first batch of de-trusted services

2026-02-09 20:39:18 -08:00 · 2021-08-17 04:46:43 +01:00 · 2021-08-17 04:46:43 +01:00 · 3e8489017b
commit 3e8489017b
parent 0d29093832
5 changed files with 124 additions and 94 deletions
--- a/depot/services/asterisk/default.nix
+++ b/depot/services/asterisk/default.nix
@ -1,61 +0,0 @@
-
-{ config, lib, pkgs, tf, ... }:
-
-with lib;
-
-{
-/*
-  network.firewall.public.tcp.ports = [ 5160 5060 ];
-  network.firewall.public.udp.ports = [ 5160 5060 ];
-
-  network.firewall.public.tcp.ranges = [{
-    from = 10000;
-    to = 20000;
-  }];
-
-  network.firewall.public.udp.ranges = [{
-    from = 10000;
-    to = 20000;
-  }];
-  */
-
-  services.fail2ban.jails = {
-    asterisk = ''
-      enabled  = true
-      filter   = asterisk
-      action   = nftables-allports
-      logpath  = /var/log/asterisk/messages
-      maxretry = 4
-    '';
-  };
-
-  environment.systemPackages = with pkgs; [ asterisk ];
-
-  users.groups.asterisk = {
-    name = "asterisk";
-  };
-
-  users.users.asterisk = {
-    name = "asterisk";
-    group = "asterisk";
-    home = "/var/lib/asterisk";
-    isSystemUser = true;
-  };
-
-  systemd.services.asterisk = {
-    enable = false;
-
-    description = "Asterisk PBX Server";
-
-    wantedBy = [ "multi-user.target" ];
-
-    restartIfChanged = false;
-
-    serviceConfig = {
-      ExecStart = "${pkgs.asterisk}/bin/asterisk -U asterisk -C /etc/asterisk/asterisk.conf -F";
-      ExecReload = "${pkgs.asterisk}/bin/asterisk -x 'core reload'";
-      Type = "forking";
-      PIDFile = "/run/asterisk/asterisk.pid";
-    };
-  };
-}
--- a/depot/services/mail/default.nix
+++ b/depot/services/mail/default.nix
@ -7,6 +7,8 @@ with lib;

  kw.secrets = [
    "mail-domainkey-kitty"
+    "mail-kat-hash"
+    "mail-gitea-hash"
  ];

  deploy.tf.dns.records.services_mail_mx = {
@ -36,29 +38,45 @@ with lib;
    txt.value = tf.variables.mail-domainkey-kitty.ref;
  };

+  secrets.files = {
+    mail-kat-hash = {
+      text = ''
+        ${tf.variables.mail-kat-hash.ref}
+      '';
+    };
+    mail-gitea-hash = {
+      text = ''
+        ${tf.variables.mail-gitea-hash.ref}
+      '';
+    };
+  };
+
  mailserver = {
    enable = true;
    fqdn = config.network.addresses.public.domain;
    domains = [ "kittywit.ch" "dork.dev" ];
-    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
-    # down nginx and opens port 80.
    certificateScheme = 1;
    certificateFile = "/var/lib/acme/${config.mailserver.fqdn}/cert.pem";
    keyFile = "/var/lib/acme/${config.mailserver.fqdn}/key.pem";
-
-    # Enable IMAP and POP3
    enableImap = true;
    enablePop3 = true;
    enableImapSsl = true;
    enablePop3Ssl = true;
    enableSubmission = false;
    enableSubmissionSsl = true;
-
-    # Enable the ManageSieve protocol
    enableManageSieve = true;
-
-    # whether to scan inbound emails for viruses (note that this requires at least
-    # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
    virusScanning = false;
+
+    # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
+    loginAccounts = {
+      "kat@kittywit.ch" = {
+        hashedPasswordFile = config.secrets.files.mail-kat-hash.path;
+        aliases = [ "postmaster@kittywit.ch" ];
+        catchAll = [ "kittywit.ch" "dork.dev" ];
+      };
+      "gitea@kittywit.ch" = {
+        hashedPasswordFile = config.secrets.files.mail-gitea-hash.path;
+      };
+    };
  };
 }
--- a/depot/services/murmur/default.nix
+++ b/depot/services/murmur/default.nix
@ -1,8 +1,11 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, tf, ... }:

 with lib;

-{
+let
+  cfg = config.services.murmur;
+  forking = (cfg.logFile != null);
+in {
  network.firewall = {
    public = {
      tcp.ports = singleton 64738;
@ -10,25 +13,95 @@ with lib;
    };
  };

+  kw.secrets = [
+    "murmur-password"
+  ];
+
+  secrets.files.murmur-config = {
+    text = ''
+      database=/var/lib/murmur/murmur.sqlite
+      dbDriver=QSQLITE
+      autobanAttempts=${toString cfg.autobanAttempts}
+      autobanTimeframe=${toString cfg.autobanTimeframe}
+      autobanTime=${toString cfg.autobanTime}
+      logfile=${optionalString (cfg.logFile != null) cfg.logFile}
+      ${optionalString forking "pidfile=/run/murmur/murmurd.pid"}
+      welcometext="${cfg.welcometext}"
+      port=${toString cfg.port}
+      ${if cfg.hostName == "" then "" else "host="+cfg.hostName}
+      ${if cfg.password == "" then "" else "serverpassword="+cfg.password}
+      bandwidth=${toString cfg.bandwidth}
+      users=${toString cfg.users}
+      textmessagelength=${toString cfg.textMsgLength}
+      imagemessagelength=${toString cfg.imgMsgLength}
+      allowhtml=${boolToString cfg.allowHtml}
+      logdays=${toString cfg.logDays}
+      bonjour=${boolToString cfg.bonjour}
+      sendversion=${boolToString cfg.sendVersion}
+      ${if cfg.registerName     == "" then "" else "registerName="+cfg.registerName}
+      ${if cfg.registerPassword == "" then "" else "registerPassword="+cfg.registerPassword}
+      ${if cfg.registerUrl      == "" then "" else "registerUrl="+cfg.registerUrl}
+      ${if cfg.registerHostname == "" then "" else "registerHostname="+cfg.registerHostname}
+      certrequired=${boolToString cfg.clientCertRequired}
+      ${if cfg.sslCert == "" then "" else "sslCert="+cfg.sslCert}
+      ${if cfg.sslKey  == "" then "" else "sslKey="+cfg.sslKey}
+      ${if cfg.sslCa   == "" then "" else "sslCA="+cfg.sslCa}
+      ${cfg.extraConfig}
+    '';
+    owner = "murmur";
+    group = "murmur";
+  };
+
+  # Config to Template
  services.murmur = {
-    enable = true;
    hostName = "voice.${config.network.dns.domain}";
    bandwidth = 130000;
    welcometext = "mew!";
+    password = tf.variables.murmur-password.ref;
    extraConfig = ''
-      sslCert=/var/lib/acme/voice.${config.network.dns.domain}/fullchain.pem
-      sslKey=/var/lib/acme/voice.${config.network.dns.domain}/key.pem
+      sslCert=/var/lib/acme/services_murmur/fullchain.pem
+      sslKey=/var/lib/acme/services_murmur/key.pem
    '';
  };

-  services.nginx.virtualHosts."voice.${config.network.dns.domain}" = {
-    enableACME = true;
-    forceSSL = true;
+  # Service Replacement
+  users.users.murmur = {
+    description     = "Murmur Service user";
+    home            = "/var/lib/murmur";
+    createHome      = true;
+    uid             = config.ids.uids.murmur;
+    group           = "murmur";
+  };
+  users.groups.murmur = {
+    gid             = config.ids.gids.murmur;
  };

-  users.groups."voice-cert".members = [ "nginx" "murmur" ];
+  systemd.services.murmur = {
+    description = "Murmur Chat Service";
+    wantedBy    = [ "multi-user.target" ];
+    after       = [ "network-online.target "];

-  security.acme.certs = { "voice.${config.network.dns.domain}" = { group = "voice-cert"; }; };
+    serviceConfig = {
+        # murmurd doesn't fork when logging to the console.
+        Type = if forking then "forking" else "simple";
+        PIDFile = mkIf forking "/run/murmur/murmurd.pid";
+        EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
+        ExecStart = "${cfg.package}/bin/murmurd -ini ${config.secrets.files.murmur-config.path}";
+        Restart = "always";
+        RuntimeDirectory = "murmur";
+        RuntimeDirectoryMode = "0700";
+        User = "murmur";
+        Group = "murmur";
+      };
+    };
+
+  # Certs
+
+    network.extraCerts."services_murmur" = "voice.${config.network.dns.domain}";
+    users.groups."voice-cert".members = [ "nginx" "murmur" ];
+    security.acme.certs = { "services_murmur" = { group = "voice-cert"; }; };
+
+  # DNS

  deploy.tf.dns.records.services_murmur = {
    tld = config.network.dns.tld;
--- a/depot/services/radicale/default.nix
+++ b/depot/services/radicale/default.nix
@ -1,20 +1,20 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, tf, ... }:

 with lib;

-let
-  mailAccounts = config.mailserver.loginAccounts;
-  htpasswd = pkgs.writeText "radicale.users" (concatStrings
-    (flip mapAttrsToList mailAccounts
-      (mail: user: mail + ":" + user.hashedPassword + "\n")));
-in
 {
+  secrets.files.radicale_htpasswd = {
+    text = ''
+      kat@kittywit.ch:${tf.variables.mail-kat-hash.ref}
+    '';
+  };
+
  services.radicale = {
    enable = true;
    settings = {
      auth = {
        type = "htpasswd";
-        htpasswd_filename = toString htpasswd;
+        htpasswd_filename = config.secrets.files.radicale_htpasswd.path;
        htpasswd_encryption = "bcrypt";
      };
    };
--- a/nix/sources.json
+++ b/nix/sources.json
@ -53,10 +53,10 @@
        "homepage": null,
        "owner": "kittywitch",
        "repo": "nixexprs",
-        "rev": "20ea8d98164d1b1cfbe3b9fd88d3817556131b4e",
-        "sha256": "1wfk94alx0qq04z104ycmrhqa3ly6s2xjlf4722r3d130711mdb1",
+        "rev": "c6ea4f2270ea2bf06af32a397e8c13a00b59e3d1",
+        "sha256": "0r3nsgbn4s5vjgscmf8rgpyh42aj56zmwmrmissbr7n4p2d0wq54",
        "type": "tarball",
-        "url": "https://github.com/kittywitch/nixexprs/archive/20ea8d98164d1b1cfbe3b9fd88d3817556131b4e.tar.gz",
+        "url": "https://github.com/kittywitch/nixexprs/archive/c6ea4f2270ea2bf06af32a397e8c13a00b59e3d1.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "niv": {
@ -99,10 +99,10 @@
        "homepage": "https://nur.nix-community.org/",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "011e39ed06852a58fe7485fa00e14b377cf682fd",
-        "sha256": "0g2c8bzrbkl5fp3jfh86hg8raz8ssz2171k2csxwa4ipgnwc0ys5",
+        "rev": "5298d04f01a57b43e00c642304477ede0ab6896c",
+        "sha256": "19v1qvvh9kh09szi0a097l0ig1z2k4f0cf6vlj32ihg8isfx3jni",
        "type": "tarball",
-        "url": "https://github.com/nix-community/NUR/archive/011e39ed06852a58fe7485fa00e14b377cf682fd.tar.gz",
+        "url": "https://github.com/nix-community/NUR/archive/5298d04f01a57b43e00c642304477ede0ab6896c.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "tf-nix": {