From 049221505733174c7c91e4de1cc0e32bd29c5e60 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Mon, 15 Jul 2024 23:08:14 +0200 Subject: [PATCH 01/15] feat: adds matrix --- modules/services/violet.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/services/violet.nix b/modules/services/violet.nix index 74b86d7..21b656a 100644 --- a/modules/services/violet.nix +++ b/modules/services/violet.nix @@ -1,5 +1,6 @@ { ...}: { imports = - [(import ./iceshrimp.nix)]; + [(import ./iceshrimp.nix)] + ++ [(import ./matrix/default.nix)]; # ++ [(import ./tmux.nix)]; } From fe310e218fe38bfb0a5984b1024ac94181cea010 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Mon, 15 Jul 2024 23:16:09 +0200 Subject: [PATCH 02/15] fix: acme emails n stuff --- modules/services/matrix/default.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index fdd6bbe..6f8cb75 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -1,6 +1,6 @@ { pkgs, lib, config, ... }: let - fqdn = "quack.social"; + fqdn = "liv.town"; baseUrl = "https://${fqdn}"; clientConfig."m.homeserver".base_url = baseUrl; serverConfig."m.server" = "${fqdn}:443"; @@ -10,9 +10,10 @@ let return 200 '${builtins.toJSON data}'; ''; in { - #age.secrets.matrix-synapse = { - # file = "../../../secrets/matrix-synapse.age"; - #}; + security.acme = { + acceptTerms = true; + defaults.email = "ahwx@ahwx.org"; + }; services = { # postgresql.enable = true; From cfc7821a40e3693d48fa741074d304cf50ba1f19 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 16 Jul 2024 18:37:05 +0200 Subject: [PATCH 03/15] feat: adds wireguard connection for `violet` with keys in root --- modules/core/wireguard.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 modules/core/wireguard.nix diff --git a/modules/core/wireguard.nix b/modules/core/wireguard.nix new file mode 100644 index 0000000..7ca3965 
--- /dev/null +++ b/modules/core/wireguard.nix @@ -0,0 +1,18 @@ +{ ... }: +{ + networking.wg-quick.interfaces = { + wg0 = { + address = [ "10.7.0.2/24" "fddd:2c4:2c4:2c4::2/64" ]; + dns = [ "9.9.9.9" "149.112.112.112" ]; + privateKeyFile = "/root/wireguard-keys/privatekey"; + + peers = [{ + publicKey = "GfrFhe2JV8FS/711WAdx6CLF/QIEj1KoOGP/ErxBHkg="; + presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key"; + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + endpoint = "57.129.46.171:51820"; + persistentKeepalive = 25; + }]; + }; + }; +} From 602a886234ac578bb9e727df19ac4890d655304b Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 16 Jul 2024 18:41:59 +0200 Subject: [PATCH 04/15] feat: adds wireguard connection (2) --- modules/core/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/core/default.nix b/modules/core/default.nix index b7b9e22..4062d89 100644 --- a/modules/core/default.nix +++ b/modules/core/default.nix @@ -11,6 +11,7 @@ ++ [(import ./security.nix)] ++ [(import ./services.nix)] ++ [(import ./system.nix)] + ++ [(import ./wireguard.nix)] ++ [(import ./user.nix)]; # ++ [(import ./bluetooth.nix)] # ++ [(import ./yubikey.nix)] From 404036359af7c52e9b0a99a1d07711a875b7f28e Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 16 Jul 2024 18:42:50 +0200 Subject: [PATCH 05/15] fix: disable `cpu-autofreq` as it causes issues --- hosts/violet/default.nix | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/hosts/violet/default.nix b/hosts/violet/default.nix index 8ecee1a..953a68c 100644 --- a/hosts/violet/default.nix +++ b/hosts/violet/default.nix 
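Review bot: The private key and preshared key are read from `/root/wireguard-keys/…`, which nothing in this series provisions, so the tunnel depends on files placed by hand and those keys are the one piece of this host's config that is not declared with the rest; once agenix is wired in later in the series (PATCH 11), `privateKeyFile = config.age.secrets.<wg-key>.path;` (placeholder secret name, and the module header would need `config` in its argument set) keeps them managed alongside everything else. Separately, `allowedIPs = [ "0.0.0.0/0" "::/0" ]` makes wg0 the default route, and `modules/core/default.nix` imports this file (PATCH 04) while `hosts/violet/default.nix` imports `modules/core` — the same host that the other patches configure as the nginx/synapse endpoint; with a full-tunnel wg-quick setup, replies to inbound connections on the public interface will presumably be sent through the tunnel unless the peer routes them back, which is worth confirming before deploying, or the list can be narrowed to the peer network `10.7.0.0/24` if the tunnel is only meant to reach the peer.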
@@ -31,19 +31,19 @@ criticalPowerAction = "PowerOff"; }; - auto-cpufreq = { - enable = true; - settings = { - battery = { - governor = "powersave"; - turbo = "auto"; - }; - charger = { - governor = "performance"; - turbo = "auto"; - }; - }; - }; + # auto-cpufreq = { + # enable = true; + # settings = { + # battery = { + # governor = "powersave"; + # turbo = "auto"; + # }; + # charger = { + # governor = "performance"; + # turbo = "auto"; + # }; + # }; + # }; }; boot = { From 05a2f0a80f397a59ac37a62171e6b04fa1690548 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 16 Jul 2024 20:58:08 +0200 Subject: [PATCH 06/15] fix: comply with hsts --- modules/services/matrix/default.nix | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 6f8cb75..1454b40 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix 
@@ -31,6 +31,32 @@ in { recommendedOptimisation = true; recommendedGzipSettings = true; recommendedProxySettings = true; + + # Hardened TLS and HSTS preloading + appendHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Do not add HSTS header to HTTP requests. + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # This might create errors + # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + ''; + virtualHosts = { # If the A and AAAA DNS records on example.org do not point on the same host as the # records for myhostname.example.org, you can easily move the /.well-known From 62773f907cd9d2cd55d8a6494376f00a48c339ca Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 16 Jul 2024 21:10:44 +0200 Subject: [PATCH 07/15] feat: adds database for synapse --- modules/services/matrix/default.nix | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 1454b40..5fc51bd 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix 
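Review bot: The headers added here at the `http` level are silently dropped on any response from a `server` or `location` block that declares its own `add_header`, because nginx inherits `add_header` only when the inner level defines none; the `mkWellKnown` snippet earlier in this file emits `add_header Access-Control-Allow-Origin *;` inside its locations, so the `/.well-known/matrix/*` responses get no HSTS, framing or nosniff headers at all. The reliable pattern is to repeat the security headers in that snippet (or factor them into one shared `''…''` string included in both places) rather than rely on inheritance. Consider also `add_header Strict-Transport-Security $hsts_header always;` so the header is sent on 4xx/5xx responses too. Note that `includeSubdomains; preload` commits every subdomain of the fqdn to HTTPS-only once the domain is submitted to the preload list and is hard to reverse, so it is best left out until every subdomain is confirmed to serve HTTPS.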
@@ -94,14 +94,25 @@ in { }; }; + postgresql = { + enable = true; + initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + }; + matrix-synapse = { enable = true; settings = { - # database.name = "psycopg2"; - # database.args = { - # user = "matrix-synapse"; - # password = "synapse"; - # }; + database.name = "matrix-synapse"; + database.args = { + user = "matrix-synapse"; + password = "synapse"; + }; server_name = "${fqdn}"; public_baseurl = "https://${fqdn}"; enable_registration = false; From 4a1ce0d5387d3f20a2be16432d3134230d0b43e8 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 16 Jul 2024 21:12:32 +0200 Subject: [PATCH 08/15] fix: database type for synapse --- modules/services/matrix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 5fc51bd..2159542 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -108,7 +108,7 @@ in { matrix-synapse = { enable = true; settings = { - database.name = "matrix-synapse"; + database.name = "psycopg2"; database.args = { user = "matrix-synapse"; password = "synapse"; From ea868297bf6d93c76e54b8e91988e5b7e7beca79 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 16 Jul 2024 21:19:15 +0200 Subject: [PATCH 09/15] feat: adds database for `iceshrimp` --- modules/services/iceshrimp.nix | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/modules/services/iceshrimp.nix b/modules/services/iceshrimp.nix index edb3709..69dc2f7 100644 --- a/modules/services/iceshrimp.nix +++ b/modules/services/iceshrimp.nix 
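Review bot: The role password `'synapse'` is embedded in a `pkgs.writeText` file and again in `settings.database.args.password`, so it lands in the world-readable Nix store twice (the generated SQL file and the rendered homeserver.yaml) and in git history. If synapse runs as the `matrix-synapse` unix user and connects over the local socket, which I believe is the NixOS module's default, no password is needed at all, since the default NixOS postgresql `authentication` grants peer auth to local users: that would be `CREATE ROLE "matrix-synapse" WITH LOGIN;` and dropping the `password = "synapse";` line. If a password must stay, move it out of `settings` into a file loaded via `services.matrix-synapse.extraConfigFiles`, which the agenix work later in this series (PATCH 15) is the natural place for. Note also that `initialScript` runs only when the cluster is first initialised, so later edits to it do not change an existing database.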
@@ -2,12 +2,17 @@ { services = { - # redis.servers.iceshrimp = { - # enable = true; - # port = 6380; - # bind = "0.0.0.0"; - # settings.protected-mode = "no"; - # }; + postgresql = { + enable = true; + initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + }; + iceshrimp = { enable = true; From 79c682fa64d007c9ef4d27bd9c7f167c9cfd5bae Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 16 Jul 2024 21:19:55 +0200 Subject: [PATCH 10/15] hotfix: remove `Access-Control-Allow-Origin *` header --- modules/services/matrix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 2159542..4c96601 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -6,7 +6,7 @@ let serverConfig."m.server" = "${fqdn}:443"; mkWellKnown = data: '' default_type application/json; - add_header Access-Control-Allow-Origin *; + # add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON data}'; ''; in { From ae12f8abdcb2c94d221c5a1f1c046fa68442a9cd Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 16 Jul 2024 21:35:36 +0200 Subject: [PATCH 11/15] feat: adds agenix to `violet` --- flake.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index ca21552..08fa9a6 100644 --- a/flake.nix +++ b/flake.nix @@ -37,7 +37,7 @@ }; }; - outputs = { nixpkgs, self, agenix, iceshrimp, catppuccin, ...} @ inputs: + outputs = { nixpkgs, self, agenix, iceshrimp, , ...} @ inputs: let selfPkgs = import ./pkgs; username = "liv"; 
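Review bot: The postgresql block pasted into iceshrimp.nix is the synapse one verbatim — the script is still named `synapse-init.sql` and creates the `matrix-synapse` role and database — so despite the subject line nothing here provisions an iceshrimp role or database. `services.postgresql.initialScript` is a single-valued option, so this second definition presumably has to evaluate to the same value as the one in matrix/default.nix or the module system rejects the conflicting definitions, and either way it only runs on first cluster initialisation. Either drop the block or give iceshrimp its own role and database with a distinct script name and a credential that is not checked in. The file's function header (line 1) is outside the hunk, so whether `pkgs` is bound there cannot be seen here.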
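Review bot: Commenting out `add_header Access-Control-Allow-Origin *;` in `mkWellKnown` removes CORS from the `/.well-known/matrix/*` responses, which the Matrix client-server spec expects to carry CORS headers so that web clients served from another origin can read the discovery document; without it, browser-based clients will presumably fail homeserver discovery for this fqdn. The wildcard is harmless on these endpoints: the body is a static JSON document produced by `builtins.toJSON`, with no credentials or cookies involved, so the usual objection to `*` does not apply. Restore the line in `mkWellKnown`, or scope it to just the client well-known location if the server one should not carry it.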
@@ -71,7 +71,7 @@ modules = [( import ./hosts/violet )]; - specialArgs = { host="violet"; inherit self inputs username iceshrimp ; }; + specialArgs = { host="violet"; inherit self inputs username agenix iceshrimp ; }; }; vm = nixpkgs.lib.nixosSystem { From 7a0b5e08d26f06889e77f14d9ed36282073fe5e1 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 16 Jul 2024 21:51:44 +0200 Subject: [PATCH 12/15] feat: adds extra config using agenix --- modules/services/matrix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 4c96601..af3faa3 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -116,7 +116,7 @@ in { server_name = "${fqdn}"; public_baseurl = "https://${fqdn}"; enable_registration = false; - #registration_shared_secret = config.age.secrets.matrix-synapse; + extraConfig = config.age.secrets.matrix-synapse; #macaroon_secret_key = config.age.secrets.matrix-synapse; listeners = [ { port = 8008; From 7c545fe36d1ac226fc919ebb1fa7074be218e977 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 16 Jul 2024 21:52:41 +0200 Subject: [PATCH 13/15] feat: adds catppuccin --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 08fa9a6..8f9434c 100644 --- a/flake.nix +++ b/flake.nix @@ -37,7 +37,7 @@ }; }; - outputs = { nixpkgs, self, agenix, iceshrimp, , ...} @ inputs: + outputs = { nixpkgs, self, agenix, iceshrimp, catppuccin, ...} @ inputs: let selfPkgs = import ./pkgs; username = "liv"; From 599c273fc560289cb307091f6189fac818041039 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 16 Jul 2024 22:02:09 +0200 Subject: [PATCH 14/15] feat: adds extra config using agenix (2) --- modules/services/matrix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index af3faa3..272f5d1 100644 
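Review bot: `extraConfig` is not a synapse option, and `config.age.secrets.matrix-synapse` is the agenix secret's attribute set (name, file, path, owner, …), not its decrypted contents, so this line either fails the `settings` type check or is serialised into homeserver.yaml as a garbled key; PATCH 15 later renames it to `registration_shared_secret` with the same value, which has the same problem and, had it ever been given the real secret, would write it into the world-readable Nix store because `settings` is rendered to a store path. The NixOS module's way to keep a secret out of the store is `services.matrix-synapse.extraConfigFiles = [ config.age.secrets.matrix-synapse.path ];`, with the decrypted file holding `registration_shared_secret: …` (and `macaroon_secret_key`, per the comment below, if wanted) as YAML; the secret itself must be declared under `age.secrets.matrix-synapse` somewhere this series does not show, with `owner` set to the synapse service user so the service can read it. The settings block continues outside the hunk on both sides.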
--- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, config, ... }: +{ pkgs, lib, config, agenix, ... }: let fqdn = "liv.town"; baseUrl = "https://${fqdn}"; From a0693e6983355dcdc4bad41b21aa4c16a5526064 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 16 Jul 2024 22:33:32 +0200 Subject: [PATCH 15/15] feat: adds extra config using agenix (4) --- flake.nix | 2 +- hosts/violet/default.nix | 3 ++- modules/services/matrix/default.nix | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index 8f9434c..da203c2 100644 --- a/flake.nix +++ b/flake.nix @@ -37,7 +37,7 @@ }; }; - outputs = { nixpkgs, self, agenix, iceshrimp, catppuccin, ...} @ inputs: + outputs = { nixpkgs, self, iceshrimp, agenix, catppuccin, ...} @ inputs: let selfPkgs = import ./pkgs; username = "liv"; diff --git a/hosts/violet/default.nix b/hosts/violet/default.nix index 953a68c..9369fcf 100644 --- a/hosts/violet/default.nix +++ b/hosts/violet/default.nix @@ -1,10 +1,11 @@ -{ pkgs, config, iceshrimp, ... }: +{ pkgs, config, iceshrimp, agenix, ... }: { imports = [ ./hardware-configuration.nix ./../../modules/core ./../../modules/services/violet.nix iceshrimp.nixosModules.default + agenix.nixosModules.default ]; networking.hostName = "violet"; diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 272f5d1..e717fc3 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -116,7 +116,7 @@ in { server_name = "${fqdn}"; public_baseurl = "https://${fqdn}"; enable_registration = false; - extraConfig = config.age.secrets.matrix-synapse; + registration_shared_secret = config.age.secrets.matrix-synapse; #macaroon_secret_key = config.age.secrets.matrix-synapse; listeners = [ { port = 8008;
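Review bot: Adding `agenix` to the module's argument set makes `modules/services/matrix/default.nix` evaluate only when a host passes it through `specialArgs` (PATCH 11 does that for `violet`) and fail with a missing-argument error for any other consumer, while nothing in the file as seen here uses the binding — the secret is reached via `config.age.secrets`, which the `agenix.nixosModules.default` import added to hosts/violet in PATCH 15 provides. The argument can be dropped, leaving `{ pkgs, lib, config, ... }:`.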