From 3e8489017b7df6b510171dc6e18d0f4b00f8bef2 Mon Sep 17 00:00:00 2001
From: kat witch
Date: Tue, 17 Aug 2021 04:46:43 +0100
Subject: [PATCH] first batch of de-trusted services
---
depot/services/asterisk/default.nix | 61 -------------------
depot/services/mail/default.nix | 36 ++++++++---
depot/services/murmur/default.nix | 93 +++++++++++++++++++++++++----
depot/services/radicale/default.nix | 16 ++---
nix/sources.json | 12 ++--
5 files changed, 124 insertions(+), 94 deletions(-)
delete mode 100644 depot/services/asterisk/default.nix
diff --git a/depot/services/asterisk/default.nix b/depot/services/asterisk/default.nix
deleted file mode 100644
index ebd5cae7..00000000
--- a/depot/services/asterisk/default.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-
-{ config, lib, pkgs, tf, ... }:
-
-with lib;
-
-{
-/*
- network.firewall.public.tcp.ports = [ 5160 5060 ];
- network.firewall.public.udp.ports = [ 5160 5060 ];
-
- network.firewall.public.tcp.ranges = [{
- from = 10000;
- to = 20000;
- }];
-
- network.firewall.public.udp.ranges = [{
- from = 10000;
- to = 20000;
- }];
- */
-
- services.fail2ban.jails = {
- asterisk = ''
- enabled = true
- filter = asterisk
- action = nftables-allports
- logpath = /var/log/asterisk/messages
- maxretry = 4
- '';
- };
-
- environment.systemPackages = with pkgs; [ asterisk ];
-
- users.groups.asterisk = {
- name = "asterisk";
- };
-
- users.users.asterisk = {
- name = "asterisk";
- group = "asterisk";
- home = "/var/lib/asterisk";
- isSystemUser = true;
- };
-
- systemd.services.asterisk = {
- enable = false;
-
- description = "Asterisk PBX Server";
-
- wantedBy = [ "multi-user.target" ];
-
- restartIfChanged = false;
-
- serviceConfig = {
- ExecStart = "${pkgs.asterisk}/bin/asterisk -U asterisk -C /etc/asterisk/asterisk.conf -F";
- ExecReload = "${pkgs.asterisk}/bin/asterisk -x 'core reload'";
- Type = "forking";
- PIDFile = "/run/asterisk/asterisk.pid";
- };
- };
-}
diff --git a/depot/services/mail/default.nix b/depot/services/mail/default.nix
index a7835367..f21cbe82 100644
--- a/depot/services/mail/default.nix
+++ b/depot/services/mail/default.nix
@@ -7,6 +7,8 @@ with lib;
kw.secrets = [ "mail-domainkey-kitty" + "mail-kat-hash" + "mail-gitea-hash" ]; deploy.tf.dns.records.services_mail_mx = {
@@ -36,29 +38,45 @@ with lib;
txt.value = tf.variables.mail-domainkey-kitty.ref; }; + secrets.files = { + mail-kat-hash = { + text = '' + ${tf.variables.mail-kat-hash.ref} + ''; + }; + mail-gitea-hash = { + text = '' + ${tf.variables.mail-gitea-hash.ref} + ''; + }; + }; + mailserver = { enable = true; fqdn = config.network.addresses.public.domain; domains = [ "kittywit.ch" "dork.dev" ]; - # Use Let's Encrypt certificates. Note that this needs to set up a stripped - # down nginx and opens port 80. certificateScheme = 1; certificateFile = "/var/lib/acme/${config.mailserver.fqdn}/cert.pem"; keyFile = "/var/lib/acme/${config.mailserver.fqdn}/key.pem"; - - # Enable IMAP and POP3 enableImap = true; enablePop3 = true; enableImapSsl = true; enablePop3Ssl = true; enableSubmission = false; enableSubmissionSsl = true; - - # Enable the ManageSieve protocol enableManageSieve = true; - - # whether to scan inbound emails for viruses (note that this requires at least - # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty) virusScanning = false; + + # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 + loginAccounts = { + "kat@kittywit.ch" = { + hashedPasswordFile = config.secrets.files.mail-kat-hash.path; + aliases = [ "postmaster@kittywit.ch" ]; + catchAll = [ "kittywit.ch" "dork.dev" ]; + }; + "gitea@kittywit.ch" = { + hashedPasswordFile = config.secrets.files.mail-gitea-hash.path; + }; + }; }; }
diff --git a/depot/services/murmur/default.nix b/depot/services/murmur/default.nix
index 8ac103af..9d690f30 100644
--- a/depot/services/murmur/default.nix
+++ b/depot/services/murmur/default.nix
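Review bot: The hash recipe in the second hunk's comment, `htpasswd -nbB "" "..."`, leaves bcrypt at htpasswd's default cost of 5, which is weak for hashes that now guard IMAP/POP3/submission logins reachable from the internet; add the cost flag so future hashes are generated consistently, e.g. `# nix run nixpkgs.apacheHttpd -c htpasswd -nbB -C 12 "" "super secret password" | cut -d: -f2`. The new `secrets.files.mail-kat-hash` and `mail-gitea-hash` entries set no owner, group or mode, unlike `secrets.files.murmur-config` in this same commit; whether that is fine depends on the secrets module's defaults and on the mailserver reading `hashedPasswordFile` as root, neither of which is visible here, so it is worth confirming or stating in a comment. `catchAll` on both domains already covers `postmaster@kittywit.ch`, so the `aliases` entry is redundant unless it is meant as documentation of the required role address.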
@@ -1,8 +1,11 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, tf, ... }: with lib; -{ +let + cfg = config.services.murmur; + forking = (cfg.logFile != null); +in { network.firewall = { public = { tcp.ports = singleton 64738; 
@@ -10,25 +13,95 @@ with lib; }; }; + kw.secrets = [ + "murmur-password" + ]; + + secrets.files.murmur-config = { + text = '' + database=/var/lib/murmur/murmur.sqlite + dbDriver=QSQLITE + autobanAttempts=${toString cfg.autobanAttempts} + autobanTimeframe=${toString cfg.autobanTimeframe} + autobanTime=${toString cfg.autobanTime} + logfile=${optionalString (cfg.logFile != null) cfg.logFile} + ${optionalString forking "pidfile=/run/murmur/murmurd.pid"} + welcometext="${cfg.welcometext}" + port=${toString cfg.port} + ${if cfg.hostName == "" then "" else "host="+cfg.hostName} + ${if cfg.password == "" then "" else "serverpassword="+cfg.password} + bandwidth=${toString cfg.bandwidth} + users=${toString cfg.users} + textmessagelength=${toString cfg.textMsgLength} + imagemessagelength=${toString cfg.imgMsgLength} + allowhtml=${boolToString cfg.allowHtml} + logdays=${toString cfg.logDays} + bonjour=${boolToString cfg.bonjour} + sendversion=${boolToString cfg.sendVersion} + ${if cfg.registerName == "" then "" else "registerName="+cfg.registerName} + ${if cfg.registerPassword == "" then "" else "registerPassword="+cfg.registerPassword} + ${if cfg.registerUrl == "" then "" else "registerUrl="+cfg.registerUrl} + ${if cfg.registerHostname == "" then "" else "registerHostname="+cfg.registerHostname} + certrequired=${boolToString cfg.clientCertRequired} + ${if cfg.sslCert == "" then "" else "sslCert="+cfg.sslCert} + ${if cfg.sslKey == "" then "" else "sslKey="+cfg.sslKey} + ${if cfg.sslCa == "" then "" else "sslCA="+cfg.sslCa} + ${cfg.extraConfig} + ''; + owner = "murmur"; + group = "murmur"; + }; + + # Config to Template services.murmur = { - enable = true; hostName = "voice.${config.network.dns.domain}"; bandwidth = 130000; welcometext = "mew!"; + password = tf.variables.murmur-password.ref; extraConfig = '' - sslCert=/var/lib/acme/voice.${config.network.dns.domain}/fullchain.pem - sslKey=/var/lib/acme/voice.${config.network.dns.domain}/key.pem + 
sslCert=/var/lib/acme/services_murmur/fullchain.pem + sslKey=/var/lib/acme/services_murmur/key.pem ''; }; - services.nginx.virtualHosts."voice.${config.network.dns.domain}" = { - enableACME = true; - forceSSL = true; + # Service Replacement + users.users.murmur = { + description = "Murmur Service user"; + home = "/var/lib/murmur"; + createHome = true; + uid = config.ids.uids.murmur; + group = "murmur"; + }; + users.groups.murmur = { + gid = config.ids.gids.murmur; }; - users.groups."voice-cert".members = [ "nginx" "murmur" ]; + systemd.services.murmur = { + description = "Murmur Chat Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target "]; - security.acme.certs = { "voice.${config.network.dns.domain}" = { group = "voice-cert"; }; }; + serviceConfig = { + # murmurd doesn't fork when logging to the console. + Type = if forking then "forking" else "simple"; + PIDFile = mkIf forking "/run/murmur/murmurd.pid"; + EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile; + ExecStart = "${cfg.package}/bin/murmurd -ini ${config.secrets.files.murmur-config.path}"; + Restart = "always"; + RuntimeDirectory = "murmur"; + RuntimeDirectoryMode = "0700"; + User = "murmur"; + Group = "murmur"; + }; + }; + + # Certs + + network.extraCerts."services_murmur" = "voice.${config.network.dns.domain}"; + users.groups."voice-cert".members = [ "nginx" "murmur" ]; + security.acme.certs = { "services_murmur" = { group = "voice-cert"; }; }; + + # DNS deploy.tf.dns.records.services_murmur = { tld = config.network.dns.tld;
diff --git a/depot/services/radicale/default.nix b/depot/services/radicale/default.nix
index 6addaf92..a7088d36 100644
--- a/depot/services/radicale/default.nix
+++ b/depot/services/radicale/default.nix
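Review bot: `after = [ "network-online.target "];` in the new `systemd.services.murmur` carries a trailing space inside the unit name, so the ordering dependency names a unit that does not exist and is silently ineffective; it should read `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` (an `after` alone does nothing unless something also pulls the target in). Separately, `password = tf.variables.murmur-password.ref;` now lives in `services.murmur.password` while the upstream module's `enable = true;` is simply dropped rather than guarded; if anyone re-enables it, the upstream module presumably renders the same `serverpassword=` line into a nix-store ini, which is exactly what this commit moves the config out of the store to avoid, so an assertion such as `assertions = [ { assertion = !cfg.enable; message = "services.murmur is replaced here; enabling it would put the server password in the nix store"; } ];` would make that intent enforceable. The values in the `murmur-config` template are interpolated unquoted, so a password containing a newline or `#` would alter the ini structure; acceptable for a generated secret, but worth a one-line comment on the template. The enclosing module attrset continues past the end of the hunk.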
@@ -1,20 +1,20 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, tf, ... }: with lib; -let - mailAccounts = config.mailserver.loginAccounts; - htpasswd = pkgs.writeText "radicale.users" (concatStrings - (flip mapAttrsToList mailAccounts - (mail: user: mail + ":" + user.hashedPassword + "\n"))); -in { + secrets.files.radicale_htpasswd = { + text = '' + kat@kittywit.ch:${tf.variables.mail-kat-hash.ref} + ''; + }; + services.radicale = { enable = true; settings = { auth = { type = "htpasswd"; - htpasswd_filename = toString htpasswd; + htpasswd_filename = config.secrets.files.radicale_htpasswd.path; htpasswd_encryption = "bcrypt"; }; };
diff --git a/nix/sources.json b/nix/sources.json
index 3fa87b5a..2977237a 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -53,10 +53,10 @@ "homepage": null, "owner": "kittywitch", "repo": "nixexprs", - "rev": "20ea8d98164d1b1cfbe3b9fd88d3817556131b4e", - "sha256": "1wfk94alx0qq04z104ycmrhqa3ly6s2xjlf4722r3d130711mdb1", + "rev": "c6ea4f2270ea2bf06af32a397e8c13a00b59e3d1", + "sha256": "0r3nsgbn4s5vjgscmf8rgpyh42aj56zmwmrmissbr7n4p2d0wq54", "type": "tarball", - "url": "https://github.com/kittywitch/nixexprs/archive/20ea8d98164d1b1cfbe3b9fd88d3817556131b4e.tar.gz", + "url": "https://github.com/kittywitch/nixexprs/archive/c6ea4f2270ea2bf06af32a397e8c13a00b59e3d1.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "niv": {
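Review bot: `secrets.files.radicale_htpasswd` sets no owner, group or mode, while `secrets.files.murmur-config` in this commit sets both; radicale runs under its own service user, so if the secrets module defaults to root-only permissions the auth file is unreadable at runtime and every login fails — add `owner = "radicale";` (and the matching group) or confirm the default in a comment. The hunk also replaces the old `let` that derived the htpasswd from every `mailserver.loginAccounts` entry with a single hard-coded `kat@kittywit.ch` line, so the `gitea@kittywit.ch` account added in the mail hunk gets no CalDAV/CardDAV login; if that is intended, a comment such as `# only kat's mail credentials are accepted by radicale; gitea is mail-only` would stop the next reader from "fixing" it. `tf.variables.mail-kat-hash` is declared via `kw.secrets` in the mail module rather than here, so this file presumably only evaluates on a host that also imports that module; a `kw.secrets = [ "mail-kat-hash" ];` line here would make the dependency explicit if the list tolerates duplicates.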
@@ -99,10 +99,10 @@ "homepage": "https://nur.nix-community.org/", "owner": "nix-community", "repo": "NUR", - "rev": "011e39ed06852a58fe7485fa00e14b377cf682fd", - "sha256": "0g2c8bzrbkl5fp3jfh86hg8raz8ssz2171k2csxwa4ipgnwc0ys5", + "rev": "5298d04f01a57b43e00c642304477ede0ab6896c", + "sha256": "19v1qvvh9kh09szi0a097l0ig1z2k4f0cf6vlj32ihg8isfx3jni", "type": "tarball", - "url": "https://github.com/nix-community/NUR/archive/011e39ed06852a58fe7485fa00e14b377cf682fd.tar.gz", + "url": "https://github.com/nix-community/NUR/archive/5298d04f01a57b43e00c642304477ede0ab6896c.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "tf-nix": {