diff --git a/host/fermi.nix b/host/fermi.nix index 4b120a8..e387f58 100644 --- a/host/fermi.nix +++ b/host/fermi.nix @@ -27,6 +27,9 @@ in { aftgraphs = true; blog = true; searx.enable = true; + + ip = "170.130.165.174"; + ipv6 = "2a0b:7140:8:1:5054:ff:fe84:ed8c"; }; znc.enable = true; diff --git a/host/opt/www/blog.nix b/host/opt/www/blog.nix index 87931d7..4a81942 100644 --- a/host/opt/www/blog.nix +++ b/host/opt/www/blog.nix 
@@ -29,34 +29,32 @@ in { forceSSL = true; useACMEHost = cfg.hostname; - locations = - { - "/".tryFiles = "$uri $uri/ =404"; + locations = { + "/".tryFiles = "$uri $uri/ =404"; - "/searx/${cfg.searx.subdomain}".return = mkIf cfg.searx.enable "https://${cfg.searx.subdomain}.${cfg.hostname}/static/?$args"; - "/searx".return = mkIf cfg.searx.enable "https://${cfg.searx.subdomain}.${cfg.hostname}/?$args"; + "/searx/${cfg.searx.subdomain}".return = mkIf cfg.searx.enable "https://${cfg.searx.subdomain}.${cfg.hostname}/static/?$args"; + "/searx".return = mkIf cfg.searx.enable "https://${cfg.searx.subdomain}.${cfg.hostname}/?$args"; - "/advent2023/" = mkIf cfg.adventofcode { - alias = "${cfg.root}/advent2023/"; - extraConfig = '' - fancyindex on; - fancyindex_exact_size off; - fancyindex_localtime on; - ''; - }; + "/advent2023/" = mkIf cfg.adventofcode { + alias = "${cfg.root}/advent2023/"; + extraConfig = '' + fancyindex on; + fancyindex_exact_size off; + fancyindex_localtime on; + ''; + }; - "/aftgraphs/" = mkIf cfg.aftgraphs { - alias = "${cfg.root}/simulations/"; - extraConfig = '' - fancyindex on; - fancyindex_exact_size off; - fancyindex_localtime on; - add_header "Cross-Origin-Opener-Policy" "same-origin"; - add_header "Cross-Origin-Embedder-Policy" "require-corp"; - ''; - }; - } - // cfg.acme-location-block; + "/aftgraphs/" = mkIf cfg.aftgraphs { + alias = "${cfg.root}/simulations/"; + extraConfig = '' + fancyindex on; + fancyindex_exact_size off; + fancyindex_localtime on; + add_header "Cross-Origin-Opener-Policy" "same-origin"; + add_header "Cross-Origin-Embedder-Policy" "require-corp"; + ''; + }; + }; }; }; } diff --git a/host/opt/www/default.nix b/host/opt/www/default.nix index d974162..1bcc477 100644 --- a/host/opt/www/default.nix +++ b/host/opt/www/default.nix 
@@ -19,6 +19,15 @@ in { type = lib.types.str; }; + ip = mkOption { + default = ""; + type = lib.types.str; + }; + ipv6 = mkOption { + default = ""; + type = lib.types.str; + }; + root = mkOption { default = "/srv"; type = lib.types.str; @@ -34,16 +43,10 @@ in { type = lib.types.str; }; - acme-location-block = mkOption { - default = { - "^~ /.well-known/acme-challenge".extraConfig = '' - location ^~ /.well-known/acme-challenge/ { - default_type "text/plain"; - root ${cfg.root}/acme; - } - ''; - }; - readOnly = true; + keys = mkOption { + default = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmFgG1EuQDoJb8pQcxnhjqbncrpJGZ3iNon/gu0bXiE aftix@aftix.xyz" + ]; }; }; 
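Review bot: `ip` and `ipv6` default to the empty string, and the acme-dns `records` list elsewhere in this file interpolates them unconditionally, so a host that imports this module without setting them evaluates to entries like `auth.<hostname>. A ` — a malformed zone record rather than an evaluation error. Since `acme-dns.enable = true` is set unconditionally in the same file, dropping the defaults makes the omission fail at build time: `ip = mkOption { type = lib.types.str; description = "Public IPv4 address published as the A record of the acme-dns nameserver"; };` and likewise for `ipv6`. Alternatively use `lib.types.nullOr lib.types.str` with `default = null` and filter the corresponding record out when unset. The `options` set continues outside the hunk.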
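Review bot: The new `keys` option declares no `type`, so any value merges unchecked, and its default embeds one person's SSH public key, which means every host that imports this module authorizes that key on the www system user (it is wired into `openssh.authorizedKeys.keys` in this file) unless the option is explicitly overridden. Prefer `type = lib.types.listOf lib.types.str; default = [];` here and set the key per host in `host/fermi.nix`, as the new `ip`/`ipv6` values already are. A `description` noting that these keys grant SSH access to the www system user would also help. The `options` set continues outside the hunk.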
@@ -54,26 +57,66 @@ in { password = ""; shell = "/run/current-system/sw/bin/nologin"; isSystemUser = true; + home = cfg.root; + openssh.authorizedKeys.keys = cfg.keys; }; groups.${cfg.group} = {}; }; networking.firewall = { - allowedTCPPorts = [80 443]; - allowedUDPPorts = [80 443]; + allowedTCPPorts = [53 80 443]; + allowedUDPPorts = [53 80 443]; }; - services.nginx = { - inherit (cfg) user group; - enable = true; - enableReload = true; + services = { + nginx = { + inherit (cfg) user group; + enable = true; + enableReload = true; - additionalModules = with pkgs.nginxModules; [fancyindex]; + additionalModules = with pkgs.nginxModules; [fancyindex]; - appendHttpConfig = '' - limit_req_zone $binary_remote_addr zone=put_request_by_addr:20m rate=100r/s; - ''; + virtualHosts."auth.${cfg.hostname}" = { + serverName = "auth.${cfg.hostname} www.auth.${cfg.hostname}"; + kTLS = true; + forceSSL = true; + useACMEHost = cfg.hostname; + + locations."/" = { + proxyPass = "http://[::1]:4443/"; + extraConfig = '' + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; + }; + + appendHttpConfig = '' + limit_req_zone $binary_remote_addr zone=put_request_by_addr:20m rate=100r/s; + ''; + }; + + acme-dns = { + enable = true; + settings = { + api = { + ip = "[::1]"; + port = 4443; + }; + general = rec { + listen = "[::1]:53"; + domain = "auth." + cfg.hostname; + nsname = domain; + nsadmin = "admin." + cfg.hostname; + records = [ + "${nsname}. A ${cfg.ip}" + "${nsname}. AAAA ${cfg.ipv6}" + "${nsname}. NS ${nsname}." + ]; + }; + }; + }; }; systemd.tmpfiles.rules = [ 
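Review bot: acme-dns's DNS listener is bound to `[::1]:53` while the firewall now opens 53/tcp and 53/udp publicly and the `records` list advertises `cfg.ip`/`cfg.ipv6` as the nameserver for `auth.${cfg.hostname}`; unless something outside this diff forwards port 53 from the public addresses, external resolvers (including the CA's validators for dns-01) cannot reach the zone, and the open port serves nothing. Either bind `listen` to a public address (e.g. `listen = "[::]:53";`) or remove 53 from `allowedTCPPorts`/`allowedUDPPorts`. Separately, the `auth.${cfg.hostname}` vhost proxies the entire acme-dns HTTP API to the internet although lego reaches it over loopback; if no external client needs the public endpoint, drop the vhost, and if one does, restrict the registration endpoint and attach the already-defined zone with `limit_req zone=put_request_by_addr;` in that location's `extraConfig`. It is also worth verifying that acme-dns accepts the bracketed `"[::1]"` for `api.ip`, which it combines with `api.port` itself, unlike `general.listen` where the whole host:port string is given. The enclosing `services` set continues outside the hunk.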
@@ -83,14 +126,26 @@ in { security.acme = { acceptTerms = true; + defaults = { email = "aftix@aftix.xyz"; - webroot = cfg.root + "/acme"; + dnsProvider = "acme-dns"; + environmentFile = pkgs.writeTextFile { + name = "lego-acme-dns.env"; + text = '' + ACME_DNS_API_BASE="http://[::1]:4443" + ACME_DNS_STORAGE_PATH=/var/lib/acme/lego-acme-dns-accounts.json + ''; + }; }; certs.${cfg.hostname} = { inherit (cfg) group; - extraDomainNames = ["www.${cfg.hostname}"]; + extraDomainNames = [ + "www.${cfg.hostname}" + "auth.${cfg.hostname}" + "www.auth.${cfg.hostname}" + ]; }; }; }; diff --git a/host/opt/www/searx.nix b/host/opt/www/searx.nix index a594c4d..e9017b4 100644 --- a/host/opt/www/searx.nix +++ b/host/opt/www/searx.nix @@ -69,16 +69,14 @@ in { forceSSL = true; useACMEHost = wwwCfg.hostname; - locations = - { - "/".extraConfig = '' - include uwsgi_params; - uwsgi_pass unix:${socket}; - ''; - - "/static/".alias = "${config.services.searx.package}/share/static"; - } - // wwwCfg.acme-location-block; + locations = { + "/".extraConfig = '' + include uwsgi_params; + uwsgi_pass unix:${socket}; + ''; + + "/static/".alias = "${config.services.searx.package}/share/static"; + }; }; redis.servers.searx.user = mkForce config.services.searx.uwsgiConfig.immediate-uid; @@ -96,7 +94,6 @@ in { environmentFile = config.sops.templates."searx.env".path; settings = { - use_default_settings = mkForce false; instance_name = "searx"; contact_url = "mailto:aftix@aftix.xyz"; server = { diff --git a/host/opt/www/znc.nix b/host/opt/www/znc.nix index 48ea154..e640dc3 100644 --- a/host/opt/www/znc.nix +++ b/host/opt/www/znc.nix 
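Review bot: `environmentFile` is built with `pkgs.writeTextFile`, so it lives in the world-readable Nix store; that is acceptable here only because the file holds just the API base URL and a storage path, while the acme-dns account credentials lego registers end up in `/var/lib/acme/lego-acme-dns-accounts.json` — a comment such as `# no secrets here: account credentials live in ACME_DNS_STORAGE_PATH, which must stay outside the store` would stop a later edit from adding an API key to this file. That storage path must be writable by the account the ACME service runs as, which this diff does not establish. DNS-01 through acme-dns further relies on a `_acme-challenge` CNAME for each name in `extraDomainNames` pointing at the registered acme-dns subdomain, which no Nix expression here can create; documenting that manual step next to `dnsProvider = "acme-dns";` would help. The `security.acme` block ends inside the hunk.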
@@ -34,23 +34,32 @@ in { }; }; + security.acme.certs.${hostname}.extraDomainNames = [ + "${subdomain}.${hostname}" + "www.${subdomain}.${hostname}" + ]; + systemd = { + tmpfiles.rules = [ + "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} -" + "d ${cfg.dataDir}/configs 0750 ${cfg.user} ${cfg.group} -" + ]; + services = { znc-init = { + inherit (config.systemd.services.znc) preStart; description = "Initialize znc settings"; + requires = ["local-fs.target"]; + after = ["local-fs.target"]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; User = cfg.user; Group = cfg.group; - RuntimeDirectory = cfg.dataDir; - RuntimeDirectoryMode = "750"; NoNewPrivileges = true; ProtectSystem = "strict"; ReadWritePaths = cfg.dataDir; ProtectHome = true; - StateDirectory = cfg.dataDir; - StateDirectoryMode = "755"; PrivateTmp = true; ProtectHostname = true; ProtectClock = true; @@ -94,27 +103,23 @@ in { forceSSL = true; useACMEHost = hostname; - locations = - { - "/" = { - proxyPass = "http://[[::1]]:7001/"; - extraConfig = '' - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - ''; - }; - } - // config.my.www.acme-location-block; + locations."/" = { + proxyPass = "http://[::1]:7001/"; + extraConfig = '' + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; }; streamConfig = '' upstream znc { - server [::1]::7000; + server [::1]:7000; } server { - listen 0.0.0.0:6697 http2 ssl; - listen [::0]:6697 http2 ssl; + listen 0.0.0.0:6697 ssl; + listen [::0]:6697 ssl; ssl_certificate ${config.security.acme.certs.${hostname}.directory}/fullchain.pem; ssl_certificate_key ${config.security.acme.certs.${hostname}.directory}/key.pem; @@ -216,7 +221,6 @@ in { "keepnick" "savebuff" "clientbuffer" - "autoadd" "route_replies" ]; FloodBurst = 9; diff --git a/host/srv_secrets.yaml b/host/srv_secrets.yaml index 7c5198a..fa4317e 100644 --- a/host/srv_secrets.yaml 
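Review bot: `inherit (config.systemd.services.znc) preStart;` couples znc-init to whatever preStart the upstream znc module generates, which is not visible here and can change with nixpkgs; a comment such as `# reuse the upstream znc unit's preStart so the config is generated by the same script` would record the intent. The new tmpfiles rules replace the dropped `StateDirectory`/`RuntimeDirectory` settings, so the unit now relies on `${cfg.dataDir}` existing before it starts; `after = ["local-fs.target"]` does not express that dependency on tmpfiles setup, although on NixOS it ordinarily completes during early boot. The `znc-init` service definition continues outside the hunk.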
+++ b/host/srv_secrets.yaml @@ -35,8 +35,8 @@ sops: Y1A3cVp1ZjlQTFlNYXpCNU0vdFo2K2cKW6HKJa8xsl+dPiU/pn/e4OzdYl1dAd2E I80O0jS0TQ/8Ifjr/a4V1f911/ShSWiAis8mHEa4wf3pVJ26CI9D9Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-12T18:44:09Z" - mac: ENC[AES256_GCM,data:GwLhZj83Pbz6dk1mXxiAgKWHf8hJ7YBZZrro2yqxOgxbdi6hIwMTAWoBmw4SEKGKhFER7YSY4jCSS4oyZUhP9HIdvCaqMc5u8rC+2UO3nlLsTTLB21vp5QBm0x5/CGH8K4r1S8Xi9bHzdb39+goI9sIARlNkD0fcS02jgb92ErA=,iv:emRl+fQ+CpcpaCcwZKGEBd0ckW6XyDUmrl9XBa+n+zc=,tag:SXcmB4SKp9hy31Yo6KcV9Q==,type:str] + lastmodified: "2024-05-17T20:53:15Z" + mac: ENC[AES256_GCM,data:hw2FncYLmzAUNRvP5K8CxcNBjvvU7617NuvyvWUukw4sx84a5LCDY6IFeY655/3JwuEupPqnqf5rmhx0g8R4aXimyvNglpB9MliFCt5MwX6o4w2bxDkiycQeuqoGQ1X3fmsr2AHMkFllcO3CjrxYBC62dpPy4hKFVOrP3TLtbFk=,iv:LWuUdEmScKBuO9j+TCl8pip+wh2LXtStev2NMgT0I74=,tag:EkMxDjYZ5duoBctpJb5K1g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1