From 595a0983cb23648f24c931741479aeb666463293 Mon Sep 17 00:00:00 2001 From: kat Date: Sun, 25 Sep 2022 17:42:17 -0700 Subject: [PATCH] feat: new networking abstractions full adoption --- nixos/network.nix | 51 ++++++++++++++++----- nixos/systems/daiyousei.nix | 6 +++ services/filehost.nix | 2 +- services/fusionpbx.nix | 53 ---------------------- services/glauth.nix | 83 ----------------------------------- services/hedgedoc.nix | 10 ++--- services/keycloak.nix | 35 +++++++-------- services/mail/dns.nix | 8 ++-- services/mail/dovecot.nix | 28 +++++------- services/mail/postfix.nix | 28 ++++++------ services/mail/sogo.nix | 4 +- services/murmur.nix | 17 +++---- services/openldap/default.nix | 9 ++-- services/prosody.nix | 22 +++++----- services/synapse.nix | 6 +-- services/syncplay.nix | 32 ++++++++------ services/vaultwarden.nix | 2 +- services/website.nix | 2 - services/weechat.nix | 2 +- services/znc.nix | 6 +-- tf | 2 +- 21 files changed, 146 insertions(+), 262 deletions(-) delete mode 100644 services/fusionpbx.nix delete mode 100644 services/glauth.nix diff --git a/nixos/network.nix b/nixos/network.nix index 38c2c6d1..93a99b5e 100644 --- a/nixos/network.nix +++ b/nixos/network.nix @@ -38,9 +38,9 @@ type = nullOr str; default = "${nixos.networking.hostName}${if config.prefix != null then ".${config.prefix}" else ""}"; }; - dn = mkOption { + cname = mkOption { type = nullOr str; - default = lib.removeSuffix "." config.domain; + default = "${config.domain}.${config.zone}"; }; prefix = mkOption { type = nullOr str; 
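Review bot: The renamed `cname` option carries no `description`, and its default joins `config.domain` to `config.zone`, whose default elsewhere in this file appears to be the dotted form `kittywit.ch.`, so the value is a fully-qualified name with a trailing dot that consumers must strip (as the `lib.removeSuffix "." config.cname` defaults in the next hunk do). Suggest `description = "Fully-qualified record name (domain.zone, trailing dot kept); use removeSuffix \".\" for file names.";`. The removed `dn` attribute is still mentioned in a commented-out block in services/murmur.nix (`config.networks.internet.dn`), which would fail to evaluate if ever uncommented.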
@@ -50,6 +50,14 @@ type = nullOr str; default = "kittywit.ch."; }; + key_path = mkOption { + type = nullOr str; + default = if config.create_cert then nixos.secrets.files."${lib.removeSuffix "." config.cname}-key".path else null; + }; + cert_path = mkOption { + type = nullOr str; + default = if config.create_cert then nixos.secrets.files."${lib.removeSuffix "." config.cname}-cert".path else null; + }; target = mkOption { type = nullOr str; default = if (config.type == "cname" && config.host != nixos.networking.hostName) then @@ -136,13 +144,25 @@ }; create_domain = mkOption { type = bool; - default = false; + default = config.extra_domains != []; + }; + create_cert = mkOption { + type = bool; + default = config.extra_domains != []; }; extra_domains = mkOption { type = listOf str; description = "Domains to add to the certificate generated for this network."; default = []; }; + key_path = mkOption { + type = nullOr str; + default = if config.create_cert && config.interfaces != [] then nixos.secrets.files."${lib.removeSuffix "." config.target}-key".path else null; + }; + cert_path = mkOption { + type = nullOr str; + default = if config.create_cert && config.interfaces != [] then nixos.secrets.files."${lib.removeSuffix "." config.target}-cert".path else null; + }; domain = mkOption { type = nullOr str; default = "${nixos.networking.hostName}${if config.prefix != null then ".${config.prefix}" else ""}"; @@ -155,6 +175,10 @@ type = nullOr str; default = "kittywit.ch."; }; + domain_dotless = mkOption { + type = nullOr str; + default = lib.removeSuffix "." config.target; + }; target = mkOption { type = nullOr str; default = "${config.domain}.${config.zone}"; @@ -190,6 +214,7 @@ interfaces = singleton "tailscale0"; zone = "inskip.me."; create_domain = true; + create_cert = true; } ]; }; 
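Review bot: The `key_path`/`cert_path` defaults dereference `nixos.secrets.files."<cname>-key"` whenever `create_cert` is true, but those secret entries are only emitted for domains that pass the `filterAttrs (... settings.create_cert)` selection in the secrets section, and only when `nixos.secrets` is wired up for the host, so any mismatch surfaces as a bare missing-attribute error with no hint about the coupling. A `description` on each option would make the contract explicit, e.g. `description = "Path of the TLS private key secret generated for this domain; null unless create_cert is set.";`, and the same for the certificate.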
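Review bot: `key_path` and `cert_path` evaluate to `null` whenever `create_cert` is false or the network has no `interfaces`, yet every consumer in this commit interpolates them directly into a string (`sslCert=${config.networks.internet.cert_path}` in services/murmur.nix, `ssl.cert`/`ssl.key` in services/prosody.nix, the `cp` lines in services/syncplay.nix), which Nix rejects with a generic cannot-coerce-null error. Because `create_cert` now also switches on implicitly from `extra_domains != []`, a service that stops declaring an extra domain loses its certificate paths at evaluation time with no pointer to the cause. Suggest an assertion in the config section, e.g. `assertions = mapAttrsToList (n: s: { assertion = !s.create_cert || s.interfaces != []; message = "networks.${n}: create_cert requires an interface for key_path/cert_path"; }) sane_networks;`, plus a `description` on both options stating that they are `null` unless `create_cert` is set and the network has interfaces.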
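Review bot: `domain_dotless` is derived from `config.target`, not from `config.domain`, so it holds the full `domain.zone` name without the trailing dot rather than the dotless form of the `domain` option its name suggests; the callers in services/mail/postfix.nix and sogo.nix use it as the host FQDN, which is what they need, but the name misleads the next reader. Either rename it (e.g. `fqdn`) and keep `domain_dotless` as an alias, or add `description = "config.target without the trailing dot, i.e. the host FQDN (not config.domain).";`.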
@@ -230,11 +255,12 @@ extraDomainedNetworks = filterAttrs (_: settings: settings.extra_domains != []) networks'; extraDomains = listToAttrs (concatLists (mapAttrsToList (network: settings: map (domain: let - split_domain = splitString "." domain; - isRoot = (length split_domain) == 2; - in nameValuePair "${network}-cname-${if isRoot then "root" else elemAt split_domain (length split_domain -2)}-${concatStringsSep "." (sublist (length split_domain - 2) (length split_domain) split_domain)}." { - zone = "${concatStringsSep "." (sublist (length split_domain - 2) (length split_domain) split_domain)}."; - domain = if isRoot then null + split_domain = splitString "." domain; + isRoot = (length split_domain) <= 2; + in nameValuePair "${network}-cname-${if isRoot then "root" else elemAt split_domain ((length split_domain) - 2)}-${concatStringsSep "." (sublist (length split_domain - 2) (length split_domain) split_domain)}." { + zone = if isRoot then "${domain}." else "${concatStringsSep "." (sublist ((length split_domain) - 2) (length split_domain) split_domain)}."; + enable = true; + domain = if isRoot then "@" else elemAt split_domain (length split_domain - 2); cname = { inherit (settings) target; }; }) settings.extra_domains) extraDomainedNetworks)); @@ -247,7 +273,6 @@ enable = mkForce settings.ipv6_defined; } else { enable = mkForce settings.ipv4_defined; - #a.address = if settings.ipv4_defined then settings.ipv4 else "127.0.0.1"; a.address = settings.ipv4; }) )) networks') address_families; 
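Review bot: For a non-root extra domain the record's `domain` label is `elemAt split_domain (length split_domain - 2)`, which with zero-based `elemAt` is the first label of the zone, not the host label: for `voice.kittywit.ch` it yields `kittywit`, so the CNAME would be created at `kittywit.kittywit.ch` rather than `voice.kittywit.ch`. The attribute name uses the same index, so `voice.kittywit.ch`, `sync.kittywit.ch` and `mail.kittywit.ch` (all declared via `extra_domains` in this commit) collapse to one name and `listToAttrs` keeps only one of them. Suggest `hostLabels = sublist 0 (length split_domain - 2) split_domain;` in the `let`, then `domain = if isRoot then "@" else concatStringsSep "." hostLabels;`, and use the same joined value in the attribute name so each extra domain gets a distinct record. This is read from the expression alone; if the DNS layer rewrites labels downstream, disregard.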
@@ -275,9 +300,9 @@ keyType = "4096"; dnsNames = [ (removeSuffix "." settings.target) ] ++ (lib.optionals (settings ? extra_domains) settings.extra_domains); }; - network_certs = mapAttrs' nvP sane_networks; + network_certs = mapAttrs' nvP (filterAttrs (network: settings: settings.create_cert) sane_networks); domain_certs = mapAttrs' nvP (filterAttrs (network: settings: settings.create_cert) config.domains); - in network_certs // domain_certs; + in domain_certs // network_certs; }; variables = { @@ -312,6 +337,7 @@ text = tf.acme.certs.${fixedTarget settings}.out.refFullchainPem; owner = "nginx"; group = "domain-auth"; + mode = "0440"; } ) sane_networks; networks' = mapAttrs' (network: settings: @@ -319,6 +345,7 @@ text = tf.acme.certs.${fixedTarget settings}.out.refPrivateKeyPem; owner = "nginx"; group = "domain-auth"; + mode = "0440"; } ) sane_networks; domains = mapAttrs' (network: settings: @@ -326,6 +353,7 @@ text = tf.acme.certs.${fixedTarget settings}.out.refFullchainPem; owner = settings.owner; group = settings.group; + mode = "0440"; } ) (filterAttrs (network: settings: settings.create_cert) config.domains); domains' = mapAttrs' (network: settings: @@ -333,6 +361,7 @@ text = tf.acme.certs.${fixedTarget settings}.out.refPrivateKeyPem; owner = settings.owner; group = settings.group; + mode = "0440"; } ) (filterAttrs (network: settings: settings.create_cert) config.domains); in networks // networks' // domains // domains'; diff --git a/nixos/systems/daiyousei.nix b/nixos/systems/daiyousei.nix index 6ca3a3f5..401e574c 100644 --- a/nixos/systems/daiyousei.nix +++ b/nixos/systems/daiyousei.nix @@ -37,5 +37,11 @@ }; }; + networks.internet = { + extra_domains = [ + "kittywit.ch" + ]; + }; + system.stateVersion = "21.11"; } diff --git a/services/filehost.nix b/services/filehost.nix index 4abbf6ff..9875fb81 100644 --- a/services/filehost.nix +++ b/services/filehost.nix 
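Review bot: `network_certs` is now filtered on `create_cert` alone, while the network `key_path`/`cert_path` defaults in the earlier hunk additionally require `interfaces != []`, so unless `sane_networks` already excludes interface-less networks, a network with `create_cert = true` and no interfaces gets a certificate issued but exposes `null` paths; the two predicates should agree, e.g. `filterAttrs (network: settings: settings.create_cert && settings.interfaces != []) sane_networks` here, or drop the interface condition from the path defaults. The swapped merge `domain_certs // network_certs` silently changes which definition wins when a domain and a network yield the same certificate name; a one-line comment stating why network entries take precedence would save the next reader a bisect.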
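Review bot: Setting `mode = "0440"` on the key and chain secrets (this hunk and the three following ones for `networks'`, `domains` and `domains'`) closes the previous default permissions, but it makes group membership the only boundary: every service this commit adds to `domain-auth` (keycloak, murmur, openldap, syncplay, plus the nginx owner) can now read every other service's private key, since the network keys are all `owner = "nginx"; group = "domain-auth"` with no per-service scoping. Worth a comment where the group is assigned, e.g. `# domain-auth members can read every network TLS key; limit membership to TLS-terminating services`, and consider per-service groups for the per-domain keys, where `settings.owner`/`settings.group` already allow it.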
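Review bot: Adding `kittywit.ch` itself to `extra_domains` makes the `extraDomains` generator in nixos/network.nix emit a record with `domain = "@"` and a `cname` to the network target, i.e. a CNAME at the zone apex; a CNAME cannot coexist with other data at the same name, and services/mail/dns.nix places the MX and SPF TXT records at that apex. Depending on the provider this is either rejected or, worse, accepted and shadows the MX/TXT lookups, breaking inbound mail and SPF. If the purpose is a certificate SAN for the bare domain, the apex should resolve via A/AAAA records (the `a.address = settings.ipv4` path already in network.nix) rather than a CNAME; the same concern applies to `create_domain` now defaulting on for this network.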
@@ -180,8 +180,8 @@ location CHANGELOG.md { }; domains.kittywitch-filehost = { + network = "internet"; domain = "files"; type = "cname"; - inherit (config.networks.internet) target; }; } diff --git a/services/fusionpbx.nix b/services/fusionpbx.nix deleted file mode 100644 index a0ace593..00000000 --- a/services/fusionpbx.nix +++ /dev/null @@ -1,53 +0,0 @@ -{ config, pkgs, tf, lib, ... }: with lib; - -{ - deploy.tf.dns.records.services_fusionpbx = { - inherit (config.network.dns) zone; - domain = "pbx"; - cname = { inherit (config.network.addresses.private) target; }; - }; - - kw.secrets.variables = mapListToAttrs - (field: - nameValuePair "fusionpbx-${field}" { - path = "services/fusionpbx"; - inherit field; - }) [ "username" "password" ]; - - secrets.files.fusionpbx_env = { - text = '' - USER_NAME=${tf.variables.fusionpbx-username.ref} - USER_PASSWORD=${tf.variables.fusionpbx-password.ref} - ''; - owner = "fusionpbx"; - group = "fusionpbx"; - }; - - security.acme.certs.services_fusionpbx = { - domain = "pbx.${config.network.dns.domain}"; - group = "fusionpbx"; - dnsProvider = "rfc2136"; - credentialsFile = config.secrets.files.dns_creds.path; - postRun = "systemctl restart nginx"; - }; - - services.fusionpbx = { - enable = true; - openFirewall = true; - useLocalPostgreSQL = true; - environmentFile = config.secrets.files.fusionpbx_env.path; - hardphones = true; - useACMEHost = "services_fusionpbx"; - domain = "pbx.${config.network.dns.domain}"; - package = with pkgs; fusionpbxWithApps [ fusionpbx-apps.sms ]; - freeSwitchPackage = with pkgs; freeswitch; - }; - - services.nginx.virtualHosts."altar.kittywit.ch" = { - locations = { - "app/sms/hook/" = { - proxyPass = "http://pbx.kittywit.ch/app/sms/hook"; - }; - }; - }; -} diff --git a/services/glauth.nix b/services/glauth.nix deleted file mode 100644 index 49e9e83e..00000000 --- a/services/glauth.nix +++ /dev/null 
@@ -1,83 +0,0 @@ -{ config, tf, lib, ... }: with lib; { - network.firewall.public.tcp.ports = [ 636 ]; - - network.extraCerts.domain-auth = "auth.${config.network.dns.domain}"; - users.groups.domain-auth.members = [ "nginx" "glauth" "keycloak" ]; - security.acme.certs.domain-auth.group = "domain-auth"; - - services.glauth = { - enable = true; - configFile = config.secrets.files.glauth-config-file.path; - database = { - enable = true; - local = true; - type = "postgres"; - passwordFile = config.secrets.files.glauth-postgres-file.path; - }; - settings = { - syslog = true; - ldap = { - enabled = false; - listen = "0.0.0.0:3893"; - }; - ldaps = { - enabled = true; - listen = "0.0.0.0:636"; - cert = "/var/lib/acme/domain-auth/fullchain.pem"; - key = "/var/lib/acme/domain-auth/key.pem"; - }; - backend = { - baseDN = "dc=kittywitc,dc=ch"; - }; - users = [ - { - name = "kat"; - mail = "kat@kittywit.ch"; - loginshell="/usr/bin/env zsh"; - homedirectory="/home/kat"; - passsha256 = tf.variables.glauth-password-hash.ref; - uidnumber = 1000; - primarygroup = 1500; - givenname = "kat"; - sn = "witch"; - } - { - name = "kc"; - passsha256 = tf.variables.glauth-kc-password-hash.ref; - uidnumber = 999; - primarygroup = 1499; - } - ]; - groups = [ - { - name = "admins"; - gidnumber = 1499; - } - { - name = "users"; - gidnumber = 1500; - } - ]; - }; - }; - - kw.secrets.variables = mapListToAttrs - (field: - nameValuePair "glauth-${field}" { - path = "services/glauth"; - inherit field; - }) [ "password-hash" "kc-password-hash" "postgres" ]; - - secrets.files = { - glauth-postgres-file = { - text = tf.variables.glauth-postgres.ref; - owner = "postgres"; - group = "glauth"; - }; - glauth-config-file = { - text = toTOML config.services.glauth.settings; - owner = "glauth"; - group = "glauth"; - }; - }; -} diff --git a/services/hedgedoc.nix b/services/hedgedoc.nix index 7f0a92ca..df406e22 100644 --- a/services/hedgedoc.nix +++ b/services/hedgedoc.nix 
@@ -24,7 +24,7 @@ services.hedgedoc = { enable = true; - configuration = { + settings = { debug = true; path = "/run/hedgedoc/hedgedoc.sock"; domain = "md.kittywit.ch"; @@ -50,10 +50,10 @@ environmentFile = config.secrets.files.hedgedoc-env.path; }; - deploy.tf.dns.records.services_hedgedoc = { - inherit (config.network.dns) zone; + domains.kittywitch_hedgedoc = { + network = "internet"; + type = "cname"; domain = "md"; - cname = { inherit (config.network.addresses.public) target; }; }; systemd.services.hedgedoc = { @@ -75,8 +75,6 @@ users.users.nginx.extraGroups = [ "hedgedoc" ]; services.nginx.virtualHosts."md.kittywit.ch" = { - enableACME = true; - forceSSL = true; locations."/" = { proxyPass = "http://unix:/run/hedgedoc/hedgedoc.sock"; proxyWebsockets = true; diff --git a/services/keycloak.nix b/services/keycloak.nix index 14775d41..c639b1c1 100644 --- a/services/keycloak.nix +++ b/services/keycloak.nix @@ -1,12 +1,11 @@ { config, pkgs, lib, tf, ... }: with lib; let - keystore-pass = "zZX3eS"; + id = tf.acme.certs."auth.kittywit.ch".out.resource.getAttr "id"; in { services.keycloak = { enable = builtins.getEnv "CI_PLATFORM" == "impure"; package = (pkgs.keycloak.override { jre = pkgs.openjdk11; }); - initialAdminPassword = "mewpymewlymewlies"; database.passwordFile = config.secrets.files.keycloak-postgres-file.path; settings = { http-enabled = true; 
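Review bot: Removing `enableACME = true; forceSSL = true;` from the `md.kittywit.ch` virtual host leaves nothing in this hunk that re-enables TLS or the HTTP→HTTPS redirect, and the same two lines are removed from `kittywit.ch` in services/website.nix; unless the new `domains` abstraction injects `forceSSL` and the certificate for every virtual host elsewhere, HedgeDoc's session cookies and logins are now served over plain HTTP. Please confirm where the vhost gets its certificate and redirect after this change, and if it is the `domains` layer, record that on the vhost, e.g. `# TLS and forceSSL are applied by the domains.kittywitch_hedgedoc entry`.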
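Review bot: Dropping the hard-coded `keystore-pass` and `initialAdminPassword` literals is right, but both values remain in repository history and should be treated as disclosed: rotate the Keycloak admin password and discard any keystore created with the old password. The replacement `id` (the ACME certificate's Terraform resource id) is not a secret either — it is rendered into the Keycloak settings in the Nix store and passed on the `keytool` command line in the later hunk — which is acceptable only because the store holds a certificate rather than a private key; a comment saying so prevents a future reader from "hardening" it, e.g. `# id is public; the .jks only holds the public cert, so its store password is not a secret`.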
@@ -18,27 +17,31 @@ in { hostname-strict = false; http-relative-path = "/auth"; hostname-strict-backchannel = true; - https-key-store-file = "/var/lib/acme/auth.kittywit.ch/trust-store.jks"; - https-key-store-password = keystore-pass; + https-key-store-file = "/run/keycloak/${id}.jks"; + https-key-store-password = id; }; }; + domains.kittywitch-keycloak = { + network = "internet"; + type = "cname"; + domain = "auth"; + }; users.groups.domain-auth = { gid = 10600; members = [ "keycloak" ]; }; -/* - security.acme.certs."auth.kittywit.ch" = { - group = "domain-auth"; - postRun = '' - ${pkgs.adoptopenjdk-jre-bin}/bin/keytool -delete -alias auth.kittywit.ch -keypass ${keystore-pass} -storepass ${keystore-pass} -keystore ./trust-store.jks - ${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.kittywit.ch -noprompt -keystore trust-store.jks -keypass ${keystore-pass} -storepass ${keystore-pass} -file cert.pem - chown acme:domain-auth ./trust-store.jks - ''; - };*/ + + systemd.services.keycloak.script = lib.mkBefore '' + mkdir -p /run/keycloak + if [[ ! -e /run/keycloak/${id}.jks ]]; then + ${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.kittywit.ch -noprompt -keystore /run/keycloak/${id}.jks -keypass ${id} -storepass ${id} -file ${config.domains.kittywitch-keycloak.cert_path} + fi + ''; users.groups.keycloak = { }; + users.users.keycloak = { isSystemUser = true; group = "keycloak"; @@ -64,10 +67,4 @@ in { "/auth".proxyPass = "http://127.0.0.1:8089/auth"; }; }; - - domains.kittywitch-keycloak = { - network = "internet"; - type = "cname"; - domain = "auth"; - }; } diff --git a/services/mail/dns.nix b/services/mail/dns.nix index c5b17b07..6941721f 100644 --- a/services/mail/dns.nix +++ b/services/mail/dns.nix 
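Review bot: The `lib.mkBefore` script runs `mkdir -p /run/keycloak` and `keytool -import` under the service's own user (keycloak is declared `isSystemUser` below) and `/run` is root-owned, so unless the NixOS module already provides the directory, the `mkdir` fails; `serviceConfig.RuntimeDirectory = "keycloak";` gives the unit an owned `/run/keycloak` without the shell step. The `if [[ ! -e ... ]]` guard also means a renewed certificate is never re-imported while the host stays up, because `id` is the resource id and does not change on renewal, so the store goes stale until reboot; import unconditionally into a fresh file (`rm -f` then `keytool -import`) or derive the filename from the certificate contents. Keycloak's `https-key-store-file` normally holds the server's private key, whereas this store only receives `cert_path` via `-import`; if HTTPS on 8089 is unused (nginx proxies to plain HTTP), a comment stating that the store is a placeholder would help.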
@@ -13,26 +13,26 @@ in { deploy.tf.dns.records = mkMerge (map (domain: let - zoneGet = domain: if domain == "dork" then "dork.dev." else config.network.dns.zone; + zoneGet = domain: if domain == "dork" then "dork.dev." else config.networks.internet.zone; in { "services_mail_${domain}_autoconfig_cname" = { zone = zoneGet domain; domain = "autoconfig"; - cname = { inherit (config.network.addresses.public) target; }; + cname = { inherit (config.networks.internet) target; }; }; "services_mail_${domain}_mx" = { zone = zoneGet domain; mx = { priority = 10; - inherit (config.network.addresses.public) target; + inherit (config.networks.internet) target; }; }; "services_mail_${domain}_spf" = { zone = zoneGet domain; - txt.value = "v=spf1 ip4:${config.network.addresses.public.tf.ipv4.address} ip6:${config.network.addresses.public.tf.ipv6.address} -all"; + txt.value = "v=spf1 ip4:${config.networks.internet.ipv4} ip6:${config.networks.internet.ipv6} -all"; }; "services_mail_${domain}_dmarc" = { diff --git a/services/mail/dovecot.nix b/services/mail/dovecot.nix index 8a14aa6d..7972140e 100644 --- a/services/mail/dovecot.nix +++ b/services/mail/dovecot.nix @@ -40,23 +40,19 @@ let ''; in { - security.acme.certs.dovecot_domains = { - inherit (config.network.dns) domain; - group = "postfix"; - dnsProvider = "rfc2136"; - credentialsFile = config.secrets.files.dns_creds.path; - postRun = "systemctl restart dovecot2"; - extraDomainNames = - [ - config.network.dns.domain - "mail.${config.network.dns.domain}" - config.network.addresses.public.domain - "dork.dev" - ]; - }; + networks.internet.extra_domains = [ + "mail.kittywit.ch" + "dork.dev" + ]; + + users.groups.domain_auth.members = [ + "postfix" + "dovecot2" + ]; services.dovecot2 = { enable = true; + group = "domain_auth"; enableImap = true; enableLmtp = true; enablePAM = false; 
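Review bot: The group created here is `domain_auth` (underscore), but the secrets in nixos/network.nix are owned by group `domain-auth` (hyphen) with `mode = "0440"`, and every other service in this commit (keycloak, murmur, openldap, syncplay) joins `domain-auth`; as written, `postfix` and `dovecot2` land in a separate group that owns nothing and are not entitled to read the key and chain files. Both daemons typically open TLS material as root before dropping privileges, so this may work by accident, but it should read `users.groups.domain-auth.members = [ "postfix" "dovecot2" ];` and `group = "domain-auth";`. Dropping the ACME entry also removes `postRun = "systemctl restart dovecot2"`, and nothing in this hunk restarts Dovecot when the certificate secret is renewed; unless the secrets mechanism does that, add a `systemd.services.dovecot2.restartTriggers` entry keyed on the certificate secret.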
@@ -99,7 +95,7 @@ in } protocol lmtp { postmaster_address=postmaster@kittywit.ch - hostname=${config.network.addresses.public.domain} + hostname=${config.networks.internet.domain_dotless} mail_plugins = $mail_plugins sieve } service auth { @@ -198,7 +194,7 @@ in sed -e "s!@ldap-password@!$(<${config.secrets.files.dovecot-ldap-password.path})!" ${ldapConfig-services} > /run/dovecot2/ldap-services.conf ''; - networking.firewall.allowedTCPPorts = [ + networks.internet.tcp = [ 143 # imap 993 # imaps 4190 # sieve diff --git a/services/mail/postfix.nix b/services/mail/postfix.nix index 687f381e..7ba9421b 100644 --- a/services/mail/postfix.nix +++ b/services/mail/postfix.nix @@ -1,9 +1,9 @@ { pkgs, lib, config, tf, ... }: let - publicCert = "public_${config.networking.hostName}"; + publicCert = "daiyousei.kittywit.ch"; - ldaps = "ldaps://auth.${config.network.dns.domain}:636"; + ldaps = "ldaps://auth.${config.networks.internet.domain_dotless}:636"; virtualRegex = pkgs.writeText "virtual-regex" '' /^kat\.[^@.]+@kittywit\.ch$/ kat@kittywit.ch @@ -13,8 +13,8 @@ let ''; helo_access = pkgs.writeText "helo_access" '' - ${if tf.state.enable then config.network.addresses.public.nixos.ipv4.selfaddress else ""} REJECT Get lost - you're lying about who you are - ${if tf.state.enable then config.network.addresses.public.nixos.ipv6.selfaddress else ""} REJECT Get lost - you're lying about who you are + ${if tf.state.enable then config.networks.internet.ipv4 else ""} REJECT Get lost - you're lying about who you are + ${if tf.state.enable then config.networks.internet.ipv6 else ""} REJECT Get lost - you're lying about who you are kittywit.ch REJECT Get lost - you're lying about who you are dork.dev REJECT Get lost - you're lying about who you are ''; @@ -24,8 +24,6 @@ in { field = "password"; }; - services.redis.enable = true; - secrets.files = { domains-ldap = { text = '' 
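Review bot: `publicCert` becomes the literal `"daiyousei.kittywit.ch"` while the TLS file paths later in this file are built from `config.networking.hostName` and the `acme-${publicCert}` unit references are removed, so the binding appears to have no remaining use and is one host rename away from being wrong. Either drop it or use it consistently: `publicCert = "${config.networking.hostName}.kittywit.ch";` and `config.secrets.files."${publicCert}-cert".path` / `"${publicCert}-key"` in the `smtpd_tls_*` lines. Whether another use survives outside the shown hunks cannot be verified here.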
@@ -92,8 +90,8 @@ in { services.postfix = { enable = true; enableSubmission = true; - hostname = config.network.addresses.public.domain; - domain = config.network.dns.domain; + hostname = config.networks.internet.domain_dotless; + domain = "kittywit.ch"; masterConfig."465" = { type = "inet"; @@ -117,7 +115,7 @@ in { extraConfig = '' smtp_bind_address = ${if tf.state.enable then tf.resources.${config.networking.hostName}.getAttr "private_ip" else ""} - smtp_bind_address6 = ${if tf.state.enable then config.network.addresses.public.nixos.ipv6.selfaddress else ""} + smtp_bind_address6 = ${if tf.state.enable then config.networks.internet.ipv6 else ""} mailbox_transport = lmtp:unix:private/dovecot-lmtp masquerade_domains = ldap:${config.secrets.files.domains-ldap.path} virtual_mailbox_domains = ldap:${config.secrets.files.domains-ldap.path} @@ -146,9 +144,9 @@ in { smtpd_tls_security_level = may smtpd_tls_auth_only = yes - smtpd_tls_cert_file = /var/lib/acme/${publicCert}/full.pem - smtpd_tls_key_file = /var/lib/acme/${publicCert}/key.pem - smtpd_tls_CAfile = /var/lib/acme/${publicCert}/fullchain.pem + smtpd_tls_cert_file = ${config.secrets.files."${config.networking.hostName}.kittywit.ch-cert".path} + smtpd_tls_key_file = ${config.secrets.files."${config.networking.hostName}.kittywit.ch-key".path} + smtpd_tls_CAfile = ${config.secrets.files."${config.networking.hostName}.kittywit.ch-cert".path} smtpd_tls_dh512_param_file = ${config.security.dhparams.params.postfix512.path} smtpd_tls_dh1024_param_file = ${config.security.dhparams.params.postfix2048.path} @@ -205,8 +203,8 @@ in { ''; }; - systemd.services.postfix.wants = [ "openldap.service" "acme-${publicCert}.service" ]; - systemd.services.postfix.after = [ "openldap.service" "acme-${publicCert}.service" "network.target" ]; + systemd.services.postfix.wants = [ "openldap.service" ]; + systemd.services.postfix.after = [ "openldap.service" "network.target" ]; security.dhparams = { enable = true; 
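Review bot: `smtpd_tls_CAfile` now points at the same fullchain secret as `smtpd_tls_cert_file`; Postfix uses `smtpd_tls_CAfile` to verify client certificates and to advertise acceptable CA names, so unless `smtpd_tls_ask_ccert` is enabled elsewhere in the file the entry only duplicates the chain already in `smtpd_tls_cert_file`. Either remove it or comment the intent, e.g. `# CAfile only matters for client-cert verification; mirrors cert_file on purpose`. The key is read from a `0440`, group `domain-auth` secret, which works because Postfix loads TLS keys as root before chrooting, but note that this commit adds postfix only to the differently named `domain_auth` group in services/mail/dovecot.nix.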
@@ -214,7 +212,7 @@ in { params.postfix2048.bits = 1024; }; - networking.firewall.allowedTCPPorts = [ + networks.internet.tcp = [ 25 # smtp 465 # stmps 587 # submission diff --git a/services/mail/sogo.nix b/services/mail/sogo.nix index 4fe629a9..bef4c7e7 100644 --- a/services/mail/sogo.nix +++ b/services/mail/sogo.nix @@ -46,8 +46,8 @@ SOGoMailingMechanism = "smtp"; SOGoForceExternalLoginWithEmail = YES; SOGoSMTPAuthenticationType = PLAIN; - SOGoSMTPServer = "smtps://${config.network.addresses.public.domain}:465"; - SOGoIMAPServer = "imaps://${config.network.addresses.public.domain}:993"; + SOGoSMTPServer = "smtps://${config.networks.internet.domain_dotless}:465"; + SOGoIMAPServer = "imaps://${config.networks.internet.domain_dotless}:993"; SOGoUserSources = ( { type = ldap; diff --git a/services/murmur.nix b/services/murmur.nix index 314298d6..2402a5aa 100644 --- a/services/murmur.nix +++ b/services/murmur.nix @@ -65,8 +65,8 @@ in package = pkgs.murmur.override (old: { iceSupport = true; }); password = tf.variables.murmur-password.ref; extraConfig = '' - sslCert=/var/lib/acme/services_murmur/fullchain.pem - sslKey=/var/lib/acme/services_murmur/key.pem + sslCert=${config.networks.internet.cert_path} + sslKey=${config.networks.internet.key_path} ice="tcp -h 127.0.0.1 -p 6502" icesecretread=${tf.variables.murmur-ice.ref} icesecretwrite=${tf.variables.murmur-ice.ref} @@ -106,11 +106,10 @@ in networks.internet = { extra_domains = [ - "kittywit.ch" - "sync.kittywit.ch" "voice.kittywit.ch" ]; }; + users.groups."domain-auth".members = [ "murmur" ]; # Certs /* @@ -122,12 +121,6 @@ in extraDomainNames = [ config.networks.internet.dn ]; };*/ - domains.kittywitch-murmur = { - network = "internet"; - type = "cname"; - domain = "voice"; - }; - deploy.tf.dns.records = { services_murmur_tcp_srv = { inherit (config.networks.internet) zone; 
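Review bot: The commented-out certificate block ending just above the deleted `domains.kittywitch-murmur` entry (it opens outside this hunk) still reads `extraDomainNames = [ config.networks.internet.dn ];`, and `dn` is removed from nixos/network.nix in this same commit, so the comment now documents an option that no longer exists; since certificates are now taken from `networks.internet.cert_path`/`key_path` in the earlier hunk, delete the stale block instead of keeping it under `# Certs`. With the dedicated `domains` entry gone, `voice.kittywit.ch` is served only through `extra_domains`, which depends on the extra-domain record generator in nixos/network.nix producing the right host label.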
@@ -138,7 +131,7 @@ in priority = 0; weight = 5; port = 64738; - target = kittywitch-murmur.target; + inherit (config.networks.internet) target; }; }; @@ -151,7 +144,7 @@ in priority = 0; weight = 5; port = 64738; - target = kittywitch-murmur.target; + inherit (config.networks.internet) target; }; }; }; diff --git a/services/openldap/default.nix b/services/openldap/default.nix index edc9448c..bc2e788d 100644 --- a/services/openldap/default.nix +++ b/services/openldap/default.nix @@ -1,6 +1,7 @@ { config, pkgs, tf, lib, ... }: with lib; { networks.internet.tcp = [ 636 ]; + users.groups.domain-auth.members = [ "openldap" ]; services.openldap = { enable = true; urlList = [ "ldap:///" "ldaps:///" ]; @@ -9,9 +10,9 @@ objectClass = "olcGlobal"; cn = "config"; olcPidFile = "/run/slapd/slapd.pid"; - olcTLSCACertificateFile = "/var/lib/acme/domain-auth/fullchain.pem"; - olcTLSCertificateFile = "/var/lib/acme/domain-auth/cert.pem"; - olcTLSCertificateKeyFile = "/var/lib/acme/domain-auth/key.pem"; + olcTLSCACertificateFile = config.domains.kittywitch-keycloak.cert_path; + olcTLSCertificateFile = config.domains.kittywitch-keycloak.cert_path; + olcTLSCertificateKeyFile = config.domains.kittywitch-keycloak.key_path; }; children = { "cn=module" = { @@ -72,7 +73,7 @@ attrs = { objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; olcDatabase = "{1}mdb"; - olcDbDirectory = "/var/db/ldap"; + olcDbDirectory = "/var/lib/openldap/db"; olcSuffix = "dc=kittywit,dc=ch"; olcRootDN = "cn=root,dc=kittywit,dc=ch"; olcRootPW.path = config.secrets.files.openldap-root-password-file.path; diff --git a/services/prosody.nix b/services/prosody.nix index 8997cb40..b415f2c7 100644 --- a/services/prosody.nix +++ b/services/prosody.nix 
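Review bot: slapd's TLS identity is now taken from `config.domains.kittywitch-keycloak`, i.e. the certificate services/keycloak.nix requests for `auth.kittywit.ch`; this module therefore evaluates only when keycloak.nix is imported on the same host, and a later change to the Keycloak domain silently changes the name slapd presents on 636. Consider moving the `auth` domain entry into a shared module both services import and referencing that, or at minimum a comment here stating the deliberate coupling, e.g. `# TLS identity is shared with keycloak's auth.<zone> certificate`. `olcTLSCACertificateFile` is set to the server's own chain, which is fine for a publicly issued certificate but deserves a one-line comment because slapd also uses it to verify client certificates.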
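Review bot: Moving `olcDbDirectory` from `/var/db/ldap` to `/var/lib/openldap/db` changes where the MDB files live without anything in this hunk migrating the existing data or creating the directory, so on the next activation slapd either starts with an empty directory (losing the existing entries) or fails if the path does not exist with `openldap`-owned permissions. Confirm the NixOS openldap module declares that path, or add `systemd.tmpfiles.rules = [ "d /var/lib/openldap/db 0700 openldap openldap -" ];`, and copy the contents of `/var/db/ldap` across before deploying.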
@@ -52,10 +52,10 @@ with lib; ''; virtualHosts = { "xmpp.kittywit.ch" = { - domain = config.network.dns.domain; + domain = "kittywit.ch"; enabled = true; - ssl.cert = "/var/lib/acme/prosody/fullchain.pem"; - ssl.key = "/var/lib/acme/prosody/key.pem"; + ssl.cert = config.networks.internet.cert_path; + ssl.key = config.networks.internet.key_path; }; }; muc = [{ domain = "conference.kittywit.ch"; }]; @@ -66,7 +66,7 @@ with lib; deploy.tf.dns.records = { services_prosody_muc = { - inherit (config.domains.kittywitch-prosody) zone; + inherit (config.networks.internet) zone; domain = "conference"; srv = { service = "xmpp-server"; @@ -74,12 +74,12 @@ with lib; priority = 0; weight = 5; port = 5269; - target = config.domains.kittywitch-prosody.target; + target = config.networks.internet.target; }; }; services_prosody_client_srv = { - inherit (config.domains.kittywitch-prosody) zone; + inherit (config.networks.internet) zone; domain = "@"; srv = { service = "xmpp-client"; @@ -87,12 +87,12 @@ with lib; priority = 0; weight = 5; port = 5222; - target = config.domains.kittywitch-prosody.target; + target = config.networks.internet.target; }; }; services_prosody_secure_client_srv = { - inherit (config.domains.kittywitch-prosody) zone; + inherit (config.networks.internet) zone; domain = "@"; srv = { service = "xmpps-client"; @@ -100,12 +100,12 @@ with lib; priority = 0; weight = 5; port = 5223; - target = config.domains.kittywitch-prosody.target; + target = config.networks.internet.target; }; }; services_prosody_server_srv = { - inherit (config.domains.kittywitch-prosody) zone; + inherit (config.networks.internet) zone; domain = "@"; srv = { service = "xmpp-server"; @@ -113,7 +113,7 @@ with lib; priority = 0; weight = 5; port = 5269; - target = config.domains.kittywitch-prosody.target; + target = config.networks.internet.target; }; }; }; diff --git a/services/synapse.nix b/services/synapse.nix index 154e2b50..0a41defb 100644 --- a/services/synapse.nix +++ b/services/synapse.nix 
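Review bot: `ssl.cert`/`ssl.key` now point at the `0440`, group `domain-auth` network secrets, but unlike murmur, openldap and syncplay this commit does not add `prosody` to `users.groups.domain-auth.members`; unless that happens in a part of the file not shown, Prosody, which runs as its own user from the start and opens the key itself, cannot read it and the XMPP listeners come up without TLS or fail. Add `users.groups.domain-auth.members = [ "prosody" ];` alongside this change. `domain = "kittywit.ch";` is also a literal where the rest of the commit derives names from `config.networks.internet` (`zone`, `target`, `domain_dotless`); `removeSuffix "." config.networks.internet.zone` would keep it consistent.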
@@ -228,7 +228,7 @@ CONFIG = { settings = { homeserver = { address = "https://kittywit.ch"; - domain = config.network.dns.domain; + domain = "kittywit.ch"; }; appservice = { provisioning.enabled = false; @@ -294,7 +294,7 @@ CONFIG = { }; domains.kittywitch-matrix = { - inherit (config.networks.internet) target; + network = "internet"; type = "cname"; domain = "matrix"; }; @@ -323,7 +323,7 @@ CONFIG = { locations = { "/_matrix" = { proxyPass = "http://[::1]:8008"; }; "= /.well-known/matrix/server".extraConfig = - let server = { "m.server" = "${config.network.dns.domain}:443"; }; + let server = { "m.server" = "kittywit.ch:443"; }; in '' add_header Content-Type application/json; diff --git a/services/syncplay.nix b/services/syncplay.nix index 9ae8fb1c..01299b54 100644 --- a/services/syncplay.nix +++ b/services/syncplay.nix @@ -15,19 +15,10 @@ with lib; field = fieldAdapt field; }) [ "pass" "salt" ]; - users.users.syncplay = { isSystemUser = true; group = "sync-cert"; }; + users.users.syncplay = { isSystemUser = true; group = "domain-auth"; }; users.groups."domain-auth".members = [ "syncplay" ]; - security.acme = { - certs."kittywit.ch" = { - postRun = '' - cp key.pem privkey.pem - chown acme:voice-cert privkey.pem - ''; - }; - }; - networks.internet.tcp = [ 8999 ]; domains.kittywitch-syncplay = { 
@@ -42,20 +33,33 @@ with lib; SYNCPLAY_SALT=${tf.variables.syncplay-salt.ref} ''; owner = "syncplay"; - group = "sync-cert"; + group = "domain-auth"; + }; + + systemd.tmpfiles.rules = [ + "d /var/lib/syncplay 0711 syncplay domain-auth 90" + ]; + + networks.internet = { + extra_domains = [ + "sync.kittywit.ch" + ]; }; systemd.services.syncplay = { description = "Syncplay Service"; wantedBy = singleton "multi-user.target"; after = singleton "network-online.target"; - + preStart = '' + cp ${config.networks.internet.cert_path} /var/lib/syncplay/fullchain.pem + cp ${config.networks.internet.key_path} /var/lib/syncplay/privkey.pem + ''; serviceConfig = { EnvironmentFile = config.secrets.files.syncplay-env.path; ExecStart = - "${pkgs.syncplay}/bin/syncplay-server --port 8999 --tls /var/lib/acme/sync.${config.network.dns.domain}/ --disable-ready"; + "${pkgs.syncplay}/bin/syncplay-server --port 8999 --tls /var/lib/syncplay --disable-ready"; User = "syncplay"; - Group = "sync-cert"; + Group = "domain-auth"; }; }; } diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix index de34fbf8..b0058914 100644 --- a/services/vaultwarden.nix +++ b/services/vaultwarden.nix @@ -68,7 +68,7 @@ }; domains.kittywitch-vault = { - inherit (config.networks.internet) target; + network = "internet"; type = "cname"; domain = "vault"; }; diff --git a/services/website.nix b/services/website.nix index 6b4d22d8..b677ab0a 100644 --- a/services/website.nix +++ b/services/website.nix @@ -4,8 +4,6 @@ services.nginx.virtualHosts = { "kittywit.ch" = { root = pkgs.gensokyoZone; - enableACME = true; - forceSSL = true; }; }; } diff --git a/services/weechat.nix b/services/weechat.nix index 96bb737e..e3b2d605 100644 --- a/services/weechat.nix +++ b/services/weechat.nix @@ -12,9 +12,9 @@ }; domains.kittywitch_irc = { + network = "internet"; domain = "irc"; type = "cname"; - inherit (config.networks.internet) target; }; } diff --git a/services/znc.nix b/services/znc.nix index a9416ac7..852e53fe 100644 
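Review bot: The tmpfiles rule `d /var/lib/syncplay 0711 syncplay domain-auth 90` sets an age of 90 (seconds when no unit is given), so every `systemd-tmpfiles --clean` run deletes `fullchain.pem`/`privkey.pem` from the directory once they are older than 90 s; the effect is mostly latent because `preStart` recreates them on each start, but it is surprising and the field is almost certainly meant to be `-`: `"d /var/lib/syncplay 0711 syncplay domain-auth -"`. The `preStart` copies also create a second on-disk copy of the private key; `cp` keeps the source mode (0440) under the default umask, but an explicit `chmod 0440 /var/lib/syncplay/privkey.pem` after the copy makes that intent visible, and the directory does not need the world-execute bit (`0710` suffices for the service user and group).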
--- a/services/znc.nix
+++ b/services/znc.nix
@@ -127,10 +127,10 @@ in
 locations = { "/".proxyPass = "http://127.0.0.1:5002"; };
 };
- deploy.tf.dns.records.services_znc = {
- inherit (config.network.dns) zone;
+ domains.kittywitch_znc = {
+ network = "internet";
+ type = "cname";
 domain = "znc";
- cname = { inherit (config.network.addresses.public) target; };
 };
 services.znc = {
diff --git a/tf b/tf
index c281c5cf..6a4d5a1c 160000
--- a/tf
+++ b/tf
@@ -1 +1 @@
-Subproject commit c281c5cfbf4529748948974e8f85dd3db8e24995
+Subproject commit 6a4d5a1c8ff9ba3a89be70f4a45131c495999038