about summary refs log tree commit diff
path: root/modules/nixos
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--modules/nixos/bluetooth.nix11
-rw-r--r--modules/nixos/grafana.nix6
-rw-r--r--modules/nixos/kde.nix1
-rw-r--r--modules/nixos/matrix/dendrite.nix193
-rw-r--r--modules/nixos/monitoring/default.nix7
-rw-r--r--modules/nixos/openssh.nix21
-rw-r--r--modules/nixos/profiles/headless.nix5
7 files changed, 146 insertions, 98 deletions
diff --git a/modules/nixos/bluetooth.nix b/modules/nixos/bluetooth.nix
index cf92179..76131bf 100644
--- a/modules/nixos/bluetooth.nix
+++ b/modules/nixos/bluetooth.nix
@@ -16,14 +16,9 @@ in {
     hardware.bluetooth = {
       enable = true;
       settings.General.FastConnectable = true;
-    };
-
-    environment = {
-      etc."bluetooth/input.conf".text = generators.toINI {} {
-        General = {
-          IdleTimeout = 15;
-          UserspaceHID = true;
-        };
+      input.General = {
+        IdleTimeout = 15;
+        UserspaceHID = true;
       };
     };
   };
diff --git a/modules/nixos/grafana.nix b/modules/nixos/grafana.nix
index a614502..0b2e210 100644
--- a/modules/nixos/grafana.nix
+++ b/modules/nixos/grafana.nix
@@ -39,7 +39,7 @@ in {
           group = "grafana";
         };
         grafana-smtp-password = {
-          file = "${inputs.self}/secrets/grafana-smtp-password";
+          file = "${inputs.self}/secrets/smtp-password";
           owner = "grafana";
           group = "grafana";
         };
@@ -98,8 +98,8 @@ in {
               auto_assign_org_role = "Viewer";
             };
             security = with config.secrets; {
-              secret_key = grafana-key.path;
-              admin_password = grafana-admin-password.path;
+              secret_key = "$__file{${grafana-key.path}}";
+              admin_password = "$__file{${grafana-admin-password.path}}";
             };
             analytics.reporting_enable = false;
           };
diff --git a/modules/nixos/kde.nix b/modules/nixos/kde.nix
index a430294..66fabbd 100644
--- a/modules/nixos/kde.nix
+++ b/modules/nixos/kde.nix
@@ -30,7 +30,6 @@ in {
         enable = true;
         excludePackages = with pkgs.plasma5Packages; [
           elisa
-          gwenview
           khelpcenter
           okular
           print-manager
diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix
index 0fad5f2..6b662b2 100644
--- a/modules/nixos/matrix/dendrite.nix
+++ b/modules/nixos/matrix/dendrite.nix
@@ -11,6 +11,12 @@ in {
   options.nixfiles.modules.matrix.dendrite = {
     enable = mkEnableOption "Dendrite Matrix server";
 
+    port = mkOption {
+      description = "Port.";
+      type = with types; port;
+      default = 8008;
+    };
+
     domain = mkOption {
       type = types.str;
       default = config.networking.domain;
@@ -68,90 +74,129 @@ in {
         };
       };
 
-      services = {
-        dendrite = {
-          enable = true;
-          httpPort = 8008;
-          environmentFile = config.secrets.dendrite-environment-file.path;
-          settings = {
-            version = 2;
-            global = {
-              server_name = cfg.domain;
-              private_key = config.secrets.dendrite-private-key.path;
-              database = {
-                connection_string = "postgresql://${db}@/${db}?host=/run/postgresql";
-                max_open_conns = 64;
-                max_idle_connections = 8;
+      services.postgresql = {
+        ensureDatabases = [db];
+        ensureUsers = [
+          {
+            name = db;
+            ensurePermissions."DATABASE \"${db}\"" = "ALL";
+          }
+        ];
+      };
+
+      systemd.services.dendrite = {
+        description = "Dendrite Matrix homeserver";
+        requires = ["network.target"];
+        wantedBy = ["multi-user.target"];
+        serviceConfig = let
+          needsPrivileges = cfg.port < 1024;
+          capabilities = [""] ++ optionals needsPrivileges ["CAP_NET_BIND_SERVICE"];
+        in {
+          Restart = "on-failure";
+          ExecStartPre = let
+            settings = {
+              version = 2;
+              global = {
+                server_name = cfg.domain;
+                private_key = config.secrets.dendrite-private-key.path;
+                database = {
+                  connection_string = "postgresql://${db}@/${db}?host=/run/postgresql";
+                  max_open_conns = 64;
+                  max_idle_connections = 8;
+                };
+                cache = {
+                  max_size_estimated = "1gb";
+                  max_age = "1h";
+                };
+                trusted_third_party_id_servers = [
+                  "matrix.org"
+                  "nixos.org"
+                  "vector.im"
+                ];
+                presence = {
+                  enable_inbound = false;
+                  enable_outbound = false;
+                };
               };
-              cache = {
-                max_size_estimated = "1gb";
-                max_age = "1h";
+              client_api = {
+                registration_disabled = true;
+                guests_disabled = true;
+                registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
               };
-              trusted_third_party_id_servers = [
-                "matrix.org"
-                "nixos.org"
-                "vector.im"
-              ];
-              presence = {
-                enable_inbound = false;
-                enable_outbound = false;
+              media_api = {
+                base_path = "/var/lib/dendrite/media_store";
+                max_file_size_bytes = 0;
+                dynamic_thumbnails = true;
+                max_thumbnail_generators = 8;
+                thumbnail_sizes = [
+                  {
+                    width = 32;
+                    height = 32;
+                    method = "crop";
+                  }
+                  {
+                    width = 96;
+                    height = 96;
+                    method = "crop";
+                  }
+                  {
+                    width = 640;
+                    height = 480;
+                    method = "scale";
+                  }
+                ];
               };
-            };
-            client_api = {
-              registration_disabled = true;
-              guests_disabled = true;
-              registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
-            };
-            media_api = {
-              max_file_size_bytes = 0;
-              dynamic_thumbnails = true;
-              max_thumbnail_generators = 8;
-              thumbnail_sizes = [
+              logging = [
                 {
-                  width = 32;
-                  height = 32;
-                  method = "crop";
-                }
-                {
-                  width = 96;
-                  height = 96;
-                  method = "crop";
-                }
-                {
-                  width = 640;
-                  height = 480;
-                  method = "scale";
+                  type = "std";
+                  level = "warn";
                 }
               ];
             };
-            logging = [
-              {
-                type = "std";
-                level = "warn";
-              }
+          in
+            concatStringsSep " " [
+              "${pkgs.envsubst}/bin/envsubst"
+              "-i ${(pkgs.formats.yaml {}).generate "dendrite.yaml" settings}"
+              "-o /run/dendrite/dendrite.yaml"
             ];
-          };
-        };
-
-        postgresql = {
-          ensureDatabases = [db];
-          ensureUsers = [
-            {
-              name = db;
-              ensurePermissions."DATABASE \"${db}\"" = "ALL";
-            }
+          ExecStart = concatStringsSep " " [
+            "${pkgs.dendrite}/bin/dendrite-monolith-server"
+            "--config /run/dendrite/dendrite.yaml"
+            "--http-bind-address 127.0.0.1:${toString cfg.port}"
           ];
+          ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+          EnvironmentFile = config.secrets.dendrite-environment-file.path;
+          DynamicUser = true;
+          StateDirectory = "dendrite";
+          RuntimeDirectory = "dendrite";
+          RuntimeDirectoryMode = "0700";
+          AmbientCapabilities = capabilities;
+          CapabilityBoundingSet = capabilities;
+          UMask = "0077";
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = !needsPrivileges;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          ProtectProc = "noaccess";
+          ProcSubset = "pid";
+          RemoveIPC = true;
+          RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = ["@system-service" "~@privileged"];
         };
       };
-
-      systemd.services.dendrite.serviceConfig.ExecStart =
-        mkForce
-        (concatStringsSep " " [
-          "${pkgs.dendrite}/bin/dendrite-monolith-server"
-          "--config /run/dendrite/dendrite.yaml"
-          "--http-bind-address 127.0.0.1:${
-            toString config.services.dendrite.httpPort
-          }"
-        ]);
     };
 }
diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix
index 4ff4c50..57a0d09 100644
--- a/modules/nixos/monitoring/default.nix
+++ b/modules/nixos/monitoring/default.nix
@@ -38,6 +38,13 @@ in {
             access = "proxy";
             url = "https://${loki.domain}";
           }
+          {
+            name = "Alertmanager";
+            type = "alertmanager";
+            access = "proxy";
+            jsonData.implementation = "prometheus";
+            url = "https://${alertmanager.domain}";
+          }
         ];
 
         # https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
index 9a131d7..c7a144e 100644
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -18,16 +18,16 @@ in {
   };
 
   config = mkIf cfg.server.enable {
-    # TODO Enable on a fresh system.
-    # ark = {
-    #   files = [
-    #     "/etc/ssh/ssh_host_ed25519_key"
-    #     "/etc/ssh/ssh_host_ed25519_key.pub"
-    #     "/etc/ssh/ssh_host_rsa_key"
-    #     "/etc/ssh/ssh_host_rsa_key.pub"
-    #   ];
-    #   directories = ["/etc/ssh/authorized_keys.d"];
-    # };
+    # FIXME This is mounted after the activation script is launched.
+    ark = {
+      files = [
+        "/etc/ssh/ssh_host_ed25519_key"
+        "/etc/ssh/ssh_host_ed25519_key.pub"
+        "/etc/ssh/ssh_host_rsa_key"
+        "/etc/ssh/ssh_host_rsa_key.pub"
+      ];
+      # directories = ["/etc/ssh/authorized_keys.d"];
+    };
 
     programs.mosh.enable = true;
 
@@ -36,7 +36,6 @@ in {
         enable = true;
         ports = [cfg.server.port];
         settings = {
-          AllowUsers = my.username;
           ClientAliveCountMax = 3;
           ClientAliveInterval = 60;
           KbdInteractiveAuthentication = false;
diff --git a/modules/nixos/profiles/headless.nix b/modules/nixos/profiles/headless.nix
index 9faf531..efe4d03 100644
--- a/modules/nixos/profiles/headless.nix
+++ b/modules/nixos/profiles/headless.nix
@@ -19,7 +19,10 @@ in {
       promtail.enable = true;
     };
 
-    # Pin version to prevent any surprises.
+    # Pin version to prevent any surprises. Try keeping this up-to-date[1] with
+    # the latest LTS release + hardened patches (just in case).
+    #
+    # [1]: https://kernel.org
     boot.kernelPackages = pkgs.linuxPackages_5_15_hardened;
 
     nix = {

Consider giving Nix/NixOS a try! <3