Fixed fermi configuration for deployment

aftix · May 17, 2024 · 45b1eed · 45b1eed
1 parent 1cece6e
commit 45b1eed
Show file tree

Hide file tree

Showing 6 changed files with 136 additions and 83 deletions.
diff --git a/host/fermi.nix b/host/fermi.nix
@@ -27,6 +27,9 @@ in {
       aftgraphs = true;
       blog = true;
       searx.enable = true;
+
+      ip = "170.130.165.174";
+      ipv6 = "2a0b:7140:8:1:5054:ff:fe84:ed8c";
     };
 
     znc.enable = true;

diff --git a/host/opt/www/blog.nix b/host/opt/www/blog.nix
@@ -29,34 +29,31 @@ in {
       forceSSL = true;
       useACMEHost = cfg.hostname;
 
-      locations =
-        {
-          "/".tryFiles = "$uri $uri/ =404";
+      locations = {
+        "/".tryFiles = "$uri $uri/ =404";
 
-          "/searx/${cfg.searx.subdomain}".return = mkIf cfg.searx.enable "https://${cfg.searx.subdomain}.${cfg.hostname}/static/?$args";
-          "/searx".return = mkIf cfg.searx.enable "https://${cfg.searx.subdomain}.${cfg.hostname}/?$args";
+        "/searx/".return = mkIf cfg.searx.enable "https://${cfg.searx.subdomain}.${cfg.hostname}/?$args";
 
-          "/advent2023/" = mkIf cfg.adventofcode {
-            alias = "${cfg.root}/advent2023/";
-            extraConfig = ''
-              fancyindex on;
-              fancyindex_exact_size off;
-              fancyindex_localtime on;
-            '';
-          };
+        "/advent2023/" = mkIf cfg.adventofcode {
+          alias = "${cfg.root}/advent2023/";
+          extraConfig = ''
+            fancyindex on;
+            fancyindex_exact_size off;
+            fancyindex_localtime on;
+          '';
+        };
 
-          "/aftgraphs/" = mkIf cfg.aftgraphs {
-            alias = "${cfg.root}/simulations/";
-            extraConfig = ''
-              fancyindex on;
-              fancyindex_exact_size off;
-              fancyindex_localtime on;
-              add_header "Cross-Origin-Opener-Policy" "same-origin";
-              add_header "Cross-Origin-Embedder-Policy" "require-corp";
-            '';
-          };
-        }
-        // cfg.acme-location-block;
+        "/aftgraphs/" = mkIf cfg.aftgraphs {
+          alias = "${cfg.root}/simulations/";
+          extraConfig = ''
+            fancyindex on;
+            fancyindex_exact_size off;
+            fancyindex_localtime on;
+            add_header "Cross-Origin-Opener-Policy" "same-origin";
+            add_header "Cross-Origin-Embedder-Policy" "require-corp";
+          '';
+        };
+      };
     };
   };
 }
diff --git a/host/opt/www/default.nix b/host/opt/www/default.nix
@@ -19,6 +19,15 @@ in {
       type = lib.types.str;
     };
 
+    ip = mkOption {
+      default = "";
+      type = lib.types.str;
+    };
+    ipv6 = mkOption {
+      default = "";
+      type = lib.types.str;
+    };
+
     root = mkOption {
       default = "/srv";
       type = lib.types.str;
@@ -34,16 +43,10 @@ in {
       type = lib.types.str;
     };
 
-    acme-location-block = mkOption {
-      default = {
-        "^~ /.well-known/acme-challenge".extraConfig = ''
-          location ^~ /.well-known/acme-challenge/ {
-            default_type "text/plain";
-            root ${cfg.root}/acme;
-          }
-        '';
-      };
-      readOnly = true;
+    keys = mkOption {
+      default = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmFgG1EuQDoJb8pQcxnhjqbncrpJGZ3iNon/gu0bXiE [email protected]"
+      ];
     };
   };
 
@@ -54,26 +57,66 @@ in {
         password = "";
         shell = "/run/current-system/sw/bin/nologin";
         isSystemUser = true;
+        home = cfg.root;
+        openssh.authorizedKeys.keys = cfg.keys;
       };
 
       groups.${cfg.group} = {};
     };
 
     networking.firewall = {
-      allowedTCPPorts = [80 443];
-      allowedUDPPorts = [80 443];
+      allowedTCPPorts = [53 80 443];
+      allowedUDPPorts = [53 80 443];
     };
 
-    services.nginx = {
-      inherit (cfg) user group;
-      enable = true;
-      enableReload = true;
+    services = {
+      nginx = {
+        inherit (cfg) user group;
+        enable = true;
+        enableReload = true;
 
-      additionalModules = with pkgs.nginxModules; [fancyindex];
+        additionalModules = with pkgs.nginxModules; [fancyindex];
 
-      appendHttpConfig = ''
-        limit_req_zone $binary_remote_addr zone=put_request_by_addr:20m rate=100r/s;
-      '';
+        virtualHosts."auth.${cfg.hostname}" = {
+          serverName = "auth.${cfg.hostname} www.auth.${cfg.hostname}";
+          kTLS = true;
+          forceSSL = true;
+          useACMEHost = cfg.hostname;
+
+          locations."/" = {
+            proxyPass = "http://[::1]:4443/";
+            extraConfig = ''
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            '';
+          };
+        };
+
+        appendHttpConfig = ''
+          limit_req_zone $binary_remote_addr zone=put_request_by_addr:20m rate=100r/s;
+        '';
+      };
+
+      acme-dns = {
+        enable = true;
+        settings = {
+          api = {
+            ip = "[::1]";
+            port = 4443;
+          };
+          general = rec {
+            listen = "[::1]:53";
+            domain = "auth." + cfg.hostname;
+            nsname = domain;
+            nsadmin = "admin." + cfg.hostname;
+            records = [
+              "${nsname}. A ${cfg.ip}"
+              "${nsname}. AAAA ${cfg.ipv6}"
+              "${nsname}. NS ${nsname}."
+            ];
+          };
+        };
+      };
     };
 
     systemd.tmpfiles.rules = [
@@ -83,14 +126,26 @@ in {
 
     security.acme = {
       acceptTerms = true;
+
       defaults = {
         email = "[email protected]";
-        webroot = cfg.root + "/acme";
+        dnsProvider = "acme-dns";
+        environmentFile = pkgs.writeTextFile {
+          name = "lego-acme-dns.env";
+          text = ''
+            ACME_DNS_API_BASE="http://[::1]:4443"
+            ACME_DNS_STORAGE_PATH=/var/lib/acme/lego-acme-dns-accounts.json
+          '';
+        };
       };
 
       certs.${cfg.hostname} = {
         inherit (cfg) group;
-        extraDomainNames = ["www.${cfg.hostname}"];
+        extraDomainNames = [
+          "www.${cfg.hostname}"
+          "auth.${cfg.hostname}"
+          "www.auth.${cfg.hostname}"
+        ];
       };
     };
   };

diff --git a/host/opt/www/searx.nix b/host/opt/www/searx.nix
@@ -7,7 +7,7 @@
   inherit (lib.options) mkOption mkEnableOption;
   wwwCfg = config.my.www;
   cfg = wwwCfg.searx;
-  socket = "/run/uwsgi/app/searx/socket";
+  socket = "/run/uwsgi/socket";
 in {
   options.my.www.searx = {
     enable = mkEnableOption "searx";
@@ -35,9 +35,7 @@ in {
     systemd.tmpfiles.rules = let
       inherit (config.services.searx.uwsgiConfig) immediate-uid immediate-gid;
     in [
-      "d /run/uwsgi 0775 ${immediate-uid} ${immediate-gid} -"
-      "d /run/uwsgi/app 0775 ${immediate-uid} ${immediate-gid} -"
-      "d /run/uwsgi/app/searx 0775 ${immediate-uid} ${immediate-gid} -"
+      "d ${builtins.baseNameOf socket} 0775 ${immediate-uid} ${immediate-gid} -"
     ];
 
     environment.etc."nginx/uwsgi_params".text = ''
@@ -63,22 +61,19 @@ in {
 
     services = {
       nginx.virtualHosts."${cfg.subdomain}.${wwwCfg.hostname}" = {
-        root = "${config.services.searx.package}/share";
         serverName = "${cfg.subdomain}.${wwwCfg.hostname} www.${cfg.subdomain}.${wwwCfg.hostname}";
         kTLS = true;
         forceSSL = true;
         useACMEHost = wwwCfg.hostname;
 
-        locations =
-          {
-            "/".extraConfig = ''
-              include uwsgi_params;
-              uwsgi_pass unix:${socket};
-            '';
+        locations = {
+          "/".extraConfig = ''
+            include uwsgi_params;
+            uwsgi_pass unix:${socket};
+          '';
 
-            "/static/".alias = "${config.services.searx.package}/share/static";
-          }
-          // wwwCfg.acme-location-block;
+          "/static/".alias = "${config.services.searx.package}/share/static/";
+        };
       };
 
       redis.servers.searx.user = mkForce config.services.searx.uwsgiConfig.immediate-uid;
@@ -96,7 +91,6 @@ in {
         environmentFile = config.sops.templates."searx.env".path;
 
         settings = {
-          use_default_settings = mkForce false;
           instance_name = "searx";
           contact_url = "mailto:[email protected]";
           server = {

diff --git a/host/opt/www/znc.nix b/host/opt/www/znc.nix
@@ -34,23 +34,32 @@ in {
       };
     };
 
+    security.acme.certs.${hostname}.extraDomainNames = [
+      "${subdomain}.${hostname}"
+      "www.${subdomain}.${hostname}"
+    ];
+
     systemd = {
+      tmpfiles.rules = [
+        "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} -"
+        "d ${cfg.dataDir}/configs 0750 ${cfg.user} ${cfg.group} -"
+      ];
+
       services = {
         znc-init = {
+          inherit (config.systemd.services.znc) preStart;
           description = "Initialize znc settings";
+          requires = ["local-fs.target"];
+          after = ["local-fs.target"];
           serviceConfig = {
             Type = "oneshot";
             RemainAfterExit = true;
             User = cfg.user;
             Group = cfg.group;
-            RuntimeDirectory = cfg.dataDir;
-            RuntimeDirectoryMode = "750";
             NoNewPrivileges = true;
             ProtectSystem = "strict";
             ReadWritePaths = cfg.dataDir;
             ProtectHome = true;
-            StateDirectory = cfg.dataDir;
-            StateDirectoryMode = "755";
             PrivateTmp = true;
             ProtectHostname = true;
             ProtectClock = true;
@@ -94,27 +103,23 @@ in {
           forceSSL = true;
           useACMEHost = hostname;
 
-          locations =
-            {
-              "/" = {
-                proxyPass = "http://[[::1]]:7001/";
-                extraConfig = ''
-                  proxy_set_header X-Real-IP $remote_addr;
-                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                '';
-              };
-            }
-            // config.my.www.acme-location-block;
+          locations."/" = {
+            proxyPass = "http://[::1]:7001/";
+            extraConfig = ''
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            '';
+          };
         };
 
         streamConfig = ''
           upstream znc {
-            server [::1]::7000;
+            server [::1]:7000;
           }
 
           server {
-            listen 0.0.0.0:6697 http2 ssl;
-            listen [::0]:6697 http2 ssl;
+            listen 0.0.0.0:6697 ssl;
+            listen [::0]:6697 ssl;
 
             ssl_certificate ${config.security.acme.certs.${hostname}.directory}/fullchain.pem;
             ssl_certificate_key ${config.security.acme.certs.${hostname}.directory}/key.pem;
@@ -216,7 +221,6 @@ in {
                   "keepnick"
                   "savebuff"
                   "clientbuffer"
-                  "autoadd"
                   "route_replies"
                 ];
                 FloodBurst = 9;

diff --git a/host/srv_secrets.yaml b/host/srv_secrets.yaml
@@ -35,8 +35,8 @@ sops:
             Y1A3cVp1ZjlQTFlNYXpCNU0vdFo2K2cKW6HKJa8xsl+dPiU/pn/e4OzdYl1dAd2E
             I80O0jS0TQ/8Ifjr/a4V1f911/ShSWiAis8mHEa4wf3pVJ26CI9D9Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-12T18:44:09Z"
-    mac: ENC[AES256_GCM,data:GwLhZj83Pbz6dk1mXxiAgKWHf8hJ7YBZZrro2yqxOgxbdi6hIwMTAWoBmw4SEKGKhFER7YSY4jCSS4oyZUhP9HIdvCaqMc5u8rC+2UO3nlLsTTLB21vp5QBm0x5/CGH8K4r1S8Xi9bHzdb39+goI9sIARlNkD0fcS02jgb92ErA=,iv:emRl+fQ+CpcpaCcwZKGEBd0ckW6XyDUmrl9XBa+n+zc=,tag:SXcmB4SKp9hy31Yo6KcV9Q==,type:str]
+    lastmodified: "2024-05-17T20:53:15Z"
+    mac: ENC[AES256_GCM,data:hw2FncYLmzAUNRvP5K8CxcNBjvvU7617NuvyvWUukw4sx84a5LCDY6IFeY655/3JwuEupPqnqf5rmhx0g8R4aXimyvNglpB9MliFCt5MwX6o4w2bxDkiycQeuqoGQ1X3fmsr2AHMkFllcO3CjrxYBC62dpPy4hKFVOrP3TLtbFk=,iv:LWuUdEmScKBuO9j+TCl8pip+wh2LXtStev2NMgT0I74=,tag:EkMxDjYZ5duoBctpJb5K1g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1