From e642b3879c1eeb3a86eb8c42acfb3fcf1a018d39 Mon Sep 17 00:00:00 2001
From: Kat Inskip
Date: Tue, 25 Apr 2023 16:33:32 -0700
Subject: [PATCH] [MATRIX, WEB SERVERS] Improvements, DNS-01
---
 nixos/roles/matrix-server/nginx.nix | 37 ++++++++
 nixos/roles/matrix-server/role.nix | 92 -------------------
 nixos/roles/matrix-server/secrets.nix | 10 ++
 nixos/roles/matrix-server/synapse.nix | 43 +++++++++
 nixos/roles/postgres-server.nix | 3 +
 nixos/roles/server.nix | 2 +
 nixos/roles/web-server/acme.nix | 15 +++
 nixos/roles/web-server/firewall.nix | 6 ++
 .../{web-server.nix => web-server/nginx.nix} | 2 -
 nixos/roles/web-server/scalpel.nix | 18 ++++
 nixos/roles/web-server/secrets.nix | 13 +++
 nixos/roles/web-server/secrets.yaml | 43 +++++++++
 systems/yukari.nix | 1 +
 13 files changed, 191 insertions(+), 94 deletions(-)
 create mode 100644 nixos/roles/matrix-server/nginx.nix
 delete mode 100644 nixos/roles/matrix-server/role.nix
 create mode 100644 nixos/roles/matrix-server/secrets.nix
 create mode 100644 nixos/roles/matrix-server/synapse.nix
 create mode 100644 nixos/roles/postgres-server.nix
 create mode 100644 nixos/roles/web-server/acme.nix
 create mode 100644 nixos/roles/web-server/firewall.nix
 rename nixos/roles/{web-server.nix => web-server/nginx.nix} (79%)
 create mode 100644 nixos/roles/web-server/scalpel.nix
 create mode 100644 nixos/roles/web-server/secrets.nix
 create mode 100644 nixos/roles/web-server/secrets.yaml
diff --git a/nixos/roles/matrix-server/nginx.nix b/nixos/roles/matrix-server/nginx.nix
new file mode 100644
index 00000000..6baa3b61
--- /dev/null
+++ b/nixos/roles/matrix-server/nginx.nix 
@@ -0,0 +1,37 @@
+{config, ...}: let
+ fqdn = "${config.networking.hostName}.${config.networking.domain}";
+ clientConfig = {
+ "m.homeserver".base_url = "https://${fqdn}";
+ "m.identity_server".base_url = "https://vector.im";
+ };
+ serverConfig."m.server" = "${fqdn}:443";
+ mkWellKnown = data: ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+in {
+ services.nginx = {
+ virtualHosts = {
+ "kittywit.ch" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ };
+ "${fqdn}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".extraConfig = ''
+ return 404;
+ '';
+ locations."/_matrix".proxyPass = "http://[::1]:8008";
+ locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+ extraConfig = ''
+ http2_max_requests 100000;
+ keepalive_requests 100000;
+ '';
+ };
+ };
+ };
+}
diff --git a/nixos/roles/matrix-server/role.nix b/nixos/roles/matrix-server/role.nix
deleted file mode 100644
index ecd6bf5a..00000000
--- a/nixos/roles/matrix-server/role.nix
+++ /dev/null 
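Review bot: The `${fqdn}` vhost proxies `/_matrix` to Synapse without raising nginx's request-body limit, while synapse.nix sets `max_upload_size = "512M"`; if I recall the NixOS module correctly, `services.nginx.clientMaxBodySize` defaults to 10m, so media uploads above that are rejected by nginx with a 413 before Synapse ever sees them. Add `client_max_body_size 512M;` to the existing `extraConfig` block of that vhost (or set `services.nginx.clientMaxBodySize` in the web-server role) so the two limits agree. The `Access-Control-Allow-Origin *` on the two well-known locations is what Matrix clients require and is fine here, as those responses carry no credentials.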
@@ -1,92 +0,0 @@
-{
- lib,
- config,
- ...
-}: let
- inherit (lib.modules) mkDefault;
- fqdn = "${config.networking.hostName}.${config.networking.domain}";
- clientConfig = {
- "m.homeserver".base_url = "https://${fqdn}";
- "m.identity_server".base_url = "https://vector.im";
- };
- serverConfig."m.server" = "${fqdn}:443";
- mkWellKnown = data: ''
- add_header Content-Type application/json;
- add_header Access-Control-Allow-Origin *;
- return 200 '${builtins.toJSON data}';
- '';
-in {
- sops.secrets.matrix_shared_registration_secret = {
- format = "yaml";
- sopsFile = ./secrets.yaml;
- };
-
- scalpels = [
- ./scalpel.nix
- ];
-
- services.postgresql.enable = true;
-
- services.nginx = {
- virtualHosts = {
- "kittywit.ch" = {
- enableACME = true;
- forceSSL = true;
- locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
- locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
- };
- "${fqdn}" = {
- enableACME = true;
- forceSSL = true;
- locations."/".extraConfig = ''
- return 404;
- '';
- locations."/_matrix".proxyPass = "http://[::1]:8008";
- locations."/_synapse/client".proxyPass = "http://[::1]:8008";
- extraConfig = ''
- http2_max_requests 100000;
- keepalive_requests 100000;
- '';
- };
- };
- };
-
- services.matrix-synapse = {
- enable = true;
- settings = {
- server_name = "kittywit.ch";
- max_upload_size = "512M";
- rc_messages_per_second = mkDefault 0.1;
- rc_message_burst_count = mkDefault 25;
- public_baseurl = "https://${fqdn}";
- url_preview_enabled = mkDefault true;
- enable_registration = mkDefault false;
- enable_metrics = mkDefault false;
- report_stats = mkDefault false;
- dynamic_thumbnails = mkDefault true;
- registration_shared_secret = "!!MATRIX_SHARED_REGISTRATION_SECRET!!";
- allow_guest_access = mkDefault true;
- suppress_key_server_warning = mkDefault true;
- listeners = [
- {
- port = 8008;
- bind_addresses = ["::1"];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- names = ["client" "federation"];
- compress = true;
- }
- ];
- }
- ];
- };
- };
-
- security.acme = {
- email = "acme@inskip.me";
- acceptTerms = true;
- };
-}
diff --git a/nixos/roles/matrix-server/secrets.nix b/nixos/roles/matrix-server/secrets.nix
new file mode 100644
index 00000000..50ec8a8b
--- /dev/null
+++ b/nixos/roles/matrix-server/secrets.nix
@@ -0,0 +1,10 @@
+_: {
+ sops.secrets.matrix_shared_registration_secret = {
+ format = "yaml";
+ sopsFile = ./secrets.yaml;
+ };
+
+ scalpels = [
+ ./scalpel.nix
+ ];
+}
diff --git a/nixos/roles/matrix-server/synapse.nix b/nixos/roles/matrix-server/synapse.nix
new file mode 100644
index 00000000..171f6433
--- /dev/null
+++ b/nixos/roles/matrix-server/synapse.nix
@@ -0,0 +1,43 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ inherit (lib.modules) mkDefault;
+ fqdn = "${config.networking.hostName}.${config.networking.domain}";
+in {
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ server_name = "kittywit.ch";
+ max_upload_size = "512M";
+ rc_messages_per_second = mkDefault 0.1;
+ rc_message_burst_count = mkDefault 25;
+ rc_invites.per_user.per_second = 0.5;
+ public_baseurl = "https://${fqdn}";
+ url_preview_enabled = mkDefault true;
+ enable_registration = mkDefault false;
+ enable_metrics = mkDefault false;
+ report_stats = mkDefault false;
+ dynamic_thumbnails = mkDefault true;
+ registration_shared_secret = "!!MATRIX_SHARED_REGISTRATION_SECRET!!";
+ allow_guest_access = mkDefault true;
+ suppress_key_server_warning = mkDefault true;
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = ["::1"];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = ["client" "federation"];
+ compress = true;
+ }
+ ];
+ }
+ ];
+ };
+ };
+}
diff --git a/nixos/roles/postgres-server.nix b/nixos/roles/postgres-server.nix
new file mode 100644
index 00000000..86f8bdc0
--- /dev/null
+++ b/nixos/roles/postgres-server.nix
@@ -0,0 +1,3 @@
+_: {
+ services.postgresql.enable = true;
+} 
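Review bot: synapse.nix no longer carries the `services.postgresql.enable = true;` that the deleted role.nix had, so the matrix-server role now silently depends on the host also importing postgres-server (systems/yukari.nix adds it) with nothing declaring that dependency; a host that lists matrix-server alone would presumably end up with a Synapse service and no database. Either re-add that one line to this module or make the coupling explicit, e.g. `assertions = [{ assertion = config.services.postgresql.enable; message = "matrix-server requires the postgres-server role"; }];`. Separately, the new `rc_invites.per_user.per_second = 0.5;` is the only settings value not wrapped in `mkDefault`, unlike every neighbouring rate limit; `rc_invites.per_user.per_second = mkDefault 0.5;` keeps it overridable per host in the same way.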
diff --git a/nixos/roles/server.nix b/nixos/roles/server.nix
index af0bf288..71f34c19 100644
--- a/nixos/roles/server.nix
+++ b/nixos/roles/server.nix
@@ -16,4 +16,6 @@ in {
 services.tailscale = {
 enable = true;
 };
+
+ programs.mosh.enable = true;
 }
diff --git a/nixos/roles/web-server/acme.nix b/nixos/roles/web-server/acme.nix
new file mode 100644
index 00000000..e23b31ed
--- /dev/null
+++ b/nixos/roles/web-server/acme.nix
@@ -0,0 +1,15 @@
+_: {
+ environment.etc."ssl/credentials_template".text = ''
+ CF_API_EMAIL=!!CLOUDFLARE_EMAIL!!
+ CF_DNS_API_TOKEN=!!CLOUDFLARE_TOKEN!!
+ CF_ZONE_API_TOKEN=!!CLOUDFLARE_TOKEN!!
+ '';
+
+ security.acme = {
+ defaults = {
+ dnsProvider = "cloudflare";
+ email = "acme@inskip.me";
+ };
+ acceptTerms = true;
+ };
+}
diff --git a/nixos/roles/web-server/firewall.nix b/nixos/roles/web-server/firewall.nix
new file mode 100644
index 00000000..dae4ea0e
--- /dev/null
+++ b/nixos/roles/web-server/firewall.nix
@@ -0,0 +1,6 @@
+_: {
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+}
diff --git a/nixos/roles/web-server.nix b/nixos/roles/web-server/nginx.nix
similarity index 79%
rename from nixos/roles/web-server.nix
rename to nixos/roles/web-server/nginx.nix
index d610d784..cf0fbe39 100644
--- a/nixos/roles/web-server.nix
+++ b/nixos/roles/web-server/nginx.nix
@@ -6,6 +6,4 @@ _: {
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 };
-
- networking.firewall.allowedTCPPorts = [80 443];
 }
diff --git a/nixos/roles/web-server/scalpel.nix b/nixos/roles/web-server/scalpel.nix
new file mode 100644
index 00000000..8096cbb2
--- /dev/null
+++ b/nixos/roles/web-server/scalpel.nix 
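Review bot: `programs.mosh.enable = true;` does more than install a client on this server role: if I recall the NixOS module correctly, its `openFirewall` option defaults to true, so this one line also opens the mosh UDP port range (60000–61000) on every interface of every host using the role. Since the same block already enables tailscale, decide explicitly whether that public exposure is wanted and record it, e.g. `programs.mosh.openFirewall = false; # reach mosh over tailscale only`, or a comment stating that the public UDP range is intentional. The enclosing attribute set starts outside the hunk.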
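Review bot: The template under `environment.etc."ssl/credentials_template"` feeds the same secret into both `CF_DNS_API_TOKEN` and `CF_ZONE_API_TOKEN`, but nothing records what that token is allowed to do; with DNS-01 this token is the credential that can rewrite DNS for every zone it covers, so its scope matters more than the ACME account email next to it. Add a comment above the template stating the intended least-privilege scope, something like `# Cloudflare API token: Zone:Read + Zone:DNS:Edit, restricted to the zone(s) certificates are issued for; no account-level permissions`, so the next rotation keeps that scope. Note also that, as far as I remember lego's cloudflare provider, `CF_API_EMAIL` is only consulted on the legacy global-API-key path and is ignored when a scoped token is supplied, so `cloudflare_email` may not need to be a sops secret at all.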
@@ -0,0 +1,18 @@
+{
+ lib,
+ config,
+ pkgs,
+ prev,
+ ...
+}: {
+ scalpel.trafos."credentials_file" = {
+ source = "/etc/ssl/credentials_template";
+ matchers."CLOUDFLARE_EMAIL".secret = config.sops.secrets.cloudflare_email.path;
+ matchers."CLOUDFLARE_TOKEN".secret = config.sops.secrets.cloudflare_token.path;
+ owner = "acme";
+ group = "acme";
+ mode = "0440";
+ };
+
+ security.acme.defaults.credentialsFile = config.scalpel.trafos."credentials_file".destination;
+}
diff --git a/nixos/roles/web-server/secrets.nix b/nixos/roles/web-server/secrets.nix
new file mode 100644
index 00000000..cb35bea8
--- /dev/null
+++ b/nixos/roles/web-server/secrets.nix
@@ -0,0 +1,13 @@
+_: let
+ secretConfig = {
+ format = "yaml";
+ sopsFile = ./secrets.yaml;
+ };
+in {
+ sops.secrets.cloudflare_email = secretConfig;
+ sops.secrets.cloudflare_token = secretConfig;
+
+ scalpels = [
+ ./scalpel.nix
+ ];
+}
diff --git a/nixos/roles/web-server/secrets.yaml b/nixos/roles/web-server/secrets.yaml
new file mode 100644
index 00000000..d48fb6e7
--- /dev/null
+++ b/nixos/roles/web-server/secrets.yaml 
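Review bot: The module header at the top of scalpel.nix binds `lib`, `pkgs` and `prev`, but the body only ever reads `config`; the unused arguments look copied from another scalpel file and obscure what this module actually depends on. Trim it to `{config, ...}: {`. The trafo itself is sound from a least-privilege standpoint: the rendered credentials file is owned `acme:acme` with mode `0440`, and the sops secrets it substitutes keep whatever default (presumably root-only) permissions sops-nix gives them, since the web-server secrets.nix sets no owner or mode on `cloudflare_email` and `cloudflare_token`.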
@@ -0,0 +1,43 @@ +cloudflare_email: ENC[AES256_GCM,data:fwcHkWRqH3hEPDbFmA==,iv:He6yJHpD9oXrZSHPJKL7mnkRWm621HRj2cS6qLSn6aI=,tag:lON1D+55zSiJQljTox2JKQ==,type:str] +cloudflare_token: ENC[AES256_GCM,data:gEiJNdzrQhHMRFLHZ5ZMe2T6VyZgMnXfufbu6LbtiVyQST53TBo7pQ==,iv:a/J6bUZbHQIQBRy8DV7MJe4TffElFBlDRAm3/j5E9hQ=,tag:n/07dZNyBWNpFKQCctkuBw==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVG5kTUFmcHdZNmtUZlFO + Mm9wWVV5NkdRb1hCZmNyZDU5Y3UxZ2NRSGxnCjl0QktuWHgzTk1lQW9hQUxzVzdU + QllDZXcvYVJVVnliQ3BCcFhIeWRGdjQKLS0tIFplZzdnMmx2RS9TbEZESHVnSHlP + VDM0QUcyeVBmRzdyUHNrTUVablcyY2cK4WD0mB/EvZNmagFMq1kZz8y5M9mdHxwB + o44D7JYE31czIpM/CJTfjsxG4NlQn//H48W60edSZPFHwIDNzjnbLA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-25T23:06:23Z" + mac: ENC[AES256_GCM,data:w+3/oRHEdhUG7jUlRfMDtjY1W1ybyIlINopzuxLxvLWj6yTVA8/D8mp99V3kg7MvKBWW43hA0mQ+MkH8EtPfEDIXZKaMvmY89mKygc2FMGrFcgHVV9zg3qqxk84Zp1lg8+G4gwsgRuNAumFHrlvgCsZUVqEZGjy+cf+R4Dpmw2s=,iv:ax1E/PcwQ0ZcXlsdwY0hQvRp6b38o4qfEhNQASuxQoM=,tag:zEthuo4DoG/1DX28aogntw==,type:str] + pgp: + - created_at: "2023-04-25T23:00:27Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ//fd8bxMcv1cIrBPEc1w0LKWaQtpeRhHmVOaU+DdHvzo5L + ++aw+pe8Tz/+D5lfz67Aw0U3R4eBrBnjetZ5C+sjVHqrzaKEReddlk22dG0NF9JM + Ejepxo/G85PwWsC3cXgoBeJs2IqcWdAhtS6dH9GoiM4Wwhx0Am4JvLrvo9OJO7dR + ZpSGpBeC9OJGw+nkPLrwMK7dVtfx9JO5A1jdAvapGa+XwP8XxC31IhRHOH0hSwjQ + JQuQFOPz/MqjHb8eHuZa6GPUxjQTX5RN9RbvtRNI5h/fvQxNycQR4GETI/Y+P5Pb + r55+jgR8acJ8p/Z6R7uQLF5tbcHdtM2SY6ANDVgcoBoHe29hAXe6gpLzme54Wo3j + Cm/pt5+TS14uKGKiQjeHJ84EGUsOr+GL2Hpm1qu8VKSkznI19f3zyqcDNWQTYKJA + P5EGO4c4vMp2ihqnDqZC8FurKmzkFpFLgua+snNOd5rVy5kC8f8BA6lQyIdA5dOf + KHf1OjpfbwASr4RrHdNLKj8Z7bkJ+yQ7fmkP2z3uQjk7WveMVa+1r5GNaMk/wYUV + 
YUOl3TSZNuNaIOnqIqjTCYntbkuwliyenREB8GN1iZA8pCp/mEwa1zyvU6xP8x17 + zPhwveevs96GgZBK4QMLJfYoUD5wCaMuXKIvUGHvM653+eL+Fk6Z1v3lo9+pPC3S + XAEQAzvt47ZhTvQVzWHEnBh9KlsxC6hS0vqbdIddSGXYZ7vsQMszG2r8CNGAGjJ2 + OIq2LsKlrW1KVgrBCWrYnH6HxPi+t+TBVjgehAWZ6qiVoTkI09yNC9MarC64 + =4AdG + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/systems/yukari.nix b/systems/yukari.nix index a60fb5fc..9d0fac44 100644 --- a/systems/yukari.nix +++ b/systems/yukari.nix @@ -12,6 +12,7 @@ _: let ++ (with tree.nixos.roles; [ server web-server + postgres-server matrix-server ]);