguard/wg-intra.nix} (83%) diff --git a/flake.lock b/flake.lock index fc6a386..df8fe92 100644 --- a/flake.lock +++ b/flake.lock @@ -64,11 +64,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1677237973, - "narHash": "sha256-84df++iCLaLij/jdKrhuRKRdK6h2YvLl2voBgu4LM4g=", + "lastModified": 1677705458, + "narHash": "sha256-j//Gc10EBZ9kEB4+i0ggDKngRnIO2W3+UPWjW+4dzec=", "ref": "main", - "rev": "073b1b319513ff635dc3762f1a65453a879017ff", - "revCount": 627, + "rev": "5d3a7ba9f8794aad5475c8ccbabc96bb501a3da4", + "revCount": 637, "type": "git", "url": "file:///home/julm/work/sourcephile/nix/julm-nix" }, diff --git a/hosts/losurdo/acme/autogeree.net.nix b/hosts/losurdo/acme/autogeree.net.nix index 261bdbf..80df8bd 100644 --- a/hosts/losurdo/acme/autogeree.net.nix 
+++ b/hosts/losurdo/acme/autogeree.net.nix @@ -46,8 +46,9 @@ in ''; }; systemd.services."acme-${domain}" = { - serviceConfig.LoadCredentialEncrypted = - [ "${domain}.tsig:${inputs.self}/hosts/${hostName}/acme/${domain}.tsig.cred" ]; + serviceConfig.LoadCredentialEncrypted = [ + "${domain}.tsig:${./. + "/${domain}.tsig.cred"}" + ]; environment.RFC2136_TSIG_SECRET_FILE = "%d/${domain}.tsig"; after = [ "unbound.service" ]; }; diff --git a/hosts/losurdo/acme/sourcephile.fr.nix b/hosts/losurdo/acme/sourcephile.fr.nix index 893d9f7..5eb3cac 100644 --- a/hosts/losurdo/acme/sourcephile.fr.nix +++ b/hosts/losurdo/acme/sourcephile.fr.nix @@ -44,8 +44,9 @@ in ''; }; systemd.services."acme-${domain}" = { - serviceConfig.LoadCredentialEncrypted = - [ "${domain}.tsig:${inputs.self}/hosts/${hostName}/acme/${domain}.tsig.cred" ]; + serviceConfig.LoadCredentialEncrypted = [ + "${domain}.tsig:${./. + "/${domain}.tsig.cred"}" + ]; environment.RFC2136_TSIG_SECRET_FILE = "%d/${domain}.tsig"; after = [ "unbound.service" ]; }; diff --git a/hosts/losurdo/networking/nsupdate.nix b/hosts/losurdo/networking/nsupdate.nix index a15729f..d5a53f8 100644 --- a/hosts/losurdo/networking/nsupdate.nix +++ b/hosts/losurdo/networking/nsupdate.nix @@ -10,7 +10,9 @@ in startAt = "*:0/5"; # every 5 min serviceConfig = { Type = "simple"; - LoadCredentialEncrypted = [ "${hostName}.${domain}.tsig:${inputs.self}/hosts/${hostName}/networking/nsupdate/${domain}/tsig.cred" ]; + LoadCredentialEncrypted = [ + "${hostName}.${domain}.tsig:${./nsupdate +"/${domain}/tsig.cred"}" + ]; ExecStart = pkgs.writeShellScript "nsupdate" '' set -eux publicIPv4=$(${pkgs.curl}/bin/curl -s4 https://whoami.sourcephile.fr/addr || diff --git a/hosts/losurdo/networking/tor.nix b/hosts/losurdo/networking/tor.nix index aa62352..50fa34d 100644 --- a/hosts/losurdo/networking/tor.nix +++ b/hosts/losurdo/networking/tor.nix 
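Review bot: The `nsupdate` ExecStart script runs under `set -eux`, which traces every expanded command line into the journal; the TSIG credential loaded on the new `LoadCredentialEncrypted` line stays secret only as long as the rest of the script (outside this hunk) passes it to nsupdate by path (`-k "$CREDENTIALS_DIRECTORY/…"`) and never expands its contents into an argument or variable. If any line does `-y` with key material, or `cat`s the file into a variable, the secret lands in `journalctl`. Prefer `set -eu` with a targeted `set -x` around the non-secret steps, or at least a comment stating the invariant, e.g. `# set -x is safe only because the TSIG key is passed by path, never by value`.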
@@ -24,8 +24,9 @@ in } } ''; - systemd.services.tor.serviceConfig.LoadCredentialEncrypted = - "${onion}.hs_ed25519_secret_key:" + ./tor + "/${onion}.hs_ed25519_secret_key.cred"; + systemd.services.tor.serviceConfig.LoadCredentialEncrypted = [ + "${onion}.hs_ed25519_secret_key:${./tor + "/${onion}.hs_ed25519_secret_key.cred"}" + ]; services.tor = { enable = true; enableGeoIP = true; diff --git a/hosts/losurdo/ssh.nix b/hosts/losurdo/ssh.nix index 1b1d72c..1c3aa27 100644 --- a/hosts/losurdo/ssh.nix +++ b/hosts/losurdo/ssh.nix @@ -1,5 +1,26 @@ { pkgs, lib, config, hosts, ... }: { + services.openssh = { + openFirewall = true; + forwardX11 = true; + }; + systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [ + "host.key:${ssh/host.key.cred}" + ]; + programs.ssh = { + extraConfig = '' + ''; + }; + + boot.initrd.network.ssh = { + enable = true; + port = 2222; + authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys; + hostKeys = [ "/root/initrd/ssh.key" ]; + extraConfig = '' + ''; + }; + systemd.services.ssh-mermet-reverse = { after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; @@ -17,23 +38,6 @@ RestartSec = "5s"; }; }; - boot.initrd.network.ssh = { - enable = true; - port = 2222; - authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys; - hostKeys = [ "/root/initrd/ssh.key" ]; - extraConfig = '' - ''; - }; - services.openssh = { - openFirewall = true; - forwardX11 = true; - }; - programs.ssh = { - extraConfig = '' - Compression = yes - ''; - }; services.upnpc.enable = true; services.upnpc.redirections = [ diff --git a/hosts/losurdo/syncoid.nix b/hosts/losurdo/syncoid.nix index bd84f94..e5ebc16 100644 --- a/hosts/losurdo/syncoid.nix +++ b/hosts/losurdo/syncoid.nix @@ -43,7 +43,7 @@ in nftables.enable = true; interval = "*-*-* *:05:00"; #interval = "*:0/1"; - sshKey = "sshKey:${inputs.self}/hosts/${hostName}/syncoid/sshKey.cred"; + sshKey = "sshKey:${syncoid/sshKey.cred}"; commonArgs = [ #"--debug" "--no-sync-snap" 
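Review bot: `sshd` now loads `host.key` as an encrypted credential, but nothing in this hunk points `services.openssh.hostKeys` at `/run/credentials/sshd.service/host.key`, so unless that wiring lives in a module outside the hunk (possibly a julm-nix profile) sshd keeps using the generated `/etc/ssh/ssh_host_*_key` files and the credential is decrypted for nothing. If it is meant to be used, the obvious line is `services.openssh.hostKeys = [{ path = "/run/credentials/sshd.service/host.key"; type = "ed25519"; }];` (type to match what the cred actually holds). Separately, the reorder drops `Compression = yes` from `programs.ssh.extraConfig`, leaving an empty `extraConfig`; that is unrelated to the credentials subject and looks accidental, or at least deserves a mention in the commit message.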
diff --git a/hosts/losurdo/transmission.nix b/hosts/losurdo/transmission.nix index cbb5b8a..37f9fe7 100644 --- a/hosts/losurdo/transmission.nix +++ b/hosts/losurdo/transmission.nix @@ -70,8 +70,9 @@ in startAt = "06..19:0,15,30,45:00"; script = "true"; }; - systemd.services.transmission.serviceConfig.LoadCredentialEncrypted = - [ "settings.json:${inputs.self}/hosts/${hostName}/transmission/settings.json.cred" ]; + systemd.services.transmission.serviceConfig.LoadCredentialEncrypted = [ + "settings.json:${transmission/settings.json.cred}" + ]; services.transmission = { enable = true; performanceNetParameters = true; diff --git a/hosts/losurdo/wireguard/wg-extra.nix b/hosts/losurdo/wireguard/wg-extra.nix index 8a82b74..7672019 100644 --- a/hosts/losurdo/wireguard/wg-extra.nix +++ b/hosts/losurdo/wireguard/wg-extra.nix @@ -32,8 +32,9 @@ in } ''; #boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = - [ "privateKey:${inputs.self}/hosts/${hostName}/wireguard/${wgIface}/privateKey.cred" ]; + systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = [ + "privateKey:${./. + "/${wgIface}/privateKey.cred"}" + ]; networking.wireguard.interfaces.${wgIface} = { # publicKey: 1Iyq96rPHfyrt4B31NqKLgWzlglkMAWjA41aF279gjM= privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey"; diff --git a/hosts/losurdo/wireguard/wg-intra.nix b/hosts/losurdo/wireguard/wg-intra.nix index a996813..3381c9e 100644 --- a/hosts/losurdo/wireguard/wg-intra.nix +++ b/hosts/losurdo/wireguard/wg-intra.nix @@ -10,6 +10,9 @@ in imports = [ (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix") ]; + systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = [ + "privateKey:${./. + "/${wgIface}/privateKey.cred"}" + ]; networking.wireguard.${wgIface}.peers = { mermet.enable = true; oignon.enable = true; diff --git a/hosts/mermet.nix b/hosts/mermet.nix index 0d8eb62..c43b034 100644 
--- a/hosts/mermet.nix +++ b/hosts/mermet.nix @@ -31,8 +31,10 @@ mermet/sanoid.nix mermet/security.nix #mermet/sourcehut.nix + mermet/ssh.nix mermet/system.nix mermet/unbound.nix mermet/users.nix + mermet/wireguard/wg-intra.nix ]; } diff --git a/hosts/mermet/iodine.nix b/hosts/mermet/iodine.nix index e96f220..4c30ffc 100644 --- a/hosts/mermet/iodine.nix +++ b/hosts/mermet/iodine.nix @@ -5,8 +5,9 @@ let gwIface = config.networking.defaultGateway.interface; in { - systemd.services.iodined.serviceConfig.LoadCredentialEncrypted = - [ "password:${inputs.self}/hosts/${hostName}/iodine/password.cred" ]; + systemd.services.iodined.serviceConfig.LoadCredentialEncrypted = [ + "password:${iodine/password.cred}" + ]; systemd.sockets.iodined = { enable = true; listenDatagrams = [ "127.0.0.1:1053" ]; diff --git a/hosts/mermet/knot/autogeree.net.nix b/hosts/mermet/knot/autogeree.net.nix index 956ee5b..d2f00a6 100644 --- a/hosts/mermet/knot/autogeree.net.nix +++ b/hosts/mermet/knot/autogeree.net.nix @@ -102,7 +102,7 @@ in }; systemd.services.knot.serviceConfig = { LoadCredentialEncrypted = [ - "${domain}.acme.conf:${inputs.self}/hosts/${hostName}/knot/${domain}/acme.conf.cred" + "${domain}.acme.conf:${./. + "/${domain}/acme.conf.cred"}" ]; }; /* Useless since the zone is public diff --git a/hosts/mermet/knot/sourcephile.fr.nix b/hosts/mermet/knot/sourcephile.fr.nix index 3c7623a..b51389d 100644 --- a/hosts/mermet/knot/sourcephile.fr.nix +++ b/hosts/mermet/knot/sourcephile.fr.nix @@ -160,8 +160,8 @@ in systemd.services.knot = { serviceConfig = { LoadCredentialEncrypted = [ - "${domain}.acme.conf:${inputs.self}/hosts/${hostName}/knot/${domain}/acme.conf.cred" - "losurdo.conf:${inputs.self}/hosts/${hostName}/knot/${domain}/losurdo.conf.cred" + "${domain}.acme.conf:${./. + "/${domain}/acme.conf.cred"}" + "losurdo.conf:${./. + "/${domain}/losurdo.conf.cred"}" ]; }; }; diff --git a/hosts/mermet/miniflux.nix b/hosts/mermet/miniflux.nix index a385836..1559320 100644 
--- a/hosts/mermet/miniflux.nix +++ b/hosts/mermet/miniflux.nix @@ -39,7 +39,7 @@ in }; serviceConfig = { LoadCredentialEncrypted = [ - "credentials:${inputs.self}/hosts/${hostName}/miniflux/credentials.cred" + "credentials:${miniflux/credentials.cred}" ]; # For postgres auth User = users."miniflux".name; diff --git a/hosts/mermet/networking.nix b/hosts/mermet/networking.nix index 9d1f4e0..871b2fe 100644 --- a/hosts/mermet/networking.nix +++ b/hosts/mermet/networking.nix @@ -15,8 +15,6 @@ in { imports = [ networking/nftables.nix - networking/ssh.nix - networking/wireguard.nix ]; _module.args.ipv4 = netIPv4; diff --git a/hosts/mermet/nginx/autogeree.net/www.nix b/hosts/mermet/nginx/autogeree.net/www.nix index 6acd46a..c3879c1 100644 --- a/hosts/mermet/nginx/autogeree.net/www.nix +++ b/hosts/mermet/nginx/autogeree.net/www.nix @@ -11,8 +11,8 @@ in "nginx/${domain}/${srv}" ]; LoadCredentialEncrypted = [ - "${domain}.${srv}.julm.PC.htpasswd:${inputs.self}/hosts/${hostName}/nginx/${domain}/${srv}/julm/PC/htpasswd.cred" - "${domain}.${srv}.julm.perso.camera.htpasswd:${inputs.self}/hosts/${hostName}/nginx/${domain}/${srv}/julm/perso/camera.htpasswd.cred" + "${domain}.${srv}.julm.PC.htpasswd:${./. + "/${srv}/julm/PC/htpasswd.cred"}" + "${domain}.${srv}.julm.perso.camera.htpasswd:${./. + "/${srv}/julm/perso/camera.htpasswd.cred"}" ]; }; services.nginx = { diff --git a/hosts/mermet/rspamd.nix b/hosts/mermet/rspamd.nix index ebe1272..1980eb4 100644 --- a/hosts/mermet/rspamd.nix +++ b/hosts/mermet/rspamd.nix @@ -109,7 +109,7 @@ in systemd.services.rspamd = { serviceConfig = { LoadCredentialEncrypted = [ - "controller.inc:${inputs.self}/hosts/${hostName}/rspamd/controller.inc.cred" + "controller.inc:${rspamd/controller.inc.cred}" ]; }; }; diff --git a/hosts/mermet/rspamd/autogeree.net.nix b/hosts/mermet/rspamd/autogeree.net.nix index 05a9600..00061cb 100644 --- a/hosts/mermet/rspamd/autogeree.net.nix +++ b/hosts/mermet/rspamd/autogeree.net.nix 
@@ -19,7 +19,7 @@ in ''; systemd.services.rspamd.serviceConfig = { LoadCredentialEncrypted = [ - "${domain}.${selector}.key:${inputs.self}/hosts/${hostName}/rspamd/${domain}/${selector}.dkim.key.cred" + "${domain}.${selector}.key:${./. + "/${domain}/${selector}.dkim.key.cred"}" ]; }; } diff --git a/hosts/mermet/rspamd/sourcephile.fr.nix b/hosts/mermet/rspamd/sourcephile.fr.nix index 3eefe5b..4a5778c 100644 --- a/hosts/mermet/rspamd/sourcephile.fr.nix +++ b/hosts/mermet/rspamd/sourcephile.fr.nix @@ -23,7 +23,7 @@ in ''; systemd.services.rspamd.serviceConfig = { LoadCredentialEncrypted = [ - "${domain}.${selector}.key:${inputs.self}/hosts/${hostName}/rspamd/${domain}/${selector}.dkim.key.cred" + "${domain}.${selector}.key:${./. + "/${domain}/${selector}.dkim.key.cred"}" ]; }; } diff --git a/hosts/mermet/networking/ssh.nix b/hosts/mermet/ssh.nix similarity index 90% rename from hosts/mermet/networking/ssh.nix rename to hosts/mermet/ssh.nix index 1e18ae1..6b55271 100644 --- a/hosts/mermet/networking/ssh.nix +++ b/hosts/mermet/ssh.nix @@ -7,10 +7,15 @@ } } ''; + services.openssh = { gatewayPorts = "clientspecified"; openFirewall = true; }; + systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [ + "host.key:${ssh/host.key.cred}" + ]; + boot.initrd.network.ssh = { enable = true; # To prevent ssh from freaking out because a different host key is used, diff --git a/hosts/mermet/networking/wireguard.nix b/hosts/mermet/wireguard/wg-intra.nix similarity index 83% rename from hosts/mermet/networking/wireguard.nix rename to hosts/mermet/wireguard/wg-intra.nix index 54d479e..292f3bd 100644 --- a/hosts/mermet/networking/wireguard.nix +++ b/hosts/mermet/wireguard/wg-intra.nix 
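Review bot: The decrypted `host.key` credential is only consumed if `services.openssh.hostKeys` points at `/run/credentials/sshd.service/host.key`, and no such setting appears in this hunk, so confirm it is set elsewhere (possibly in a shared julm-nix profile); otherwise sshd keeps using the generated `/etc/ssh/ssh_host_*_key` files. A one-line comment above the `LoadCredentialEncrypted` entry naming where the key is consumed, e.g. `# consumed via services.openssh.hostKeys (see …)`, would make the coupling discoverable.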
@@ -7,6 +7,9 @@ in (inputs.julm-nix + "/nixos/profiles/wireguard/${wgIface}.nix") ]; config = { + systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = [ + "privateKey:${./. + "/${wgIface}/privateKey.cred"}" + ]; networking.wireguard.${wgIface}.peers = { aubergine.enable = true; losurdo.enable = true; -- 2.47.0 From c309b54753a5c9ea296d0b4371b5aa7f61e0b781 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 2 Mar 2023 00:51:54 +0100 Subject: [PATCH 07/16] mermet: nginx: autogeree.net: www: publish camera captures in by-uuid --- hosts/mermet/nginx/autogeree.net/www.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hosts/mermet/nginx/autogeree.net/www.nix b/hosts/mermet/nginx/autogeree.net/www.nix index c3879c1..e644af7 100644 --- a/hosts/mermet/nginx/autogeree.net/www.nix +++ b/hosts/mermet/nginx/autogeree.net/www.nix @@ -55,6 +55,13 @@ in fancyindex_exact_size off; ''; }; + # Disable basicAuthFile for by-uuid + locations."~ ^/julm/perso/camera/([0-9]+/[0-9][0-9]/by-uuid/[0-9a-f-]+/.+)$" = { + alias = "${root}/julm/perso/camera/$1"; + extraConfig = '' + autoindex off; + ''; + }; }; }; } -- 2.47.0 From 2e00a14ba08916e9c46d43bd948a596528bfe24e Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 2 Mar 2023 00:52:06 +0100 Subject: [PATCH 08/16] mermet: gitolite: update --- hosts/mermet/gitolite | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/mermet/gitolite b/hosts/mermet/gitolite index 9a0bb7a..5fa3429 160000 --- a/hosts/mermet/gitolite +++ b/hosts/mermet/gitolite @@ -1 +1 @@ -Subproject commit 9a0bb7a28efebc33cff1265aff2239828400d45e +Subproject commit 5fa3429e79c619e91ca7a65ff20507df22474265 -- 2.47.0 From e56dd371825283ef037e551c387060fe7cfa979b Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sun, 12 Mar 2023 00:09:50 +0100 Subject: [PATCH 09/16] mermet: sanoid: snap all /var/lib/nginx --- hosts/mermet/nginx.nix | 1 + 1 file changed, 1 insertion(+) 
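Review bot: The `privateKey` credential is only effective if the imported `wireguard/${wgIface}.nix` profile sets `privateKeyFile` to `$CREDENTIALS_DIRECTORY/privateKey`, as `hosts/losurdo/wireguard/wg-extra.nix` does explicitly in this series; that profile lives in julm-nix and is not visible here, so confirm it, otherwise the interface comes up without this key. A short comment on the new lines stating the contract, e.g. `# consumed by the wg-intra profile via privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey"`, would make the dependency explicit.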
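Review bot: The regex location makes the UUID path component the only access control for these captures, so its shape should be exact: `[0-9a-f-]+` also accepts `a`, `-` or `ffff`, and `.+` accepts anything after it, so any short directory name that happens to exist under `by-uuid/` becomes reachable without the htpasswd. Tighten the capture to a full UUID, e.g. `by-uuid/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/.+`, so only real tokens match (nginx resolves `..` and percent-encoding while parsing the URI, so path traversal itself is not the concern here). Because the URL is a bearer capability, also consider `add_header Cache-Control "private, no-store";` and `add_header X-Robots-Tag "noindex";` in this block so it is neither retained by shared caches nor indexed; the `autoindex off` already prevents enumeration of siblings. Note that `~` is case-sensitive, which is fine for lowercase UUIDs but will reject uppercase ones.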
diff --git a/hosts/mermet/nginx.nix b/hosts/mermet/nginx.nix index 182ee0b..3cfc00a 100644 --- a/hosts/mermet/nginx.nix +++ b/hosts/mermet/nginx.nix @@ -43,5 +43,6 @@ in services.sanoid.datasets."rpool/var/lib/nginx" = { use_template = [ "snap" ]; daily = 7; + recursive = true; }; } -- 2.47.0 From 2d373fe8a76b3e96b4d45a2859655e1d278fc74e Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sun, 12 Mar 2023 00:32:32 +0100 Subject: [PATCH 10/16] losurdo: wireguard: fix already defined attribute --- hosts/losurdo/wireguard/wg-intra.nix | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/hosts/losurdo/wireguard/wg-intra.nix b/hosts/losurdo/wireguard/wg-intra.nix index 3381c9e..ea952d6 100644 --- a/hosts/losurdo/wireguard/wg-intra.nix +++ b/hosts/losurdo/wireguard/wg-intra.nix @@ -10,9 +10,14 @@ in imports = [ (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix") ]; - systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = [ - "privateKey:${./. + "/${wgIface}/privateKey.cred"}" - ]; + systemd.services."wireguard-${wgIface}" = { + serviceConfig = { + LoadCredentialEncrypted = [ "privateKey:${./. + "/${wgIface}/privateKey.cred"}" ]; + }; + unitConfig = { + Upholds = [ "upnpc-${toString wg.listenPort}.service" ]; + }; + }; networking.wireguard.${wgIface}.peers = { mermet.enable = true; oignon.enable = true; @@ -20,9 +25,6 @@ in carotte.enable = true; aubergine.enable = true; }; - systemd.services."wireguard-${wgIface}" = { - unitConfig.Upholds = [ "upnpc-${toString wg.listenPort}.service" ]; - }; networking.nftables.ruleset = '' table inet filter { chain input-intra { -- 2.47.0 From 1dd6c8e79bf72b67133573b146a11cafd2c67d9e Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sun, 12 Mar 2023 00:32:47 +0100 Subject: [PATCH 11/16] losurdo: vnstat: enable service --- hosts/losurdo/networking.nix | 1 + 1 file changed, 1 insertion(+) 
diff --git a/hosts/losurdo/networking.nix b/hosts/losurdo/networking.nix index 7d4f7af..d81ff9e 100644 --- a/hosts/losurdo/networking.nix +++ b/hosts/losurdo/networking.nix @@ -149,4 +149,5 @@ in environment.systemPackages = [ pkgs.iodine ]; + services.vnstat.enable = true; } -- 2.47.0 From 95add5ea67137f75731d7b186cdaea3caefd8c16 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sun, 12 Mar 2023 17:41:39 +0100 Subject: [PATCH 12/16] mermet: vnstat: enable service --- hosts/mermet/networking.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/mermet/networking.nix b/hosts/mermet/networking.nix index 871b2fe..d3bd679 100644 --- a/hosts/mermet/networking.nix +++ b/hosts/mermet/networking.nix @@ -149,4 +149,6 @@ in useDHCP = false; }; }; + + services.vnstat.enable = true; } -- 2.47.0 From 7b07a10c0206b5ef4d8b01960316ddf8154ae16c Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sun, 12 Mar 2023 17:41:56 +0100 Subject: [PATCH 13/16] mermet: openldap: julm: increase mailQuota --- hosts/mermet/openldap/autogeree.net.nix | 2 +- hosts/mermet/openldap/sourcephile.fr.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/mermet/openldap/autogeree.net.nix b/hosts/mermet/openldap/autogeree.net.nix index c7584d7..5eb4b39 100644 --- a/hosts/mermet/openldap/autogeree.net.nix +++ b/hosts/mermet/openldap/autogeree.net.nix @@ -118,7 +118,7 @@ in mailAlias = [ "julien.moutinho" ]; userPassword = builtins.readFile (./. + "/${domain}/${uid}/hashedPassword.clear"); mailHomeDirectory = "/home/${uid}/mail/${domain}"; - mailQuota = "1G"; + mailQuota = "2G"; mailStorageDirectory = let stateDir = "/var/lib/dovecot"; in # I'm personnaly using "maildir:" instead of "sdbox:" to be able to use a local (neo)mutt on it, diff --git a/hosts/mermet/openldap/sourcephile.fr.nix b/hosts/mermet/openldap/sourcephile.fr.nix index 97af6c6..ef49862 100644 --- a/hosts/mermet/openldap/sourcephile.fr.nix +++ b/hosts/mermet/openldap/sourcephile.fr.nix 
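Review bot: The context line `userPassword = builtins.readFile (./. + "/${domain}/${uid}/hashedPassword.clear")` pulls the password hash into the Nix store at evaluation time, where it is world-readable on the evaluating machine and on every host that receives the closure, and the `.clear` file itself sits unencrypted in the repository, unlike the `.cred`/`.gpg` pairs used for every other secret in this series. A hash in that position leaks nothing only if it is a slow, salted scheme; an `{SSHA}` or weaker hash is crackable offline by any local user. Consider moving it to an encrypted credential loaded at runtime, or at least document the accepted exposure next to the line, e.g. `# hash only, but store-visible: must remain a slow salted KDF`. The `mailQuota` change itself is fine.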
@@ -118,7 +118,7 @@ in mailAlias = [ "julien.moutinho" ]; userPassword = builtins.readFile (./. + "/${domain}/${uid}/hashedPassword.clear"); mailHomeDirectory = "/home/${uid}/mail/${domain}"; - mailQuota = "1G"; + mailQuota = "2G"; mailStorageDirectory = let stateDir = "/var/lib/dovecot"; in # I'm personnaly using "maildir:" instead of "sdbox:" to be able to use a local (neo)mutt on it, -- 2.47.0 From 44f8f0320bfb7c71e8e149e7fc67f8a1053131b1 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 14 Mar 2023 02:44:22 +0100 Subject: [PATCH 14/16] mermet: acme: disable dnsPropagationCheck (again) --- hosts/mermet/acme/autogeree.net.nix | 2 +- hosts/mermet/acme/sourcephile.fr.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/mermet/acme/autogeree.net.nix b/hosts/mermet/acme/autogeree.net.nix index 149c828..91bf481 100644 --- a/hosts/mermet/acme/autogeree.net.nix +++ b/hosts/mermet/acme/autogeree.net.nix @@ -27,7 +27,7 @@ in group = groups."acme".name; keyType = "rsa4096"; dnsProvider = "rfc2136"; - dnsPropagationCheck = false; + #dnsPropagationCheck = false; credentialsFile = pkgs.writeText "credentials" '' RFC2136_NAMESERVER=127.0.0.1:5353 RFC2136_PROPAGATION_TIMEOUT=1000 diff --git a/hosts/mermet/acme/sourcephile.fr.nix b/hosts/mermet/acme/sourcephile.fr.nix index e8750c4..e0d5f23 100644 --- a/hosts/mermet/acme/sourcephile.fr.nix +++ b/hosts/mermet/acme/sourcephile.fr.nix @@ -27,7 +27,7 @@ in group = groups."acme".name; keyType = "rsa4096"; dnsProvider = "rfc2136"; - #dnsPropagationCheck = false; + dnsPropagationCheck = false; credentialsFile = pkgs.writeText "credentials" '' RFC2136_NAMESERVER=127.0.0.1:5353 RFC2136_PROPAGATION_TIMEOUT=1000 -- 2.47.0 From 7d43a8a733b1c11c8f89c8bacdbbd7de14615f9b Mon Sep 17 00:00:00 2001 
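Review bot: The two hunks move in opposite directions: `autogeree.net.nix` comments out `dnsPropagationCheck = false;` (re-enabling lego's propagation check) while `sourcephile.fr.nix` uncomments it (disabling the check), yet the subject says "disable (again)" for mermet as a whole. If the intent is to disable it for both domains, the autogeree.net hunk is inverted; if the asymmetry is deliberate, a comment on each line explaining why, e.g. `# lego cannot observe propagation through 127.0.0.1:5353 — skip the check`, would stop it flipping back, which the "(again)" suggests has happened before. Skipping the propagation check only affects timing, not the security of issuance (the CA still performs its own validation), so either setting is safe.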
From: Julien Moutinho Date: Wed, 26 Apr 2023 11:24:33 +0200 Subject: [PATCH 15/16] mermet: miniflux: fix LoadCredentialEncrypted= not supported by EnvironmentFile= --- hosts/mermet/miniflux.nix | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/hosts/mermet/miniflux.nix b/hosts/mermet/miniflux.nix index 1559320..cccfd85 100644 --- a/hosts/mermet/miniflux.nix +++ b/hosts/mermet/miniflux.nix @@ -1,4 +1,4 @@ -{ lib, config, inputs, hostName, ... }: +{ pkgs, lib, config, inputs, hostName, ... }: let inherit (config.networking) domain; inherit (config.services) nginx postgresql; @@ -28,7 +28,8 @@ in WATCHDOG = "1"; WORKER_POOL_SIZE = "2"; }; - adminCredentialsFile = "/run/credentials/miniflux.service/credentials"; + #adminCredentialsFile = "/run/credentials/miniflux.service/credentials"; + adminCredentialsFile = "/dev/null"; }; systemd.services.miniflux = { partOf = [ "postgresql.service" ]; @@ -38,6 +39,12 @@ in RefuseManualStart = true; }; serviceConfig = { + ExecStart = lib.mkForce (pkgs.writeShellScript "miniflux" '' + . /run/credentials/miniflux.service/credentials + export ADMIN_USERNAME + export ADMIN_PASSWORD + exec ${pkgs.miniflux}/bin/miniflux + ''); LoadCredentialEncrypted = [ "credentials:${miniflux/credentials.cred}" ]; -- 2.47.0 From 1642552da713c5fe0e5e18ca0b3bc47b3e091e62 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 16 May 2023 17:59:57 +0200 Subject: [PATCH 16/16] losurdo: dhcpcd4: restart on failure --- hosts/losurdo/networking/wireless.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/losurdo/networking/wireless.nix b/hosts/losurdo/networking/wireless.nix index a05be11..19bc7b4 100644 --- a/hosts/losurdo/networking/wireless.nix +++ b/hosts/losurdo/networking/wireless.nix @@ -112,6 +112,8 @@ in "network-addresses-${wifiIface}.service" "sys-subsystem-net-devices-${wifiIface}.device" ]; + unitConfig.StartLimitIntervalSec = 0; + serviceConfig.RestartSec = 5; }; services.dhcpd4 = { enable = true; -- 2.47.0
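Review bot: The forced `ExecStart` sources the decrypted credential as a shell fragment (`. /run/credentials/miniflux.service/credentials`), so that file is executed rather than read — anything that ends up in it runs as the miniflux user, which is acceptable only because the file is operator-authored and encrypted at rest. The secrets then sit in the process environment, which is the same exposure `EnvironmentFile=` would have had, so this is not a regression; but if the packaged miniflux supports `ADMIN_USERNAME_FILE`/`ADMIN_PASSWORD_FILE` (check `miniflux -help` for this version), pointing those at two plain credentials removes both the `source` and the `adminCredentialsFile = "/dev/null"` workaround. Also `pkgs.miniflux` here may diverge from the package the upstream module runs; use the module's package option if this release has one.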
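Review bot: `serviceConfig.RestartSec = 5` only has an effect if `Restart=` is set, and no `Restart = "on-failure"` (or `"always"`) appears in this hunk, so unless it is set elsewhere in this unit the "restart on failure" in the subject does not actually happen. `StartLimitIntervalSec = 0` disables systemd's start-rate limiter, so a persistently failing unit will loop every 5 s indefinitely; that is usually what you want for a DHCP client on a flaky link, but it deserves a comment, e.g. `# retry forever: the wifi link may be down for long periods`. The unit definition begins outside the hunk.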