From de02a8f921d95087e37a2fabfb3043783d773e4f Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Sat, 22 May 2021 07:46:30 +0200
Subject: [PATCH 01/16] losurdo: transmission: relax periodic stopping to every 15min

---
 hosts/losurdo/transmission.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/losurdo/transmission.nix b/hosts/losurdo/transmission.nix
index 59f86b9..5044b29 100644
--- a/hosts/losurdo/transmission.nix
+++ b/hosts/losurdo/transmission.nix
@@ -46,7 +46,7 @@ systemd.services.stop-transmission = {
 script = "true";
 };
 systemd.timers.stop-transmission = {
- timerConfig.OnCalendar = "06..19:*:00";
+ timerConfig.OnCalendar = "06..19:0,15,30,45:00";
 wantedBy = [ "timers.target" ];
 };
 services.transmission = {
-- 
2.47.2

From 34d45a654211464a317a0f34ae28d670f1fd99bf Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Sat, 22 May 2021 07:47:07 +0200
Subject: [PATCH 02/16] nix: update to latest nixos-unstable

---
 flake.lock | 22 ++++----
 flake.nix | 7 ++-
 hosts/losurdo.nix | 1 +
 hosts/losurdo/networking/wireless.nix | 21 ++++---
 hosts/losurdo/redis.nix | 3 +-
 hosts/losurdo/unbound.nix | 80 ++++++++++++++-------------
 hosts/mermet/gitolite | 2 +-
 hosts/mermet/knot/autogeree.net.nix | 10 ++--
 hosts/mermet/knot/sourcephile.fr.nix | 10 ++--
 hosts/mermet/nginx/autogeree.net.nix | 3 -
 hosts/mermet/nginx/sourcephile.fr.nix | 3 -
 hosts/mermet/redis.nix | 3 +-
 hosts/mermet/unbound.nix | 80 ++++++++++++++-------------
 nixpkgs/patches.nix | 6 +-
 14 files changed, 128 insertions(+), 123 deletions(-)

diff --git a/flake.lock b/flake.lock
index 3b8ddfa..a13651e 100644
--- a/flake.lock
+++ b/flake.lock
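Review bot: `"06..19:0,15,30,45:00"` spells out the quarter-hours by hand; systemd's calendar syntax has the step form `"06..19:0/15:00"`, which means the same thing and is easier to adjust later. Whichever form you keep, `systemd-analyze calendar "06..19:0,15,30,45:00"` prints the next elapse times and is a cheap check that the expression does what the commit title says. The `systemd.services.stop-transmission` attrset starts outside the hunk.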
@@ -2,11 +2,11 @@ "nodes": { "flake-utils": { "locked": { - "lastModified": 1619345332, - "narHash": "sha256-qHnQkEp1uklKTpx3MvKtY6xzgcqXDsz5nLilbbuL+3A=", + "lastModified": 1620759905, + "narHash": "sha256-WiyWawrgmyN0EdmiHyG2V+fqReiVi8bM9cRdMaKQOFg=", "owner": "numtide", "repo": "flake-utils", - "rev": "2ebf2558e5bf978c7fb8ea927dfaed8fefab2e28", + "rev": "b543720b25df6ffdfcf9227afafc5b8c1fabfae8", "type": "github" }, "original": { @@ -47,11 +47,11 @@ ] }, "locked": { - "lastModified": 1620745259, - "narHash": "sha256-KjlBLgRCFmQVprMz4aL2kLZgTSVGxnvfixls8T134hA=", + "lastModified": 1621532831, + "narHash": "sha256-IZW90FX0C+r4xsYxXKSXmdpNDko785p4/I/3TIZW5qM=", "ref": "master", - "rev": "6cf7cfd0c1e8bfb07b064ee47ed0c6c6714b9417", - "revCount": 124, + "rev": "c715cf6150d9b20ff01799396da2f216efa17119", + "revCount": 132, "type": "git", "url": "git://git.sourcephile.fr/julm/julm-nix" }, @@ -63,17 +63,17 @@ }, "nixpkgs": { "locked": { - "lastModified": 1616688270, - "narHash": "sha256-5OFevG9kH3pMXsPkftzX4NCtP7/9DFDWRPjA+/7Copo=", + "lastModified": 1621420722, + "narHash": "sha256-dVnq/0eaN6HaAbgxgK6muSy0t2fD/Ayss2WUfvkJ5qs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9031057b0e6642e61c74b3e3c97b4e80a8db1dd6", + "rev": "7013a0f2791da4c38c7e6f56d48139aeb344991b", "type": "github" }, "original": { "owner": "NixOS", "repo": "nixpkgs", - "rev": "9031057b0e6642e61c74b3e3c97b4e80a8db1dd6", + "rev": "7013a0f2791da4c38c7e6f56d48139aeb344991b", "type": "github" } }, diff --git a/flake.nix b/flake.nix index 3ef9bf2..b6c6f6d 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,6 +1,6 @@ { # Pin down nixpkgs from github, instead of using global, system or user registries. -inputs.nixpkgs.url = "github:NixOS/nixpkgs/9031057b0e6642e61c74b3e3c97b4e80a8db1dd6"; +inputs.nixpkgs.url = "github:NixOS/nixpkgs/7013a0f2791da4c38c7e6f56d48139aeb344991b"; #inputs.nixpkgs.url = "flake:nixpkgs"; inputs.flake-utils.url = "github:numtide/flake-utils"; inputs.home-manager.follows = "julm-nix/home-manager"; @@ -14,9 +14,10 @@ inputs.pass = { type = "path"; path = "./pass"; flake = false; }; outputs = inputs: let remoteNixpkgsPatches = import nixpkgs/patches.nix; localNixpkgsPatches = [ - nixpkgs/patches/apparmor.diff + #nixpkgs/patches/transmission.diff + #nixpkgs/patches/apparmor.diff #nixpkgs/patches/ifcopenshell.diff - #nixpkgs/patches/public-inbox.diff + nixpkgs/patches/public-inbox.diff #nixpkgs/patches/zerobin.diff #nixpkgs/patches/gitolite.diff #nixpkgs/patches/tor.diff diff --git a/hosts/losurdo.nix b/hosts/losurdo.nix index 6f21f64..74ea7b2 100644 --- a/hosts/losurdo.nix +++ b/hosts/losurdo.nix @@ -25,6 +25,7 @@ modules = [ losurdo/acme.nix losurdo/apc.nix losurdo/debug.nix + #losurdo/discourse.nix losurdo/fail2ban.nix losurdo/fileSystems.nix #losurdo/freeciv.nix diff --git a/hosts/losurdo/networking/wireless.nix b/hosts/losurdo/networking/wireless.nix index 37aed04..d9ebe59 100644 --- a/hosts/losurdo/networking/wireless.nix +++ b/hosts/losurdo/networking/wireless.nix 
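Review bot: `nixpkgs/patches/apparmor.diff` is disabled in the second flake.nix hunk with no rationale, and the commit message only speaks of the nixpkgs bump; a hardening patch that silently stops being applied deserves a one-line reason next to it. If the fix landed in the pinned rev, say so, e.g. `#nixpkgs/patches/apparmor.diff # merged upstream — verify against the pinned nixpkgs rev`; if it merely stopped applying, the lost hardening should be stated instead. The new `#nixpkgs/patches/transmission.diff` entry is added already commented out, so it would benefit from the same note. The `outputs = inputs: let` binding begins outside the hunk.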
@@ -29,14 +29,19 @@ networking.nftables.ruleset = '' ''; #boot.kernel.sysctl."net.ipv4.ip_forward" = 1; -services.unbound.extraConfig = '' - server: - interface: 192.168.2.1 - access-control: 192.168.2.0/24 allow - local-zone: "tracking.intl.miui.com" always_refuse - local-zone: sourcephile.fr typetransparent - local-data: "bureau1.sourcephile.fr A 192.168.2.1" -''; +services.unbound.settings = { + server = { + interface = [ "192.168.2.1" ]; + access-control = ["192.168.2.0/24 allow"]; + local-zone = [ + "tracking.intl.miui.com always_refuse" + "sourcephile.fr typetransparent" + ]; + local-data = [ + "\"bureau1.sourcephile.fr A 192.168.2.1\"" + ]; + }; +}; networking.wlanInterfaces = { ${iface} = { diff --git a/hosts/losurdo/redis.nix b/hosts/losurdo/redis.nix index 5b1f904..062e10e 100644 --- a/hosts/losurdo/redis.nix +++ b/hosts/losurdo/redis.nix @@ -16,8 +16,7 @@ services.redis = { syslog = true; bind = "127.0.0.1 ::1"; settings = { - unixsocketperm = "660"; - maxclients = 1024; + unixsocketperm = lib.mkForce "660"; maxmemory = "500mb"; maxmemory-policy = "volatile-ttl"; }; diff --git a/hosts/losurdo/unbound.nix b/hosts/losurdo/unbound.nix index 5c5d6af..4f83bc6 100644 --- a/hosts/losurdo/unbound.nix +++ b/hosts/losurdo/unbound.nix 
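Review bot: In the redis.nix hunk, `unixsocketperm = lib.mkForce "660";` overrides a value the module evidently sets on its own now, but nothing records what is being overridden or whether `660` is wider or narrower than the module's value, so a reader cannot tell if socket access is being loosened. A comment such as `# mkForce: the module sets its own unixsocketperm; keep group access for local clients — confirm the module default` would settle that. Dropping `maxclients = 1024` is likewise unexplained and falls back to Redis' built-in default. hosts/mermet/redis.nix carries the identical change; `services.redis = {` starts outside the hunk.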
@@ -9,40 +9,39 @@ networking.resolvconf.useLocalResolver = true; services.unbound = { enable = true; # DOC: https://calomel.org/unbound_dns.html - extraConfig = '' - remote-control: - control-enable: yes - control-interface: /run/unbound/unbound.socket - - server: - log-queries: no - verbosity: 1 - interface: 127.0.0.1 - interface: ::1 - ${lib.optionalString (!config.networking.enableIPv6) "prefer-ip4: yes"} - port: 53 + settings = { + remote-control = { + control-enable = true; + control-interface = "/run/unbound/unbound.socket"; + }; + server = { + log-queries = false; + verbosity = 1; + interface = [ "127.0.0.1" "::1" ]; + prefer-ip4 = !config.networking.enableIPv6; + port = 53; # The file which contains the listing of primary root DNS servers. # To be updated once every six months. - root-hints: /var/lib/unbound/named.root + root-hints = "/var/lib/unbound/named.root"; # Do no answer id.server and hostname.bind queries. - hide-identity: yes + hide-identity = true; # Do not answer version.server and version.bind queries. - hide-version: yes + hide-version = true; # Will trust glue only if it is within the servers authority. # Harden against out of zone rrsets, to avoid spoofing attempts. # Hardening queries multiple name servers for the same data to make # spoofing significantly harder and does not mandate dnssec. - harden-glue: yes + harden-glue = true; # Require DNSSEC data for trust-anchored zones, if such data is absent, the # zone becomes bogus. Harden against receiving dnssec-stripped data. If you # turn it off, failing to validate dnskey data for a trustanchor will trigger # insecure mode for that zone (like without a trustanchor). Default on, # which insists on dnssec data for trust-anchored zones. - harden-dnssec-stripped: yes + harden-dnssec-stripped = true; # Use 0x20-encoded random bits in the query to foil spoof attempts. # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00 
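Review bot: hosts/losurdo/unbound.nix and hosts/mermet/unbound.nix are byte-identical before and after this change (both file headers show `index 5c5d6af..4f83bc6`), so every hardening knob in this hunk (`hide-identity`, `hide-version`, `harden-glue`, `harden-dnssec-stripped`) must be kept in sync by hand on two hosts. Consider moving the shared `services.unbound.settings` into one module under nixos/profiles and importing it from both hosts, leaving only host-specific values per host. Separately, `prefer-ip4 = !config.networking.enableIPv6;` now always emits the key, whereas the old `optionalString` only emitted it when IPv6 was disabled; this is equivalent only if the module renders `false` as `no`, which is worth confirming once. The `services.unbound = {` attrset continues past the hunk.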
@@ -61,10 +60,10 @@ services.unbound = { # # It may result in maybe 0.4% of domains getting no answers # due to no support on the authoritative server side - use-caps-for-id: yes + use-caps-for-id = true; - #cache-min-ttl: 3600 - cache-max-ttl: 86400 + #cache-min-ttl = 3600; + cache-max-ttl = 86400; # Perform prefetching of close to expired message cache entries. If a client # requests the dns lookup and the TTL of the cached hostname is going to 
@@ -72,61 +71,64 @@ services.unbound = { # host to the client and (2nd) pre-fetch the DNS request from the remote DNS server. # This method has been shown to increase the amount of cached hits by # local clients by 10% on average. - prefetch: yes + prefetch = true; # Number of threads to create. 1 disables threading. # This should equal the number of CPU cores in the host. - num-threads: ${toString host.CPUs} + num-threads = host.CPUs; # The number of slabs to use for cache and must be a power of 2 times the # number of num-threads set above. more slabs reduce lock contention, # but fragment memory usage. - msg-cache-slabs: 8 - rrset-cache-slabs: 8 - infra-cache-slabs: 8 - key-cache-slabs: 8 + msg-cache-slabs = 8; + rrset-cache-slabs = 8; + infra-cache-slabs = 8; + key-cache-slabs = 8; # Increase the memory size of the cache. Use roughly twice as much rrset cache # memory as you use msg cache memory. Due to malloc overhead, the total memory # usage is likely to rise to double (or 2.5x) the total cache memory. - rrset-cache-size: 32m - msg-cache-size: 16m + rrset-cache-size = "32m"; + msg-cache-size = "16m"; # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets # the kernel buffer larger so that no messages are lost in spikes in the traffic. - so-rcvbuf: 1m + so-rcvbuf = "1m"; # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. # Protects against 'DNS Rebinding' (uses browser as network proxy). # Only 'private-domain' and 'local-data' names are allowed # to have these private addresses. No default. - private-address: 192.168.0.0/16 - private-address: 172.16.0.0/12 - private-address: 10.0.0.0/8 + private-address = [ + "192.168.0.0/16" + "172.16.0.0/12" + "10.0.0.0/8" + ]; # Allow the domain (and its subdomains) to contain private addresses. # local-data statements are allowed to contain private addresses too. 
- #private-domain: "home.lan" + #private-domain = "home.lan"; # If nonzero, unwanted replies are not only reported in statistics, but also # a running total is kept per thread. If it reaches the threshold, a warning # is printed and a defensive action is taken, the cache is cleared to flush # potential poison out of it. A suggested value is 10000000, the default is # 0 (turned off). calomel.org thinks 10K is a good value. - unwanted-reply-threshold: 10000 + unwanted-reply-threshold = 10000; # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on # localhost you will want to allow the resolver to send queries to localhost. - # Make sure to set do-not-query-localhost: yes. - do-not-query-localhost: yes + # Make sure to set do-not-query-localhost = true;. + do-not-query-localhost = true; # Should additional section of secure message also be kept clean of unsecure # data. Useful to shield the users of this validator from potential bogus # data in the additional section. All unsigned data in the additional section # is removed from secure messages. - val-clean-additional: yes - ''; + val-clean-additional = true; + }; + }; }; networking.nftables.ruleset = '' add rule inet filter fw2net tcp dport 53 skuid ${users.unbound.name} counter accept comment "Unbound" @@ -138,7 +140,7 @@ systemd.services.unbound = { RuntimeDirectoryMode = "0700"; }; preStart = '' - install -m 444 -o unbound -g nogroup \ + install -m 444 \ ${../../var/named.root} \ /var/lib/unbound/named.root ''; diff --git a/hosts/mermet/gitolite b/hosts/mermet/gitolite index 37d4e04..c63815a 160000 --- a/hosts/mermet/gitolite +++ b/hosts/mermet/gitolite @@ -1 +1 @@ -Subproject commit 37d4e049702168471be8511037f19d3a2514c5f4 +Subproject commit c63815ad18a695531676db55a39d7c1e819b4b8c diff --git a/hosts/mermet/knot/autogeree.net.nix b/hosts/mermet/knot/autogeree.net.nix index 08da9c7..c080c82 100644 --- a/hosts/mermet/knot/autogeree.net.nix +++ b/hosts/mermet/knot/autogeree.net.nix 
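Review bot: The rewritten comment above `do-not-query-localhost = true;` now reads `Make sure to set do-not-query-localhost = true;.` — a stray `;.` from the mechanical `:`→`=` rewrite — and the sentence before it says the resolver should be *allowed* to query localhost, which is the opposite of what `true` does. Suggested wording: `# Testing note: if NSD or BIND runs on localhost, set do-not-query-localhost = false so the resolver may query it; true (Unbound's default) keeps localhost off-limits.` The same comment appears in hosts/mermet/unbound.nix. The `server = {` attrset this sits in starts outside the hunk.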
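Review bot: `install -m 444 \` in preStart no longer sets owner or group, so the copied root hints are owned by whatever user runs preStart; with mode 0444 Unbound can still read them, but the reason for dropping `-o unbound -g nogroup` (presumably the unit no longer runs preStart as root, so chown would fail) is not recorded. A comment on the line, e.g. `# no -o/-g: preStart may not run as root; 0444 is enough since unbound only reads the hints`, would stop the flags from being restored later. The same hunk appears in hosts/mermet/unbound.nix; `systemd.services.unbound = {` starts outside the hunk.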
@@ -104,10 +104,12 @@ systemd.services.knot = { wants = [ gnupg.secrets."knot/tsig/${domain}/acme.conf".service ]; }; /* Useless since the zone is public -services.unbound.extraConfig = '' - stub-zone: - name: "autogeree.net" - stub-addr: 127.0.0.1@5353 +services.unbound.settings = { + stub-zone = { + name = domain; + stub-addr = "127.0.0.1@5353"; + }; +}; ''; */ } diff --git a/hosts/mermet/knot/sourcephile.fr.nix b/hosts/mermet/knot/sourcephile.fr.nix index f76e52e..e36d2cb 100644 --- a/hosts/mermet/knot/sourcephile.fr.nix +++ b/hosts/mermet/knot/sourcephile.fr.nix @@ -168,10 +168,12 @@ systemd.services.knot = { ]; }; /* Useless since the zone is public -services.unbound.extraConfig = '' - stub-zone: - name: "sourcephile.fr" - stub-addr: 127.0.0.1@5353 +services.unbound.settings = { + stub-zone = { + name = domain; + stub-addr = "127.0.0.1@5353"; + }; +}; ''; */ } diff --git a/hosts/mermet/nginx/autogeree.net.nix b/hosts/mermet/nginx/autogeree.net.nix index 8edf734..a11cc1f 100644 --- a/hosts/mermet/nginx/autogeree.net.nix +++ b/hosts/mermet/nginx/autogeree.net.nix @@ -7,9 +7,6 @@ imports = map (m: import m {inherit domain;}) [ security.acme.certs."${domain}" = { postRun = "systemctl reload nginx"; }; -systemd.services.nginx.serviceConfig = { - UMask = "0066"; -}; systemd.services.nginx = { wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"]; after = [ "acme-selfsigned-${domain}.service" ]; diff --git a/hosts/mermet/nginx/sourcephile.fr.nix b/hosts/mermet/nginx/sourcephile.fr.nix index 11049c9..44ee0e0 100644 --- a/hosts/mermet/nginx/sourcephile.fr.nix +++ b/hosts/mermet/nginx/sourcephile.fr.nix @@ -12,9 +12,6 @@ imports = map (m: import m {inherit domain;}) [ security.acme.certs."${domain}" = { postRun = "systemctl reload nginx"; }; -systemd.services.nginx.serviceConfig = { - UMask = "0066"; -}; systemd.services.nginx = { wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"]; after = [ "acme-selfsigned-${domain}.service" ]; 
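Review bot: Inside the `/* Useless since the zone is public` block the old `'';` terminator survived the conversion to `services.unbound.settings = { ... };`, so the commented-out snippet is no longer valid Nix — re-enabling it would fail to parse at `'';`. Drop that line so the block can be uncommented as-is. hosts/mermet/knot/sourcephile.fr.nix has the same leftover in its hunk.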
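Review bot: Removing `systemd.services.nginx.serviceConfig.UMask = "0066"` loosens the permissions of any file nginx creates at runtime unless the upstream module now sets a UMask of its own, and the commit gives no indication either way. Before merging, check the effective value on a rebuilt host with `systemctl show nginx -p UMask`; if the module's value is looser than 0066, keep the override and note why. The same removal is in hosts/mermet/nginx/sourcephile.fr.nix. `imports = map (m: import m {inherit domain;}) [` starts outside the hunk.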
diff --git a/hosts/mermet/redis.nix b/hosts/mermet/redis.nix index 425603a..68c18d3 100644 --- a/hosts/mermet/redis.nix +++ b/hosts/mermet/redis.nix @@ -15,8 +15,7 @@ services.redis = { syslog = true; bind = "127.0.0.1 ::1"; settings = { - unixsocketperm = "660"; - maxclients = 1024; + unixsocketperm = lib.mkForce "660"; maxmemory = "500mb"; maxmemory-policy = "volatile-ttl"; }; diff --git a/hosts/mermet/unbound.nix b/hosts/mermet/unbound.nix index 5c5d6af..4f83bc6 100644 --- a/hosts/mermet/unbound.nix +++ b/hosts/mermet/unbound.nix 
@@ -9,40 +9,39 @@ networking.resolvconf.useLocalResolver = true; services.unbound = { enable = true; # DOC: https://calomel.org/unbound_dns.html - extraConfig = '' - remote-control: - control-enable: yes - control-interface: /run/unbound/unbound.socket - - server: - log-queries: no - verbosity: 1 - interface: 127.0.0.1 - interface: ::1 - ${lib.optionalString (!config.networking.enableIPv6) "prefer-ip4: yes"} - port: 53 + settings = { + remote-control = { + control-enable = true; + control-interface = "/run/unbound/unbound.socket"; + }; + server = { + log-queries = false; + verbosity = 1; + interface = [ "127.0.0.1" "::1" ]; + prefer-ip4 = !config.networking.enableIPv6; + port = 53; # The file which contains the listing of primary root DNS servers. # To be updated once every six months. - root-hints: /var/lib/unbound/named.root + root-hints = "/var/lib/unbound/named.root"; # Do no answer id.server and hostname.bind queries. - hide-identity: yes + hide-identity = true; # Do not answer version.server and version.bind queries. - hide-version: yes + hide-version = true; # Will trust glue only if it is within the servers authority. # Harden against out of zone rrsets, to avoid spoofing attempts. # Hardening queries multiple name servers for the same data to make # spoofing significantly harder and does not mandate dnssec. - harden-glue: yes + harden-glue = true; # Require DNSSEC data for trust-anchored zones, if such data is absent, the # zone becomes bogus. Harden against receiving dnssec-stripped data. If you # turn it off, failing to validate dnskey data for a trustanchor will trigger # insecure mode for that zone (like without a trustanchor). Default on, # which insists on dnssec data for trust-anchored zones. - harden-dnssec-stripped: yes + harden-dnssec-stripped = true; # Use 0x20-encoded random bits in the query to foil spoof attempts. # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00 
@@ -61,10 +60,10 @@ services.unbound = { # # It may result in maybe 0.4% of domains getting no answers # due to no support on the authoritative server side - use-caps-for-id: yes + use-caps-for-id = true; - #cache-min-ttl: 3600 - cache-max-ttl: 86400 + #cache-min-ttl = 3600; + cache-max-ttl = 86400; # Perform prefetching of close to expired message cache entries. If a client # requests the dns lookup and the TTL of the cached hostname is going to 
@@ -72,61 +71,64 @@ services.unbound = { # host to the client and (2nd) pre-fetch the DNS request from the remote DNS server. # This method has been shown to increase the amount of cached hits by # local clients by 10% on average. - prefetch: yes + prefetch = true; # Number of threads to create. 1 disables threading. # This should equal the number of CPU cores in the host. - num-threads: ${toString host.CPUs} + num-threads = host.CPUs; # The number of slabs to use for cache and must be a power of 2 times the # number of num-threads set above. more slabs reduce lock contention, # but fragment memory usage. - msg-cache-slabs: 8 - rrset-cache-slabs: 8 - infra-cache-slabs: 8 - key-cache-slabs: 8 + msg-cache-slabs = 8; + rrset-cache-slabs = 8; + infra-cache-slabs = 8; + key-cache-slabs = 8; # Increase the memory size of the cache. Use roughly twice as much rrset cache # memory as you use msg cache memory. Due to malloc overhead, the total memory # usage is likely to rise to double (or 2.5x) the total cache memory. - rrset-cache-size: 32m - msg-cache-size: 16m + rrset-cache-size = "32m"; + msg-cache-size = "16m"; # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets # the kernel buffer larger so that no messages are lost in spikes in the traffic. - so-rcvbuf: 1m + so-rcvbuf = "1m"; # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. # Protects against 'DNS Rebinding' (uses browser as network proxy). # Only 'private-domain' and 'local-data' names are allowed # to have these private addresses. No default. - private-address: 192.168.0.0/16 - private-address: 172.16.0.0/12 - private-address: 10.0.0.0/8 + private-address = [ + "192.168.0.0/16" + "172.16.0.0/12" + "10.0.0.0/8" + ]; # Allow the domain (and its subdomains) to contain private addresses. # local-data statements are allowed to contain private addresses too. 
- #private-domain: "home.lan" + #private-domain = "home.lan"; # If nonzero, unwanted replies are not only reported in statistics, but also # a running total is kept per thread. If it reaches the threshold, a warning # is printed and a defensive action is taken, the cache is cleared to flush # potential poison out of it. A suggested value is 10000000, the default is # 0 (turned off). calomel.org thinks 10K is a good value. - unwanted-reply-threshold: 10000 + unwanted-reply-threshold = 10000; # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on # localhost you will want to allow the resolver to send queries to localhost. - # Make sure to set do-not-query-localhost: yes. - do-not-query-localhost: yes + # Make sure to set do-not-query-localhost = true;. + do-not-query-localhost = true; # Should additional section of secure message also be kept clean of unsecure # data. Useful to shield the users of this validator from potential bogus # data in the additional section. All unsigned data in the additional section # is removed from secure messages. - val-clean-additional: yes - ''; + val-clean-additional = true; + }; + }; }; networking.nftables.ruleset = '' add rule inet filter fw2net tcp dport 53 skuid ${users.unbound.name} counter accept comment "Unbound" @@ -138,7 +140,7 @@ systemd.services.unbound = { RuntimeDirectoryMode = "0700"; }; preStart = '' - install -m 444 -o unbound -g nogroup \ + install -m 444 \ ${../../var/named.root} \ /var/lib/unbound/named.root ''; diff --git a/nixpkgs/patches.nix b/nixpkgs/patches.nix index 3cbdd15..99d1dc0 100644 --- a/nixpkgs/patches.nix +++ b/nixpkgs/patches.nix @@ -2,7 +2,7 @@ { meta.description = "sanoid: fix sanoid.conf generation"; url = "https://github.com/NixOS/nixpkgs/pull/83904.diff"; - sha256 = "sha256-a1Pu8tAEZ4vzni9vWqt7UitQ1cA1y3U7lKtAumTk45Y="; + sha256 = "sha256-szsAWFzYlXfqjKgNWvSCxiFX3ksFjl8JYqZl37Y3080="; } /* { 
@@ -30,13 +30,11 @@ url = "https://github.com/NixOS/nixpkgs/pull/93659.diff"; sha256 = "sha256-rMAaoFSC97ANp6upZl7WLCDHGXSwU0yTiKBphfZcpkA="; } -/* { meta.description = "transmission: use freeformType on settings"; url = "https://github.com/NixOS/nixpkgs/pull/96655.diff"; - sha256 = "sha256-lRKe8WnGPc8ojaD9W8ZS+NVMhIoGOCOj9njhqQhzaCM="; + sha256 = "sha256-LdOBpreZtRzcCdbKM09puPbzd0RlB03UtZOg66Ho2aU="; } -*/ /* { meta.description = "nixos/tor: improve type-checking and hardening"; -- 2.47.2 From 21de1d5e1c6555b18ab4a8801fed0dd63b7eb926 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sat, 22 May 2021 07:48:13 +0200 Subject: [PATCH 03/16] git: ignore .direnv/ --- .gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 1372988..4a5aba6 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,5 @@ .cache/ -.config/nix/nix.conf +.direnv/ .git/ .mnt/ .old/ -- 2.47.2 From 2f23c3a4c5d3bd4d0ffa12915ab28ec8a80a9469 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sat, 22 May 2021 19:42:46 +0200 Subject: [PATCH 04/16] public-inbox: fix test --- nixpkgs/patches/public-inbox.diff | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 nixpkgs/patches/public-inbox.diff diff --git a/nixpkgs/patches/public-inbox.diff b/nixpkgs/patches/public-inbox.diff new file mode 100644 index 0000000..a319c9f --- /dev/null +++ b/nixpkgs/patches/public-inbox.diff 
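Review bot: `url = "https://github.com/NixOS/nixpkgs/pull/96655.diff"` (and `pull/83904.diff` in the previous hunk) points at a pull request's moving head, so the fetched content changes whenever the PR branch is pushed — which is why `sha256` has to be bumped here and again for 83904 in patch 10/16. For supply-chain stability pin each patch to a specific commit (GitHub serves `https://github.com/NixOS/nixpkgs/commit/<sha>.diff`, with `<sha>` being the reviewed commit) or to a fixed range via `https://github.com/NixOS/nixpkgs/compare/<base>...<head>.diff`, so the hash only changes when you deliberately re-review the patch. The fixed-output `sha256` remains the right control; the URL just should not drift underneath it.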
@@ -0,0 +1,16 @@ +diff --git a/pkgs/servers/mail/public-inbox/default.nix b/pkgs/servers/mail/public-inbox/default.nix +index 0e44e315637..2a6e1637a68 100644 +--- a/pkgs/servers/mail/public-inbox/default.nix ++++ b/pkgs/servers/mail/public-inbox/default.nix +@@ -35,6 +35,11 @@ let + # perl5.32.0-public-inbox> # at t/eml.t line 272. + # perl5.32.0-public-inbox> Wide character in print at /nix/store/38vxlxrvg3yji3jms44qn94lxdysbj5j-perl-5.32.0/lib/perl5/5.32.0/Test2/Formatter/TAP.pm line 125. + "eml" ++ # Failed test 'Makefile OK' ++ # at t/hl_mod.t line 19. ++ # got: 'makefile' ++ # expected: 'make' ++ "hl_mod" + ]; + + testConditions = with lib; -- 2.47.2 From 21adb3ba0861cf7ce43fb70900cd8a6b73f192a8 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 26 May 2021 04:48:10 +0200 Subject: [PATCH 05/16] mermet: fail2ban: add intranet on the ignoreIP --- hosts/mermet/fail2ban.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/mermet/fail2ban.nix b/hosts/mermet/fail2ban.nix index a822c78..75ec45f 100644 --- a/hosts/mermet/fail2ban.nix +++ b/hosts/mermet/fail2ban.nix @@ -22,6 +22,7 @@ services.fail2ban = { packageFirewall = pkgs.nftables; ignoreIP = [ hosts.mermet.extraArgs.ipv4 + hosts.losurdo.extraArgs.wireguard.wg-intra.ipv4 "losurdo.sourcephile.fr" "vpn.riseup.net" ]; -- 2.47.2 From dabaf7b221e9e88a96454b01e5d7697ad1ec5aaa Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 26 May 2021 04:48:59 +0200 Subject: [PATCH 06/16] nix: update julm-nix --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index a13651e..7c951fa 100644 --- a/flake.lock +++ b/flake.lock 
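Review bot: The commit title "fix test" does not match the hunk: `+ "hl_mod"` adds the test to the skip list next to `"eml"`, so the failure is silenced rather than fixed. The inline reason (`got: 'makefile'`, `expected: 'make'`) reads as a naming mismatch in the pinned revision, so skipping is defensible, but the title should say so, e.g. `public-inbox: skip the failing hl_mod test`. A line stating when the skip can be removed (once the pinned nixpkgs carries a fixed public-inbox) would keep it from outliving its purpose. The embedded `let` list starts outside the inner hunk.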
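Review bot: `hosts.losurdo.extraArgs.wireguard.wg-intra.ipv4` is added to `ignoreIP` without saying whether it is a single address or a prefix; if the value carries a prefix length, every peer on the intranet VPN becomes exempt from bans, a larger trust grant than the one-host entries around it. A comment such as `# intranet peer over wg-intra: never ban — confirm this is a single address, not the whole subnet` makes the intended scope explicit. The neighbouring `"losurdo.sourcephile.fr"` entry is a hostname, so that exemption also depends on DNS answers at ban time — pre-existing, but worth a note beside it. `services.fail2ban = {` starts outside the hunk.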
@@ -47,11 +47,11 @@ ] }, "locked": { - "lastModified": 1621532831, - "narHash": "sha256-IZW90FX0C+r4xsYxXKSXmdpNDko785p4/I/3TIZW5qM=", + "lastModified": 1621978558, + "narHash": "sha256-dX18B8umOuiO76XjfvakAVTilnV3wq8DeXgVIo7XI6I=", "ref": "master", - "rev": "c715cf6150d9b20ff01799396da2f216efa17119", - "revCount": 132, + "rev": "624e84d579ab417c05181b8a5cd5d57d558abde0", + "revCount": 134, "type": "git", "url": "git://git.sourcephile.fr/julm/julm-nix" }, -- 2.47.2 From 2aacf04eeee75ca80b6c337ede720f1c6d154499 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 27 May 2021 00:56:14 +0200 Subject: [PATCH 07/16] nix: use nix-direnv --- .envrc | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.envrc b/.envrc index 40cbab6..3550a30 100644 --- a/.envrc +++ b/.envrc @@ -1,10 +1 @@ -use_flake() { - watch_file flake.nix - watch_file flake.lock - profile="$(direnv_layout_dir)"/flake-profile - mkdir -p "$(direnv_layout_dir)" - eval "$(time nix print-dev-env --show-trace --profile "$profile" || echo false)" && - nix-store --add-root "shell.root" --indirect --realise "$profile" && - nix-env --delete-generations +1 --profile "$profile" -} use flake -- 2.47.2 From 6f8c7b64990669b147b41d97a8535eca1ceef527 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sat, 5 Jun 2021 08:52:07 +0200 Subject: [PATCH 08/16] nix: update input flakes --- flake.lock | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index 7c951fa..91d99e2 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "flake-utils": { "locked": { - "lastModified": 1620759905, - "narHash": "sha256-WiyWawrgmyN0EdmiHyG2V+fqReiVi8bM9cRdMaKQOFg=", + "lastModified": 1622445595, + "narHash": "sha256-m+JRe6Wc5OZ/mKw2bB3+Tl0ZbtyxxxfnAWln8Q5qs+Y=", "owner": "numtide", "repo": "flake-utils", - "rev": "b543720b25df6ffdfcf9227afafc5b8c1fabfae8", + "rev": "7d706970d94bc5559077eb1a6600afddcd25a7c8", "type": "github" }, "original": { 
@@ -47,11 +47,11 @@ ] }, "locked": { - "lastModified": 1621978558, - "narHash": "sha256-dX18B8umOuiO76XjfvakAVTilnV3wq8DeXgVIo7XI6I=", + "lastModified": 1622743708, + "narHash": "sha256-0hwFvk0mKw8dbPFjpbetVzJ83K4IaPNff0pXEOkT7PY=", "ref": "master", - "rev": "624e84d579ab417c05181b8a5cd5d57d558abde0", - "revCount": 134, + "rev": "2a12c2345f326ad500ed44bf79deef7ad3a17aa4", + "revCount": 142, "type": "git", "url": "git://git.sourcephile.fr/julm/julm-nix" }, -- 2.47.2 From 519a4f18573fcaf119798634c6726a37f0464cbe Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Mon, 7 Jun 2021 17:39:01 +0200 Subject: [PATCH 09/16] losurdo: setup prometheus and grafana --- flake.lock | 8 +- hosts/losurdo.nix | 1 + .../losurdo/nginx/sourcephile.fr/cryptpad.nix | 8 +- hosts/losurdo/prometheus.nix | 126 +++++++++++++++++- 4 files changed, 134 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 91d99e2..7925dd6 100644 --- a/flake.lock +++ b/flake.lock @@ -47,11 +47,11 @@ ] }, "locked": { - "lastModified": 1622743708, - "narHash": "sha256-0hwFvk0mKw8dbPFjpbetVzJ83K4IaPNff0pXEOkT7PY=", + "lastModified": 1623059458, + "narHash": "sha256-1sBsLgfpK1SX0Ac5eCy0ggklKx0Ifd8ZjvB09LN67p4=", "ref": "master", - "rev": "2a12c2345f326ad500ed44bf79deef7ad3a17aa4", - "revCount": 142, + "rev": "a21fe4429c72decc9f2562759989e54164e13da6", + "revCount": 145, "type": "git", "url": "git://git.sourcephile.fr/julm/julm-nix" }, diff --git a/hosts/losurdo.nix b/hosts/losurdo.nix index 74ea7b2..8a168c3 100644 --- a/hosts/losurdo.nix +++ b/hosts/losurdo.nix @@ -35,6 +35,7 @@ modules = [ losurdo/nginx.nix losurdo/postfix.nix losurdo/postgresql.nix + losurdo/prometheus.nix losurdo/redis.nix losurdo/sanoid.nix losurdo/security.nix diff --git a/hosts/losurdo/nginx/sourcephile.fr/cryptpad.nix b/hosts/losurdo/nginx/sourcephile.fr/cryptpad.nix index 42f2b39..410d958 100644 --- a/hosts/losurdo/nginx/sourcephile.fr/cryptpad.nix +++ b/hosts/losurdo/nginx/sourcephile.fr/cryptpad.nix 
@@ -73,8 +73,8 @@ services.cryptpad = { httpUnsafeOrigin: 'https://${main_domain}/', httpSafeOrigin: "https://${sandbox_domain}/", httpAddress: '::1', - httpPort: 3000, - httpSafePort: 3001, + httpPort: 3100, + httpSafePort: 3101, maxWorkers: 1, /* ===================== @@ -183,7 +183,7 @@ services.nginx.virtualHosts.${main_domain} = { # We prefer to serve static content from nginx directly and to leave the API server to handle # the dynamic content that only it can manage. This is primarily an optimization locations."^~ /cryptpad_websocket" = { - proxyPass = "http://[::1]:3000"; + proxyPass = "http://[::1]:3100"; proxyWebsockets = true; }; @@ -202,7 +202,7 @@ services.nginx.virtualHosts.${main_domain} = { # the caching variable which is applied to every other resource # which is loaded during that session. locations."= /api/config" = { - proxyPass = "http://[::1]:3000"; + proxyPass = "http://[::1]:3100"; }; # encrypted blobs are immutable and are thus cached for a year diff --git a/hosts/losurdo/prometheus.nix b/hosts/losurdo/prometheus.nix index 377da8f..5e17279 100644 --- a/hosts/losurdo/prometheus.nix +++ b/hosts/losurdo/prometheus.nix 
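Review bot: The API port is now a literal in three places on the new side — `httpPort: 3100` inside the cryptpad config string and `proxyPass = "http://[::1]:3100"` in the two later hunks of this file — so the next collision (this one exists because grafana takes 3000 in the prometheus.nix hunk) has to be fixed in three places again. Bind it once, e.g. `let cryptpadPort = 3100; in` at the top of the module, and interpolate `${toString cryptpadPort}` at each site; `httpSafePort: 3101` would then follow as `cryptpadPort + 1`. `services.cryptpad = {` and the `services.nginx.virtualHosts.${main_domain}` attrset start outside these hunks.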
@@ -1,6 +1,130 @@ -{ pkgs, lib, config, ... }: +{ pkgs, lib, config, hostName, ... }: +let + inherit (config.services) prometheus; + listenAddress = "127.0.0.1"; +in { services.prometheus = { enable = true; + inherit listenAddress; + port = 9090; + extraFlags = [ + "--storage.tsdb.retention.time 30d" + ]; + exporters = { + apcupsd = { + enable = true; + inherit listenAddress; + }; + node = { + enable = true; + inherit listenAddress; + #enabledCollectors = [ "wifi" ]; + }; + smokeping = { + #enable = true; + inherit listenAddress; + buckets = "0.0001,0.001,0.005,0.01,0.02,0.04,0.06,0.08,0.16,0.24,0.32,0.4,0.48,0.8,1.6,3.2,6.4"; + hosts = [ "www.fdn.fr" "8.8.8.8" ]; + pingInterval = "3s"; + }; + systemd = { + enable = true; + inherit listenAddress; + }; + wireguard = { + #enable = true; + inherit listenAddress; + withRemoteIp = true; + }; + }; + scrapeConfigs = [ + { + job_name = hostName; + static_configs = [ + { + targets = [ + "${listenAddress}:${toString prometheus.exporters.apcupsd.port}" + "${listenAddress}:${toString prometheus.exporters.node.port}" + #"[${listenAddress}:${toString prometheus.exporters.smokeping.port}" + "${listenAddress}:${toString prometheus.exporters.systemd.port}" + #"${listenAddress}:${toString prometheus.exporters.wireguard.port}" + ]; + } + ]; + } + ]; + /* + alertmanagers = [ + { + static_configs = [ { targets = [ "${listenAddress}:9093" ]; } ]; + } + ]; + alertmanager = { + enable = true; + inherit listenAddress; + configuration = { + global = { + "smtp_smarthost" = "localhost:25"; + "smtp_require_tls" = false; + "smtp_from" = "alertmanager@${domain}"; + }; + route = { + "group_by" = [ "alertname" "alias" ]; + "group_wait" = "30s"; + "group_interval" = "2m"; + "repeat_interval" = "12h"; + "receiver" = "root"; + }; + receivers = [ + { + "name" = "root"; + "email_configs" = [ + { + "to" = "root+alertmanager@${domain}"; + "send_resolved" = true; + } + ]; + } + ]; + }; + }; + rules = [ + '' + groups: + - name: custom_rules + rules: + - 
record: battery_percent + expr: 100 * battery_energy_now / battery_energy_full + - alert: battery_soon_out + expr: predict_linear(battery_percent[30m], 3600) <= 10 + for: 5m + labels: + severity: warning + annotations: + summary: "Instance [{{ $labels.instance }}] battery about 1h left" + description: "[{{ $labels.instance }}] battery in 1h estimated to {{ $value }}%" + '' + ]; + */ +}; +services.grafana = { + enable = true; + addr = listenAddress; + port = 3000; + analytics.reporting.enable = false; + extraOptions = { + ANALYTICS_CHECK_FOR_UPDATES = "false"; + }; +}; +# override systemd exporter execstart to enable option... +# FIXME: use extraFlags +systemd.services.prometheus-systemd-exporter.serviceConfig = { + ExecStart = lib.mkForce '' + ${pkgs.prometheus-systemd-exporter}/bin/systemd_exporter \ + --web.listen-address=${listenAddress}:${toString prometheus.exporters.systemd.port} \ + --collector.enable-ip-accounting \ + --collector.enable-restart-count + ''; }; } -- 2.47.2 From ed0ec775b2bff627c51aa6f568f2fe53daf508e5 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 16 Jun 2021 04:26:29 +0200 Subject: [PATCH 10/16] nix: update nixpkgs --- flake.lock | 8 ++++---- flake.nix | 4 ++-- hosts/losurdo/xserver.nix | 2 +- nixos/defaults/security.nix | 3 ++- nixos/modules.nix | 2 ++ nixos/profiles/services/nginx.nix | 1 + nixpkgs/patches.nix | 13 ++++--------- .../system/smartmontools/smartctl-tbw/default.nix | 6 +++--- nixpkgs/pkgs/tools/system/swaplist/default.nix | 6 +++--- 9 files changed, 22 insertions(+), 23 deletions(-) diff --git a/flake.lock b/flake.lock index 7925dd6..dc2a0e3 100644 --- a/flake.lock +++ b/flake.lock 
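Review bot: `extraFlags = [ "--storage.tsdb.retention.time 30d" ]` packs the flag and its value into one list element separated by a space; that only works while the module splices `extraFlags` into `ExecStart` unquoted, and if it ever shell-escapes each element Prometheus receives a single unknown argument and refuses to start. Use the unambiguous `"--storage.tsdb.retention.time=30d"` form. Two smaller things: the commented scrape target `#"[${listenAddress}:…smokeping.port}"` has a stray `[`, and the `lib.mkForce` ExecStart for prometheus-systemd-exporter replaces the module's command line outright, so any flags the module adds later are silently lost — the `FIXME: use extraFlags` is better resolved than shipped. Binding Prometheus, Grafana and every exporter to `127.0.0.1` is the right default here.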
@@ -63,17 +63,17 @@ }, "nixpkgs": { "locked": { - "lastModified": 1621420722, - "narHash": "sha256-dVnq/0eaN6HaAbgxgK6muSy0t2fD/Ayss2WUfvkJ5qs=", + "lastModified": 1623786084, + "narHash": "sha256-cOKphbBTexY8BMN8xDverIOVx7P3I0xlWPFDfIhndxI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7013a0f2791da4c38c7e6f56d48139aeb344991b", + "rev": "fd374934efcd10061cbdc7e314d8e1c67d329200", "type": "github" }, "original": { "owner": "NixOS", "repo": "nixpkgs", - "rev": "7013a0f2791da4c38c7e6f56d48139aeb344991b", + "rev": "fd374934efcd10061cbdc7e314d8e1c67d329200", "type": "github" } }, diff --git a/flake.nix b/flake.nix index b6c6f6d..72ebd62 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,6 @@ { # Pin down nixpkgs from github, instead of using global, system or user registries. -inputs.nixpkgs.url = "github:NixOS/nixpkgs/7013a0f2791da4c38c7e6f56d48139aeb344991b"; +inputs.nixpkgs.url = "github:NixOS/nixpkgs/fd374934efcd10061cbdc7e314d8e1c67d329200"; #inputs.nixpkgs.url = "flake:nixpkgs"; inputs.flake-utils.url = "github:numtide/flake-utils"; inputs.home-manager.follows = "julm-nix/home-manager"; @@ -17,7 +17,7 @@ outputs = inputs: let #nixpkgs/patches/transmission.diff #nixpkgs/patches/apparmor.diff #nixpkgs/patches/ifcopenshell.diff - nixpkgs/patches/public-inbox.diff + #nixpkgs/patches/public-inbox.diff #nixpkgs/patches/zerobin.diff #nixpkgs/patches/gitolite.diff #nixpkgs/patches/tor.diff diff --git a/hosts/losurdo/xserver.nix b/hosts/losurdo/xserver.nix index e35614c..b7d0d5b 100644 --- a/hosts/losurdo/xserver.nix +++ b/hosts/losurdo/xserver.nix @@ -33,7 +33,7 @@ environment.systemPackages = [ console.useXkbConfig = true; sound.enable = true; hardware.pulseaudio.enable = true; -programs.x2goserver = { +services.x2goserver = { enable = true; }; /* diff --git a/nixos/defaults/security.nix b/nixos/defaults/security.nix index b7be606..637805f 100644 --- a/nixos/defaults/security.nix +++ b/nixos/defaults/security.nix 
@@ -1,6 +1,7 @@ { inputs, pkgs, lib, config, ... }: { -boot.kernelPackages = pkgs.linuxPackages_latest_hardened; +boot.kernelPackages = pkgs.linuxPackages_hardened; +#boot.kernelPackages = pkgs.linuxPackages_latest_hardened; #environment.memoryAllocator.provider = "libc"; nix.allowedUsers = [ "@users" ]; security.allowSimultaneousMultithreading = false; diff --git a/nixos/modules.nix b/nixos/modules.nix index de29f80..cb5abea 100644 --- a/nixos/modules.nix +++ b/nixos/modules.nix @@ -9,6 +9,7 @@ imports = [ modules/services/networking/upnpc.nix #modules/services/security/tor.nix #modules/services/backup/syncoid.nix + #modules/services/backup/sanoid.nix #modules/services/torrent/transmission.nix #modules/security/gnupg.nix #modules/services/networking/biboumi.nix @@ -34,5 +35,6 @@ disabledModules = [ #"services/networking/openvpn.nix" #"services/torrent/transmission.nix" #"services/games/freeciv.nix" + #"services/backup/sanoid.nix" ]; } diff --git a/nixos/profiles/services/nginx.nix b/nixos/profiles/services/nginx.nix index 4d721da..29b4011 100644 --- a/nixos/profiles/services/nginx.nix +++ b/nixos/profiles/services/nginx.nix @@ -24,6 +24,7 @@ systemd.tmpfiles.rules = [ "d '/dev/shm/nginx' '750' '${nginx.user}' '${nginx.group}' - -" ]; systemd.services.nginx = { + requires = [ "systemd-tmpfiles-setup-dev.service" ]; serviceConfig = { # FIXME: remove all the mkForce in LogsDirectory # whenever upstream uses a list instead of a string. diff --git a/nixpkgs/patches.nix b/nixpkgs/patches.nix index 99d1dc0..4524f7c 100644 --- a/nixpkgs/patches.nix +++ b/nixpkgs/patches.nix @@ -2,7 +2,7 @@ { meta.description = "sanoid: fix sanoid.conf generation"; url = "https://github.com/NixOS/nixpkgs/pull/83904.diff"; - sha256 = "sha256-szsAWFzYlXfqjKgNWvSCxiFX3ksFjl8JYqZl37Y3080="; + sha256 = "sha256-lDY3kIsvaWkGdoApwQo8CPSHh3Gn5h8SPWNdteq+dJs="; } /* { 
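Review bot: In the nginx.nix hunk, `requires = [ "systemd-tmpfiles-setup-dev.service" ];` pulls the unit in but gives no ordering, so on its own it does not guarantee `/dev/shm/nginx` exists before nginx starts; add the matching `after = [ "systemd-tmpfiles-setup-dev.service" ];` next to it. In practice the dev tmpfiles unit is ordered before `sysinit.target` and nginx keeps default dependencies, so the intent is probably already met, but stating it explicitly costs nothing and survives a future `DefaultDependencies=no`. A one-line comment, `# /dev/shm/nginx is created by the tmpfiles rule above (prefix /dev)`, would tie the dependency to the rule. The `systemd.services.nginx` set continues outside the hunk.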
@@ -33,7 +33,7 @@ { meta.description = "transmission: use freeformType on settings"; url = "https://github.com/NixOS/nixpkgs/pull/96655.diff"; - sha256 = "sha256-LdOBpreZtRzcCdbKM09puPbzd0RlB03UtZOg66Ho2aU="; + sha256 = "sha256-IoWUdLQxtgdi3kMmF8T0HNrPa3vrBbxK0PCSWXGjx+0="; } /* { @@ -55,7 +55,7 @@ { meta.description = "nixos/syncoid: split in multiple systemd services and harden them"; url = "https://github.com/NixOS/nixpkgs/pull/98455.diff"; - sha256 = "sha256-09ECRsdNQfVab4b/V9LxZQdj3JjHjZhCwwyYtViGW+8="; + sha256 = "sha256-6JgDfU6cIgW7Ei2eY4Wtd6tiFwFEAy9V9/+G42B6kp4="; } /* { @@ -67,7 +67,7 @@ { meta.description = "Update public-inbox to 1.6.1 and add systemd services"; url = "https://github.com/NixOS/nixpkgs/pull/104457.diff"; - sha256 = "sha256-dVoMeYPivSpZmhO6rwjxYUUJX+n603Y6ytL+2ZNnb9o="; + sha256 = "sha256-pplampG4pdUH+rWNSUMb1t7e6Mc0OiXXHo/FcemgyQ8="; } /* { @@ -81,11 +81,6 @@ url = "https://github.com/NixOS/nixpkgs/pull/109643.diff"; sha256 = "sha256-i9dhidO/Yf/u6wE08ZIL/s6A/LoaXfz14+Xqc2YvJQg="; } -{ - meta.description = "x2goserver"; - url = "https://github.com/averelld/nixpkgs/commit/ac2b1e9915c3176879361fb5fbeab50b177fcce3.diff"; - sha256 = "sha256-FjYTQD6d6jukLfusYwfHF7wDwE9IAGIvLLyeOs3HHV0="; -} /* { meta.description = ""; diff --git a/nixpkgs/pkgs/tools/system/smartmontools/smartctl-tbw/default.nix b/nixpkgs/pkgs/tools/system/smartmontools/smartctl-tbw/default.nix index 7d20fa1..8e1abe8 100644 --- a/nixpkgs/pkgs/tools/system/smartmontools/smartctl-tbw/default.nix +++ b/nixpkgs/pkgs/tools/system/smartmontools/smartctl-tbw/default.nix @@ -1,13 +1,13 @@ -{ coreutils +{ lib +, coreutils , gawk , gnused , smartmontools -, stdenv , sudo , writeShellScriptBin , utillinux }: -let PATH = stdenv.lib.makeBinPath +let PATH = lib.makeBinPath [ coreutils gawk gnused diff --git a/nixpkgs/pkgs/tools/system/swaplist/default.nix b/nixpkgs/pkgs/tools/system/swaplist/default.nix index e203e5b..8c5644e 100644 --- a/nixpkgs/pkgs/tools/system/swaplist/default.nix 
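Review bot: The hash bumps in these hunks are a symptom of the patch URLs, `https://github.com/NixOS/nixpkgs/pull/<n>.diff`, being moving targets: the diff GitHub serves for a PR changes whenever the PR is rebased or amended, so the pinned `sha256` breaks on every upstream push and, more importantly, nothing in the commit records what changed between the old and new content. Pinning each entry to an immutable URL — a commit `.diff` as the removed x2goserver entry did, or `compare/<base>...<head>.diff` — keeps the hash stable and makes the applied change auditable. Recording the vetted head next to `meta.description`, `# reviewed at <commit>`, would document what was actually read before the hash was accepted.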
+++ b/nixpkgs/pkgs/tools/system/swaplist/default.nix @@ -1,8 +1,8 @@ -{ coreutils -, stdenv +{ lib +, coreutils , writeShellScriptBin }: -let PATH = stdenv.lib.concatStringsSep ":" [ "${coreutils}/bin" ]; +let PATH = lib.concatStringsSep ":" [ "${coreutils}/bin" ]; in writeShellScriptBin "swaplist" '' # SYNTAX: -- 2.47.2 From 0de2c9c365636d5b4c5ffc6c14649570672321c3 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 18 Jun 2021 11:51:42 +0200 Subject: [PATCH 11/16] julm-nix: update --- flake.lock | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/flake.lock b/flake.lock index dc2a0e3..1f8da61 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "flake-utils": { "locked": { - "lastModified": 1622445595, - "narHash": "sha256-m+JRe6Wc5OZ/mKw2bB3+Tl0ZbtyxxxfnAWln8Q5qs+Y=", + "lastModified": 1623875721, + "narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=", "owner": "numtide", "repo": "flake-utils", - "rev": "7d706970d94bc5559077eb1a6600afddcd25a7c8", + "rev": "f7e004a55b120c02ecb6219596820fcd32ca8772", "type": "github" }, "original": { @@ -22,17 +22,17 @@ ] }, "locked": { - "lastModified": 1617824794, - "narHash": "sha256-UGkvzx0nIXHhNq/KwJLjXvKAQRE2V33MuX+UirvqrkQ=", + "lastModified": 1623773486, + "narHash": "sha256-JqifiS2MkLomI/O1KlKLMlm0q2/CtPXYYPPVpYjlmic=", "owner": "nix-community", "repo": "home-manager", - "rev": "2aa20ae969f2597c4df10a094440a66e9d7f8c86", + "rev": "e0f2949c981a636ff1a75bd075e2a614af3bafb1", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-20.09", "repo": "home-manager", + "rev": "e0f2949c981a636ff1a75bd075e2a614af3bafb1", "type": "github" } }, 
@@ -47,11 +47,11 @@ ] }, "locked": { - "lastModified": 1623059458, - "narHash": "sha256-1sBsLgfpK1SX0Ac5eCy0ggklKx0Ifd8ZjvB09LN67p4=", + "lastModified": 1624007125, + "narHash": "sha256-qYEoyrdn9p4EO466IXaML/qwZe9nPIlvVMtaj/3MMgc=", "ref": "master", - "rev": "a21fe4429c72decc9f2562759989e54164e13da6", - "revCount": 145, + "rev": "1505ca57487cb1b6830b561be1428577de6a4627", + "revCount": 159, "type": "git", "url": "git://git.sourcephile.fr/julm/julm-nix" }, -- 2.47.2 From 94fbae42a591ed5ba09f5822f12f659f04b75df7 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 18 Jun 2021 12:24:42 +0200 Subject: [PATCH 12/16] secrets: update --- flake.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/flake.lock b/flake.lock index 1f8da61..224d2dd 100644 --- a/flake.lock +++ b/flake.lock @@ -80,7 +80,7 @@ "pass": { "flake": false, "locked": { - "narHash": "sha256-nRHB1KJP9g2Z0CRvRF33UQB/PaRzvcNQCwaqPwMJRLk=", + "narHash": "sha256-Pvt2rSuhnk8Lg6E8l/aYnr4RfWLrU+yS97gNd6Ic58U=", "path": "./pass", "type": "path" }, @@ -106,7 +106,7 @@ "secrets": { "flake": false, "locked": { - "narHash": "sha256-N8SAonk7vb1CXokiLgU4pKpn7h47XoJAH4T9lFLhl4M=", + "narHash": "sha256-7O/36St1ofCXqRbn3/GsSqMcf0/fc/zDhWopJUcZCuI=", "path": "./sec", "type": "path" }, -- 2.47.2 From 5010c390a5b39556aba94ca0b57733ab5f7e6391 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sat, 19 Jun 2021 06:53:41 +0200 Subject: [PATCH 13/16] sanoid: dispatch datasets --- hosts/mermet/dovecot.nix | 5 + hosts/mermet/gitolite.nix | 10 +- hosts/mermet/nginx.nix | 12 +- hosts/mermet/public-inbox.nix | 378 +++++++++++++++++----------------- hosts/mermet/redis.nix | 8 + hosts/mermet/sanoid.nix | 37 ---- hosts/mermet/users.nix | 16 +- 7 files changed, 231 insertions(+), 235 deletions(-) diff --git a/hosts/mermet/dovecot.nix b/hosts/mermet/dovecot.nix index 041c867..17b6f99 100644 --- a/hosts/mermet/dovecot.nix +++ b/hosts/mermet/dovecot.nix 
@@ -103,6 +103,11 @@ fileSystems."/var/lib/dovecot" = { device = "rpool/var/mail"; fsType = "zfs"; }; +services.sanoid.datasets."rpool/var/mail" = { + use_template = [ "local" ]; + hourly = 12; + daily = 7; +}; services.dovecot2 = { enable = true; modules = [ diff --git a/hosts/mermet/gitolite.nix b/hosts/mermet/gitolite.nix index 2a36814..10ff8e3 100644 --- a/hosts/mermet/gitolite.nix +++ b/hosts/mermet/gitolite.nix @@ -60,9 +60,9 @@ systemd.services.git-daemon = { after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - User = users."git-daemon".name; - Group = groups."git-daemon".name; - Restart = "always"; + User = users."git-daemon".name; + Group = groups."git-daemon".name; + Restart = "always"; RestartSec = 5; }; script = "${pkgs.git}/bin/git daemon --verbose --reuseaddr" @@ -79,4 +79,8 @@ fileSystems."/var/lib/gitolite" = { device = "rpool/var/git"; fsType = "zfs"; }; +services.sanoid.datasets."rpool/var/git" = { + use_template = [ "local" ]; + daily = 7; +}; } diff --git a/hosts/mermet/nginx.nix b/hosts/mermet/nginx.nix index 5ee6588..529d756 100644 --- a/hosts/mermet/nginx.nix +++ b/hosts/mermet/nginx.nix @@ -15,10 +15,6 @@ networking.nftables.ruleset = '' add rule inet filter net2fw tcp dport 80 counter accept comment "HTTP" add rule inet filter net2fw tcp dport 443 counter accept comment "HTTPS" ''; -fileSystems."/var/lib/nginx" = { - device = "rpool/var/www"; - fsType = "zfs"; -}; services.nginx = { enable = true; package = pkgs.nginx.override { @@ -35,4 +31,12 @@ services.nginx = { useACMEHost = networking.domain; }; }; +fileSystems."/var/lib/nginx" = { + device = "rpool/var/www"; + fsType = "zfs"; +}; +services.sanoid.datasets."rpool/var/www" = { + use_template = [ "local" ]; + daily = 7; +}; } diff --git a/hosts/mermet/public-inbox.nix b/hosts/mermet/public-inbox.nix index 519b995..c600f7a 100644 --- a/hosts/mermet/public-inbox.nix +++ b/hosts/mermet/public-inbox.nix 
@@ -1,8 +1,23 @@ { pkgs, lib, config, ... }: -let inherit (config.services) public-inbox; - inherit (config.users) groups; - orga = "sourcephile"; - domain = "${orga}.fr"; +let + inherit (config.services) public-inbox; + inherit (config.users) groups; + orga = "sourcephile"; + domain = "${orga}.fr"; + inboxes = [ + "doclang" + "majurity" + "reloto" + "symantic" + "symantic-atom" + "symantic-base" + "symantic-cli" + "symantic-compta" + "symantic-document" + "symantic-http" + "symantic-parser" + "symantic-xml" + ]; in # Pour supprimer un message : # curl https://mails.sourcephile.fr/inbox/environnement/8ea699887ca47797b4460053588cbef2d115829ab4@vieber.ru/raw | 
@@ -43,197 +58,180 @@ systemd.services = { }; }; }; -services = let - inbox-git = name: { - postfix.virtual = '' - ${name}@${domain} public-inbox@localhost - ''; - public-inbox.inboxes.${name} = { +services.public-inbox = { + enable = true; + settings.publicinbox = { + css = [ "href=https://mails.${domain}/style/light.css" ]; + nntpserver = [ "nntps://news.${domain}" ]; + wwwlisting = "match=domain"; + }; + mda = { + enable = true; + args = [ "--no-precheck" ]; # Allow Bcc: + }; + http = { + enable = true; + port = "/run/public-inbox-http.sock"; + #port = 8080; + args = ["-W0"]; + mounts = [ + "https://mails.${domain}/inbox" + "https://public-inbox.${domain}/inbox" + ]; + }; + nntp = { + enable = true; + #port = 563; + args = ["-W0"]; + cert = "/var/lib/acme/${domain}/fullchain.pem"; + key = "/var/lib/acme/${domain}/key.pem"; + }; + imap = { + enable = true; + # FIXME: find an IP or .onion to put 993 + port = null; + args = [ "-W0" "--listen" "imaps://0.0.0.0:1993" ]; + #args = ["-W0"]; + cert = "/var/lib/acme/${domain}/fullchain.pem"; + key = "/var/lib/acme/${domain}/key.pem"; + }; + inboxes = { + news = { address = [ - "${name}@${domain}" - "public-inbox+${name}@${domain}" + "news@${domain}" + "public-inbox+news@${domain}" ]; description = '' - ${name}@${domain} : - discussions concernant ${name}. + news@${domain} : + annonces d'informations concernant importantes ''; - url = "https://mails.${domain}/inbox/${name}"; - newsgroup = "inbox.comp.${orga}.${name}"; - coderepo = [ name ]; + url = "https://mails.${domain}/inbox/news"; + newsgroup = "inbox.comp.${orga}.news"; + #coderepo = [ "sourcephile-txt" ]; }; - public-inbox.settings.coderepo.${name} = { - dir = "/var/lib/gitolite/repositories/${name}.git"; - cgitUrl = "https://code.${domain}/${name}.git"; + chat = { + address = [ + "chat@${domain}" + "public-inbox+chat@${domain}" + ]; + description = '' + chat@${domain} : + discussions concernant l'informatique en général. 
+ ''; + url = "https://mails.${domain}/inbox/chat"; + newsgroup = "inbox.comp.${orga}.chat"; }; - }; in lib.mkMerge ( - map inbox-git [ - "comptalang" - "doclang" - "majurity" - "reloto" - "symantic" - "symantic-atom" - "symantic-base" - "symantic-cli" - "symantic-document" - "symantic-http" - "symantic-parser" - "symantic-xml" - ] ++ - [{ public-inbox = { - enable = true; - settings.publicinbox = { - css = [ "href=https://mails.${domain}/style/light.css" ]; - nntpserver = [ "nntps://news.${domain}" ]; - wwwlisting = "match=domain"; - }; - mda = { - enable = true; - args = [ "--no-precheck" ]; # Allow Bcc: - }; - http = { - enable = true; - port = "/run/public-inbox-http.sock"; - #port = 8080; - args = ["-W0"]; - mounts = [ - "https://mails.${domain}/inbox" - "https://public-inbox.${domain}/inbox" - ]; - }; - nntp = { - enable = true; - #port = 563; - args = ["-W0"]; - cert = "/var/lib/acme/${domain}/fullchain.pem"; - key = "/var/lib/acme/${domain}/key.pem"; - }; - imap = { - enable = true; - # FIXME: find an IP or .onion to put 993 - port = null; - args = [ "-W0" "--listen" "imaps://0.0.0.0:1993" ]; - #args = ["-W0"]; - cert = "/var/lib/acme/${domain}/fullchain.pem"; - key = "/var/lib/acme/${domain}/key.pem"; - }; - inboxes = { - news = { - address = [ - "news@${domain}" - "public-inbox+news@${domain}" - ]; - description = '' - news@${domain} : - annonces d'informations concernant importantes - ''; - url = "https://mails.${domain}/inbox/news"; - newsgroup = "inbox.comp.${orga}.news"; - #coderepo = [ "sourcephile-txt" ]; - }; - chat = { - address = [ - "chat@${domain}" - "public-inbox+chat@${domain}" - ]; - description = '' - chat@${domain} : - discussions concernant l'informatique en général. - ''; - url = "https://mails.${domain}/inbox/chat"; - newsgroup = "inbox.comp.${orga}.chat"; - }; - contact = { - address = [ - "contact@${domain}" - "public-inbox+contact@${domain}" - ]; - description = '' - contact@${domain} : - discussions avec le grand public. 
- ''; - url = "https://mails.${domain}/inbox/contact"; - newsgroup = "inbox.comp.${orga}.contact"; - #coderepo = [ "${orga}" ]; - }; - environnement = { - address = [ - "environnement@${domain}" - "public-inbox+environnement@${domain}" - ]; - description = '' - environnement@${domain} : - discussions sur les impacts environnementaux de l'informatique. - ''; - url = "https://mails.${domain}/inbox/environnement"; - newsgroup = "inbox.comp.${orga}.environnement"; - #coderepo = [ "sourcephile-txt" ]; - }; - labo = { - address = [ - "labo@${domain}" - "public-inbox+labo@${domain}" - ]; - description = '' - labo@${domain} : - discussions concernant la science de l'informatique. - ''; - url = "https://mails.${domain}/inbox/labo"; - newsgroup = "inbox.comp.${orga}.labo"; - # TODO: list many source code repositories - #coderepo = [ "sourcephile-txt" ]; - }; - prod = { - address = [ - "prod@${domain}" - "public-inbox+prod@${domain}" - ]; - description = '' - prod@${domain} : - discussions concernant l'administration technique de l'infrastructure informatique. - ''; - url = "https://mails.${domain}/inbox/prod"; - newsgroup = "inbox.comp.${orga}.prod"; - #coderepo = [ "sourcephile-txt" "sourcephile-nix" ]; - }; - orga = { - address = [ - "orga@${domain}" - "public-inbox+orga@${domain}" - ]; - description = '' - orga@${domain} : - discussions à l'attention de l'ensemble des personnes à bord. - ''; - url = "https://mails.${domain}/inbox/orga"; - newsgroup = "inbox.comp.${orga}.orga"; - #coderepo = [ "sourcephile-txt" ]; - }; - test = { - address = [ - "test@${domain}" - "public-inbox+test@${domain}" - ]; - description = '' - test@${domain} : - une cible de test pour effectuer des tirs de mails. 
- ''; - url = "https://mails.${domain}/inbox/test"; - newsgroup = "inbox.comp.${orga}.test"; - hide = [ /* FIXME: doesn't work for IMAP */"imap" "www" "manifest" ]; - }; - }; - settings.coderepo = { - sourcephile-txt = { - dir = "/var/lib/gitolite/repositories/sourcephile-txt.git"; - cgitUrl = "https://code.${domain}/sourcephile-txt.git"; - }; - sourcephile-nix = { - dir = "/var/lib/gitolite/repositories/sourcephile-nix.git"; - cgitUrl = "https://code.${domain}/sourcephile-nix.git"; - }; - }; + contact = { + address = [ + "contact@${domain}" + "public-inbox+contact@${domain}" + ]; + description = '' + contact@${domain} : + discussions avec le grand public. + ''; + url = "https://mails.${domain}/inbox/contact"; + newsgroup = "inbox.comp.${orga}.contact"; + #coderepo = [ "${orga}" ]; }; - }] - ); + environnement = { + address = [ + "environnement@${domain}" + "public-inbox+environnement@${domain}" + ]; + description = '' + environnement@${domain} : + discussions sur les impacts environnementaux de l'informatique. + ''; + url = "https://mails.${domain}/inbox/environnement"; + newsgroup = "inbox.comp.${orga}.environnement"; + #coderepo = [ "sourcephile-txt" ]; + }; + labo = { + address = [ + "labo@${domain}" + "public-inbox+labo@${domain}" + ]; + description = '' + labo@${domain} : + discussions concernant la science de l'informatique. + ''; + url = "https://mails.${domain}/inbox/labo"; + newsgroup = "inbox.comp.${orga}.labo"; + # TODO: list many source code repositories + #coderepo = [ "sourcephile-txt" ]; + }; + prod = { + address = [ + "prod@${domain}" + "public-inbox+prod@${domain}" + ]; + description = '' + prod@${domain} : + discussions concernant l'administration technique de l'infrastructure informatique. 
+ ''; + url = "https://mails.${domain}/inbox/prod"; + newsgroup = "inbox.comp.${orga}.prod"; + #coderepo = [ "sourcephile-txt" "sourcephile-nix" ]; + }; + orga = { + address = [ + "orga@${domain}" + "public-inbox+orga@${domain}" + ]; + description = '' + orga@${domain} : + discussions à l'attention de l'ensemble des personnes à bord. + ''; + url = "https://mails.${domain}/inbox/orga"; + newsgroup = "inbox.comp.${orga}.orga"; + #coderepo = [ "sourcephile-txt" ]; + }; + test = { + address = [ + "test@${domain}" + "public-inbox+test@${domain}" + ]; + description = '' + test@${domain} : + une cible de test pour effectuer des tirs de mails. + ''; + url = "https://mails.${domain}/inbox/test"; + newsgroup = "inbox.comp.${orga}.test"; + hide = [ /* FIXME: doesn't work for IMAP */"imap" "www" "manifest" ]; + }; + } // lib.mapAttrs (name: { + address = [ + "${name}@${domain}" + "public-inbox+${name}@${domain}" + ]; + description = '' + ${name}@${domain} : + discussions concernant ${name}. + ''; + url = "https://mails.${domain}/inbox/${name}"; + newsgroup = "inbox.comp.${orga}.${name}"; + coderepo = [ name ]; + }) inboxes; + settings.coderepo = { + sourcephile-txt = { + dir = "/var/lib/gitolite/repositories/sourcephile-txt.git"; + cgitUrl = "https://code.${domain}/sourcephile-txt.git"; + }; + sourcephile-nix = { + dir = "/var/lib/gitolite/repositories/sourcephile-nix.git"; + cgitUrl = "https://code.${domain}/sourcephile-nix.git"; + }; + } // lib.mapAttrs (name: { + dir = "/var/lib/gitolite/repositories/${name}.git"; + cgitUrl = "https://code.${domain}/${name}.git"; + }); +}; +services.postfix.virtual = lib.concatMapStringsSep "\n" (name: '' + ${name}@${domain} public-inbox@localhost +'') inboxes; +services.sanoid.datasets."rpool/var/public-inbox" = { + use_template = [ "local" ]; + daily = 7; +}; } diff --git a/hosts/mermet/redis.nix b/hosts/mermet/redis.nix index 68c18d3..3633223 100644 --- a/hosts/mermet/redis.nix +++ b/hosts/mermet/redis.nix 
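Review bot: The two `// lib.mapAttrs (name: { ... }) inboxes` merges at the end of this hunk do not evaluate: `lib.mapAttrs` takes a `name: value:` function and an attribute set, but `inboxes` is a list, and the `settings.coderepo` variant is missing its second argument entirely, so an attribute set is merged with a function. The intended form is `lib.genAttrs inboxes (name: { ... })`, which a later patch in this series applies to the same file. Separately, the removed per-inbox list contained `comptalang` and the new `inboxes` list does not, so `comptalang@${domain}` loses both its public-inbox definition and its `postfix.virtual` alias; if that is intentional it deserves a line in the commit message, otherwise it is a silent regression.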
@@ -34,4 +34,12 @@ boot.kernel.sysctl."vm.overcommit_memory" = 1; system.activationScripts.redis = '' echo never >/sys/kernel/mm/transparent_hugepage/enabled ''; + +services.sanoid.datasets."rpool/var/redis" = { + use_template = [ "local" ]; + hourly = 0; + daily = 7; + monthly = 0; + yearly = 0; +}; } diff --git a/hosts/mermet/sanoid.nix b/hosts/mermet/sanoid.nix index f0cb6b3..bfbb890 100644 --- a/hosts/mermet/sanoid.nix +++ b/hosts/mermet/sanoid.nix @@ -34,43 +34,6 @@ services.sanoid = { #"--debug" ]; datasets = { - "rpool/var/git" = { - use_template = [ "local" ]; - daily = 7; - }; - "rpool/var/mail" = { - use_template = [ "local" ]; - hourly = 12; - daily = 7; - }; - "rpool/var/public-inbox" = { - use_template = [ "local" ]; - daily = 7; - }; - "rpool/var/www" = { - use_template = [ "local" ]; - daily = 7; - }; - "rpool/var/redis" = { - use_template = [ "local" ]; - hourly = 0; - daily = 7; - }; - "rpool/home/julm/mail" = { - use_template = [ "local" ]; - hourly = 12; - daily = 7; - }; - "rpool/home/julm/log" = { - use_template = [ "local" ]; - hourly = 12; - daily = 7; - monthly = 1; - }; - "rpool/backup/losurdo/home/julm/work" = { - use_template = [ "remote" ]; - daily = 31; - }; "rpool/backup/losurdo/var/postgresql" = { use_template = [ "remote" ]; daily = 31; diff --git a/hosts/mermet/users.nix b/hosts/mermet/users.nix index f3eb61c..3793801 100644 --- a/hosts/mermet/users.nix +++ b/hosts/mermet/users.nix 
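Review bot: The `rpool/var/redis` dataset moved from `sanoid.nix` into `redis.nix` is not a pure move: the removed entry had `hourly = 0; daily = 7;` while the new one adds `monthly = 0; yearly = 0;`. If the `local` template sets non-zero monthly or yearly counts, this silently shortens retention of redis snapshots to seven days. Either drop the two added lines to keep the move faithful, or document the intent with `# ephemeral cache: no long-term snapshots wanted`.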
@@ -28,7 +28,21 @@ users = { ]; }; }; - +services.sanoid.datasets."rpool/home/julm/mail" = { + use_template = [ "local" ]; + hourly = 12; + daily = 7; +}; +services.sanoid.datasets."rpool/home/julm/log" = { + use_template = [ "local" ]; + hourly = 12; + daily = 7; + monthly = 1; +}; +services.sanoid.datasets."rpool/backup/losurdo/home/julm/work" = { + use_template = [ "remote" ]; + daily = 31; +}; networking.nftables.ruleset = '' add rule inet filter fw2net tcp dport {25,465} skuid ${users.julm.name} counter accept comment "SMTP" add rule inet filter fw2net tcp dport 43 skuid ${users.julm.name} counter accept comment "Whois" -- 2.47.2 From b7131539696b214507554a7e8445268b9ebf86b0 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sat, 19 Jun 2021 06:54:17 +0200 Subject: [PATCH 14/16] wireguard: clean up a bit --- flake.lock | 8 +-- hosts/losurdo/networking/ssh.nix | 2 + .../losurdo/networking/wireguard/intranet.nix | 55 ++++++++++++++----- hosts/mermet.nix | 1 - hosts/mermet/coturn.nix | 14 ++--- hosts/mermet/networking/wireguard.nix | 31 +++++++---- hosts/mermet/prosody.nix | 5 +- hosts/mermet/public-inbox.nix | 6 +- nixos/defaults/security.nix | 8 ++- shell.nix | 1 - 10 files changed, 87 insertions(+), 44 deletions(-) diff --git a/flake.lock b/flake.lock index 224d2dd..9d2ff01 100644 --- a/flake.lock +++ b/flake.lock @@ -47,11 +47,11 @@ ] }, "locked": { - "lastModified": 1624007125, - "narHash": "sha256-qYEoyrdn9p4EO466IXaML/qwZe9nPIlvVMtaj/3MMgc=", + "lastModified": 1624093784, + "narHash": "sha256-fmxFFEzF2LKTVFDJ4G1x6sEOtc169+7YQWkqu1gA/ZI=", "ref": "master", - "rev": "1505ca57487cb1b6830b561be1428577de6a4627", - "revCount": 159, + "rev": "889dbb8c5c0642c0163fba156624ebcc10f4a749", + "revCount": 166, "type": "git", "url": "git://git.sourcephile.fr/julm/julm-nix" }, diff --git a/hosts/losurdo/networking/ssh.nix b/hosts/losurdo/networking/ssh.nix index 8e48f0d..455a6e0 100644 --- a/hosts/losurdo/networking/ssh.nix +++ b/hosts/losurdo/networking/ssh.nix 
@@ -26,6 +26,8 @@ boot.initrd.network.ssh = { port = 2222; authorizedKeys = users.root.openssh.authorizedKeys.keys; hostKeys = [ "/root/initrd/ssh.key" ]; + extraConfig = '' + ''; }; services.openssh = { forwardX11 = true; diff --git a/hosts/losurdo/networking/wireguard/intranet.nix b/hosts/losurdo/networking/wireguard/intranet.nix index bdfe0de..becab9d 100644 --- a/hosts/losurdo/networking/wireguard/intranet.nix +++ b/hosts/losurdo/networking/wireguard/intranet.nix @@ -4,13 +4,29 @@ let inherit (config.security) gnupg; inherit (config.boot) initrd; wg = "wg-intra"; - relay = hosts.mermet.extraArgs.wireguard."${wg}"; + relay = hosts.mermet.extraArgs.wireguard.${wg}; peers = lib.filterAttrs (peerName: host: hasAttr "${wg}" host.extraArgs.wireguard - ) (removeAttrs hosts [hostName]); + ) (removeAttrs hosts [hostName]) // { + "oignon".extraArgs.wireguard.${wg} = rec { + ipv4 = "192.168.42.3"; + peer = { + publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA="; + allowedIPs = [ "${ipv4}/32" ]; + }; + }; + }; in { -security.gnupg.secrets."wireguard/${wg}/privateKey" = {}; +security.gnupg.secrets."wireguard/${wg}/privateKey" = { +/* + systemdConfig.serviceConfig = { + before = [ "wireguard-${wg}.service" ]; + wantedBy = [ "wireguard-${wg}.service" ]; + requiredBy = [ "wireguard-${wg}.service" ]; + }; +*/ +}; systemd.services."wireguard-${wg}" = { after = [ gnupg.secrets."wireguard/${wg}/privateKey".service ]; requires = [ gnupg.secrets."wireguard/${wg}/privateKey".service ]; 
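Review bot: The `oignon` peer (its public key and `192.168.42.3`) is hard-coded inline in this hunk's `peers` merge, and the same literal block appears again in `hosts/mermet/networking/wireguard.nix` in this commit; two copies of a key and address that must stay identical invite drift at the next rotation. Declaring `oignon` once in the shared `hosts` set, with an `extraArgs.wireguard.wg-intra` entry like the other hosts, lets the existing `filterAttrs` pick it up on both sides. The commented-out `systemdConfig.serviceConfig` block inside the `security.gnupg.secrets` entry should be removed or carry a note on why it is kept, since the `after`/`requires` on the wireguard unit below already express that ordering.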
@@ -18,9 +34,9 @@ systemd.services."wireguard-${wg}" = { networking.nftables.ruleset = '' # Allow initiating connection for ${wg} add rule inet filter fw2net ip daddr ${hosts.mermet.extraArgs.ipv4} udp dport ${toString relay.listenPort} counter accept comment "${wg}" - #add rule inet filter fw2net udp sport ${toString wireguard."${wg}".listenPort} counter accept comment "${wg}" + #add rule inet filter fw2net udp sport ${toString wireguard.${wg}.listenPort} counter accept comment "${wg}" # Allow peers to initiate connection for ${wg} - #add rule inet filter net2fw udp dport ${toString wireguard."${wg}".listenPort} counter accept comment "${wg}" + add rule inet filter net2fw udp dport ${toString wireguard.${wg}.listenPort} counter accept comment "${wg}" # Hook ${wg} into relevant chains add rule inet filter input iifname "${wg}" jump intra2fw 
@@ -34,24 +50,30 @@ networking.nftables.ruleset = '' add rule inet filter forward iifname "${wg}" jump fwd-intra ''; boot.kernel.sysctl."net.ipv4.ip_forward" = 1; -networking.wireguard.interfaces."${wg}" = { - ips = [ "${wireguard."${wg}".ipv4}/24" ]; - listenPort = wireguard."${wg}".listenPort; +networking.wireguard.interfaces.${wg} = { + ips = [ "${wireguard.${wg}.ipv4}/24" ]; + listenPort = wireguard.${wg}.listenPort; privateKeyFile = gnupg.secrets."wireguard/${wg}/privateKey".path; peers = lib.mapAttrsToList (peerName: host: - host.extraArgs.wireguard."${wg}".peer // - { inherit (wireguard."${wg}") persistentKeepalive; } + host.extraArgs.wireguard.${wg}.peer // + { inherit (wireguard.${wg}) persistentKeepalive; } ) peers; }; -networking.hosts = lib.mapAttrs' (hostName: host: lib.nameValuePair - host.extraArgs.wireguard."${wg}".ipv4 - [ "${hostName}.intranet" ] +networking.hosts = lib.mapAttrs' (peerName: peer: lib.nameValuePair + peer.extraArgs.wireguard.${wg}.ipv4 + [ "${peerName}.wg" ] ) peers; +services.upnpc.redirections = [ + { description = "WireGuard"; externalPort = wireguard.${wg}.listenPort; protocol = "UDP"; duration = 30 * 60; + service.wantedBy = ["wireguard-${wg}.service"]; + service.partOf = ["wireguard-${wg}.service"]; + } +]; # Open a wireguard tunnel to a relay # in case the host is hosted behind a NAT and has no SSH port forwarding. # This enables to send the disk password to the initrd, like that: -# ssh -J mermet.sourcephile.fr root@losurdo.intranet -p 2222 +# ssh -J mermet.sourcephile.fr root@losurdo.wg -p 2222 boot.initrd.secrets."/root/initrd/${wg}.key" = "/root/initrd/${wg}.key"; /* installer.ssh-nixos.script = '' 
@@ -68,7 +90,7 @@ boot.initrd.extraUtilsCommands = '' ''; boot.initrd.network.postCommands = '' ip link add dev ${wg} type wireguard - ip address add ${wireguard."${wg}".ipv4}/24 dev ${wg} + ip address add ${wireguard.${wg}.ipv4}/24 dev ${wg} wg set ${wg} private-key /root/initrd/${wg}.key \ listen-port ${toString wireguard."${wg}".listenPort} ip link set up dev ${wg} @@ -81,4 +103,7 @@ boot.initrd.network.postCommands = '' boot.initrd.postMountCommands = lib.mkIf initrd.network.flushBeforeStage2 '' ip link del dev ${wg} ''; +environment.systemPackages = [ + pkgs.natpunch-go +]; } diff --git a/hosts/mermet.nix b/hosts/mermet.nix index 3cdeb15..895167b 100644 --- a/hosts/mermet.nix +++ b/hosts/mermet.nix @@ -39,7 +39,6 @@ modules = [ mermet/openldap.nix mermet/postfix.nix mermet/prosody.nix - (inputs.secrets + "/hosts/mermet/prosody.nix") mermet/public-inbox.nix mermet/redis.nix mermet/rspamd.nix diff --git a/hosts/mermet/coturn.nix b/hosts/mermet/coturn.nix index 2a326c6..63095eb 100644 --- a/hosts/mermet/coturn.nix +++ b/hosts/mermet/coturn.nix @@ -1,6 +1,6 @@ { inputs, pkgs, lib, config, hostName, ipv4, ... }: let - inherit (config) networking; + inherit (config.networking) domain; inherit (config.services) coturn; inherit (config.users) users; in 
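Review bot: The `ip address add` line is rewritten to the unquoted `wireguard.${wg}.ipv4` form, but the context line right after it, `listen-port ${toString wireguard."${wg}".listenPort}`, keeps the `"${wg}"` quoting this commit is removing everywhere else, so the same shell snippet now mixes both styles. Both spell the same attribute path, so this is cosmetic; for consistency change it to `listen-port ${toString wireguard.${wg}.listenPort}`. The `boot.initrd.network.postCommands` string continues outside the hunk.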
@@ -16,21 +16,21 @@ networking.nftables.ruleset = '' add rule inet filter fw2net meta skuid ${users.turnserver.name} counter accept comment "Coturn" ''; users.groups.acme.members = [ users.turnserver.name ]; -security.acme.certs."${networking.domain}" = { +security.acme.certs."${domain}" = { postRun = "systemctl try-restart coturn"; }; environment.systemPackages = [pkgs.coturn]; systemd.services.coturn = { - wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"]; - after = [ "acme-selfsigned-${networking.domain}.service" ]; + wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"]; + after = [ "acme-selfsigned-${domain}.service" ]; }; services.coturn = { enable = true; - realm = "turn.${networking.domain}"; + realm = "turn.${domain}"; use-auth-secret = true; static-auth-secret = builtins.readFile (inputs.secrets + "/coturn/static-auth-secret"); - pkey = "/var/lib/acme/${networking.domain}/key.pem"; - cert = "/var/lib/acme/${networking.domain}/fullchain.pem"; + pkey = "/var/lib/acme/${domain}/key.pem"; + cert = "/var/lib/acme/${domain}/fullchain.pem"; dh-file = inputs.secrets + "/openssl/dh.pem"; listening-ips = [ipv4]; relay-ips = [ipv4]; diff --git a/hosts/mermet/networking/wireguard.nix b/hosts/mermet/networking/wireguard.nix index 8684c7a..592afec 100644 --- a/hosts/mermet/networking/wireguard.nix +++ b/hosts/mermet/networking/wireguard.nix @@ -4,8 +4,16 @@ let inherit (config.security.gnupg) secrets; wg = "wg-intra"; peers = lib.filterAttrs (peerName: host: - hasAttr "${wg}" host.extraArgs.wireguard - ) (removeAttrs hosts [hostName]); + hasAttr wg host.extraArgs.wireguard + ) (removeAttrs hosts [hostName]) // { + "oignon".extraArgs.wireguard.${wg} = rec { + ipv4 = "192.168.42.3"; + peer = { + publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA="; + allowedIPs = [ "${ipv4}/32" ]; + }; + }; + }; in { security.gnupg.secrets."wireguard/${wg}/privateKey" = {}; 
@@ -15,7 +23,7 @@ systemd.services."wireguard-${wg}" = { }; networking.nftables.ruleset = '' # Allow peers to initiate connection for ${wg} - add rule inet filter net2fw udp dport ${toString wireguard."${wg}".listenPort} counter accept comment "${wg}" + add rule inet filter net2fw udp dport ${toString wireguard.${wg}.listenPort} counter accept comment "${wg}" # Hook ${wg} into relevant chains add rule inet filter input iifname "${wg}" jump intra2fw @@ -25,16 +33,19 @@ networking.nftables.ruleset = '' # ${wg} firewalling add rule inet filter fw2intra counter accept - add rule inet filter intra2fw ip saddr ${hosts.losurdo.extraArgs.wireguard."${wg}".ipv4} counter accept comment "losurdo" + add rule inet filter intra2fw ip saddr ${hosts.losurdo.extraArgs.wireguard.${wg}.ipv4} counter accept comment "losurdo" ''; -networking.wireguard.interfaces."${wg}" = { - ips = [ "${wireguard."${wg}".ipv4}/24" ]; - listenPort = wireguard."${wg}".listenPort; +networking.wireguard.interfaces.${wg} = { + ips = [ "${wireguard.${wg}.ipv4}/24" ]; + listenPort = wireguard.${wg}.listenPort; privateKeyFile = secrets."wireguard/${wg}/privateKey".path; - peers = lib.mapAttrsToList (peerName: host: host.extraArgs.wireguard."${wg}".peer) peers; + peers = lib.mapAttrsToList (peerName: host: host.extraArgs.wireguard.${wg}.peer) peers; }; networking.hosts = lib.mapAttrs' (hostName: host: lib.nameValuePair - host.extraArgs.wireguard."${wg}".ipv4 - [ "${hostName}.intranet" ] + host.extraArgs.wireguard.${wg}.ipv4 + [ "${hostName}.wg" ] ) peers; +environment.systemPackages = [ + pkgs.natpunch-go +]; } diff --git a/hosts/mermet/prosody.nix b/hosts/mermet/prosody.nix index 22afd2d..5cc608d 100644 --- a/hosts/mermet/prosody.nix +++ b/hosts/mermet/prosody.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, config, hosts, ipv4, ... }: +{ pkgs, lib, config, inputs, hosts, ipv4, ... }: let inherit (config) networking; inherit (config.services) prosody; 
@@ -102,6 +102,9 @@ services.prosody = { turncredentials_host = "turn.${networking.domain}" turncredentials_port = 3478 + turncredentials_secret = "${lib.removeSuffix "\n" (builtins.readFile (inputs.secrets + "/coturn/static-auth-secret"))}"; + smacks_enabled_s2s = true; + smacks_s2s_resend = true; --http_files_dir = "/var/lib/prosody/files" --http_external_url = "https://tmp.${networking.domain}:5281" diff --git a/hosts/mermet/public-inbox.nix b/hosts/mermet/public-inbox.nix index c600f7a..75ca9af 100644 --- a/hosts/mermet/public-inbox.nix +++ b/hosts/mermet/public-inbox.nix @@ -200,7 +200,7 @@ services.public-inbox = { newsgroup = "inbox.comp.${orga}.test"; hide = [ /* FIXME: doesn't work for IMAP */"imap" "www" "manifest" ]; }; - } // lib.mapAttrs (name: { + } // lib.genAttrs inboxes (name: { address = [ "${name}@${domain}" "public-inbox+${name}@${domain}" @@ -212,7 +212,7 @@ services.public-inbox = { url = "https://mails.${domain}/inbox/${name}"; newsgroup = "inbox.comp.${orga}.${name}"; coderepo = [ name ]; - }) inboxes; + }); settings.coderepo = { sourcephile-txt = { dir = "/var/lib/gitolite/repositories/sourcephile-txt.git"; @@ -222,7 +222,7 @@ services.public-inbox = { dir = "/var/lib/gitolite/repositories/sourcephile-nix.git"; cgitUrl = "https://code.${domain}/sourcephile-nix.git"; }; - } // lib.mapAttrs (name: { + } // lib.genAttrs inboxes (name: { dir = "/var/lib/gitolite/repositories/${name}.git"; cgitUrl = "https://code.${domain}/${name}.git"; }); diff --git a/nixos/defaults/security.nix b/nixos/defaults/security.nix index 637805f..a0509b5 100644 --- a/nixos/defaults/security.nix +++ b/nixos/defaults/security.nix 
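Review bot: The new `turncredentials_secret` line interpolates the TURN shared secret into the Prosody configuration at evaluation time, and the NixOS prosody module materialises that configuration through the Nix store, which is world-readable, so every local account on mermet can recover the secret. This series already has a runtime secrets mechanism (`security.gnupg.secrets`, used for the WireGuard private key), so the Lua config could read the secret when Prosody starts instead, e.g. `turncredentials_secret = io.open("<path readable only by the prosody user>"):read("*l")`, keeping it out of the store. Note also that the coturn side reads the same file with a plain `builtins.readFile` and no `removeSuffix "\n"`; if the file ends in a newline, whether both services agree on the secret depends on coturn's parser trimming it, which is worth confirming once rather than discovering as a TURN authentication failure.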
@@ -4,6 +4,7 @@ boot.kernelPackages = pkgs.linuxPackages_hardened; #boot.kernelPackages = pkgs.linuxPackages_latest_hardened; #environment.memoryAllocator.provider = "libc"; nix.allowedUsers = [ "@users" ]; +networking.firewall.pingLimit = "--limit 60/minute --limit-burst 5"; security.allowSimultaneousMultithreading = false; security.apparmor.enable = true; security.forcePageTableIsolation = true; @@ -104,12 +105,15 @@ boot.kernel.sysctl = { "net.ipv4.tcp_dsack" = 0; "net.ipv4.tcp_fack" = 0; */ - # generate a random IPv6 address + # Generate a random IPv6 address "net.ipv6.conf.all.use_tempaddr" = 2; "net.ipv6.conf.default.use_tempaddr" = 2; - # restricts usage of ptrace to only processes + # Restricts usage of ptrace to only processes # with the CAP_SYS_PTRACE capability "kernel.yama.ptrace_scope" = 2; + # Do source validation by confirming reverse path + "net.ipv4.conf.all.rp_filter" = 1; + "net.ipv4.conf.default.rp_filter" = 1; }; boot.kernelParams = [ "slab_nomerge" diff --git a/shell.nix b/shell.nix index 96bbc0b..7697c99 100644 --- a/shell.nix +++ b/shell.nix @@ -142,7 +142,6 @@ pkgs.mkShell { #enableParallelBuilding = true; PASSWORD_STORE_DIR = "pass"; - PATH = "$NIX_SHELL_PATH:$PATH"; NIX_PATH = pkgs.lib.concatStringsSep ":" [ "nixpkgs=${pkgs.path}" ("nixpkgs-overlays=" + pkgs.writeText "overlays.nix" '' -- 2.47.2 From eb53868fa8c94165e798cda343bf356372ecd1c1 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 22 Jun 2021 19:48:33 +0200 Subject: [PATCH 15/16] wireguard: enable hole punching --- hosts/losurdo.nix | 12 -- hosts/losurdo/fail2ban.nix | 4 +- .../losurdo/networking/wireguard/intranet.nix | 125 +++++++++--------- hosts/mermet.nix | 12 -- hosts/mermet/fail2ban.nix | 1 - hosts/mermet/networking/wireguard.nix | 61 ++++----- networking/wireguard/wg-intra.nix | 52 ++++++++ nixos/modules.nix | 2 + nixpkgs/patches.nix | 8 +- 9 files changed, 142 insertions(+), 135 deletions(-) create mode 100644 networking/wireguard/wg-intra.nix 
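Review bot: `rp_filter = 1` enables strict reverse-path filtering, and on hosts that also carry WireGuard interfaces and hand-placed routes (as the other files in this series do) strict mode drops any packet whose source would be reached through a different interface than the one it arrived on; the loose mode, `"net.ipv4.conf.all.rp_filter" = 2;` together with the matching `default` key, keeps the anti-spoofing check without that asymmetric-routing breakage, so strict should be a deliberate, commented choice. Separately, `networking.firewall.pingLimit` only feeds the iptables-based `networking.firewall` module; these hosts do their filtering through `networking.nftables.ruleset`, and the nftables option of this NixOS era requires that module to be disabled, so if that is the case here the new option is inert. The equivalent then belongs in the ruleset, e.g. `add rule inet filter net2fw icmp type echo-request limit rate 60/minute burst 5 packets counter accept`.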
diff --git a/hosts/losurdo.nix b/hosts/losurdo.nix
index 8a168c3..9aff90e 100644
--- a/hosts/losurdo.nix
+++ b/hosts/losurdo.nix
@@ -7,18 +7,6 @@ system = "x86_64-linux";
 #config.allowUnfree = true;
 extraArgs = {
 CPUs = 2;
- wireguard = rec {
- wg-intra = {
- ipv4 = "192.168.42.2";
- listenPort = 43642;
- #listenPort = null;
- persistentKeepalive = 25;
- peer = {
- publicKey = "xsFFep3k8z0pXgUOz4aryOF8l/KPBSOd4WQA26BkXy0=";
- allowedIPs = [ "${wg-intra.ipv4}/32" ];
- };
- };
- };
 };
 modules = [
 ../nixos/defaults.nix
diff --git a/hosts/losurdo/fail2ban.nix b/hosts/losurdo/fail2ban.nix
index 854c22a..c150e83 100644
--- a/hosts/losurdo/fail2ban.nix
+++ b/hosts/losurdo/fail2ban.nix
@@ -1,4 +1,7 @@
 { pkgs, lib, config, hosts, ... }:
+let
+ wg-intra = import ../../networking/wireguard/wg-intra.nix;
+in
 {
 services.openssh.logLevel = "VERBOSE";
 services.postgresql.logLinePrefix = "%h ";
@@ -30,7 +33,6 @@ services.fail2ban = {
 #"224.0.0.0/3"
 #"240.0.0.0/5"
 hosts.mermet.extraArgs.ipv4
- hosts.mermet.extraArgs.wireguard.wg-intra.ipv4
 "losurdo.sourcephile.fr"
 "vpn.riseup.net"
 ];
diff --git a/hosts/losurdo/networking/wireguard/intranet.nix b/hosts/losurdo/networking/wireguard/intranet.nix
index becab9d..bb27bde 100644
--- a/hosts/losurdo/networking/wireguard/intranet.nix
+++ b/hosts/losurdo/networking/wireguard/intranet.nix
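Review bot: The new `let wg-intra = import ../../networking/wireguard/wg-intra.nix; in` binding is never used in this file: `import` of a NixOS module yields a function, nothing in the file calls it, and the ignoreIP entry removed in the second hunk is now supplied by that module's own `services.fail2ban.ignoreIP` definition. The whole `let … in` can go, leaving `{ pkgs, lib, config, hosts, ... }:` followed directly by `{`. If the intent was to make the dependency visible, a comment such as `# Peer addresses for ignoreIP come from networking/wireguard/wg-intra.nix` does that without a dead binding that readers will assume has an effect.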
@@ -1,86 +1,79 @@ -{ pkgs, lib, config, hosts, hostName, wireguard, ... }: +{ pkgs, lib, config, hosts, ... }: let inherit (builtins) hasAttr removeAttrs; inherit (config.security) gnupg; inherit (config.boot) initrd; - wg = "wg-intra"; - relay = hosts.mermet.extraArgs.wireguard.${wg}; - peers = lib.filterAttrs (peerName: host: - hasAttr "${wg}" host.extraArgs.wireguard - ) (removeAttrs hosts [hostName]) // { - "oignon".extraArgs.wireguard.${wg} = rec { - ipv4 = "192.168.42.3"; - peer = { - publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA="; - allowedIPs = [ "${ipv4}/32" ]; - }; - }; - }; + iface = "wg-intra"; + wg = config.networking.wireguard.interfaces.${iface}; + relay = + hosts.mermet.extraArgs // + hosts.mermet.config.networking.wireguard.interfaces.${iface} // + lib.head (lib.filter (peer: + peer.endpoint != null && + builtins.match "^\(.*\):[0-9]*$" peer.endpoint == + [hosts.mermet.extraArgs.ipv4]) + wg.peers); in { -security.gnupg.secrets."wireguard/${wg}/privateKey" = { +imports = [ + ../../../../networking/wireguard/wg-intra.nix +]; +config = { +networking.wireguard.interfaces.${iface} = { + privateKeyFile = gnupg.secrets."wireguard/${iface}/privateKey".path; +}; +security.gnupg.secrets."wireguard/${iface}/privateKey" = { /* systemdConfig.serviceConfig = { - before = [ "wireguard-${wg}.service" ]; - wantedBy = [ "wireguard-${wg}.service" ]; - requiredBy = [ "wireguard-${wg}.service" ]; + before = [ "wireguard-${iface}.service" ]; + wantedBy = [ "wireguard-${iface}.service" ]; + requiredBy = [ "wireguard-${iface}.service" ]; }; */ }; -systemd.services."wireguard-${wg}" = { - after = [ gnupg.secrets."wireguard/${wg}/privateKey".service ]; - requires = [ gnupg.secrets."wireguard/${wg}/privateKey".service ]; +systemd.services."wireguard-${iface}" = { + after = [ gnupg.secrets."wireguard/${iface}/privateKey".service ]; + requires = [ gnupg.secrets."wireguard/${iface}/privateKey".service ]; + serviceConfig.Upholds = [ "upnpc-${toString 
wg.listenPort}.service" ]; }; networking.nftables.ruleset = '' - # Allow initiating connection for ${wg} - add rule inet filter fw2net ip daddr ${hosts.mermet.extraArgs.ipv4} udp dport ${toString relay.listenPort} counter accept comment "${wg}" - #add rule inet filter fw2net udp sport ${toString wireguard.${wg}.listenPort} counter accept comment "${wg}" - # Allow peers to initiate connection for ${wg} - add rule inet filter net2fw udp dport ${toString wireguard.${wg}.listenPort} counter accept comment "${wg}" + # Allow initiating connection to and from other peers + add rule inet filter fw2net udp sport ${toString wg.listenPort} counter accept comment "${iface} output to peers" + add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "${iface} input from peers" - # Hook ${wg} into relevant chains - add rule inet filter input iifname "${wg}" jump intra2fw - add rule inet filter input iifname "${wg}" log level warn prefix "intra2fw: " counter drop - add rule inet filter output oifname "${wg}" jump fw2intra - add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop + # Hook ${iface} into relevant chains + add rule inet filter input iifname "${iface}" jump intra2fw + add rule inet filter input iifname "${iface}" log level warn prefix "intra2fw: " counter drop + add rule inet filter output oifname "${iface}" jump fw2intra + add rule inet filter output oifname "${iface}" log level warn prefix "fw2intra: " counter drop - # ${wg} firewalling + # ${iface} firewalling add rule inet filter fw2intra counter accept - add rule inet filter intra2fw ip saddr ${relay.ipv4} counter accept comment "relay" - add rule inet filter forward iifname "${wg}" jump fwd-intra + ${lib.concatMapStringsSep "\n" (ip: '' + add rule inet filter intra2fw ip saddr ${ip} counter accept comment "relay" + '') relay.ips} + add rule inet filter forward iifname "${iface}" jump fwd-intra ''; -boot.kernel.sysctl."net.ipv4.ip_forward" = 1; 
-networking.wireguard.interfaces.${wg} = { - ips = [ "${wireguard.${wg}.ipv4}/24" ]; - listenPort = wireguard.${wg}.listenPort; - privateKeyFile = gnupg.secrets."wireguard/${wg}/privateKey".path; - peers = lib.mapAttrsToList (peerName: host: - host.extraArgs.wireguard.${wg}.peer // - { inherit (wireguard.${wg}) persistentKeepalive; } - ) peers; -}; -networking.hosts = lib.mapAttrs' (peerName: peer: lib.nameValuePair - peer.extraArgs.wireguard.${wg}.ipv4 - [ "${peerName}.wg" ] - ) peers; +# Apparently required to get NAT reflection. services.upnpc.redirections = [ - { description = "WireGuard"; externalPort = wireguard.${wg}.listenPort; protocol = "UDP"; duration = 30 * 60; - service.wantedBy = ["wireguard-${wg}.service"]; - service.partOf = ["wireguard-${wg}.service"]; + { description = "WireGuard"; externalPort = wg.listenPort; protocol = "UDP"; duration = 30 * 60; + service.requiredBy = [ "wireguard-${iface}.service" ]; + service.before = [ "wireguard-${iface}.service" ]; } ]; +boot.kernel.sysctl."net.ipv4.ip_forward" = 1; # Open a wireguard tunnel to a relay # in case the host is hosted behind a NAT and has no SSH port forwarding. # This enables to send the disk password to the initrd, like that: # ssh -J mermet.sourcephile.fr root@losurdo.wg -p 2222 -boot.initrd.secrets."/root/initrd/${wg}.key" = "/root/initrd/${wg}.key"; +boot.initrd.secrets."/root/initrd/${iface}.key" = "/root/initrd/${iface}.key"; /* installer.ssh-nixos.script = '' # Send the wireguard key of the initrd - gpg --decrypt '${gnupg.store}/wireguard/${wg}/privateKey.gpg' | + gpg --decrypt '${gnupg.store}/wireguard/${iface}/privateKey.gpg' | ssh '${config.installer.ssh-nixos.target}' \ - install -D -m 400 -o root -g root /dev/stdin /root/initrd/${wg}.key + install -D -m 400 -o root -g root /dev/stdin /root/initrd/${iface}.key ''; */ boot.initrd.kernelModules = [ "wireguard" ]; 
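Review bot: The generated `intra2fw` accept rules iterate over `relay.ips`, and the relay's `ips` entry carries the interface prefix (`192.168.42.1/24` in wg-intra.nix), so `ip saddr 192.168.42.1/24` matches every address in the tunnel subnet, oignon included, even though the comment and the removed `ip saddr ${relay.ipv4}` rule only meant the relay (nft will either mask the host bits away or reject the literal, never match a single host). The relay's own tunnel address is already on the merged `relay` set via the peer attributes as `relay.allowedIPs` (`192.168.42.1/32`), so iterating over that restores the single-host scope: `'') relay.allowedIPs}`. The new egress rule `fw2net udp sport ${toString wg.listenPort} counter accept` is keyed only on an unprivileged source port, so any local process that holds UDP 43642 while the WireGuard interface is down gets an unrestricted outbound path; if the module in use exposes `fwMark`, setting it on the interface and adding `meta mark` to that rule pins the allowance to WireGuard's own packets.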
@@ -89,21 +82,21 @@ boot.initrd.extraUtilsCommands = '' cp -fpdv ${pkgs.wireguard-tools}/bin/.wg-wrapped $out/bin/wg ''; boot.initrd.network.postCommands = '' - ip link add dev ${wg} type wireguard - ip address add ${wireguard.${wg}.ipv4}/24 dev ${wg} - wg set ${wg} private-key /root/initrd/${wg}.key \ - listen-port ${toString wireguard."${wg}".listenPort} - ip link set up dev ${wg} - wg set ${wg} peer ${relay.peer.publicKey} \ - endpoint ${hosts.mermet.extraArgs.ipv4}:${toString relay.listenPort} \ + ip link add dev ${iface} type wireguard + ${lib.concatMapStringsSep "\n" (ip: '' + ip address add ${ip} dev ${iface} + '') wg.ips} + wg set ${iface} private-key /root/initrd/${iface}.key \ + listen-port ${toString wg.listenPort} + ip link set up dev ${iface} + wg set ${iface} peer ${relay.publicKey} \ + endpoint ${relay.ipv4}:${toString relay.listenPort} \ allowed-ips ${relay.ipv4}/32 \ persistent-keepalive 5 - ip route replace ${relay.ipv4}/32 dev ${wg} table main + ip route replace ${relay.ipv4}/32 dev ${iface} table main ''; boot.initrd.postMountCommands = lib.mkIf initrd.network.flushBeforeStage2 '' - ip link del dev ${wg} + ip link del dev ${iface} ''; -environment.systemPackages = [ - pkgs.natpunch-go -]; +}; } diff --git a/hosts/mermet.nix b/hosts/mermet.nix index 895167b..f9832f1 100644 --- a/hosts/mermet.nix +++ b/hosts/mermet.nix @@ -7,18 +7,6 @@ system = "x86_64-linux"; extraArgs = rec { CPUs = 4; ipv4 = "80.67.180.129"; - wireguard = rec { - wg-intra = { - ipv4 = "192.168.42.1"; - listenPort = 43642; - persistentKeepalive = null; - peer = { - publicKey = "XbTEP2X71LBTjmdmySdiOpQJ+uIomcXvg1aiQGUtWBI="; - allowedIPs = [ "${wg-intra.ipv4}/32" ]; - endpoint = "${ipv4}:${toString wg-intra.listenPort}"; - }; - }; - }; }; modules = [ ../nixos/defaults.nix diff --git a/hosts/mermet/fail2ban.nix b/hosts/mermet/fail2ban.nix index 75ec45f..a822c78 100644 --- a/hosts/mermet/fail2ban.nix +++ b/hosts/mermet/fail2ban.nix 
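Review bot: `relay` is built as `hosts.mermet.extraArgs // <interface attrs> // <peer attrs>`, and wg-intra.nix strips `ipv4` from the interface attrs, so unless the patched wireguard module adds an `ipv4` attribute of its own (not visible here) `relay.ipv4` resolves to mermet's public address `80.67.180.129`, not its tunnel address. That is right for `endpoint ${relay.ipv4}:…` but wrong for `allowed-ips ${relay.ipv4}/32` and `ip route replace ${relay.ipv4}/32 dev ${iface} table main`: the first makes cryptokey routing reject packets from the relay's in-tunnel source 192.168.42.1, the second routes the tunnel's own underlay endpoint into the tunnel, so the initrd SSH path this block exists for would not come up; the removed `relay.peer`-based lines did not have this problem. The tunnel address is on the same set as `relay.allowedIPs` (`["192.168.42.1/32"]`), so use it for both: `allowed-ips ${lib.concatStringsSep "," relay.allowedIPs} \` and, per entry, `ip route replace ${ip} dev ${iface} table main`.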
@@ -22,7 +22,6 @@ services.fail2ban = {
 packageFirewall = pkgs.nftables;
 ignoreIP = [
 hosts.mermet.extraArgs.ipv4
- hosts.losurdo.extraArgs.wireguard.wg-intra.ipv4
 "losurdo.sourcephile.fr"
 "vpn.riseup.net"
 ];
diff --git a/hosts/mermet/networking/wireguard.nix b/hosts/mermet/networking/wireguard.nix
index 592afec..3c401e2 100644
--- a/hosts/mermet/networking/wireguard.nix
+++ b/hosts/mermet/networking/wireguard.nix
@@ -1,51 +1,36 @@ { pkgs, lib, config, hosts, hostName, wireguard, ... }: let - inherit (builtins) hasAttr removeAttrs; inherit (config.security.gnupg) secrets; - wg = "wg-intra"; - peers = lib.filterAttrs (peerName: host: - hasAttr wg host.extraArgs.wireguard - ) (removeAttrs hosts [hostName]) // { - "oignon".extraArgs.wireguard.${wg} = rec { - ipv4 = "192.168.42.3"; - peer = { - publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA="; - allowedIPs = [ "${ipv4}/32" ]; - }; - }; - }; + iface = "wg-intra"; + wg = config.networking.wireguard.interfaces.${iface}; in { -security.gnupg.secrets."wireguard/${wg}/privateKey" = {}; -systemd.services."wireguard-${wg}" = { - after = [ secrets."wireguard/${wg}/privateKey".service ]; - requires = [ secrets."wireguard/${wg}/privateKey".service ]; +imports = [ + ../../../networking/wireguard/wg-intra.nix +]; +config = { +networking.wireguard.interfaces.${iface} = { + privateKeyFile = secrets."wireguard/${iface}/privateKey".path; +}; +security.gnupg.secrets."wireguard/${iface}/privateKey" = {}; +systemd.services."wireguard-${iface}" = { + after = [ secrets."wireguard/${iface}/privateKey".service ]; + requires = [ secrets."wireguard/${iface}/privateKey".service ]; }; networking.nftables.ruleset = '' - # Allow peers to initiate connection for ${wg} - add rule inet filter net2fw udp dport ${toString wireguard.${wg}.listenPort} counter accept comment "${wg}" + # Allow peers to initiate connection for ${iface} + add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "${iface}" - # Hook ${wg} into relevant chains - add rule inet filter input iifname "${wg}" jump intra2fw - add rule inet filter input iifname "${wg}" log level warn prefix "intra2fw: " counter drop - add rule inet filter output oifname "${wg}" jump fw2intra - add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop + # Hook ${iface} into relevant chains + add rule inet filter input iifname "${iface}" 
jump intra2fw + add rule inet filter input iifname "${iface}" log level warn prefix "intra2fw: " counter drop + add rule inet filter output oifname "${iface}" jump fw2intra + add rule inet filter output oifname "${iface}" log level warn prefix "fw2intra: " counter drop - # ${wg} firewalling + # ${iface} firewalling add rule inet filter fw2intra counter accept - add rule inet filter intra2fw ip saddr ${hosts.losurdo.extraArgs.wireguard.${wg}.ipv4} counter accept comment "losurdo" + add rule inet filter intra2fw tcp dport ${toString wg.peersAnnouncing.port} counter accept comment "WireGuard peers announcing" + add rule inet filter intra2fw ip saddr 192.168.42.2 counter accept comment "losurdo" ''; -networking.wireguard.interfaces.${wg} = { - ips = [ "${wireguard.${wg}.ipv4}/24" ]; - listenPort = wireguard.${wg}.listenPort; - privateKeyFile = secrets."wireguard/${wg}/privateKey".path; - peers = lib.mapAttrsToList (peerName: host: host.extraArgs.wireguard.${wg}.peer) peers; }; -networking.hosts = lib.mapAttrs' (hostName: host: lib.nameValuePair - host.extraArgs.wireguard.${wg}.ipv4 - [ "${hostName}.wg" ] - ) peers; -environment.systemPackages = [ - pkgs.natpunch-go -]; } diff --git a/networking/wireguard/wg-intra.nix b/networking/wireguard/wg-intra.nix new file mode 100644 index 0000000..219764d --- /dev/null +++ b/networking/wireguard/wg-intra.nix 
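Review bot: The new `intra2fw` rule hard-codes `ip saddr 192.168.42.2` while the rest of this commit moves peer addressing into networking/wireguard/wg-intra.nix, so the literal will silently diverge from losurdo's address if it is changed there, whereas the removed line derived it from host data. The peers are reachable as `config.networking.wireguard.interfaces.wg-intra.peers`, so the address can be taken from the peer carrying losurdo's `publicKey` (or from the `allowedIPs` of the non-relay peers); at minimum a comment should point at the source of truth: `# 192.168.42.2 is losurdo's wg-intra address, see networking/wireguard/wg-intra.nix`. The module signature on the first context line still declares `pkgs, lib, hosts, hostName, wireguard` although the new body only reads `config`; Nix's laziness means the now-unsupplied `wireguard` argument does not break evaluation, but the stale parameters mislead readers once the extraArg is gone, so trim it to `{ config, ... }:`.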
@@ -0,0 +1,52 @@
+{ pkgs, lib, config, hostName, ... }:
+let hosts = {
+ mermet = rec {
+ ipv4 = "192.168.42.1";
+ ips = ["${ipv4}/24"];
+ listenPort = 43642;
+ peersAnnouncing.enable = true;
+ peer = {
+ publicKey = "XbTEP2X71LBTjmdmySdiOpQJ+uIomcXvg1aiQGUtWBI=";
+ allowedIPs = [ "${ipv4}/32" ];
+ endpoint = "80.67.180.129:${toString listenPort}";
+ endpointReceiving.enable = true;
+ };
+ };
+ losurdo = rec {
+ ipv4 = "192.168.42.2";
+ ips = ["${ipv4}/24"];
+ listenPort = 43642;
+ persistentKeepalive = 10;
+ peer = {
+ publicKey = "xsFFep3k8z0pXgUOz4aryOF8l/KPBSOd4WQA26BkXy0=";
+ allowedIPs = [ "${ipv4}/32" ];
+ };
+ };
+ oignon = rec {
+ ipv4 = "192.168.42.3";
+ ips = ["${ipv4}/24"];
+ #persistentKeepalive = 10;
+ peer = {
+ publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA=";
+ allowedIPs = [ "${ipv4}/32" ];
+ #persistentKeepalive = 25;
+ #dynamicEndpointRefreshSeconds = 60;
+ };
+ };
+}; in
+{
+networking.wireguard.interfaces.wg-intra = lib.recursiveUpdate
+ (removeAttrs hosts.${hostName} ["ipv4" "persistentKeepalive" "peer"])
+ {
+ peers =
+ lib.mapAttrsToList (peerName: peer: lib.recursiveUpdate
+ { persistentKeepalive = hosts.${hostName}.persistentKeepalive or null; }
+ peer.peer
+ ) (removeAttrs hosts [hostName]);
+ };
+networking.hosts = lib.mapAttrs' (hostName: host:
+ lib.nameValuePair host.ipv4 [ "${hostName}.wg" ]) hosts;
+services.fail2ban.ignoreIP = lib.concatMap
+ (host: host.peer.allowedIPs)
+ (lib.attrValues hosts);
+}
diff --git a/nixos/modules.nix b/nixos/modules.nix
index cb5abea..e384633 100644
--- a/nixos/modules.nix
+++ b/nixos/modules.nix
@@ -7,6 +7,7 @@ imports = [
 #modules/services/mail/public-inbox.nix
 #modules/services/mail/postfix.nix
 modules/services/networking/upnpc.nix
+ #modules/services/networking/wireguard.nix
 #modules/services/security/tor.nix
 #modules/services/backup/syncoid.nix
 #modules/services/backup/sanoid.nix
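Review bot: In the `networking.hosts` mapping the lambda parameter is named `hostName`, shadowing the module argument `hostName` that the rest of the file uses to select the local host's entry; it happens to be the intended binding, but a reader searching for `hostName` cannot tell which one a given use refers to, so rename it: `networking.hosts = lib.mapAttrs' (peerName: host:` / `lib.nameValuePair host.ipv4 [ "${peerName}.wg" ]) hosts;`. The module also declares `pkgs` and `config` but reads neither, so `{ lib, hostName, ... }:` states the real dependencies. A host that imports this module without an entry in `hosts` currently fails at `hosts.${hostName}` with a bare "attribute missing" error; `assert lib.assertMsg (hosts ? ${hostName}) "wg-intra: no entry for host ${hostName}";` ahead of the attrset would say why.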
@@ -36,5 +37,6 @@ disabledModules = [ #"services/torrent/transmission.nix" #"services/games/freeciv.nix" #"services/backup/sanoid.nix" + #"services/networking/wireguard.nix" ]; } diff --git a/nixpkgs/patches.nix b/nixpkgs/patches.nix index 4524f7c..12a28f1 100644 --- a/nixpkgs/patches.nix +++ b/nixpkgs/patches.nix @@ -81,11 +81,9 @@ url = "https://github.com/NixOS/nixpkgs/pull/109643.diff"; sha256 = "sha256-i9dhidO/Yf/u6wE08ZIL/s6A/LoaXfz14+Xqc2YvJQg="; } -/* { - meta.description = ""; - url = "https://github.com/NixOS/nixpkgs/pull/98734.diff"; - sha256 = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; + meta.description = "nixos/wireguard"; + url = "https://github.com/NixOS/nixpkgs/pull/128014.diff"; + sha256 = "sha256-xF+y8NPpo95TRxZnMzx2WdIJ0W6DwKQHT8kuyB6aQKc="; } -*/ ] -- 2.47.2 From c98794575e03a7e182c52836317e2d373b1d4838 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 24 Jun 2021 15:10:41 +0200 Subject: [PATCH 16/16] syncoid: fix /dev/zfs permissions --- hosts/losurdo/syncoid.nix | 5 +++++ hosts/mermet/sanoid.nix | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/hosts/losurdo/syncoid.nix b/hosts/losurdo/syncoid.nix index 4d55d2f..6abcff8 100644 --- a/hosts/losurdo/syncoid.nix +++ b/hosts/losurdo/syncoid.nix @@ -3,6 +3,7 @@ let inherit (config) networking; inherit (config.services) syncoid; inherit (config.security) gnupg; + inherit (config.users) groups; in { networking.nftables.ruleset = '' @@ -17,9 +18,13 @@ security.gnupg.secrets."ssh/backup.ssh-ed25519" = { user = syncoid.user; }; users.groups.keys.members = [ syncoid.user ]; +systemd.tmpfiles.rules = [ + "z /dev/zfs 0660 - disk -" +]; services.syncoid = { enable = true; interval = "*-*-* *:05:00"; + group = "disk"; #interval = "*:0/1"; sshKey = gnupg.secrets."ssh/backup.ssh-ed25519".path; commonArgs = [ diff --git a/hosts/mermet/sanoid.nix b/hosts/mermet/sanoid.nix index bfbb890..3681f8d 100644 --- a/hosts/mermet/sanoid.nix +++ b/hosts/mermet/sanoid.nix 
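Review bot: The newly enabled patch is fetched from `https://github.com/NixOS/nixpkgs/pull/128014.diff`, a URL whose content changes whenever the pull request is pushed to or rebased; the `sha256` pins what was reviewed, so a later change fails the fetch rather than silently altering the WireGuard module, but the entry then breaks for anyone rebuilding, and the one-word `meta.description = "nixos/wireguard"` gives no hint which options (`peersAnnouncing`, `endpointReceiving`, relied on by wg-intra.nix) depend on it. Pin to immutable content instead, e.g. the `.diff` of a `compare/<base-sha>...<head-sha>` range or the `.patch` of the individual commits, and expand the description to name the added options so the dependency is discoverable when nixpkgs is next bumped.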
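Review bot: `"z /dev/zfs 0660 - disk -"` adjusts the device node once when tmpfiles runs, but `/dev/zfs` is created and labelled by udev, so the mode is only as stable as the ordering between the tmpfiles setup and the ZFS udev rules and is lost whenever the node is re-triggered; a udev rule is the robust place for this: `services.udev.extraRules = ''KERNEL=="zfs", MODE="0660", GROUP="disk"'';`. Choosing `disk` as that group also makes the syncoid service a member of the group that, on NixOS, typically owns every raw block device — far more than the `/dev/zfs` control node it needs. A dedicated group (e.g. `users.groups.zfs = {};`) used in both the udev rule and `services.syncoid.group` bounds the privilege to the ZFS ioctl interface. The `services.syncoid` attrset continues past the end of the hunk.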
@@ -1,16 +1,20 @@
 { pkgs, lib, config, inputs, ... }:
 let
 inherit (builtins) readFile;
- inherit (config.users) users;
+ inherit (config.users) users groups;
 in
 {
 users.users.backup = {
 isSystemUser = true;
 shell = users.root.shell;
+ group = groups.disk.name;
 openssh.authorizedKeys.keys = [
 (readFile (inputs.secrets + "/hosts/losurdo/ssh/backup.ssh-ed25519.pub"))
 ] ++ users."julm".openssh.authorizedKeys.keys;
 };
+systemd.tmpfiles.rules = [
+ "z /dev/zfs 0660 - disk -"
+];
 system.activationScripts.backup = ''
 ${pkgs.zfs}/bin/zfs allow -u ${users.backup.name} bookmark,hold,send rpool
 ${pkgs.zfs}/bin/zfs allow -u ${users.backup.name} receive,create,mount,rollback rpool/backup
-- 2.47.2
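Review bot: `group = groups.disk.name` puts `backup` — an account reachable over SSH, with a login shell and with julm's keys appended to its authorized keys — into the group that, on NixOS, typically owns the raw block devices, so compromise of that key (or of the losurdo side that holds it) yields read/write on the underlying disks rather than just the `zfs allow` delegations granted below. All the change needs is access to `/dev/zfs`; a dedicated group, `users.groups.zfs = {};` with `group = groups.zfs.name;` and `"z /dev/zfs 0660 - zfs -"`, bounds it to the ZFS control node. Since udev manages that node, a `services.udev.extraRules` entry setting its group and mode is also more reliable than a one-shot tmpfiles `z` line.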