diff options
Diffstat (limited to 'modules')
-rw-r--r-- | modules/nixfiles/monitoring/default.nix | 80 | ||||
-rw-r--r-- | modules/nixfiles/openssh.nix | 102 | ||||
-rw-r--r-- | modules/nixfiles/profiles/headful.nix | 65 | ||||
-rw-r--r-- | modules/nixfiles/rtorrent.nix | 2 | ||||
-rw-r--r-- | modules/nixfiles/syncthing.nix | 50 | ||||
-rw-r--r-- | modules/nixfiles/wireguard.nix | 18 |
6 files changed, 231 insertions, 86 deletions
diff --git a/modules/nixfiles/monitoring/default.nix b/modules/nixfiles/monitoring/default.nix index 9758cff..c439614 100644 --- a/modules/nixfiles/monitoring/default.nix +++ b/modules/nixfiles/monitoring/default.nix @@ -64,12 +64,80 @@ in { loki.configuration.ruler.alertmanager_url = "https://${config.nixfiles.modules.alertmanager.domain}"; - prometheus.alertmanagers = [ - { - scheme = "https"; - static_configs = [{targets = [config.nixfiles.modules.alertmanager.domain];}]; - } - ]; + prometheus = { + scrapeConfigs = with my.configurations; + with config.services.prometheus.exporters; [ + { + job_name = "endlessh-go"; + static_configs = [ + { + targets = with config.services.endlessh-go.prometheus; [ + "${manwe.hostname}:${toString port}" + "${varda.hostname}:${toString port}" + "${yavanna.hostname}:${toString port}" + ]; + } + ]; + } + { + job_name = "nginx"; + static_configs = [ + { + targets = with nginx; [ + "${manwe.hostname}:${toString port}" + "${varda.hostname}:${toString port}" + "${yavanna.hostname}:${toString port}" + ]; + } + ]; + } + { + job_name = "node"; + static_configs = [ + { + targets = with node; [ + "${manwe.hostname}:${toString port}" + "${varda.hostname}:${toString port}" + "${yavanna.hostname}:${toString port}" + ]; + } + ]; + } + { + job_name = "postgres"; + static_configs = [ + { + targets = with postgres; ["${manwe.hostname}:${toString port}"]; + } + ]; + } + { + job_name = "unbound"; + static_configs = [ + { + targets = with unbound; ["${manwe.hostname}:${toString port}"]; + } + ]; + } + { + job_name = "wireguard"; + static_configs = [ + { + targets = with wireguard; ["${manwe.hostname}:${toString port}"]; + } + ]; + } + ]; + + alertmanagers = [ + { + scheme = "https"; + static_configs = [ + {targets = [config.nixfiles.modules.alertmanager.domain];} + ]; + } + ]; + }; }; }; } diff --git a/modules/nixfiles/openssh.nix b/modules/nixfiles/openssh.nix index 3a526d7..2bae2da 100644 --- a/modules/nixfiles/openssh.nix +++ b/modules/nixfiles/openssh.nix @@ -12,41 +12,73 @@ in { server.enable = mkEnableOption "OpenSSH server"; }; - config = mkMerge [ - (mkIf cfg.client.enable { - hm = { - home.packages = with pkgs; [mosh sshfs]; - - programs.ssh = { - enable = true; - controlMaster = "auto"; - controlPersist = "24H"; - hashKnownHosts = true; - serverAliveCountMax = 30; - serverAliveInterval = 60; - }; - }; - }) - (mkIf cfg.server.enable { - programs.mosh.enable = true; - - services = let - port = 22022; - in { - openssh = { - enable = true; - ports = [port]; - logLevel = "VERBOSE"; - permitRootLogin = "no"; - passwordAuthentication = false; + config = let + port = 22022; # Port 22 should be occupied by endlessh. + in + mkMerge [ + (mkIf cfg.client.enable { + hm = { + home.packages = with pkgs; [mosh sshfs]; + + programs.ssh = { + enable = true; + + hashKnownHosts = true; + + controlMaster = "auto"; + controlPersist = "24H"; + + serverAliveCountMax = 30; + serverAliveInterval = 60; + + matchBlocks = let + mkBlock = name: { + hostname ? name, + port ? 22, + user ? my.username, + identityFile ? "${config.my.home}/.ssh/id_ed25519", + extraAttrs ? {}, + }: + nameValuePair name ({inherit hostname port user identityFile;} + // extraAttrs); + + internalServers = + mapAttrs' mkBlock + (mapAttrs (name: _: { + hostname = "${name}.${my.domain.shire}"; + inherit port; + }) (filterAttrs (_: attr: + hasAttr "wireguard" attr + && attr.isHeadless) + my.configurations)); + in + internalServers + // (mapAttrs' mkBlock { + # Custom blocks go here. + # + # example.hostname = "129.168.70.80"; + }); + }; }; + }) + (mkIf cfg.server.enable { + programs.mosh.enable = true; - fail2ban.jails.sshd = '' - enabled = true - mode = aggressive - port = ${toString port} - ''; - }; - }) - ]; + services = { + openssh = { + enable = true; + ports = [port]; + logLevel = "VERBOSE"; # Required by fail2ban. + permitRootLogin = "no"; + passwordAuthentication = false; + }; + + fail2ban.jails.sshd = '' + enabled = true + mode = aggressive + port = ${toString port} + ''; + }; + }) + ]; } diff --git a/modules/nixfiles/profiles/headful.nix b/modules/nixfiles/profiles/headful.nix index 9fd7386..d8fc208 100644 --- a/modules/nixfiles/profiles/headful.nix +++ b/modules/nixfiles/profiles/headful.nix @@ -40,7 +40,70 @@ in { xmonad.enable = mkDefault false; }; - hm.home.packages = with pkgs; [convmv dos2unix]; + hm = { + home.packages = with pkgs; [ + calibre + convmv + dos2unix + kotatogram-desktop + nheko + tor-browser + ]; + + accounts.email = { + maildirBasePath = "${config.my.home}/mail"; + + accounts = let + mkAccount = attrs: + mkMerge [ + { + mbsync = { + enable = true; + create = "both"; + expunge = "both"; + patterns = ["*"]; + }; + msmtp.enable = true; + mu.enable = true; + } + attrs + ]; + + pass = path: "${pkgs.pass}/bin/pass show ${path}"; + in { + shire = mkAccount { + address = my.email; + gpg = { + inherit (my.pgp) key; + signByDefault = true; + encryptByDefault = false; + }; + + primary = true; + + imap.host = "shire.me"; + smtp.host = "shire.me"; + userName = "azahi@shire.me"; + passwordCommand = pass "email/shire.me/azahi"; + }; + + yahoo = mkAccount { + address = "a.gondor@yahoo.com"; + + imap.host = "imap.yahoo.com"; + smtp.host = "smtp.yahoo.com"; + userName = "a.gondor@yahoo.com"; + passwordCommand = pass "email/yahoo.com/a.gondor"; + }; + }; + }; + + programs = { + mbsync.enable = true; + msmtp.enable = true; + mu.enable = true; + }; + }; # There are (arguably) not a lot of reasons to keep mitigations enabled for # on machine that is not web-facing. First of all, to completely mitigate diff --git a/modules/nixfiles/rtorrent.nix b/modules/nixfiles/rtorrent.nix index a91e83d..121f1ca 100644 --- a/modules/nixfiles/rtorrent.nix +++ b/modules/nixfiles/rtorrent.nix @@ -11,7 +11,7 @@ in { enable = mkEnableOption "rTorrent"; flood = { - enable = mkEnableOption "Flood"; + enable = mkEnableOption "Flood" // {default = cfg.enable;}; domain = mkOption { description = "Domain name sans protocol scheme."; diff --git a/modules/nixfiles/syncthing.nix b/modules/nixfiles/syncthing.nix index 6e6e629..31286fa 100644 --- a/modules/nixfiles/syncthing.nix +++ b/modules/nixfiles/syncthing.nix @@ -1,5 +1,6 @@ { config, + inputs, lib, pkgs, this, @@ -16,34 +17,23 @@ in { type = with types; str; default = "syncthing.${config.networking.fqdn}"; }; - - # TODO Set this automatically shire on the hostname. - cert = mkOption { - description = "Path to the cert file."; - type = with types; nullOr string; - default = null; - }; - - # TODO Set this automatically shire on the hostname. - key = mkOption { - description = "Path to the key file."; - type = with types; nullOr string; - default = null; - }; }; config = mkIf cfg.enable (mkMerge [ { - assertions = [ - { - assertion = cfg.cert != null; - message = "Cert file needs to be specified."; - } - { - assertion = cfg.key != null; - message = "Key file needs to be specified."; - } - ]; + secrets = { + "syncthing-cert-${this.hostname}" = with config.services.syncthing; { + file = "${inputs.self}/secrets/syncthing-cert-${this.hostname}"; + owner = user; + inherit group; + }; + + "syncthing-key-${this.hostname}" = with config.services.syncthing; { + file = "${inputs.self}/secrets/syncthing-key-${this.hostname}"; + owner = user; + inherit group; + }; + }; services.syncthing = { enable = true; @@ -55,7 +45,8 @@ in { guiAddress = "127.0.0.1:8384"; - inherit (cfg) key cert; + cert = config.secrets."syncthing-cert-${this.hostname}".path; + key = config.secrets."syncthing-key-${this.hostname}".path; overrideDevices = true; devices = mapAttrs (name: attr: @@ -94,9 +85,8 @@ in { versioning = trashcan; }; pass = { - path = - config.hm.programs.password-store.settings.PASSWORD_STORE_DIR; - devices = all; + path = config.hm.programs.password-store.settings.PASSWORD_STORE_DIR; + devices = notOther; versioning = trashcan; }; org = { @@ -114,8 +104,8 @@ in { devices = notOther; versioning = trashcan; }; - vidya = { - path = "${documents}/vidya"; + books = { + path = "${documents}/books"; devices = notOther; versioning = trashcan; }; diff --git a/modules/nixfiles/wireguard.nix b/modules/nixfiles/wireguard.nix index c4fca1e..f98b4e3 100644 --- a/modules/nixfiles/wireguard.nix +++ b/modules/nixfiles/wireguard.nix @@ -1,5 +1,6 @@ { config, + inputs, lib, pkgs, this, @@ -9,13 +10,6 @@ with lib; let cfg = config.nixfiles.modules.wireguard; in { options.nixfiles.modules.wireguard = { - # TODO Set this automatically shire on the hostname. - privateKeyFile = mkOption { - description = "Path to the private key file."; - type = with types; nullOr string; - default = null; - }; - client = { enable = mkEnableOption "WireGuard client"; @@ -98,10 +92,6 @@ in { { assertions = [ { - assertion = cfg.privateKeyFile != null; - message = "Key file must be specified."; - } - { assertion = config.security.sudo.enable; message = "Sudo is not enabled."; } @@ -113,12 +103,14 @@ in { } // mkMerge [ (mkIf (cfg.client.enable || cfg.server.enable) { + secrets."wireguard-private-key-${this.hostname}".file = "${inputs.self}/secrets/wireguard-private-key-${this.hostname}"; + networking.firewall.trustedInterfaces = [cfg.interface]; }) (mkIf cfg.client.enable { networking.wg-quick.interfaces.${cfg.interface} = mkMerge [ (with this.wireguard; { - inherit (cfg) privateKeyFile; + privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path; address = ["${ipv4.address}/16" "${ipv6.address}/16"]; }) (with cfg.server; { @@ -173,7 +165,7 @@ in { wireguard = { enable = true; interfaces.${cfg.interface} = with cfg.server; { - inherit (cfg) privateKeyFile; + privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path; ips = ["${ipv4.address}/16" "${ipv6.address}/16"]; listenPort = port; inherit peers; |