From f2c0054928fe04a644905bfe5955ab1ff3ade858 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 13 Feb 2020 04:18:09 +0100 Subject: [PATCH 01/16] nginx: use Let's Encrypt X.509 certificate --- servers/mermet/knot.nix | 8 ++ servers/mermet/knot/sourcephile.fr.nix | 14 +--- servers/mermet/nginx.nix | 75 +++++++------------ servers/mermet/nginx/sourcephile.fr.nix | 7 ++ .../{gitweb.nix => sourcephile.fr/git.nix} | 13 ++-- .../mermet/nginx/{ => sourcephile.fr}/www.nix | 6 +- 6 files changed, 55 insertions(+), 68 deletions(-) create mode 100644 servers/mermet/nginx/sourcephile.fr.nix rename servers/mermet/nginx/{gitweb.nix => sourcephile.fr/git.nix} (91%) rename servers/mermet/nginx/{ => sourcephile.fr}/www.nix (75%) diff --git a/servers/mermet/knot.nix b/servers/mermet/knot.nix index 2768e23..52f9ea3 100644 --- a/servers/mermet/knot.nix +++ b/servers/mermet/knot.nix @@ -27,6 +27,14 @@ config = { security.acme = { acceptTerms = true; }; +environment.systemPackages = [ + pkgs.lego +]; +users = { + groups = { + acme = {}; + }; +}; systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {data, ...}: lib.optionalString (data != null) '' install -D -o knot -g knot -m 700 ${pkgs.writeText "${domain}.zone" data} /var/lib/knot/zones/${domain}.zone diff --git a/servers/mermet/knot/sourcephile.fr.nix b/servers/mermet/knot/sourcephile.fr.nix index 6dc4711..a313fa1 100644 --- a/servers/mermet/knot/sourcephile.fr.nix +++ b/servers/mermet/knot/sourcephile.fr.nix @@ -13,16 +13,6 @@ let domain = "sourcephile.fr"; in { -environment.systemPackages = [ - pkgs.lego -]; -users = { - groups = { - acme = { - members = [ users.users.nginx.name ]; - }; - }; -}; security.acme.certs."${domain}" = { email = "root@${domain}"; extraDomains = { 
@@ -92,6 +82,10 @@ services.knot.zones."${domain}" = { ; SRV (SeRVice) _git._tcp.git 18000 IN SRV 0 0 9418 git + + ; CAA (Certificate Authority Authorization) + ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum + @ CAA 128 issue "letsencrypt.org" ''; }; } diff --git a/servers/mermet/nginx.nix b/servers/mermet/nginx.nix index 0c416ec..903b658 100644 --- a/servers/mermet/nginx.nix +++ b/servers/mermet/nginx.nix @@ -10,8 +10,7 @@ let in { imports = [ - nginx/gitweb.nix - nginx/www.nix + nginx/sourcephile.fr.nix ]; options = { services.nginx = { @@ -37,10 +36,8 @@ config = { ${nginx.webDir} \ ${nginx.logDir} ''; - after = [ - "${networking.domain}.key.pem-key.service" - ]; }; + users.groups."acme".members = [nginx.user]; services.nginx = { enable = true; stateDir = "/dev/shm/nginx"; @@ -50,15 +47,22 @@ config = { worker_connections 1024; ''; clientMaxBodySize = "20m"; + recommendedGzipSettings = true; + recommendedOptimisation = false; recommendedProxySettings = true; recommendedTlsSettings = true; + resolver = { + addresses = [ "127.0.0.1:53" ]; + valid = ""; + ipv6 = networking.defaultGateway6 != null; + }; serverTokens = false; # Only allow PFS-enabled ciphers with AES256 - sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; + #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; sslDhparam = ../../../sec/openssl/dh.pem; - #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL;"; - #sslProtocols = "TLSv1.2"; + sslProtocols = "TLSv1.3 TLSv1.2"; commonHttpConfig = '' log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' 
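Review bot: The new CAA record restricts issuance to letsencrypt.org but gives a CA nowhere to report a request it refused; adding `@ CAA 0 iodef "mailto:root@${domain}"` next to it would route attempted mis-issuance to the mailbox the ACME account already uses. The `128` flag marks the `issue` property critical, which every CAA-aware CA understands, so that part is fine. With no `issuewild` property the `issue` record also governs wildcard requests, which is presumably the intent and could be said in the comment.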
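Review bot: The comment `# Only allow PFS-enabled ciphers with AES256` now heads three commented-out `sslCiphers` alternatives, so it describes a setting that is no longer applied; the effective cipher list is whatever `recommendedTlsSettings = true` and the module default produce. Replace it with something like `# Cipher suites are left to recommendedTlsSettings; the lines below are kept only as history`, or drop the dead alternatives. The new `resolver` block is what OCSP stapling needs now that the certificate is CA-issued, but `valid = ""` presumably relies on the module omitting the parameter for an empty string, which deserves a short comment.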
@@ -75,10 +79,11 @@ config = { # Add HSTS header with preloading to HTTPS requests. # Adding this header to HTTP requests is discouraged - #map $scheme $hsts_header { - # https "max-age=31536000; includeSubdomains; preload"; - #} - #add_header Strict-Transport-Security $hsts_header; + # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; # Enable CSP for your services. #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; @@ -98,6 +103,9 @@ config = { # This might create errors proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + + # If a client has a session ticket, it can present it to the server and re-negotiation is not necessary. + ssl_session_tickets on; ''; log = '' access_log ${nginx.logDir}/access.log main buffer=32k; @@ -145,8 +153,8 @@ config = { tcp_nodelay on; keepalive_timeout 20; reset_timedout_connection on; - #types_hash_max_size 2048; - #server_names_hash_bucket_size 128; + types_hash_max_size 4096; + server_names_hash_bucket_size 128; ''; map = '' # User agents that are to be blocked. @@ -165,34 +173,6 @@ config = { # 127.0.0.1 0; #} ''; - gzip = '' - gzip on; - gzip_buffers 16 8k; - gzip_comp_level 6; - gzip_disable "MSIE [1-6]\."; - gzip_http_version 1.1; - gzip_min_length 1024; - gzip_proxied any; - gzip_static on; - gzip_vary on; - gzip_types application/atom+xml - application/javascript - application/json - application/rss+xml - application/vnd.ms-fontobject - application/x-font-ttf - application/x-javascript - application/xml - application/xml+rss - font/opentype - font/truetype - image/svg+xml - text/css - text/javascript - text/plain - text/x-component - text/xml; - ''; cache = '' client_body_buffer_size 4K; # getconf PAGESIZE 
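Review bot: Enabling `includeSubdomains; preload` on the apex is a one-way commitment: once the domain is on the browser preload list every subdomain must answer over HTTPS with a valid certificate, yet `git.nix` and `www.nix` in this same patch still set `forceSSL = false`. Either switch those hosts to `forceSSL = true` before submitting to the preload list, or leave `preload` out until that is done. Also, nginx inherits `add_header` from the `http` level into a `server` or `location` block only when that block declares no `add_header` of its own, so any virtual host that adds a header silently loses HSTS; a comment next to the `map` such as `# Inherited only into blocks that declare no add_header of their own` would spare the next reader that surprise.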
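Review bot: The comment above `ssl_session_tickets on;` talks about renegotiation, but tickets implement session resumption; more importantly a ticket is encrypted under a key nginx generates once at start and keeps until the next restart, so enabling tickets without key rotation weakens forward secrecy for every session resumed in that window. Either leave the directive out (the server-side session cache that `recommendedTlsSettings` presumably configures still provides resumption) or reword the comment to `# Session tickets give stateless resumption; the ticket key lives for the process lifetime, so rotate it (ssl_session_ticket_key) or restart regularly`. If `recommendedTlsSettings` also emits an `ssl_session_tickets` directive in the same block, nginx rejects the duplicate, so check the rendered configuration.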
@@ -202,7 +182,7 @@ config = { client_header_buffer_size 1k; client_header_timeout 60; large_client_header_buffers 4 8k; - + open_file_cache max=200000 inactive=20s; open_file_cache_errors on; open_file_cache_min_uses 2; @@ -210,14 +190,11 @@ config = { ''; }); appendConfig = '' - worker_processes 4; + worker_processes ${toString config.nix.maxJobs}; ''; virtualHosts."_" = { - forceSSL = false; - # Convoluted way to load the certificate in the store and using ${networking.domainBase} to find it. - # NOTE: no ssl_stapling while the certificate remains self-signed. - sslCertificate = loadFile (../../../sec + "/openssl/${networking.domain}/cert.self-signed.pem"); - sslCertificateKey = "/run/keys/${networking.domain}.key.pem"; + forceSSL = true; + useACMEHost = networking.domain; }; }; }; diff --git a/servers/mermet/nginx/sourcephile.fr.nix b/servers/mermet/nginx/sourcephile.fr.nix new file mode 100644 index 0000000..63d6148 --- /dev/null +++ b/servers/mermet/nginx/sourcephile.fr.nix @@ -0,0 +1,7 @@ +{ pkgs, lib, config, ... }: +{ +imports = [ + sourcephile.fr/www.nix + sourcephile.fr/git.nix +]; +} diff --git a/servers/mermet/nginx/gitweb.nix b/servers/mermet/nginx/sourcephile.fr/git.nix similarity index 91% rename from servers/mermet/nginx/gitweb.nix rename to servers/mermet/nginx/sourcephile.fr/git.nix index e258031..c1d5336 100644 --- a/servers/mermet/nginx/gitweb.nix +++ b/servers/mermet/nginx/sourcephile.fr/git.nix @@ -1,6 +1,7 @@ { pkgs, lib, config, ... }: let inherit (config) networking; inherit (config.services) gitweb gitolite nginx; + domain = "sourcephile.fr"; package = pkgs.gitweb.override (lib.optionalAttrs gitweb.gitwebTheme { gitwebTheme = true; }); 
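Review bot: With `useACMEHost = networking.domain` the catch-all host reads its certificate from the ACME state directory, but the `after = [ "${networking.domain}.key.pem-key.service" ]` removed in the earlier hunk of this file is not replaced by any ordering against `acme-${networking.domain}.service`; unless the NixOS module adds that ordering for `useACMEHost` as it does for `enableACME`, nginx can start before the first certificate exists and fail. A `systemd.services.nginx.after = [ "acme-${networking.domain}.service" ]` where the removed lines were, as this series later does for Postfix, would cover it. `worker_processes ${toString config.nix.maxJobs}` is fine: `nix.maxJobs` may be an integer or the string `auto`, and nginx accepts both.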
@@ -19,13 +20,13 @@ in { services.nginx = { virtualHosts."git" = { - serverName = "git.${networking.domain}"; + serverName = "git.${domain}"; serverAliases = map (domainAlias: "git." + domainAlias) config.networking.domainAliases; forceSSL = false; - sslCertificate = nginx.virtualHosts."_".sslCertificate; - sslCertificateKey = nginx.virtualHosts."_".sslCertificateKey; + enableSSL = true; + useACMEHost = domain; locations = { "/" = { extraConfig = '' @@ -67,7 +68,7 @@ in extraConfig = '' use utf8; my $s = $cgi->https() ? "s" : ""; - @extra_breadcrumbs = (["${networking.domainBase}" => "http''${s}://${networking.domain}"]); + @extra_breadcrumbs = (["${networking.domainBase}" => "http''${s}://${domain}"]); $site_name = "Git — Sourcephile"; $home_link_str = "git"; $projects_list = "${gitolite.dataDir}/projects.list"; @@ -78,8 +79,8 @@ in $export_ok = "git-daemon-export-ok"; $prevent_xss = 0; @git_base_url_list = - ( "git://git.${networking.domain}" - , "git\@git.${networking.domain}:" + ( "git://git.${domain}" + , "git\@git.${domain}:" ); # NOTE: more readable URL. $feature{'pathinfo'}{'default'} = [1]; diff --git a/servers/mermet/nginx/www.nix b/servers/mermet/nginx/sourcephile.fr/www.nix similarity index 75% rename from servers/mermet/nginx/www.nix rename to servers/mermet/nginx/sourcephile.fr/www.nix index 5c2ad3f..f4ea868 100644 --- a/servers/mermet/nginx/www.nix +++ b/servers/mermet/nginx/sourcephile.fr/www.nix @@ -1,6 +1,7 @@ { pkgs, lib, config, ... }: let inherit (config) networking; inherit (config.services) nginx; + domain = "sourcephile.fr"; in { services.nginx = { @@ -12,9 +13,8 @@ in ++ map (domainAlias: "www." + domainAlias) config.networking.domainAliases; forceSSL = false; - enableSSL = false; - #sslCertificate = nginx.virtualHosts."_".sslCertificate; - #sslCertificateKey = nginx.virtualHosts."_".sslCertificateKey; + enableSSL = true; + useACMEHost = domain; globalRedirect = "git.${networking.domain}"; }; }; -- 2.44.1 
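Review bot: `serverAliases` still maps every `config.networking.domainAliases` entry to `git.<alias>`, but the host now serves the single `useACMEHost = domain` certificate, so each alias must be listed in that certificate's `extraDomains` (declared in `knot/sourcephile.fr.nix`, cut off in this patch) or clients using an alias name get a certificate name mismatch. The same applies to the `www.` aliases in the `www.nix` hunk below. A comment such as `# every alias must be covered by security.acme.certs."${domain}".extraDomains` next to `useACMEHost` would make the coupling visible.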
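Review bot: The host's `serverName` now derives from the new `domain` binding while the `globalRedirect = "git.${networking.domain}"` context line just below still uses `networking.domain`; if the two ever differ, `www.sourcephile.fr` would redirect to a git host under another domain. Changing it to `globalRedirect = "git.${domain}";` keeps the file consistent with `git.nix`, where every occurrence was converted.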
From d9b90231a8582712092a311d590e0bd8a6f6a3b9 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 13 Feb 2020 04:55:58 +0100 Subject: [PATCH 02/16] knot: allow only updates to _acme-challenge TXT --- servers/mermet/knot.nix | 8 -------- servers/mermet/knot/sourcephile.fr.nix | 12 ++++++++++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/servers/mermet/knot.nix b/servers/mermet/knot.nix index 52f9ea3..d925c80 100644 --- a/servers/mermet/knot.nix +++ b/servers/mermet/knot.nix @@ -119,14 +119,6 @@ services.knot = { ksk-submission: dnssec_validating_resolver acl: - - id: acl_localhost - address: 127.0.0.1 - action: transfer - - - id: acl_lego - address: 127.0.0.1 - action: update - # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html - id: acl_gandi address: 217.70.177.40 diff --git a/servers/mermet/knot/sourcephile.fr.nix b/servers/mermet/knot/sourcephile.fr.nix index a313fa1..e79ac47 100644 --- a/servers/mermet/knot/sourcephile.fr.nix +++ b/servers/mermet/knot/sourcephile.fr.nix @@ -29,6 +29,15 @@ security.acme.certs."${domain}" = { }; services.knot.zones."${domain}" = { conf = '' + acl: + - id: acl_acme_challenge_sourcephile_fr + address: 127.0.0.1 + action: update + update-owner: name + update-owner-match: equal + update-owner-name: [_acme-challenge.${domain}] + update-type: [TXT] + zone: - domain: ${domain} file: ${domain}.zone @@ -36,8 +45,7 @@ services.knot.zones."${domain}" = { semantic-checks: on notify: secondary_gandi acl: acl_gandi - acl: acl_lego - acl: acl_localhost + acl: acl_acme_challenge_sourcephile_fr dnssec-signing: on dnssec-policy: rsa ''; -- 2.44.1 From 94b5661428c4d4e6e8ab82752c31eece4fe13085 Mon Sep 17 00:00:00 2001 
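Review bot: The new `acl_acme_challenge_sourcephile_fr` admits updates on source address alone, so any local process that can reach 127.0.0.1:53, not only lego, may rewrite the `_acme-challenge` TXT record and thereby pass a DNS-01 challenge for the zone; adding a TSIG `key:` to the ACL and giving that key to lego limits this to the intended client. The owner restriction itself is well scoped (`update-owner-match: equal`, `update-type: [TXT]`). Check how Knot interprets `update-owner-name: [_acme-challenge.${domain}]`: if a name without a trailing dot is taken relative to the zone origin, the effective owner would be doubled and the ACME update rejected, in which case the bare label `_acme-challenge` or a trailing dot is needed.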
From: Julien Moutinho Date: Thu, 13 Feb 2020 17:32:07 +0100 Subject: [PATCH 03/16] nginx: remove deprecated enableSSL --- servers/mermet/dovecot/sourcephile.fr.nix | 2 ++ servers/mermet/nginx/sourcephile.fr/git.nix | 1 - servers/mermet/nginx/sourcephile.fr/www.nix | 1 - 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/servers/mermet/dovecot/sourcephile.fr.nix b/servers/mermet/dovecot/sourcephile.fr.nix index 46f01c0..7271c05 100644 --- a/servers/mermet/dovecot/sourcephile.fr.nix +++ b/servers/mermet/dovecot/sourcephile.fr.nix @@ -53,6 +53,8 @@ services.nginx.virtualHosts."autoconfig.${domain}" = { access_log off; log_not_found off; ''; + forceSSL = true; + useACMEHost = domain; root = pkgs.writeTextFile { name = "autoconfig"; destination = "/mail/config-v1.1.xml"; diff --git a/servers/mermet/nginx/sourcephile.fr/git.nix b/servers/mermet/nginx/sourcephile.fr/git.nix index c1d5336..c031b50 100644 --- a/servers/mermet/nginx/sourcephile.fr/git.nix +++ b/servers/mermet/nginx/sourcephile.fr/git.nix @@ -25,7 +25,6 @@ in map (domainAlias: "git." + domainAlias) config.networking.domainAliases; forceSSL = false; - enableSSL = true; useACMEHost = domain; locations = { "/" = { diff --git a/servers/mermet/nginx/sourcephile.fr/www.nix b/servers/mermet/nginx/sourcephile.fr/www.nix index f4ea868..9426af2 100644 --- a/servers/mermet/nginx/sourcephile.fr/www.nix +++ b/servers/mermet/nginx/sourcephile.fr/www.nix @@ -13,7 +13,6 @@ in ++ map (domainAlias: "www." + domainAlias) config.networking.domainAliases; forceSSL = false; - enableSSL = true; useACMEHost = domain; globalRedirect = "git.${networking.domain}"; }; -- 2.44.1 From 445baebce48848fd41a25a28a4beaa39c7fd1c21 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 14 Feb 2020 02:47:00 +0100 Subject: [PATCH 04/16] direnv: fix broken dump with new direnv_load --- .envrc | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.envrc b/.envrc index 0f3621d..20c104d 100644 --- a/.envrc 
+++ b/.envrc @@ -53,7 +53,7 @@ if test -e ".cache/nix-shell/$hash/dump" then log_status "reusing .cache/nix-shell/$hash/" # Load the cached environment - direnv_load cat .cache/nix-shell/"$hash"/dump + direnv_load sh -c "cat >\$DIRENV_DUMP_FILE_PATH .cache/nix-shell/"$hash"/dump" # Re-run the shellHook to update envvars like GPG_TTY, # and run gpg-connect-agent updatestartuptty /bye eval "$shellHook" @@ -72,12 +72,11 @@ else log_status "building .cache/nix-shell/$hash/" --indirect --add-root .cache/nix-shell/"$hash"/shell.dep \ ${OFFLINE:+--option substituters ""} \ --realise $(nix-store --query --references .cache/nix-shell/"$hash"/shell.drv) && - nix-shell >"$dump" ${TRACE:+--show-trace} --pure \ - --run "$(join_args "$direnv" dump)" \ - ${OFFLINE:+--option substituters ""} && + direnv_load sh -c "nix-shell ${TRACE:+--show-trace} --pure \ + --run \"DIRENV_DUMP_FILE_PATH=$dump $direnv dump; cat $dump >\$DIRENV_DUMP_FILE_PATH\" \ + ${OFFLINE:+--option substituters ""}" && mv -f "$dump" .cache/nix-shell/"$hash"/dump && - find .cache/nix-shell -mindepth 1 -maxdepth 1 -not -name "$hash" -exec rm -rf {} + && - direnv_load cat .cache/nix-shell/"$hash"/dump || { + find .cache/nix-shell -mindepth 1 -maxdepth 1 -not -name "$hash" -exec rm -rf {} + || { rm -rf "$PWD/.cache/nix-shell/$hash" log_error "cannot build shell.nix" return 1 -- 2.44.1 From 17ecd1cd0475bba7572fe36bb7b5a90be102c489 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sat, 15 Feb 2020 04:51:52 +0100 Subject: [PATCH 05/16] direnv: use flock --- .envrc | 47 +++++++++++++++++++++++++++++------------------ 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/.envrc b/.envrc index 20c104d..111cab0 100644 --- a/.envrc +++ b/.envrc 
@@ -8,7 +8,9 @@ nixshell_sources=(.envrc shell.nix $(test ! -d shell || find shell -type f -not if ! has nix || test "$(nix --version)" != "nix (Nix) $nix_version" then log_status "installing Nix core tools" gpg2 --keyserver hkp://wwwkeys.de.pgp.net:80 --recv-keys "$nix_openpgp" - if test ! -e .config/nix/install -o ! -e .config/nix/install.asc + { + flock --exclusive 3 + if test ! -s .config/nix/install -o ! -s .config/nix/install.asc then mkdir -p .config/nix (cd .config/nix; curl -OO https://nixos.org/releases/nix/nix-"$nix_version"/{install,install.asc}) @@ -21,17 +23,22 @@ then log_status "installing Nix core tools" } } . ~/.nix-profile/etc/profile.d/nix.sh + } 3>>.config/nix/install fi # nixpkgs -if test ! -e .config/nixpkgs-channel/$nixpkgs_channel.nix +mkdir -p .config/nixpkgs-channel +{ +flock --exclusive 3 +if test ! -s .config/nixpkgs-channel/$nixpkgs_channel.nix then log_status "installing nixpkgs from $nixpkgs_channel (This may take some time. To update: delete .config/nixpkgs-channel/$nixpkgs_channel.nix)" rev=$(curl -L https://nixos.org/channels/"$nixpkgs_channel"/git-revision | head -n1 | tr -dC 'a-z0-9') sha256=$(nix-prefetch-url --unpack https://github.com/NixOS/nixpkgs-channels/archive/"$rev".tar.gz) - mkdir -p .config/nixpkgs-channel - echo >.config/nixpkgs-channel/$nixpkgs_channel.nix "builtins.fetchTarball {url=\"https://github.com/NixOS/nixpkgs-channels/archive/$rev.tar.gz\"; sha256=\"$sha256\";}" + echo >.config/nixpkgs-channel/$nixpkgs_channel.nix \ + "builtins.fetchTarball {url=\"https://github.com/NixOS/nixpkgs-channels/archive/$rev.tar.gz\"; sha256=\"$sha256\";}" else log_status "using nixpkgs from .config/nixpkgs-channel/$nixpkgs_channel.nix" fi +} 3>>.config/nixpkgs-channel/$nixpkgs_channel.nix watch_file .config/nixpkgs-channel/$nixpkgs_channel.nix # Used in shell.nix export nixpkgs_channel 
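Review bot: The lock for the Nix installer block is opened with `} 3>>.config/nix/install` in the second hunk, but `mkdir -p .config/nix` only runs inside that block, so on a checkout where `.config/nix/` does not yet exist (unless it is tracked in the repository) the redirection fails with "No such file or directory" and bash skips the whole group, leaving Nix uninstalled. The nixpkgs hunk just below handles this by running `mkdir -p .config/nixpkgs-channel` before its brace; mirror it with `mkdir -p .config/nix` before the `{` in the first hunk. The switch from `-e` to `-s` in both `if` tests is required because `>>` now creates an empty file, which is worth a one-line comment.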
@@ -49,36 +56,40 @@ has shasum || { log_error "shasum is needed to cache environment"; return 1; } for e in "${nixshell_sources[@]}" do watch_file "$e"; done hash=$(shasum -a 256 "${nixshell_sources[@]}" | shasum -a 256 | cut -c -64) -if test -e ".cache/nix-shell/$hash/dump" +cache=.cache/nix-shell/"$hash" +if test -e "$cache/dump" then - log_status "reusing .cache/nix-shell/$hash/" + log_status "reusing $cache/" + { + flock --shared 3 # Load the cached environment - direnv_load sh -c "cat >\$DIRENV_DUMP_FILE_PATH .cache/nix-shell/"$hash"/dump" + direnv_load sh -c "cat >\$DIRENV_DUMP_FILE_PATH $cache/dump" # Re-run the shellHook to update envvars like GPG_TTY, # and run gpg-connect-agent updatestartuptty /bye eval "$shellHook" -else log_status "building .cache/nix-shell/$hash/" - mkdir -p ".cache/nix-shell/$hash" - local dump="$(mktemp .cache/nix-shell/$hash/dump-XXXXXXXX)" + } 3<$cache/dump +else + log_status "building $cache/" + mkdir -p "$cache" + { + flock --exclusive 3 # Register the derivation as a root for the garbage-collector, # then cache a dump of the environment from within the nix-shell, # then unregister previous derivations, # then load the cached environment. 
- nix-instantiate >/dev/null ./shell.nix \ - --indirect --add-root .cache/nix-shell/"$hash"/shell.drv \ + nix-instantiate >/dev/null ./shell.nix --indirect --add-root "$cache"/shell.drv \ ${TRACE:+--show-trace} \ ${OFFLINE:+--option substituters ""} && - nix-store >/dev/null \ - --indirect --add-root .cache/nix-shell/"$hash"/shell.dep \ - ${OFFLINE:+--option substituters ""} \ - --realise $(nix-store --query --references .cache/nix-shell/"$hash"/shell.drv) && + nix-store >/dev/null --indirect --add-root "$cache"/shell.dep \ + --realise $(nix-store --query --references $cache/shell.drv) \ + ${OFFLINE:+--option substituters ""} && direnv_load sh -c "nix-shell ${TRACE:+--show-trace} --pure \ - --run \"DIRENV_DUMP_FILE_PATH=$dump $direnv dump; cat $dump >\$DIRENV_DUMP_FILE_PATH\" \ + --run \"$direnv dump | tee $cache/dump >\$DIRENV_DUMP_FILE_PATH\" \ ${OFFLINE:+--option substituters ""}" && - mv -f "$dump" .cache/nix-shell/"$hash"/dump && find .cache/nix-shell -mindepth 1 -maxdepth 1 -not -name "$hash" -exec rm -rf {} + || { rm -rf "$PWD/.cache/nix-shell/$hash" log_error "cannot build shell.nix" return 1 } + } 3>$cache/dump fi -- 2.44.1 From 92bf53164f3ed01c191101d7ec46563d83bcf560 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sat, 15 Feb 2020 04:52:37 +0100 Subject: [PATCH 06/16] shell: gnupg: always update conf --- shell/modules/tools/security/gnupg.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/shell/modules/tools/security/gnupg.nix b/shell/modules/tools/security/gnupg.nix index 39d968f..c5821be 100644 --- a/shell/modules/tools/security/gnupg.nix +++ b/shell/modules/tools/security/gnupg.nix 
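Review bot: `} 3>$cache/dump` truncates the dump file when fd 3 is opened, which happens before `flock --exclusive 3` runs, so a second shell entering the build branch while the first still holds the lock wipes the dump that `tee` is writing; the other hunks in this patch open the lock fd with `>>`, and the same `} 3>>"$cache/dump"` should be used here, together with a `test -s "$cache/dump"` re-check after the lock is obtained so the waiting shell reuses the result instead of rebuilding. Dropping the `mv -f "$dump"` step also loses atomicity: if `$direnv dump` fails inside the `--run` pipeline, the exit status is `tee`'s unless pipefail is set, a truncated dump stays in place, and the next entry's `test -e "$cache/dump"` accepts it. Since the dump captures the complete shell environment, `mkdir -p -m 0700 "$cache"` would keep it from being world-readable under a permissive umask.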
@@ -202,10 +202,6 @@ let set -eu set -o pipefail ${info} - ${pkgs.coreutils}/bin/install -dm0700 -D ${gnupg.gnupgHome} - ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgConf} ${gnupg.gnupgHome}/gpg.conf - ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgAgentConf} ${gnupg.gnupgHome}/gpg-agent.conf - ${pkgs.coreutils}/bin/ln -snf ${gnupg.dirmngrConf} ${gnupg.gnupgHome}/dirmngr.conf '' + generateKeys gnupg.keys ); @@ -472,6 +468,10 @@ config = lib.mkIf gnupg.enable { ]; nix-shell.shellHook = '' # gnupg + ${pkgs.coreutils}/bin/install -dm0700 -D ${gnupg.gnupgHome} + ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgConf} ${gnupg.gnupgHome}/gpg.conf + ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgAgentConf} ${gnupg.gnupgHome}/gpg-agent.conf + ${pkgs.coreutils}/bin/ln -snf ${gnupg.dirmngrConf} ${gnupg.gnupgHome}/dirmngr.conf export GNUPGHOME=${gnupg.gnupgHome} install -dm700 "$GNUPGHOME" export GPG_TTY=$(${pkgs.coreutils}/bin/tty) -- 2.44.1 From 9001352c0ab237a523f92b53709f4ae267555787 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sat, 15 Feb 2020 04:54:02 +0100 Subject: [PATCH 07/16] nix: remove useless rebuilding of the patched Nixpkgs derivation --- nixos/defaults.nix | 2 +- shell.nix | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/nixos/defaults.nix b/nixos/defaults.nix index b6be38e..1637e1a 100644 --- a/nixos/defaults.nix +++ b/nixos/defaults.nix @@ -18,7 +18,7 @@ config = { options = "--delete-older-than 30d"; }; nixPath = [ - "nixpkgs=${pkgs.path}" + ("nixpkgs=" + toString pkgs.path) ]; }; diff --git a/shell.nix b/shell.nix index c142be8..57454b3 100644 --- a/shell.nix +++ b/shell.nix @@ -1,5 +1,6 @@ let - originNixpkgs = import (.config/nixpkgs-channel + ("/" + builtins.getEnv "nixpkgs_channel" + ".nix")); + nixpkgs_channel = builtins.getEnv "nixpkgs_channel"; + originNixpkgs = import (.config/nixpkgs-channel + ("/" + nixpkgs_channel + ".nix")); originPkgs = import originNixpkgs { config = {}; # Make the config pure, ignoring user's config. overlays = []; 
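Review bot: After the move the shellHook creates the GnuPG home twice in a row, once through the new `install -dm0700 -D ${gnupg.gnupgHome}` and again through the pre-existing `install -dm700 "$GNUPGHOME"` two lines later, with `$GNUPGHOME` set to the same path in between; one of the two can go, and keeping the `coreutils`-qualified one matches the `ln -snf` lines. Re-linking the three configuration files on every shell entry is the point of the commit, so a comment such as `# Re-link on every entry so changes to the generated configs take effect` would record why these lines left the script that runs `generateKeys`.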
@@ -189,7 +190,8 @@ pkgs.mkShell { . ~/.nix-profile/etc/profile.d/hm-session-vars.sh PATH=$NIX_SHELL_PATH:$PATH - export NIX_PATH="nixpkgs=${pkgs.path}:nixpkgs-overlays="$PWD"/overlays" + export NIX_PATH="nixpkgs=${toString pkgs.path}:nixpkgs-overlays="$PWD"/overlays" + export nixpkgs_channel=${nixpkgs_channel} # Cleanup "../sec/tmp/" # This is done when exiting the nix-shell -- 2.44.1 From 8e57213ec8a0d82d116a571bf364a8140a039b75 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sun, 16 Feb 2020 15:53:34 +0100 Subject: [PATCH 08/16] nix: update to latest nixos-unstable --- .../nixpkgs-channel/nixos-unstable-small.nix | 2 +- shell.nix | 18 +++++++++++++----- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/.config/nixpkgs-channel/nixos-unstable-small.nix b/.config/nixpkgs-channel/nixos-unstable-small.nix index 0de1a4c..be87549 100644 --- a/.config/nixpkgs-channel/nixos-unstable-small.nix +++ b/.config/nixpkgs-channel/nixos-unstable-small.nix @@ -1 +1 @@ -builtins.fetchTarball {url="https://github.com/NixOS/nixpkgs-channels/archive/eee784a1bb6b3e23491e2ee99814d7cb8700db5e.tar.gz"; sha256="1kf4vf2ls743mgqmligr2s9iwidn1y11cpz9pkip6g90fssmjds6";} +builtins.fetchTarball {url="https://github.com/NixOS/nixpkgs-channels/archive/b94c1c89f69563a9fc2ceee487b9bc19e5234d6a.tar.gz"; sha256="0gqk3dlkd03yj0vgp6hzaz8y62i5bccjnw657xij7cq3qypc28v5";} diff --git a/shell.nix b/shell.nix index 57454b3..172101c 100644 --- a/shell.nix +++ b/shell.nix 
@@ -26,10 +26,20 @@ let sha256 = "0y255x74qksqy7fm4bdwlknhm3s55vgfgbv4dd7580p4lcavya0m"; } */ + /* { meta.description = "Replace simp-le with lego and support DNS-01 challenge"; url = "https://github.com/NixOS/nixpkgs/pull/77578.diff"; sha256 = "15zs2146zh54jg1gywrcwyqxpx7izc35vlakk3cvrlqwwsvlr2rf"; } + */ + { meta.description = "dstat: fix pluginpath"; + url = "https://github.com/NixOS/nixpkgs/pull/80151.diff"; + sha256 = "0jjw2gvp7b7v2n2m2d6yj0gw711j6p9lyjf5ywp2y9ql6905qf4b"; + } + { meta.description = "shorewall: fix warnings due to types.loaOf being deprecated"; + url = "https://github.com/NixOS/nixpkgs/pull/80154.diff"; + sha256 = "0b216m1rib3jl6s3r5cbkd5h1bfhppikg4cz9ayr1fspsflr3bci"; + } ]; localNixpkgsPatches = [ ]; @@ -114,7 +124,6 @@ pkgs.mkShell { #preferLocalBuild = true; #allowSubstitutes = false; buildInputs = modules.nix-shell.buildInputs ++ [ - nixpkgs nixos.nixos-generate-config nixos.nixos-install nixos.nixos-enter @@ -194,10 +203,9 @@ pkgs.mkShell { export nixpkgs_channel=${nixpkgs_channel} # Cleanup "../sec/tmp/" - # This is done when exiting the nix-shell - # (or when… entering the directory with direnv - # which spawns a nix-shell just to get the env). - trap "cd '$PWD' && find ../sec/tmp -type f -exec shred -fu {} +" EXIT + # This is done when entering the nix-shell + # because direnv already hooks trap EXIT. + (cd "$PWD" && find ../sec/tmp -type f -exec shred -fu {} +) ${modules.nix-shell.shellHook} -- 2.44.1 From 21cb3bb8067c444874cfc44b45f1deec14d507b4 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sun, 16 Feb 2020 15:54:19 +0100 Subject: [PATCH 09/16] nsd: remove overlay --- overlays.nix | 1 - overlays/servers/dns/nsd.nix | 18 ------------------ 2 files changed, 19 deletions(-) delete mode 100644 overlays/servers/dns/nsd.nix diff --git a/overlays.nix b/overlays.nix index 7abbe7c..fe0576c 100644 --- a/overlays.nix +++ b/overlays.nix 
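Review bot: Moving the `shred` of `../sec/tmp` from an EXIT trap to shell entry means files written there stay on disk from the end of one session until the next one begins, which can be indefinitely; the new comment should state that trade-off rather than only why the trap was dropped. `shred` also cannot guarantee an overwrite on copy-on-write, journaling or snapshotting filesystems, as its own documentation notes, so unless `../sec/tmp` is a tmpfs the `-fu` here amounts to a delete. Suggested comment: `# Shredded on entry (direnv owns the EXIT trap); files persist between sessions and shred is ineffective on CoW/journaled filesystems, so keep ../sec/tmp on tmpfs.`. The `(cd "$PWD" && …)` subshell is a no-op `cd` and could simply be `find ../sec/tmp …`.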
@@ -1,7 +1,6 @@ map import [ overlays/lib/filesystem.nix overlays/lib/strings.nix - overlays/servers/dns/nsd.nix #overlays/users-init.nix ] ++ [ (self: super: { smartctl-tbw = super.callPackage pkgs/tools/system/smartmontools/smartctl-tbw {}; }) diff --git a/overlays/servers/dns/nsd.nix b/overlays/servers/dns/nsd.nix deleted file mode 100644 index e297ff4..0000000 --- a/overlays/servers/dns/nsd.nix +++ /dev/null @@ -1,18 +0,0 @@ -self: super: { - nsd = (super.nsd.override { - mmap = true; - }).overrideDerivation (attrs: { - # DOC: https://www.raspberrypi.org/forums/viewtopic.php?t=223628 - configureFlags = attrs.configureFlags ++ [ - # Allow to listen on that number of addresses - "--with-max-ips=8" - # You can disable the radix tree and use the red-black - # tree for the main lookups, the red-black tree uses - # less memory, but uses some more CPU. - #"--disable-radix-tree" - # Enable packed structure alignment, uses less memory, - # but unaligned reads. - "--enable-packed" - ]; - }); -} -- 2.44.1 From 8658c4bcb900ae661a0af6cc5b40e5e1f7bf02eb Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sun, 16 Feb 2020 15:55:02 +0100 Subject: [PATCH 10/16] nsd: remove configuration --- servers/mermet/nsd.nix | 36 -------------- servers/mermet/nsd/autogeree.net.nix | 71 --------------------------- servers/mermet/nsd/sourcephile.fr.nix | 68 ------------------------- 3 files changed, 175 deletions(-) delete mode 100644 servers/mermet/nsd.nix delete mode 100644 servers/mermet/nsd/autogeree.net.nix delete mode 100644 servers/mermet/nsd/sourcephile.fr.nix diff --git a/servers/mermet/nsd.nix b/servers/mermet/nsd.nix deleted file mode 100644 index 341a87f..0000000 --- a/servers/mermet/nsd.nix +++ /dev/null 
@@ -1,36 +0,0 @@ -{pkgs, lib, config, ...}: -let - inherit (config) networking; - inherit (config.services) nsd; -in -{ -imports = [ - nsd/sourcephile.fr.nix - nsd/autogeree.net.nix -]; -config = { -environment.systemPackages = [ - (pkgs.bind.override { enablePython = true; }) -]; -services.nsd = { - enable = true; - ipv4 = true; - ipv6 = true; - verbosity = 5; - #zones = {}; - /* - interfaces = lib.unique [ - #(builtins.elemAt networking.interfaces."${networking.defaultGateway.interface}".ipv4.addresses 0).address - #networking.privateIPv4 - ]; - */ - # SEE: http://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/ - ratelimit.enable = true; - # 100 less than the default to preserve a few Mio of RAM - ratelimit.size = 10000; - ratelimit.ratelimit = 200; - extraConfig = '' - ''; -}; -}; -} diff --git a/servers/mermet/nsd/autogeree.net.nix b/servers/mermet/nsd/autogeree.net.nix deleted file mode 100644 index 0bf5968..0000000 --- a/servers/mermet/nsd/autogeree.net.nix +++ /dev/null 
@@ -1,71 +0,0 @@ -{ pkgs, lib, config, ... }: -with builtins; -let - inherit (builtins.extraBuiltins) pass git; - inherit (lib) toInt; - inherit (pkgs.lib) unlinesAttrs types; - inherit (config) networking; - inherit (config.services) nsd rspamd; - # Use the Git commit time of the ${domain}.nix file to set the serial number. - # WARNING: the ${domain}.nix must be committed into Git for this to work. - serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]); - # FIXME: make dedicated config options - mermetIPv4 = "80.67.180.129"; - chomskyIPv4 = "91.216.110.36"; - domain = "autogeree.net"; -in -{ -services.nsd.zones."${domain}" = { - # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html - # DOC: https://www.sidn.nl/en/dnssec/dnssec-signatures-in-bind-named - provideXFR = [ "217.70.177.40 NOKEY" ]; - # Not allowed by 217.70.177.40 - #notify = [ "217.70.177.40 NOKEY" ]; - dnssec = false; - # TODO: increase the TTL once things have settled down - data = '' - $ORIGIN ${domain}. - $TTL 500 - - ; SOA (Start Of Authority) - @ SOA ns admin ( - ${toString (toInt (serial domain) - 1581021859 + 2016043001)} ; Serial number - 24h ; Refresh - 15m ; Retry - 1000h ; Expire (1000h) - 1d ; Negative caching - ) - - ; NS (Name Server) - @ NS ns - @ NS ns6.gandi.net. - - ; A (DNS -> IPv4) - @ A ${mermetIPv4} - chomsky A ${chomskyIPv4} - mermet A ${mermetIPv4} - - ; CNAME - autoconfig CNAME mermet - code CNAME mermet - git CNAME mermet - imap CNAME mermet - mail CNAME mermet - ns CNAME mermet - pop CNAME mermet - smtp CNAME mermet - submission CNAME mermet - www CNAME mermet - - ; SPF (Sender Policy Framework) - @ 3600 IN SPF "v=spf1 mx ip4:${mermetIPv4} -all" - @ 3600 IN TXT "v=spf1 mx ip4:${mermetIPv4} -all" - - ; MX (Mail eXchange) - @ 180 MX 5 mail - - ; SRV (SeRVice) - _git._tcp.git 18000 IN SRV 0 0 9418 git - ''; -}; -} 
diff --git a/servers/mermet/nsd/sourcephile.fr.nix b/servers/mermet/nsd/sourcephile.fr.nix deleted file mode 100644 index ee3b0c3..0000000 --- a/servers/mermet/nsd/sourcephile.fr.nix +++ /dev/null 
@@ -1,68 +0,0 @@ -{ pkgs, lib, config, ... }: -with builtins; -let - inherit (builtins.extraBuiltins) pass git; - inherit (pkgs.lib) unlinesAttrs types; - inherit (config) networking; - inherit (config.services) nsd rspamd; - # Use the Git commit time of the ${domain}.nix file to set the serial number. - # WARNING: the ${domain}.nix must be committed into Git for this to work. - # WARNING: when dnssec=true, dnssec-signzone is used with -N date - # which will override the serial number in the SOA, - # used by slave nameservers decide whether they should update or not from the master nameserver. - serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]); - mermetIPv4 = "80.67.180.129"; - domain = "sourcephile.fr"; -in -{ -services.nsd.zones."${domain}" = { - # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html - # DOC: https://www.sidn.nl/en/dnssec/dnssec-signatures-in-bind-named - provideXFR = [ "217.70.177.40 NOKEY" ]; - # Not allowed by 217.70.177.40 - #notify = [ "217.70.177.40 NOKEY" ]; - dnssec = true; - # TODO: increase the TTL once things have settled down - data = '' - $ORIGIN ${domain}. - $TTL 500 - - ; SOA (Start Of Authority) - @ SOA ns admin ( - ${serial domain} ; Serial number - 24h ; Refresh - 15m ; Retry - 1000h ; Expire (1000h) - 1d ; Negative caching - ) - - ; NS (Name Server) - @ NS ns - @ NS ns6.gandi.net. - - ; A (DNS -> IPv4) - @ A ${mermetIPv4} - mermet A ${mermetIPv4} - autoconfig A ${mermetIPv4} - code A ${mermetIPv4} - git A ${mermetIPv4} - imap A ${mermetIPv4} - mail A ${mermetIPv4} - ns A ${mermetIPv4} - pop A ${mermetIPv4} - smtp A ${mermetIPv4} - submission A ${mermetIPv4} - www A ${mermetIPv4} - - ; SPF (Sender Policy Framework) - @ 3600 IN SPF "v=spf1 mx ip4:${mermetIPv4} -all" - @ 3600 IN TXT "v=spf1 mx ip4:${mermetIPv4} -all" - - ; MX (Mail eXchange) - @ 180 MX 5 mail - - ; SRV (SeRVice) - _git._tcp.git 18000 IN SRV 0 0 9418 git - ''; -}; -} -- 2.44.1 
From ed554899158cdd894671fe8307d16bc5dc3ed58d Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Mon, 17 Feb 2020 13:34:16 +0100 Subject: [PATCH 11/16] dovecot: fix passdb --- servers/mermet/dovecot.nix | 7 +- .../dovecot/autoconfig/mail/config-v1.1.xml | 39 ++++++++ servers/mermet/dovecot/autogeree.net.nix | 95 ++++++------------ servers/mermet/dovecot/sourcephile.fr.nix | 98 ++++++------------- servers/mermet/openldap/sourcephile.fr.nix | 5 - servers/mermet/postfix/sourcephile.fr.nix | 8 +- 6 files changed, 109 insertions(+), 143 deletions(-) create mode 100644 servers/mermet/dovecot/autoconfig/mail/config-v1.1.xml diff --git a/servers/mermet/dovecot.nix b/servers/mermet/dovecot.nix index 3cb4ed3..0c82f07 100644 --- a/servers/mermet/dovecot.nix +++ b/servers/mermet/dovecot.nix @@ -68,7 +68,6 @@ systemd.services.dovecot2 = { after = [ "postfix.service" "openldap.service" - "${networking.domain}.key.pem-key.service" ]; /* preStart = '' @@ -115,8 +114,8 @@ services.dovecot2 = { ssl_dh = <${../../../sec/openssl/dh.pem} ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL ssl_prefer_server_ciphers = yes - ssl_cert = <${loadFile (../../../sec + "/openssl/${networking.domain}/cert.self-signed.pem")} - ssl_key = + + + + + %EMAILDOMAIN% + + mail.%EMAILDOMAIN% + 993 + SSL + %EMAILADDRESS% + password-cleartext + + + + mail.%EMAILDOMAIN% + 465 + SSL + %EMAILADDRESS% + password-cleartext + + true + false + + + + diff --git a/servers/mermet/dovecot/autogeree.net.nix b/servers/mermet/dovecot/autogeree.net.nix index 8e67e75..514b56a 100644 --- a/servers/mermet/dovecot/autogeree.net.nix +++ b/servers/mermet/dovecot/autogeree.net.nix 
@@ -1,15 +1,41 @@ { pkgs, lib, config, ... }: let + inherit (builtins) readFile; inherit (config.services) dovecot2; stateDir = "/var/lib/dovecot"; domain = "autogeree.net"; domainGroup = "autogeree"; - domainConfig = '' +in +{ +services.dovecot2.extraConfig = + let domainConfig = '' ssl_cert = <${../../../../sec/openssl/autogeree.net/cert.self-signed.pem} ssl_key = - - - - - %EMAILDOMAIN% - - mail.%EMAILDOMAIN% - 993 - SSL - %EMAILADDRESS% - password-cleartext - - - mail.%EMAILDOMAIN% - 995 - SSL - %EMAILADDRESS% - password-cleartext - - false - true - - - - mail.%EMAILDOMAIN% - 465 - SSL - %EMAILADDRESS% - password-cleartext - - true - false - - - - - ''; - }; + root = ./autoconfig; }; } diff --git a/servers/mermet/dovecot/sourcephile.fr.nix b/servers/mermet/dovecot/sourcephile.fr.nix index 7271c05..f9a8efd 100644 --- a/servers/mermet/dovecot/sourcephile.fr.nix +++ b/servers/mermet/dovecot/sourcephile.fr.nix @@ -1,15 +1,42 @@ { pkgs, lib, config, ... }: let + inherit (builtins) readFile; inherit (config.services) dovecot2; stateDir = "/var/lib/dovecot"; domain = "sourcephile.fr"; domainGroup = "sourcephile"; - domainConfig = '' - ssl_cert = <${../../../../sec/openssl/sourcephile.fr/cert.self-signed.pem} - ssl_key = - - - - - %EMAILDOMAIN% - - mail.%EMAILDOMAIN% - 993 - SSL - %EMAILADDRESS% - password-cleartext - - - mail.%EMAILDOMAIN% - 995 - SSL - %EMAILADDRESS% - password-cleartext - - false - true - - - - mail.%EMAILDOMAIN% - 465 - SSL - %EMAILADDRESS% - password-cleartext - - true - false - - - - - ''; - }; + root = ./autoconfig; }; } diff --git a/servers/mermet/openldap/sourcephile.fr.nix b/servers/mermet/openldap/sourcephile.fr.nix index 3094384..49caec9 100644 --- a/servers/mermet/openldap/sourcephile.fr.nix +++ b/servers/mermet/openldap/sourcephile.fr.nix 
@@ -122,11 +122,6 @@ services.openldap.databases."${domainSuffix}" = { # neither sorting them by date). "maildir:${stateDir}/home/${d}/${uid}/mail:LAYOUT=maildir++:UTF-8:CONTROL=${stateDir}/control/${d}/${uid}:INDEX=${stateDir}/index/${d}/${uid}"; } - #{ uid="sevy"; uidNumber=10001; cn="Séverine Popek"; sn="sévy"; - # mailAlias = ["severine.popek" "ouais-ouais"]; } - #{ uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; } - #{ uid="post"; mailForwardingAddress = ["ju@${domain}"]; } - #{ uid="host"; mailForwardingAddress = ["ju@${domain}"]; } ]; }; } diff --git a/servers/mermet/postfix/sourcephile.fr.nix b/servers/mermet/postfix/sourcephile.fr.nix index a7782c7..18701c4 100644 --- a/servers/mermet/postfix/sourcephile.fr.nix +++ b/servers/mermet/postfix/sourcephile.fr.nix @@ -1,12 +1,14 @@ { pkgs, lib, config, ... }: let inherit (pkgs.lib) loadFile; + inherit (config.services) postfix; domain = "sourcephile.fr"; domainSuffix = "dc=sourcephile,dc=fr"; in { +users.groups.acme.members = [ postfix.user ]; systemd.services.postfix.after = [ - "${domain}.key.pem-key.service" + "acme-${domain}.service" ]; services.postfix = { extraAliases = '' @@ -16,8 +18,8 @@ services.postfix = { ''; tls_server_sni_maps = let chain = [ - "/run/keys/${domain}.key.pem" - (loadFile (../../../../sec/openssl + "/${domain}/cert.self-signed.pem")) + "/var/lib/acme/${domain}/key.pem" + "/var/lib/acme/${domain}/fullchain.pem" ]; in { "smtp.${domain}" = chain; "mail.${domain}" = chain; -- 2.44.1 From 62a6beaab23f45c20201f3268762de08765ba720 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Mon, 24 Feb 2020 00:46:01 +0100 Subject: [PATCH 12/16] nslcd: quiet syslog --- servers/mermet/openldap.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/servers/mermet/openldap.nix b/servers/mermet/openldap.nix index 7a55839..24ce2bb 100644 --- a/servers/mermet/openldap.nix +++ b/servers/mermet/openldap.nix 
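Review bot: The `chain` in `tls_server_sni_maps` now reads `/var/lib/acme/${domain}/key.pem` straight from the ACME directory, so the private key is shared, group-readable, by every member of the acme group (nginx in patch 01, postfix here); a compromise of any one of those daemons exposes the key all of them use, which deserves a comment at the `chain` definition, e.g. `# NOTE: key.pem is group-readable by every acme member; one compromised daemon exposes the key for all`. Postfix also reads these files only at start, so unless a renewal hook (`security.acme.certs.<name>.postRun`) reloads postfix somewhere outside this hunk, it keeps serving the previous certificate after lego renews it. `inherit (pkgs.lib) loadFile;` looks unused now that the `loadFile (...)` call in the second hunk is gone; the rest of the file is outside the hunk, so there may be another use.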
@@ -24,7 +24,7 @@ users.ldap = { daemon = { enable = true; extraConfig = '' - log syslog debug + log syslog info sasl_mech EXTERNAL # NOTE: nslcd cannot use SASL to bind to rootpwmoddn -- 2.44.1 From ce048838306794d19960977ef94a4027f656c10a Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 26 Feb 2020 14:58:13 +0100 Subject: [PATCH 13/16] nix: disable --pure --- nixos/defaults.nix | 6 ++++++ patches/direnv.diff | 15 +++++++++++++++ shell.nix | 26 ++------------------------ 3 files changed, 23 insertions(+), 24 deletions(-) create mode 100644 patches/direnv.diff diff --git a/nixos/defaults.nix b/nixos/defaults.nix index 1637e1a..c41b2eb 100644 --- a/nixos/defaults.nix +++ b/nixos/defaults.nix @@ -71,6 +71,7 @@ config = { }; environment = { + #checkConfigurationOptions = false; systemPackages = with pkgs; [ binutils #dnsutils @@ -125,6 +126,11 @@ config = { nixos-upstream="sudo nix-channel --list"; }; }; + gnupg = { + agent = { + pinentryFlavor = "curses"; + }; + }; mtr.enable = true; }; }; diff --git a/patches/direnv.diff b/patches/direnv.diff new file mode 100644 index 0000000..cf49e63 --- /dev/null +++ b/patches/direnv.diff @@ -0,0 +1,15 @@ +diff --git a/pkgs/tools/misc/direnv/default.nix b/pkgs/tools/misc/direnv/default.nix +index c358e240..07c39542 100644 +--- a/pkgs/tools/misc/direnv/default.nix ++++ b/pkgs/tools/misc/direnv/default.nix +@@ -8,8 +8,8 @@ buildGoPackage rec { + src = fetchFromGitHub { + owner = "direnv"; + repo = "direnv"; +- rev = "v${version}"; +- sha256 = "0afpxx8pwa1zb66l79af57drzjaazn2rp6306w4pxvqfh0zi2bri"; ++ rev = "767bb42ab614bad9d16013e8992035a78feed87c"; ++ sha256 = "0ijl13pj96n4cnpxp8xyca391nyvk6gaywbpivmg7kq04d8xfrhb"; + }; + + postConfigure = '' diff --git a/shell.nix b/shell.nix index 172101c..7c065cf 100644 --- a/shell.nix +++ b/shell.nix @@ -42,6 +42,7 @@ let } ]; localNixpkgsPatches = [ + patches/direnv.diff ]; nixpkgs = originPkgs.stdenv.mkDerivation { name = "nixpkgs-patched"; 
@@ -180,24 +181,8 @@ pkgs.mkShell { #enableParallelBuilding = true; shellHook = '' echo >&2 "nix: running shellHook" - # WARNING: beware that sudo may reset the environment, - # and especially PATH, to some system's default. - - NIX_SHELL_PATH=$PATH - unset __ETC_PROFILE_SOURCED - unset __NIXOS_SET_ENVIRONMENT_DONE - test ! -e /etc/profile || . /etc/profile - test ! -e ~/.profile || . ~/.profile - - # nix - test ! -e ~/.nix-profile/etc/profile.d/nix.sh || - . ~/.nix-profile/etc/profile.d/nix.sh - - # home-manager - unset __HM_SESS_VARS_SOURCED - test ! -e ~/.nix-profile/etc/profile.d/hm-session-vars.sh || - . ~/.nix-profile/etc/profile.d/hm-session-vars.sh + # Nix PATH=$NIX_SHELL_PATH:$PATH export NIX_PATH="nixpkgs=${toString pkgs.path}:nixpkgs-overlays="$PWD"/overlays" export nixpkgs_channel=${nixpkgs_channel} @@ -220,13 +205,6 @@ pkgs.mkShell { export GPG_TTY=$(tty) gpg-connect-agent updatestartuptty /bye >/dev/null - # git - gitdir="$PWD"/.git - test ! -f "$gitdir" || while IFS=" :" read -r hdr gitdir; do [ "$hdr" != gitdir ] || break; done <"$gitdir" - ln -fnsr \ - "$PWD"/.lib/git/hooks/prepare-commit-msg--longuest-common-prefix \ - "$gitdir"/hooks/prepare-commit-msg - # nixops #export NIXOPS_DEPLOYMENT="staging" export NIXOPS_STATE="$PWD"/../sec/nixops/state.nixops -- 2.44.1 From 4b39b5f4b0586391f337990faafe18a4038cc6b1 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Mon, 2 Mar 2020 14:42:41 +0100 Subject: [PATCH 14/16] direnv: fix dump --- .envrc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.envrc b/.envrc index 111cab0..f47a9f3 100644 --- a/.envrc +++ b/.envrc @@ -57,6 +57,7 @@ for e in "${nixshell_sources[@]}" do watch_file "$e"; done hash=$(shasum -a 256 "${nixshell_sources[@]}" | shasum -a 256 | cut -c -64) cache=.cache/nix-shell/"$hash" +unset DIRENV_DUMP_FILE_PATH if test -e "$cache/dump" then log_status "reusing $cache/" 
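Review bot: The removed lines include `NIX_SHELL_PATH=$PATH`, but the kept context line `PATH=$NIX_SHELL_PATH:$PATH` still expands it; with the variable unset the hook now yields `PATH=:$PATH`, and an empty PATH entry makes the shell look in the current directory for commands. Unless `NIX_SHELL_PATH` is exported elsewhere (the `.envrc` of this series, not visible here, is the likely place), either restore `NIX_SHELL_PATH=$PATH` before that line or guard it with `PATH=${NIX_SHELL_PATH:+$NIX_SHELL_PATH:}$PATH`. The `shellHook` string continues outside the hunk on both sides.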
@@ -83,8 +84,8 @@ else nix-store >/dev/null --indirect --add-root "$cache"/shell.dep \ --realise $(nix-store --query --references $cache/shell.drv) \ ${OFFLINE:+--option substituters ""} && - direnv_load sh -c "nix-shell ${TRACE:+--show-trace} --pure \ - --run \"$direnv dump | tee $cache/dump >\$DIRENV_DUMP_FILE_PATH\" \ + direnv_load sh -c "nix-shell ${TRACE:+--show-trace} \ + --run \"DIRENV_DUMP_FILE_PATH= $direnv dump | tee $cache/dump >\$DIRENV_DUMP_FILE_PATH\" \ ${OFFLINE:+--option substituters ""}" && find .cache/nix-shell -mindepth 1 -maxdepth 1 -not -name "$hash" -exec rm -rf {} + || { rm -rf "$PWD/.cache/nix-shell/$hash" -- 2.44.1 From 3f0e5565afce964894141eb6a59d1eeb48fa02cf Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Mon, 2 Mar 2020 14:50:04 +0100 Subject: [PATCH 15/16] nslcd: disable ldap login --- servers/mermet.nix | 1 - servers/mermet/openldap.nix | 4 ++-- servers/mermet/openldap/sourcephile.fr.nix | 1 - 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/servers/mermet.nix b/servers/mermet.nix index a9b1fb8..175dc7b 100644 --- a/servers/mermet.nix +++ b/servers/mermet.nix @@ -49,7 +49,6 @@ in mutableUsers = false; users = { root = { - hashedPassword = pass-chomp "servers/mermet/login/root/hashedPassword"; openssh.authorizedKeys.keys = [ (readFile ../../sec/ssh/julm.pub) (readFile ../../sec/ssh/julm-mob.pub) diff --git a/servers/mermet/openldap.nix b/servers/mermet/openldap.nix index 24ce2bb..e323a38 100644 --- a/servers/mermet/openldap.nix +++ b/servers/mermet/openldap.nix @@ -15,14 +15,14 @@ imports = [ ]; config = { users.ldap = { - enable = true; + enable = false; server = "ldapi:///"; base = "ou=posix,${domainSuffix}"; bind = { #distinguishedName = "cn=admin,${domainSuffix}"; }; daemon = { - enable = true; + enable = false; extraConfig = '' log syslog info diff --git a/servers/mermet/openldap/sourcephile.fr.nix b/servers/mermet/openldap/sourcephile.fr.nix index 49caec9..d62346c 100644 
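Review bot: Without `--pure`, the environment that `$direnv dump` captures is the caller's whole environment, and `tee $cache/dump` persists it under `.cache/nix-shell/$hash/dump`, so any secret exported in the invoking shell is now written to disk inside the work tree and replayed on the next load. If dropping `--pure` is intended, the cache directory should be ignored by version control and created with restrictive permissions (a `umask 077` before the `tee` suffices), and the reason deserves a comment here, e.g. `# --pure is off so that the host's profile and PATH reach the shell`. The `if`/`else` chain this command sits in continues outside the hunk.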
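Review bot: With `mutableUsers = false;` two context lines above, removing `hashedPassword` from `users.root` leaves root with no password at all, so the listed SSH keys become the only way in: local console or rescue login as root and `su` to root stop working. If that is the intent, document it at the spot, e.g. `# no password: root is reachable only through the SSH keys below`; otherwise keep a hashed password, or lock the account explicitly so the state is visibly deliberate. The `users.root` attribute set continues outside the hunk.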
--- a/servers/mermet/openldap/sourcephile.fr.nix +++ b/servers/mermet/openldap/sourcephile.fr.nix @@ -56,7 +56,6 @@ services.openldap.databases."${domainSuffix}" = { by * none olcAccess: to dn.sub="ou=posix,${domainSuffix}" by self read - by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read ${lib.optionalString (hasAttr postfix.user users) ''by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read''} ${lib.optionalString (hasAttr dovecot2.user users) ''by dn="gidNumber=${toString groups.dovecot2.gid}+uidNumber=${toString users.dovecot2.uid},cn=peercred,cn=external,cn=auth" read''} by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read -- 2.44.1 From 1977ffdb9d1a902e59cda4f2e9f1f5cab4da202c Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 4 Mar 2020 17:37:37 +0100 Subject: [PATCH 16/16] nsd: re-add autogeree.net zone --- servers/mermet/knot.nix | 8 ++ servers/mermet/knot/autogeree.net.nix | 103 ++++++++++++++++++++++++ servers/mermet/knot/sourcephile.fr.nix | 2 +- servers/mermet/production/shorewall.nix | 1 + 4 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 servers/mermet/knot/autogeree.net.nix diff --git a/servers/mermet/knot.nix b/servers/mermet/knot.nix index d925c80..17302fe 100644 --- a/servers/mermet/knot.nix +++ b/servers/mermet/knot.nix @@ -5,6 +5,7 @@ let in { imports = [ + knot/autogeree.net.nix knot/sourcephile.fr.nix ]; options.services.knot = { @@ -92,6 +93,9 @@ services.knot = { - id: secondary_gandi address: 217.70.177.40@53 + - id: secondary_muarf + address: 78.192.65.63@53 + submission: - id: dnssec_validating_resolver parent: local_resolver 
@@ -124,6 +128,10 @@ services.knot = { address: 217.70.177.40 action: transfer + - id: acl_muarf + address: 78.192.65.63 + action: transfer + '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {conf, ...}: conf) knot.zones); }; }; diff --git a/servers/mermet/knot/autogeree.net.nix b/servers/mermet/knot/autogeree.net.nix new file mode 100644 index 0000000..b6f485d --- /dev/null +++ b/servers/mermet/knot/autogeree.net.nix 
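Review bot: `acl_muarf` authorises zone transfers to 78.192.65.63 by source address alone, as the `acl_gandi` entry in the context lines does (`address: 217.70.177.40`, `action: transfer`), so the full zone content is handed to whoever can present that address. Knot ACLs can additionally require a TSIG key (`key:` on the `acl` entry, with a matching `key:` section), which binds the transfer to a shared secret instead of an IP; if the secondary cannot use keys, a comment next to the entry, such as `# address-only ACL: no TSIG available for this secondary`, records the decision. The same remark applies to the `secondary_muarf` remote added in the `@@ -92,6 +93,9 @@` hunk; the `services.knot` block continues outside the hunk.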
@@ -0,0 +1,103 @@ +{ pkgs, lib, config, ... }: +let + inherit (builtins.extraBuiltins) pass git; + inherit (pkgs.lib) unlinesAttrs types; + inherit (config) networking; + inherit (config.services) knot; + inherit (config) users; + # Use the Git commit time of the ${domain}.nix file to set the serial number. + # WARNING: the ${domain}.nix must be committed into Git for this to work. + # WARNING: this does not take other .nix into account, though they may contribute to the zone's data. + serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]); + mermetIPv4 = "80.67.180.129"; + domain = "autogeree.net"; +in +{ +security.acme.certs."${domain}" = { + email = "root+letsencrypt@${domain}"; + extraDomains = { + "*.${domain}" = null; + }; + group = users.groups.acme.name; + allowKeysForGroup = true; + keyType = "rsa4096"; + dnsProvider = "rfc2136"; + credentialsFile = pkgs.writeText "credentials" '' + RFC2136_NAMESERVER=127.0.0.1:5353 + LEGO_EXPERIMENTAL_CNAME_SUPPORT=1 + ''; +}; +services.knot.zones."${domain}" = { + conf = '' + acl: + - id: acl_acme_challenge_autogeree_net + address: 127.0.0.1 + action: update + update-owner: name + update-owner-match: equal + update-owner-name: [_acme-challenge.${domain}] + update-type: [TXT] + + zone: + - domain: ${domain} + file: ${domain}.zone + serial-policy: increment + semantic-checks: on + notify: secondary_gandi + notify: secondary_muarf + acl: acl_gandi + acl: acl_muarf + acl: acl_acme_challenge_autogeree_net + dnssec-signing: off + dnssec-policy: ed25519 + ''; + # TODO: increase the TTL once things have settled down + data = '' + $ORIGIN ${domain}. + $TTL 500 + + ; SOA (Start Of Authority) + @ SOA ns admin ( + ${serial domain} ; Serial number + 24h ; Refresh + 15m ; Retry + 1000h ; Expire (1000h) + 1d ; Negative caching + ) + + ; NS (Name Server) + @ NS ns + @ NS ns6.gandi.net. 
+ + ; A (DNS -> IPv4) + @ A ${mermetIPv4} + mermet A ${mermetIPv4} + autoconfig A ${mermetIPv4} + code A ${mermetIPv4} + git A ${mermetIPv4} + imap A ${mermetIPv4} + mail A ${mermetIPv4} + ns A ${mermetIPv4} + pop A ${mermetIPv4} + smtp A ${mermetIPv4} + submission A ${mermetIPv4} + www A ${mermetIPv4} + chomsky A 91.216.110.36 + alpes A 195.88.84.51 + + ; SPF (Sender Policy Framework) + @ 3600 IN SPF "v=spf1 mx ip4:${mermetIPv4} -all" + @ 3600 IN TXT "v=spf1 mx ip4:${mermetIPv4} -all" + + ; MX (Mail eXchange) + @ 180 MX 5 mail + + ; SRV (SeRVice) + _git._tcp.git 18000 IN SRV 0 0 9418 git + + ; CAA (Certificate Authority Authorization) + ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum + @ CAA 128 issue "letsencrypt.org" + ''; +}; +} diff --git a/servers/mermet/knot/sourcephile.fr.nix b/servers/mermet/knot/sourcephile.fr.nix index e79ac47..4201805 100644 --- a/servers/mermet/knot/sourcephile.fr.nix +++ b/servers/mermet/knot/sourcephile.fr.nix @@ -68,7 +68,7 @@ services.knot.zones."${domain}" = { @ NS ns6.gandi.net. ; A (DNS -> IPv4) - @ A ${mermetIPv4} + @ A ${mermetIPv4} mermet A ${mermetIPv4} autoconfig A ${mermetIPv4} code A ${mermetIPv4} diff --git a/servers/mermet/production/shorewall.nix b/servers/mermet/production/shorewall.nix index 16159bb..d8ab15a 100644 --- a/servers/mermet/production/shorewall.nix +++ b/servers/mermet/production/shorewall.nix @@ -11,6 +11,7 @@ let # By port DNS(ACCEPT) $FW net {user=${users.users.unbound.name}} DNS(ACCEPT) $FW net:217.70.177.40 # for knot to notify ns6.gandi.net + DNS(ACCEPT) $FW net:78.192.65.63 # for knot to notify ns0.muarf.org Git(ACCEPT) $FW net HKP(ACCEPT) $FW net {user=${users.users.julm.name}} HTTP(ACCEPT) $FW net -- 2.44.1
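Review bot: `credentialsFile = pkgs.writeText "credentials" ''...''` writes lego's environment file into the Nix store, which is world-readable; that is harmless for the two variables present (`RFC2136_NAMESERVER`, `LEGO_EXPERIMENTAL_CNAME_SUPPORT`), but the file's name invites adding a TSIG secret later, so a comment at that line, `# NOTE: lands in /nix/store (world-readable); never put RFC2136_TSIG_* secrets here`, would prevent it. The zone sets `dnssec-signing: off` while also declaring `dnssec-policy: ed25519`, so nothing in the zone, the CAA record included, is signed; if signing is meant to be enabled later, a comment next to `dnssec-signing` keeps the policy line from reading as a misconfiguration. Several `let` bindings (`pass`, `unlinesAttrs`, `types`, `networking`, `knot`) are not used anywhere in the new file and could be dropped.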