diff --git a/.sops.yaml b/.sops.yaml
index f642bf6..3f88fea 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,18 +1,15 @@
 keys:
 # The PGP keys in keys/
 - &admin_alice F63832C3080D6E1AC77EECF80B4245FFE305BC82
- - &admin_dennis 8F79E6CD6434700615867480D11A514F5095BFA8
 - &admin_richie 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
 # Generate AGE keys from SSH keys with:
 # nix-shell -p ssh-to-age --run 'ssh some.ssh.wavelens.io cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
 - &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
- - &photon age13aqs2mx66dmnyd74sygnwavufv6a4pwnvcqj4ud4l94jk0tjgu6ss57slw
 - &jeeves-jr age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh
 admins: &admins
 - *admin_alice
- - *admin_dennis
 - *admin_richie
 servers: &servers
@@ -37,24 +34,12 @@ creation_rules:
 age:
 - *palatine-hill
- - path_regex: systems/photon/secrets\.yaml$
- key_groups:
- - pgp: *admins
- age:
- - *photon
-
 - path_regex: users/alice/secrets\.yaml$
 key_groups:
 - pgp:
 - *admin_alice
 age: *servers
- - path_regex: users/dennis/secrets\.yaml$
- key_groups:
- - pgp:
- - *admin_dennis
- age: *servers
-
 - path_regex: users/richie/secrets\.yaml$
 key_groups:
 - pgp:
diff --git a/flake.lock b/flake.lock
index 6f357ee..b2fc0eb 100644
--- a/flake.lock
+++ b/flake.lock
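Review bot: Dropping `&admin_dennis` and `&photon` from the recipient lists only affects future encryptions; every secrets file matched by the remaining creation_rules still carries encrypted data-key entries for those recipients until it is re-encrypted, so each affected `secrets.yaml` needs `sops updatekeys`, and the data keys should be rotated (`sops --rotate`) rather than merely re-wrapped, since the removed PGP key holder and the `photon` host already had the current data keys. If `users/dennis/secrets.yaml` and `systems/photon/secrets.yaml` are not deleted in the same change they stay decryptable by the old recipients and no longer match any rule. The members of the `servers: &servers` anchor lie between the two hunks and are not visible, so whether `*photon` also appears there (which would now be a dangling alias) cannot be confirmed from the diff.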
@@ -1,44 +1,5 @@ { "nodes": { - "blobs": { - "flake": false, - "locked": { - "lastModified": 1604995301, - "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", - "owner": "simple-nixos-mailserver", - "repo": "blobs", - "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", - "type": "gitlab" - }, - "original": { - "owner": "simple-nixos-mailserver", - "repo": "blobs", - "type": "gitlab" - } - }, - "c3d2-user-module": { - "inputs": { - "nixos-modules": [ - "nixos-modules" - ], - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1706398214, - "narHash": "sha256-7Lk8sFyEkYGdwinhmgarUrC1niN0iyYm4sQpllxmXq4=", - "ref": "refs/heads/master", - "rev": "6d50ac7797380dde3ada60ceb1aeecf9148cdfb6", - "revCount": 56, - "type": "git", - "url": "https://gitea.c3d2.de/C3D2/nix-user-module.git" - }, - "original": { - "type": "git", - "url": "https://gitea.c3d2.de/C3D2/nix-user-module.git" - } - }, "fenix": { "inputs": { "nixpkgs": [ @@ -61,22 +22,6 @@ } }, "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { "flake": false, "locked": { "lastModified": 1673956053, 
@@ -148,40 +93,9 @@ "type": "github" } }, - "mailserver": { - "inputs": { - "blobs": "blobs", - "flake-compat": "flake-compat", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-23_05": [ - "nixpkgs" - ], - "nixpkgs-23_11": [ - "nixpkgs" - ], - "utils": [ - "flake-utils" - ] - }, - "locked": { - "lastModified": 1706742486, - "narHash": "sha256-sv/MISTeD0rqeVivpZJpynboMWJp6i62OmrZX1rGl38=", - "owner": "simple-nixos-mailserver", - "repo": "nixos-mailserver", - "rev": "9e36323ae3dde787f761420465c3ae560f3dbf29", - "type": "gitlab" - }, - "original": { - "owner": "simple-nixos-mailserver", - "repo": "nixos-mailserver", - "type": "gitlab" - } - }, "nix": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat", "libgit2": "libgit2", "nixpkgs": [ "nixpkgs" @@ -327,36 +241,17 @@ "type": "github" } }, - "patch-aarch64": { - "locked": { - "lastModified": 1708156783, - "narHash": "sha256-Jx7kpeyDvHNXFITE0NTwh/5RjqefhUcQ8cQdtJ3/XXs=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "1cc67d9bf64b37aed93d7af74d5dfd3b76f665f8", - "type": "github" - }, - "original": { - "owner": "nixos", - "repo": "nixpkgs", - "rev": "1cc67d9bf64b37aed93d7af74d5dfd3b76f665f8", - "type": "github" - } - }, "root": { "inputs": { - "c3d2-user-module": "c3d2-user-module", "fenix": "fenix", "flake-utils": "flake-utils", "home-manager": "home-manager", - "mailserver": "mailserver", "nix": "nix", "nix-index-database": "nix-index-database", "nix-pre-commit": "nix-pre-commit", "nixos-modules": "nixos-modules", "nixpkgs": "nixpkgs", "nixpkgs-fmt": "nixpkgs-fmt", - "patch-aarch64": "patch-aarch64", "sops-nix": "sops-nix", "systems": "systems" } diff --git a/flake.nix b/flake.nix index a62b7db..10a1d3d 100644 --- a/flake.nix +++ b/flake.nix 
@@ -23,9 +23,6 @@
 };
 inputs = {
- # can not cross compile all packages
- patch-aarch64.url = "github:nixos/nixpkgs?rev=1cc67d9bf64b37aed93d7af74d5dfd3b76f665f8";
-
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 systems.url = "github:nix-systems/default";
 nix-index-database = {
@@ -65,16 +62,6 @@
 };
 };
- mailserver = {
- url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
- inputs = {
- nixpkgs.follows = "nixpkgs";
- nixpkgs-23_05.follows = "nixpkgs";
- nixpkgs-23_11.follows = "nixpkgs";
- utils.follows = "flake-utils";
- };
- };
-
 home-manager = {
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -95,17 +82,9 @@
 flake-utils.follows = "flake-utils";
 };
 };
-
- c3d2-user-module = {
- url = "git+https://gitea.c3d2.de/C3D2/nix-user-module.git";
- inputs = {
- nixpkgs.follows = "nixpkgs";
- nixos-modules.follows = "nixos-modules";
- };
- };
 };
- outputs = { self, nixpkgs-fmt, nix, home-manager, mailserver, nix-pre-commit, nixos-modules, nixpkgs, sops-nix, ... }@inputs:
+ outputs = { self, nixpkgs-fmt, nix, home-manager, nix-pre-commit, nixos-modules, nixpkgs, sops-nix, ... }@inputs:
 let
 inherit (nixpkgs) lib;
 systems = [
@@ -202,7 +181,6 @@
 ];
 }
 ] ++ (if server then [
- mailserver.nixosModules.mailserver
 ./systems/programs.nix
 ./systems/configuration.nix
 ./systems/${hostname}/hardware.nix
diff --git a/keys/dennis.asc b/keys/dennis.asc
deleted file mode 100644
index 77611db..0000000
--- a/keys/dennis.asc
+++ /dev/null
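Review bot: Removing `mailserver.nixosModules.mailserver` from the server module list in the last hunk means any `mailserver.*` option still set in `./systems/programs.nix`, `./systems/configuration.nix` or a host's files — imported on the lines right after — becomes an undefined option and fails evaluation; those files are not in this diff, so building each server host (or `nix flake check`) is needed to confirm. The deleted `modules/backup.nix` was the visible consumer of `config.mailserver.enable`, but the diff does not show whether an import list elsewhere still references the deleted `backup.nix` and `website.nix` modules. The `outputs` function continues past the end of the hunk.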
@@ -1,26 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mDMEZHhWiRYJKwYBBAHaRw8BAQdApLSB6EIA/rIChQzJ/DTuZo0xjZqLd0YanYZN
-Hk65RDe0LkRlbm5pcyBXdWl0eiAoTUFJTikgPGRlbm5pcy5oZW5yaXF1ZUB3dWl0
-ei5kZT6IkwQTFgoAOxYhBI955s1kNHAGFYZ0gNEaUU9Qlb+oBQJkeFaJAhsDBQsJ
-CAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJENEaUU9Qlb+oJEkA/jV6SgEqfLBH
-Te5cctEeKi1I6NhF9ygQaQ3E1iOawKjNAP9AKaJU9FZxBkkdQYRUwBT1HT5a9AE5
-Sc9Kv0gGjJOxBrg4BGR4VokSCisGAQQBl1UBBQEBB0CIoOJNjVR40yMwH/tJRfvE
-FvVc8Vf6S/H0Gn0jqMT5QQMBCAeIeAQYFgoAIBYhBI955s1kNHAGFYZ0gNEaUU9Q
-lb+oBQJkeFaJAhsMAAoJENEaUU9Qlb+ozsYA/1WRuFNfGvkGnfxekqZVSFWzV8+7
-dxTsdFH6Rp4ShU2IAQC7p0YlJ86tH4cUKX1vgp3Fd5MwysFgwoI9GmPkIjX4BLgz
-BGR4V2kWCSsGAQQB2kcPAQEHQJYHv/LMo8N6iM3zFvOKrF7ZLp3eAG/cOED0yDzr
-vgkdiO8EGBYKACAWIQSPeebNZDRwBhWGdIDRGlFPUJW/qAUCZHhXaQIbIgCBCRDR
-GlFPUJW/qHYgBBkWCgAdFiEErfK/dQolfE3HjkAfURC2OXTM6bgFAmR4V2kACgkQ
-URC2OXTM6bjzbwD9Hpa0WcBU6yeSXR/6rmXImdEZSQUrT2T/KGBQQGMoDO8BAO2Z
-hb8Twi+tkgabc4+6QzrnnF8owCNi0snngcaqXBwIECoA/io/Rc9XwHYgwI8QkQjU
-SwRrkWSL2nHJBOyTNr51aw6jAPwJGFgjiiiqaTPtVJmGhVvjr06W66RMK6IRejPl
-AwNBBrgzBGR4WCQWCSsGAQQB2kcPAQEHQAoyEdbEjTAt540SMi4qA3YqioPuE2Y0
-omU1cNECTDpKiO8EGBYKACAWIQSPeebNZDRwBhWGdIDRGlFPUJW/qAUCZHhYJAIb
-AgCBCRDRGlFPUJW/qHYgBBkWCgAdFiEEaRWBxbY0svsuEwNkS1ay/lwzFeQFAmR4
-WCQACgkQS1ay/lwzFeRL6AEAy+o1W/rY3Bwqws+NtEQmZp8ImuNL/VryMy/fvV1g
-WJcA/Rr7pVW424dMWNz9MzAJBtxT8DLzwqC+lLl4uduoEIkAPcIA+wSosu1Stl03
-qaZg4TW6yawfUu9ixjKRbIv/THjQ26n8AP42LYM+BgT98KHYpCvP5TnNDJ3EX3Jy
-1lnOvas0EEuhAA==
-=tFtY
------END PGP PUBLIC KEY BLOCK-----
diff --git a/modules/backup.nix b/modules/backup.nix
deleted file mode 100644
index 78490bd..0000000
--- a/modules/backup.nix
+++ /dev/null
@@ -1,136 +0,0 @@ -{ config, lib, pkgs, ... }: - -let cfg = config.services.backup; -in { - options.services.backup = { - enable = lib.mkEnableOption "backup"; - - offsite = lib.mkOption { - type = with lib.types; listOf str; - default = [ ]; - description = "Offsite backup hostnames."; - }; - - paths = lib.mkOption { - type = with lib.types; listOf str; - default = [ ]; - description = "Extra paths to include in backup."; - }; - - exclude = lib.mkOption { - type = with lib.types; listOf str; - default = [ ]; - description = "Extra paths to exclude in backup."; - }; - - backup_at = lib.mkOption { - type = lib.types.int; - default = 2; - description = "Time to run backup."; - }; - }; - - config = { - assertions = [ - { - assertion = cfg.paths != [ ] -> cfg.enable; - message = "Configuring backup services.backup.paths without enabling services.backup.enable is useless!"; - } - { - assertion = cfg.backup_at < 24; - message = "Backup time must be less than 24 hours!"; - } - ]; - - services = { - postgresqlBackup = { - inherit (config.services.postgresql) enable; - backupAll = true; - startAt = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:00:00"; - }; - - restic.backups = - let - commonOpts = { - initialize = true; - extraBackupArgs = [ "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" ]; - pruneOpts = [ "--group-by host" "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 12" ]; - passwordFile = config.sops.secrets."restic/password".path; - paths = [ - "/etc/group" - "/etc/machine-id" - "/etc/passwd" - "/etc/shadow" - "/etc/ssh/ssh_host_ecdsa_key" - "/etc/ssh/ssh_host_ecdsa_key.pub" - "/etc/ssh/ssh_host_ed25519_key" - "/etc/ssh/ssh_host_ed25519_key.pub" - "/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_rsa_key.pub" - "/etc/subgid" - "/etc/subuid" - "/var/lib/nixos/" - ] ++ cfg.paths - ++ lib.optional config.services.postgresql.enable "/var/backup/postgresql/" - ++ lib.optional 
config.services.mysql.enable "/var/lib/mysql/" - ++ lib.optional config.services.gitea.enable "/var/lib/gitea/" - ++ lib.optional (config.security.acme.certs != { }) "/var/lib/acme/" - ++ lib.optional config.security.dhparams.enable "/var/lib/dhparams/" - ++ lib.optional config.mailserver.enable config.mailserver.mailDirectory; - - exclude = lib.mkIf config.services.gitea.enable [ - "/var/lib/gitea/data/indexers/" - "/var/lib/gitea/data/repo-archive" - "/var/lib/gitea/data/queues" - "/var/lib/gitea/data/tmp/" - ]; - - timerConfig = { - OnCalendar = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:30:00"; - RandomizedDelaySec = "5m"; - }; - }; - in - lib.mkIf cfg.enable { - local = commonOpts // { repository = "/var/backup"; }; - offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; }; - }; - }; - - sops.secrets = lib.mkIf (cfg.enable && cfg.offsite != [ ]) { - "restic/offsite/private" = { - owner = "root"; - path = "/root/.ssh/id_offsite-backup"; - sopsFile = ./backup.yaml; - }; - - "restic/offsite/public" = { - owner = "root"; - path = "/root/.ssh/id_offsite-backup.pub"; - sopsFile = ./backup.yaml; - }; - - "restic/offsite/ssh-config" = { - owner = "root"; - path = "/root/.ssh/config"; - sopsFile = ./backup.yaml; - }; - } // lib.mkIf cfg.enable { "restic/password".owner = "root"; }; - - system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf (cfg.enable && cfg.offsite != [ ]) '' - echo "Linking restic ssh config..." 
- mkdir -m700 -p /home/root/.ssh/ - ln -fs {,/home}/root/.ssh/id_offsite-backup - ln -fs {,/home}/root/.ssh/id_offsite-backup.pub - ln -fs {,/home}/root/.ssh/config - ''; - - systemd = lib.mkIf cfg.enable { - timers = lib.mkIf config.services.postgresqlBackup.enable { postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; }; - services = { - restic-backups-local.serviceConfig.Environment = "RESTIC_PROGRESS_FPS=0.016666"; - restic-backups-offsite.serviceConfig.Environment = lib.mkIf (cfg.offsite != [ ]) "RESTIC_PROGRESS_FPS=0.016666"; - }; - }; - }; -} diff --git a/modules/website.nix b/modules/website.nix deleted file mode 100644 index d4a426d..0000000 --- a/modules/website.nix +++ /dev/null 
@@ -1,199 +0,0 @@ -{ config, pkgs, lib, ... }: -let - eachSite = config.services.staticpage.sites; - siteOpts = { lib, ... }: { - options = { - package = lib.mkPackageOption pkgs "page" { }; - - root = lib.mkOption { - type = lib.types.str; - description = "The Document-Root folder in /var/lib"; - }; - - domain = lib.mkOption { - type = lib.types.str; - example = "example.com"; - description = "The staticpage's domain."; - }; - - subdomain = lib.mkOption { - type = with lib.types; nullOr str; - default = null; - example = "app"; - description = "The staticpage subdomain."; - }; - - usePHP = lib.mkOption { - type = lib.types.bool; - default = false; - description = "Configure the Nginx Server to use PHP"; - }; - - configureNginx = lib.mkOption { - type = lib.types.bool; - default = true; - description = "Configure the Nginx Server to serve the site with acne"; - }; - }; - }; -in -{ - options.services.staticpage = { - enable = lib.mkEnableOption "staticpage"; - sites = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule siteOpts); - default = { }; - description = lib.mdDoc "Specification of one or more Staticpages sites to serve"; - }; - }; - - config = lib.mkIf (eachSite != { }) (lib.mkMerge [{ - services.nginx = { - virtualHosts = lib.mkMerge [ - (lib.mapAttrs' - (name: cfg: { - name = "${(if (cfg.subdomain == null) then "${cfg.domain}" else "${cfg.subdomain}.${cfg.domain}")}"; - value = { - root = "/var/lib/www/${cfg.root}"; - forceSSL = true; - enableACME = true; - serverAliases = lib.mkIf (cfg.subdomain == null) [ "www.${cfg.domain}" ]; - - locations."= /favicon.ico" = { - extraConfig = '' - log_not_found off; - access_log off; - ''; - }; - - locations."= /robots.txt" = { - extraConfig = '' - allow all; - log_not_found off; - access_log off; - ''; - }; - - locations."~* ^/.well-known/" = { - extraConfig = '' - allow all; - ''; - }; - - locations."~* .(js|css|png|jpg|jpeg|gif|ico|svg)$" = { - extraConfig = '' - try_files $uri @rewrite; - expires max; - 
log_not_found off; - ''; - }; - - locations."~ ^/sites/.*/files/styles/" = { - extraConfig = '' - try_files $uri @rewrite; - ''; - }; - } // lib.optionalAttrs cfg.usePHP { - locations."~ '.php$|^/update.php'" = { - extraConfig = '' - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_pass unix:${config.services.phpfpm.pools.${name}.socket}; - fastcgi_index index.php; - - fastcgi_split_path_info ^(.+?\.php)(|/.*)$; - # Ensure the php file exists. Mitigates CVE-2019-11043 - try_files $fastcgi_script_name =404; - - # Block httpoxy attacks. See https://httpoxy.org/. - fastcgi_param HTTP_PROXY ""; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param QUERY_STRING $query_string; - fastcgi_intercept_errors on; - ''; - }; - - locations."~ ..*/.*.php$" = { - extraConfig = '' - return 403; - ''; - }; - - locations."~ ^/sites/.*/private/" = { - extraConfig = '' - return 403; - ''; - }; - - locations."~ ^/sites/[^/]+/files/.*.php$" = { - extraConfig = '' - deny all; - ''; - }; - - locations."/" = { - extraConfig = '' - try_files $uri /index.php?$query_string; - ''; - }; - - locations."@rewrite" = { - extraConfig = '' - rewrite ^ /index.php; - ''; - }; - - locations."~ /vendor/.*.php$" = { - extraConfig = '' - deny all; - return 404; - ''; - }; - - locations."~ ^/sites/.*/files/styles/" = { - extraConfig = '' - try_files $uri @rewrite; - ''; - }; - - locations."~ ^(/[a-z-]+)?/system/files/" = { - extraConfig = '' - try_files $uri /index.php?$query_string; - ''; - }; - } // lib.optionalAttrs (!cfg.usePHP) { - locations."/" = { - extraConfig = '' - index index.html; - try_files $uri $uri/ $uri.html =404; - ''; - }; - }; - }) - (lib.filterAttrs (n: v: v.configureNginx) eachSite)) - ]; - }; - - services.phpfpm.pools = lib.mkMerge [ - (lib.mapAttrs - (name: cfg: { - user = "nginx"; - phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; - settings = { - "listen.owner" = 
config.services.nginx.user; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 5; - "php_admin_value[error_log]" = "stderr"; - "php_admin_flag[log_errors]" = true; - "catch_workers_output" = true; - }; - }) - (lib.filterAttrs (n: v: v.usePHP) eachSite)) - ]; - }]); -} diff --git a/systems/jeeves-jr/default.nix b/systems/jeeves-jr/default.nix index 8bcd542..b17698e 100644 --- a/systems/jeeves-jr/default.nix +++ b/systems/jeeves-jr/default.nix @@ -1 +1 @@ -{...}: {users = ["alice" "dennis" "richie"];} +{...}: {users = ["alice" "richie"];} diff --git a/systems/palatine-hill/default.nix b/systems/palatine-hill/default.nix index 5044dd4..dc75568 100644 --- a/systems/palatine-hill/default.nix +++ b/systems/palatine-hill/default.nix @@ -1 +1 @@ -{ ... }: { users = [ "alice" "dennis" "richie" ]; } +{ ... }: { users = [ "alice" "richie" ]; }
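Review bot: Dropping `"dennis"` from `users` in `systems/jeeves-jr/default.nix` (and likewise in `systems/palatine-hill/default.nix`) is only the declarative side of the offboarding; what happens to the existing account on those hosts — home directory, authorized SSH keys, running sessions — depends on the module that consumes this list, which is not in the diff, so it is worth confirming on the next switch that the account is actually retired rather than left in place. The `users/dennis/secrets.yaml` file that the removed .sops.yaml rule pointed at is not deleted anywhere in this diff; if it still exists it should be removed or re-keyed in the same change.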