diff --git a/hosts/lily/default.nix b/hosts/lily/default.nix
index 2d36d14..fba412b 100644
--- a/hosts/lily/default.nix
+++ b/hosts/lily/default.nix
@@ -74,14 +74,93 @@ in
 };
 };
 };
+
+ # <100 is trusted; =>100 is untrusted.
+ vlans = {
+ lan = {
+ id = 1;
+ interface = "lan1";
+ };
+ servers = {
+ id = 10;
+ interface = "lan1";
+ };
+ management = {
+ id = 21;
+ interface = "lan1";
+ };
+ iot = {
+ id = 100;
+ interface = "lan1";
+ };
+ guest = {
+ id = 110;
+ interface = "lan1";
+ };
+ };
 };
- services.udev.extraRules = ''
- SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6e", ATTR{type}=="1", NAME="wan0"
- SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6f", ATTR{type}=="1", NAME="lan0"
- SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:80", ATTR{type}=="1", NAME="lan1"
- SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:81", ATTR{type}=="1", NAME="lan2"
- '';
+ services = {
+ udev.extraRules = ''
+ SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6e", ATTR{type}=="1", NAME="wan0"
+ SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6f", ATTR{type}=="1", NAME="lan0"
+ SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:80", ATTR{type}=="1", NAME="lan1"
+ SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:81", ATTR{type}=="1", NAME="lan2"
+ '';
+ dhcpd4 = {
+ enable = true;
+ interfaces = [
+ "lan"
+ "servers"
+ "management"
+ "iot"
+ "guest"
+ ];
+ extraConfig = ''
+ option domain-name-servers 9.9.9.9, 149.112.112.112;
+ option subnet-mask 255.255.255.0;
+
+ subnet 172.16.1.0 netmask 255.255.255.0 {
+ option broadcast-address 172.16.1.255;
+ option routers 172.16.1.1;
+ interface lan;
+ range 172.16.1.50 172.16.1.254;
+ }
+ subnet 172.16.10.0 netmask 255.255.255.0 {
+ option broadcast-address 172.16.10.255;
+ option routers 172.16.10.1;
+ interface servers;
+ range 172.16.10.50 172.16.10.254;
+ }
+ subnet 172.16.21.0 netmask 255.255.255.0 {
+ option broadcast-address 172.16.21.255;
+ option routers 172.16.21.1;
+ interface management;
+ range 172.16.21.50 172.16.21.254;
+ }
+ subnet 172.16.100.0 netmask 255.255.255.0 {
+ option broadcast-address 172.16.100.255;
+ option routers 172.16.100.1;
+ interface iot;
+ range 172.16.100.50 172.16.100.254;
+ }
+ subnet 172.16.110.0 netmask 255.255.255.0 {
+ option broadcast-address 172.16.110.255;
+ option routers 172.16.110.1;
+ interface guest;
+ range 172.16.110.50 172.16.110.254;
+ }
+ '';
+ };
+ avahi = {
+ enable = true;
+ reflector = true;
+ interfaces = [
+ "lan"
+ "iot"
+ ];
+ };
+ };
 networking.hostName = "lily";
@@ -91,5 +170,7 @@ in
 kitty.terminfo
 tcpdump
 dnsutils
+ bind
+ ethtool
 ];
 }
diff --git a/modules/core/sshd.nix b/modules/core/sshd.nix
index 2cd550c..012b44a 100644
--- a/modules/core/sshd.nix
+++ b/modules/core/sshd.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, config, ... }:
 {
 services.openssh = {
 enable = true;
@@ -11,6 +11,8 @@
 };
 };
+ networking.firewall.allowedTCPPorts = [ config.services.openssh.ports ];
+
 users.users.liv.openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGXi00z/rxVrWLKgYr+tWIsbHsSQO75hUMSTThNm5wUw liv@sakura" # main laptop
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2nsQHyWnrmuQway0ehoMUcYYfhD8Ph/vpD0Tzip1b1 liv@meow" # main phone
diff --git a/modules/services/gokapi.nix b/modules/services/gokapi.nix
index fff1400..8755939 100644
--- a/modules/services/gokapi.nix
+++ b/modules/services/gokapi.nix
@@ -1,8 +1,15 @@
-{ lib, config, pkgs, ... }: {
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+{
 services = {
 nginx.virtualHosts."share.liv.town" = {
- useACMEHost = "liv.town";
 forceSSL = true;
+ sslCertificate = "/var/lib/acme/liv.town/cert.pem";
+ sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
 locations."/" = {
 proxyPass = "http://localhost:53842";
 };
diff --git a/modules/services/grafana.nix b/modules/services/grafana.nix
index b0c0184..a4dfb68 100644
--- a/modules/services/grafana.nix
+++ b/modules/services/grafana.nix
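Review bot: `reflector = true` with `interfaces = [ "lan" "iot" ]` makes avahi re-announce every mDNS record seen on one of those interfaces onto the other, which bridges exactly the boundary the new comment `# <100 is trusted; =>100 is untrusted.` draws between VLAN 1 and VLAN 100. If that is intentional for device discovery, record it next to `reflector = true;`, e.g. `# Deliberately crosses the trusted/untrusted boundary: lan clients discover iot devices via mDNS.`, so the exception is visible to whoever reads the trust comment later. Separately, as far as I can tell `interface <name>;` is not a statement dhcpd.conf accepts inside a `subnet` block (subnets are matched to interfaces by address, and the `interfaces = [ ... ]` list already limits where dhcpd listens), so those five lines are likely to fail config parsing; ISC DHCP is also end-of-life, so `services.kea` is worth considering before building on `dhcpd4`. The enclosing `networking` attribute set starts before this hunk.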
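Review bot: `networking.firewall.allowedTCPPorts = [ config.services.openssh.ports ];` wraps a list in another list — `services.openssh.ports` is already a list of ports, so the value is `[ [ 22 ] ]` (or similar) and the `listOf port` check on `allowedTCPPorts` fails at evaluation time. Either write `networking.firewall.allowedTCPPorts = config.services.openssh.ports;` or drop the line, since `services.openssh.openFirewall` defaults to `true` and already opens those ports. This matters because the monitoring.nix hunk in the same commit removes the hard-coded `22`, leaving this line as the only explicit SSH allowance.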
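Review bot: Replacing `useACMEHost = "liv.town"` with raw `sslCertificate`/`sslCertificateKey` paths drops the wiring the nginx module adds for ACME-backed hosts — as I recall, ordering of nginx after the `acme-liv.town` certificate exists and a reload of nginx when that certificate is renewed — so nginx will keep serving the old certificate from memory until something else restarts it. If the goal is only to share the wildcard cert across vhosts, `useACMEHost` already does that; if the paths are kept, add `security.acme.certs."liv.town".reloadServices = [ "nginx.service" ];` next to the cert definition in nginx.nix and keep `group = config.services.nginx.group` on it so the key stays readable. The same applies to grafana.nix, invidious.nix, ntfy.nix and sharkey-proxy.nix (the last for `quack.social`). The virtualHost definition starts before this hunk.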
@@ -11,8 +11,9 @@
 };
 nginx.virtualHosts.${config.services.grafana.domain} = {
- useACMEHost = "liv.town";
 forceSSL = true;
+ sslCertificate = "/var/lib/acme/liv.town/cert.pem";
+ sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
 proxyWebsockets = true;
diff --git a/modules/services/immich.nix b/modules/services/immich.nix
index 301f192..6b66e76 100644
--- a/modules/services/immich.nix
+++ b/modules/services/immich.nix
@@ -1,11 +1,11 @@
-{ config, ... }: {
+{ config, ... }:
+{
 services.immich = {
 enable = true;
 port = 2283;
 };
 # services.nginx.virtualHosts."" = {
- # enableACME = true;
 # forceSSL = true;
 # locations."/" = {
 # proxyPass = "http://localhost:${toString config.services.immich.port}";
diff --git a/modules/services/invidious.nix b/modules/services/invidious.nix
index 532e3fb..e4465b8 100644
--- a/modules/services/invidious.nix
+++ b/modules/services/invidious.nix
@@ -12,7 +12,8 @@
 virtualHosts = {
 "video.liv.town" = {
 forceSSL = true;
- enableACME = true;
+ sslCertificate = "/var/lib/acme/liv.town/cert.pem";
+ sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
 locations."/".proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}";
 };
 };
diff --git a/modules/services/monitoring.nix b/modules/services/monitoring.nix
index 848e838..a22d5f9 100644
--- a/modules/services/monitoring.nix
+++ b/modules/services/monitoring.nix
@@ -26,8 +26,6 @@
 networking.firewall = {
 allowedTCPPorts = [
 9001
- 22
- 9123 # always also allow ssh :screaming:
 ];
 };
 }
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
index bef0680..952473a 100644
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -1,4 +1,11 @@
-{ pkgs, config, lib, ... }: {
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+{
+
 security.acme = {
 acceptTerms = true;
 defaults.email = lib.mkDefault "ahwx@ahwx.org";
@@ -10,7 +17,15 @@
 dnsProvider = "desec";
 environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
 webroot = null;
- };
+ };
+ "quack.social" = {
+ domain = "*.quack.social";
+ extraDomainNames = [ "quack.social" ];
+ group = config.services.nginx.group;
+ dnsProvider = "desec";
+ environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
+ webroot = null;
+ };
 };
 };
@@ -22,8 +37,42 @@
 recommendedProxySettings = true;
 clientMaxBodySize = lib.mkDefault "10G";
+ defaultListen =
+ let
+ listen = [
+ {
+ addr = "[::]";
+ port = 80;
+ extraParameters = [ "proxy_protocol" ];
+ }
+ {
+ addr = "[::]";
+ port = 443;
+ ssl = true;
+ extraParameters = [ "proxy_protocol" ];
+ }
+ ];
+ in
+ map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;
+
 # Hardened TLS and HSTS preloading
 appendHttpConfig = ''
+ # Proxying
+ # real_ip_header proxy_protocol;
+
+ server {
+ listen 80 proxy_protocol;
+ listen 443 ssl proxy_protocol;
+ # set_real_ip_from 10.7.0.0/24;
+ }
+
+ ssl_certificate /var/lib/acme/quack.social/cert.pem;
+ ssl_certificate_key /var/lib/acme/quack.social/key.pem;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $proxy_protocol_addr;
+ proxy_set_header X-Forwarded-For $proxy_protocol_addr;
+
 # Add HSTS header with preloading to HTTPS requests.
 # Do not add HSTS header to HTTP requests.
 map $scheme $hsts_header {
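Review bot: The new `"quack.social"` certificate reads its deSEC API token from `/home/liv/desec.env`, copying the existing `liv.town` entry, so one credential that can alter DNS for two zones now lives in a user home directory where anything running as that user can read it. A root-owned path outside `$HOME` (a secrets-manager-provided file or a `0400` file under `/var/lib/acme`, for example) would narrow what can read it; at minimum a comment such as `# Shared with the liv.town cert; one token controls both zones.` should record the shared blast radius. The `security.acme.certs` attribute set this entry belongs to starts before the hunk.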
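Review bot: The http-level `X-Real-IP`/`X-Forwarded-For` headers are built from `$proxy_protocol_addr`, but the two directives that make that value trustworthy — `real_ip_header proxy_protocol;` and `set_real_ip_from ...;` — are both left commented out, and with every `defaultListen` entry requiring `proxy_protocol`, nginx takes the PROXY header from whichever peer connects, so the address forwarded to backends is only as honest as the peer. Enable `real_ip_header proxy_protocol;` together with `set_real_ip_from <upstream-proxy-address>;` (placeholder for the real proxy) and let `$remote_addr` carry the client address. Note also that nginx inherits `proxy_set_header` only into blocks that define none of their own, and the locations generated with `recommendedProxySettings = true` (context line in this hunk) carry their own set, so the three http-level `proxy_set_header` lines are shadowed in every proxied location and can go once real_ip is configured. The bare `server { listen 80 proxy_protocol; listen 443 ssl proxy_protocol; }` block duplicates what `defaultListen` already declares, and the http-level `ssl_certificate` for `quack.social` is redundant with the per-vhost paths set in sharkey-proxy.nix.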
@@ -49,5 +98,24 @@
 add_header pronouns "any but neopronouns";
 add_header locale "[en_US, nl_NL]";
 '';
+ appendConfig = ''
+ # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
+ # set_real_ip_from 213.210.34.27;
+
+ # real_ip_header proxy_protocol;
+
+ # proxy_set_header Host $host;
+ # proxy_set_header X-Real-IP $proxy_protocol_addr;
+ # proxy_set_header X-Forwarded-For $proxy_protocol_addr;
+ # proxy_set_header X-Forwarded-Proto $scheme;
+ # proxy_set_header X-Forwarded-Host $host;
+ # proxy_set_header X-Forwarded-Server $host;
+ '';
+ };
+ networking.firewall = {
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
 };
 }
diff --git a/modules/services/ntfy.nix b/modules/services/ntfy.nix
index d7c9424..19c3fba 100644
--- a/modules/services/ntfy.nix
+++ b/modules/services/ntfy.nix
@@ -2,7 +2,8 @@ let
 hostname = "notify.liv.town";
 port = 2586;
 url = "https://" + hostname;
-in {
+in
+{
 services = {
 ntfy-sh = {
 enable = true;
@@ -16,8 +17,9 @@ in {
 };
 };
 nginx.virtualHosts.${hostname} = {
- useACMEHost = "liv.town";
 forceSSL = true;
+ sslCertificate = "/var/lib/acme/liv.town/cert.pem";
+ sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString port}";
 proxyWebsockets = true;
diff --git a/modules/services/sharkey-proxy.nix b/modules/services/sharkey-proxy.nix
index 416bfe9..166876c 100644
--- a/modules/services/sharkey-proxy.nix
+++ b/modules/services/sharkey-proxy.nix
@@ -2,8 +2,9 @@
 {
 services = {
 nginx.virtualHosts."quack.social" = {
- enableACME = true;
 forceSSL = true;
+ sslCertificate = "/var/lib/acme/quack.social/cert.pem";
+ sslCertificateKey = "/var/lib/acme/quack.social/key.pem";
 locations."/" = {
 proxyPass = "http://localhost:3000";
 proxyWebsockets = true;
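Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ]` opens both ports to every source, yet with `defaultListen` requiring `proxy_protocol` the only legitimate peer is the upstream proxy, and because the listeners take the client address from the PROXY header, exposing them broadly lets any peer that reaches them choose that address. Restrict the source to the proxy instead — `networking.firewall.extraCommands` with the proxy's address, or `networking.firewall.interfaces.<link>.allowedTCPPorts` if it arrives over a private link, which the commented `set_real_ip_from 10.7.0.0/24;` in the previous hunk hints at. The new `appendConfig` block consists entirely of commented-out directives and a URL, so it changes nothing in the generated nginx.conf; drop it, or move the documentation link into a Nix comment above `appendHttpConfig` where the live proxy-protocol settings are. The `services.nginx` attribute set being closed here starts before the hunk.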
@@ -16,26 +17,6 @@
 '';
 };
- locations."/files/" = {
- proxyPass = "http://localhost:3000";
- proxyWebsockets = true;
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Host $remote_addr;
-
- # Try cache?
- # proxy_cache sharkey;
- # proxy_cache_path /var/cache/nginx/sharkey levels=1:2 keys_zone=sharkey:15m;
- # proxy_cache_lock on;
- # proxy_cache_use_stale updating;
- # proxy_force_ranges on;
- # add_header X-Cache $upstream_cache_status;
- '';
- };
-
 locations."/wiki/" = {
 # Nepenthis
 proxyPass = "http://localhost:8893";