diff --git a/hosts/lily/default.nix b/hosts/lily/default.nix
index fba412b..2d36d14 100644
--- a/hosts/lily/default.nix
+++ b/hosts/lily/default.nix
@@ -74,93 +74,14 @@ in }; }; }; - - # <100 is trusted; =>100 is untrusted. - vlans = { - lan = { - id = 1; - interface = "lan1"; - }; - servers = { - id = 10; - interface = "lan1"; - }; - management = { - id = 21; - interface = "lan1"; - }; - iot = { - id = 100; - interface = "lan1"; - }; - guest = { - id = 110; - interface = "lan1"; - }; - }; }; - services = { - udev.extraRules = '' - SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6e", ATTR{type}=="1", NAME="wan0" - SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6f", ATTR{type}=="1", NAME="lan0" - SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:80", ATTR{type}=="1", NAME="lan1" - SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:81", ATTR{type}=="1", NAME="lan2" - ''; - dhcpd4 = { - enable = true; - interfaces = [ - "lan" - "servers" - "management" - "iot" - "guest" - ]; - extraConfig = '' - option domain-name-servers 9.9.9.9, 149.112.112.112; - option subnet-mask 255.255.255.0; - - subnet 172.16.1.0 netmask 255.255.255.0 { - option broadcast-address 172.16.1.255; - option routers 172.16.1.1; - interface lan; - range 172.16.1.50 172.16.1.254; - } - subnet 172.16.10.0 netmask 255.255.255.0 { - option broadcast-address 172.16.10.255; - option routers 172.16.10.1; - interface servers; - range 172.16.10.50 172.16.10.254; - } - subnet 172.16.21.0 netmask 255.255.255.0 { - option broadcast-address 172.16.21.255; - option routers 172.16.21.1; - interface management; - range 172.16.21.50 172.16.21.254; - } - subnet 172.16.100.0 netmask 255.255.255.0 { - option broadcast-address 172.16.100.255; - option routers 172.16.100.1; - interface iot; - range 172.16.100.50 172.16.100.254; - } - subnet 172.16.110.0 netmask 255.255.255.0 { - option broadcast-address 172.16.110.255; - option routers 172.16.110.1; - interface guest; - range 172.16.110.50 172.16.110.254; - } - ''; - }; - avahi = { - enable = true; - 
reflector = true; - interfaces = [ - "lan" - "iot" - ]; - }; - }; + services.udev.extraRules = '' + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6e", ATTR{type}=="1", NAME="wan0" + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6f", ATTR{type}=="1", NAME="lan0" + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:80", ATTR{type}=="1", NAME="lan1" + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:81", ATTR{type}=="1", NAME="lan2" + ''; networking.hostName = "lily"; @@ -170,7 +91,5 @@ in kitty.terminfo tcpdump dnsutils - bind - ethtool ]; } diff --git a/modules/core/sshd.nix b/modules/core/sshd.nix index 012b44a..2cd550c 100644 --- a/modules/core/sshd.nix +++ b/modules/core/sshd.nix @@ -1,4 +1,4 @@ -{ lib, config, ... }: +{ lib, ... }: { services.openssh = { enable = true; @@ -11,8 +11,6 @@ }; }; - networking.firewall.allowedTCPPorts = [ config.services.openssh.ports ]; - users.users.liv.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGXi00z/rxVrWLKgYr+tWIsbHsSQO75hUMSTThNm5wUw liv@sakura" # main laptop "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2nsQHyWnrmuQway0ehoMUcYYfhD8Ph/vpD0Tzip1b1 liv@meow" # main phone diff --git a/modules/services/gokapi.nix b/modules/services/gokapi.nix index 8755939..fff1400 100644 --- a/modules/services/gokapi.nix +++ b/modules/services/gokapi.nix @@ -1,15 +1,8 @@ -{ - lib, - config, - pkgs, - ... -}: -{ +{ lib, config, pkgs, ... }: { services = { nginx.virtualHosts."share.liv.town" = { + useACMEHost = "liv.town"; forceSSL = true; - sslCertificate = "/var/lib/acme/liv.town/cert.pem"; - sslCertificateKey = "/var/lib/acme/liv.town/key.pem"; locations."/" = { proxyPass = "http://localhost:53842"; }; diff --git a/modules/services/grafana.nix b/modules/services/grafana.nix index a4dfb68..b0c0184 100644 --- a/modules/services/grafana.nix +++ b/modules/services/grafana.nix 
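Review bot: Removing `networking.firewall.allowedTCPPorts = [ config.services.openssh.ports ];` from modules/core/sshd.nix leaves the SSH firewall opening to whatever else sets it; in this diff that is a hard-coded `22` in modules/services/monitoring.nix, which no longer follows `services.openssh.ports` and only applies on hosts that import that module. If the intent is to rely on `services.openssh.openFirewall` (which defaults to true in NixOS unless overridden somewhere not shown here), a comment in this module saying so would make that explicit, e.g. `# sshd's firewall port is opened by services.openssh.openFirewall`. Otherwise keep the rule here as `networking.firewall.allowedTCPPorts = config.services.openssh.ports;`, since that option is already a list and must not be wrapped in another one. The module's top-level attribute set starts before this hunk and continues after it.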
@@ -11,9 +11,8 @@ }; nginx.virtualHosts.${config.services.grafana.domain} = { + useACMEHost = "liv.town"; forceSSL = true; - sslCertificate = "/var/lib/acme/liv.town/cert.pem"; - sslCertificateKey = "/var/lib/acme/liv.town/key.pem"; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; proxyWebsockets = true; diff --git a/modules/services/immich.nix b/modules/services/immich.nix index 6b66e76..301f192 100644 --- a/modules/services/immich.nix +++ b/modules/services/immich.nix @@ -1,11 +1,11 @@ -{ config, ... }: -{ +{ config, ... }: { services.immich = { enable = true; port = 2283; }; # services.nginx.virtualHosts."" = { + # enableACME = true; # forceSSL = true; # locations."/" = { # proxyPass = "http://localhost:${toString config.services.immich.port}"; diff --git a/modules/services/invidious.nix b/modules/services/invidious.nix index e4465b8..532e3fb 100644 --- a/modules/services/invidious.nix +++ b/modules/services/invidious.nix @@ -12,8 +12,7 @@ virtualHosts = { "video.liv.town" = { forceSSL = true; - sslCertificate = "/var/lib/acme/liv.town/cert.pem"; - sslCertificateKey = "/var/lib/acme/liv.town/key.pem"; + enableACME = true; locations."/".proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}"; }; }; diff --git a/modules/services/monitoring.nix b/modules/services/monitoring.nix index a22d5f9..848e838 100644 --- a/modules/services/monitoring.nix +++ b/modules/services/monitoring.nix @@ -26,6 +26,8 @@ networking.firewall = { allowedTCPPorts = [ 9001 + 22 + 9123 # always also allow ssh :screaming: ]; }; } diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix index 952473a..bef0680 100644 --- a/modules/services/nginx.nix +++ b/modules/services/nginx.nix @@ -1,11 +1,4 @@ -{ - pkgs, - config, - lib, - ... -}: -{ - +{ pkgs, config, lib, ... }: { security.acme = { acceptTerms = true; defaults.email = lib.mkDefault "ahwx@ahwx.org"; 
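Review bot: `enableACME = true;` on "video.liv.town" in modules/services/invidious.nix diverges from the sibling vhosts in this diff (gokapi, grafana, ntfy all use `useACMEHost = "liv.town";`), so this host requests its own certificate through the nginx HTTP-01 webroot instead of reusing the `liv.town` certificate issued via the desec DNS provider. That path only works if TCP 80 reaches this nginx, which the diff no longer guarantees because modules/services/nginx.nix drops its firewall entry. Unless a separate certificate is deliberately wanted, `useACMEHost = "liv.town";` keeps it consistent with the others; if it is deliberate, a one-line comment saying why would help. The enclosing `virtualHosts` set continues outside the hunk.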
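Review bot: The comment `# always also allow ssh :screaming:` in modules/services/monitoring.nix is attached to the `9123` line, so it documents the wrong entry — `22` is the SSH port and `9123` is left unexplained. Move the comment onto the `22` line and give `9123` its own, naming the listener it is for (`9123 # <service listening here — confirm>` until that is known), so a later reader can tell which rule is safe to remove. The `networking.firewall` set is closed inside the hunk; the rest of the module precedes it.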
@@ -17,15 +10,7 @@ dnsProvider = "desec"; environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value] webroot = null; - }; - "quack.social" = { - domain = "*.quack.social"; - extraDomainNames = [ "quack.social" ]; - group = config.services.nginx.group; - dnsProvider = "desec"; - environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value] - webroot = null; - }; + }; }; }; @@ -37,42 +22,8 @@ recommendedProxySettings = true; clientMaxBodySize = lib.mkDefault "10G"; - defaultListen = - let - listen = [ - { - addr = "[::]"; - port = 80; - extraParameters = [ "proxy_protocol" ]; - } - { - addr = "[::]"; - port = 443; - ssl = true; - extraParameters = [ "proxy_protocol" ]; - } - ]; - in - map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen; - # Hardened TLS and HSTS preloading appendHttpConfig = '' - # Proxying - # real_ip_header proxy_protocol; - - server { - listen 80 proxy_protocol; - listen 443 ssl proxy_protocol; - # set_real_ip_from 10.7.0.0/24; - } - - ssl_certificate /var/lib/acme/quack.social/cert.pem; - ssl_certificate_key /var/lib/acme/quack.social/key.pem; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $proxy_protocol_addr; - proxy_set_header X-Forwarded-For $proxy_protocol_addr; - # Add HSTS header with preloading to HTTPS requests. # Do not add HSTS header to HTTP requests. map $scheme $hsts_header { 
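Review bot: Dropping the `"quack.social"` certificate entry (a `*.quack.social` wildcard with the apex as an extra name) from modules/services/nginx.nix leaves any quack.social subdomain vhost that relied on it without a certificate; in this diff only the apex is re-covered, through `enableACME = true;` in modules/services/sharkey-proxy.nix, which uses HTTP-01 rather than the desec DNS provider kept for `liv.town`. If other `*.quack.social` hosts exist outside this diff they now need `enableACME` or a `useACMEHost` of their own, and a short comment next to the remaining `liv.town` entry noting that quack.social is handled per-vhost would record the decision. The enclosing `security.acme.certs` set starts before this hunk.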
@@ -98,24 +49,5 @@ add_header pronouns "any but neopronouns"; add_header locale "[en_US, nl_NL]"; ''; - appendConfig = '' - # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/ - # set_real_ip_from 213.210.34.27; - - # real_ip_header proxy_protocol; - - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $proxy_protocol_addr; - # proxy_set_header X-Forwarded-For $proxy_protocol_addr; - # proxy_set_header X-Forwarded-Proto $scheme; - # proxy_set_header X-Forwarded-Host $host; - # proxy_set_header X-Forwarded-Server $host; - ''; - }; - networking.firewall = { - allowedTCPPorts = [ - 80 - 443 - ]; }; } diff --git a/modules/services/ntfy.nix b/modules/services/ntfy.nix index 19c3fba..d7c9424 100644 --- a/modules/services/ntfy.nix +++ b/modules/services/ntfy.nix @@ -2,8 +2,7 @@ let hostname = "notify.liv.town"; port = 2586; url = "https://" + hostname; -in -{ +in { services = { ntfy-sh = { enable = true; @@ -17,9 +16,8 @@ in }; }; nginx.virtualHosts.${hostname} = { + useACMEHost = "liv.town"; forceSSL = true; - sslCertificate = "/var/lib/acme/liv.town/cert.pem"; - sslCertificateKey = "/var/lib/acme/liv.town/key.pem"; locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; proxyWebsockets = true; diff --git a/modules/services/sharkey-proxy.nix b/modules/services/sharkey-proxy.nix index 166876c..416bfe9 100644 --- a/modules/services/sharkey-proxy.nix +++ b/modules/services/sharkey-proxy.nix @@ -2,9 +2,8 @@ { services = { nginx.virtualHosts."quack.social" = { + enableACME = true; forceSSL = true; - sslCertificate = "/var/lib/acme/quack.social/cert.pem"; - sslCertificateKey = "/var/lib/acme/quack.social/key.pem"; locations."/" = { proxyPass = "http://localhost:3000"; proxyWebsockets = true; 
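Review bot: Nothing in the diff re-opens TCP 80 and 443 after `networking.firewall.allowedTCPPorts = [ 80 443 ];` is removed from modules/services/nginx.nix, so unless another module not shown here opens them, every vhost becomes unreachable and the HTTP-01 issuance behind `enableACME = true;` (invidious, sharkey-proxy) cannot complete. If the entry moved to another module, a comment such as `# TCP 80/443 are opened in <module path>` at the top of the `services.nginx` block would record that; otherwise restore the two-line entry here. The `services.nginx` set closes inside the hunk; the module starts before it.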
@@ -17,6 +16,26 @@ ''; }; + locations."/files/" = { + proxyPass = "http://localhost:3000"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $remote_addr; + + # Try cache? + # proxy_cache sharkey; + # proxy_cache_path /var/cache/nginx/sharkey levels=1:2 keys_zone=sharkey:15m; + # proxy_cache_lock on; + # proxy_cache_use_stale updating; + # proxy_force_ranges on; + # add_header X-Cache $upstream_cache_status; + ''; + }; + locations."/wiki/" = { # Nepenthis proxyPass = "http://localhost:8893";
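Review bot: `proxy_set_header X-Forwarded-Host $remote_addr;` in the new `locations."/files/"` block of modules/services/sharkey-proxy.nix puts the client IP into a header that upstreams interpret as the original Host; it should be `proxy_set_header X-Forwarded-Host $host;` (the `/` location above, outside this hunk, presumably carries the same header set and is worth checking). `X-Forwarded-Proto https` is hard-coded, which holds only while `forceSSL = true` remains on this vhost; `$scheme` would track it automatically. The commented-out `proxy_cache*` lines under `# Try cache?` should either become a single `# TODO(owner): evaluate proxy_cache for /files/` note or be dropped rather than shipped as dead config. The enclosing `virtualHosts."quack.social"` set starts before this hunk and closes after it.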