From 5b01fa945b2122b82da4be33203e4cf753951b7c Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Mon, 12 Sep 2022 14:03:31 +0300 Subject: 2022-09-12 --- configurations/manwe/default.nix | 75 +-------------------- configurations/melian/default.nix | 116 +------------------------------- configurations/varda/default.nix | 9 +-- configurations/yavanna/default.nix | 34 +--------- modules/nixfiles/monitoring/default.nix | 80 ++++++++++++++++++++-- modules/nixfiles/openssh.nix | 102 ++++++++++++++++++---------- modules/nixfiles/profiles/headful.nix | 65 +++++++++++++++++- modules/nixfiles/rtorrent.nix | 2 +- modules/nixfiles/syncthing.nix | 50 ++++++-------- modules/nixfiles/wireguard.nix | 18 ++--- 10 files changed, 238 insertions(+), 313 deletions(-) diff --git a/configurations/manwe/default.nix b/configurations/manwe/default.nix index 656667e..2599d78 100644 --- a/configurations/manwe/default.nix +++ b/configurations/manwe/default.nix @@ -1,6 +1,5 @@ { config, - inputs, lib, this, ... @@ -11,8 +10,6 @@ with lib; { ./webserver.nix ]; - secrets.wireguard-private-key-manwe.file = "${inputs.self}/secrets/wireguard-private-key-manwe"; - nixfiles.modules = { nsd = { enable = true; @@ -20,10 +17,7 @@ with lib; { }; unbound.enable = true; - wireguard = { - privateKeyFile = config.secrets.wireguard-private-key-manwe.path; - server.enable = true; - }; + wireguard.server.enable = true; acme.enable = true; 
@@ -44,73 +38,6 @@ with lib; { vaultwarden.enable = true; }; - services.prometheus = { - # TODO Make this generic. - scrapeConfigs = with my.configurations; - with config.services.prometheus.exporters; [ - { - job_name = "endlessh-go"; - static_configs = [ - { - targets = with config.services.endlessh-go.prometheus; [ - "${manwe.hostname}:${toString port}" - "${varda.hostname}:${toString port}" - "${yavanna.hostname}:${toString port}" - ]; - } - ]; - } - { - job_name = "nginx"; - static_configs = [ - { - targets = with nginx; [ - "${manwe.hostname}:${toString port}" - "${varda.hostname}:${toString port}" - "${yavanna.hostname}:${toString port}" - ]; - } - ]; - } - { - job_name = "node"; - static_configs = [ - { - targets = with node; [ - "${manwe.hostname}:${toString port}" - "${varda.hostname}:${toString port}" - "${yavanna.hostname}:${toString port}" - ]; - } - ]; - } - { - job_name = "postgres"; - static_configs = [ - { - targets = with postgres; ["${manwe.hostname}:${toString port}"]; - } - ]; - } - { - job_name = "unbound"; - static_configs = [ - { - targets = with unbound; ["${manwe.hostname}:${toString port}"]; - } - ]; - } - { - job_name = "wireguard"; - static_configs = [ - { - targets = with wireguard; ["${manwe.hostname}:${toString port}"]; - } - ]; - } - ]; - }; - networking = let interface = "eth0"; in { diff --git a/configurations/melian/default.nix b/configurations/melian/default.nix index 8540c24..a3dbe35 100644 --- a/configurations/melian/default.nix +++ b/configurations/melian/default.nix 
@@ -1,27 +1,9 @@ { - config, - inputs, lib, pkgs, ... }: with lib; { - secrets = { - wireguard-private-key-melian.file = "${inputs.self}/secrets/wireguard-private-key-melian"; - - syncthing-cert-melian = with config.services.syncthing; { - file = "${inputs.self}/secrets/syncthing-cert-melian"; - owner = user; - inherit group; - }; - - syncthing-key-melian = with config.services.syncthing; { - file = "${inputs.self}/secrets/syncthing-key-melian"; - owner = user; - inherit group; - }; - }; - nixfiles.modules = { profiles.dev = { containers.enable = true; @@ -34,16 +16,9 @@ with lib; { steam.enable = true; }; - wireguard = { - privateKeyFile = config.secrets.wireguard-private-key-melian.path; - client.enable = true; - }; + wireguard.client.enable = true; - syncthing = with config.secrets; { - enable = true; - key = syncthing-key-melian.path; - cert = syncthing-cert-melian.path; - }; + syncthing.enable = true; beets.enable = true; bluetooth.enable = true; 
@@ -54,93 +29,6 @@ with lib; { throttled.enable = true; }; - # TODO Move to a separate module so that it could be reused on other desktops - # in the future. - hm = { - home.packages = with pkgs; [ - (aspellWithDicts (p: with p; [en ru])) - calibre - kotatogram-desktop - nheko - tor-browser - ]; - - accounts.email = { - maildirBasePath = "${config.my.home}/mail"; - - accounts = let - mkAccount = attrs: - mkMerge [ - { - mbsync = { - enable = true; - create = "both"; - expunge = "both"; - patterns = ["*"]; - }; - msmtp.enable = true; - mu.enable = true; - } - attrs - ]; - - pass = path: "${pkgs.pass}/bin/pass show ${path}"; - in { - shire = mkAccount { - address = my.email; - gpg = { - inherit (my.pgp) key; - signByDefault = true; - encryptByDefault = false; - }; - - primary = true; - - imap.host = "shire.me"; - smtp.host = "shire.me"; - userName = "azahi@shire.me"; - passwordCommand = pass "email/shire.me/azahi"; - }; - - yahoo = mkAccount { - address = "a.gondor@yahoo.com"; - - imap.host = "imap.yahoo.com"; - smtp.host = "smtp.yahoo.com"; - userName = "a.gondor@yahoo.com"; - passwordCommand = pass "email/yahoo.com/a.gondor"; - }; - }; - }; - - programs = { - mbsync.enable = true; - msmtp.enable = true; - mu.enable = true; - - ssh.matchBlocks = let - mkBlock = { - hostname, - port ? 22022, - user ? "azahi", - }: { - inherit hostname port user; - identityFile = "${config.my.home}/.ssh/id_ed25519"; - }; - mkInternalHostname = hostname: "${hostname}.${my.domain.shire}"; - in - with my.configurations; { - # TODO Wrap this. - manwe = mkBlock {hostname = mkInternalHostname "manwe";}; - manwe-init = mkBlock {hostname = manwe.ipv4.address;}; - varda = mkBlock {hostname = mkInternalHostname "varda";}; - varda-init = mkBlock {hostname = varda.ipv4.address;}; - yavanna = mkBlock {hostname = mkInternalHostname "yavanna";}; - yavanna-init = mkBlock {hostname = yavanna.ipv4.address;}; - }; - }; - }; - networking = { interfaces = { eth0.useDHCP = true; 
diff --git a/configurations/varda/default.nix b/configurations/varda/default.nix index 313d2fb..7efeb61 100644 --- a/configurations/varda/default.nix +++ b/configurations/varda/default.nix @@ -1,18 +1,11 @@ { - config, - inputs, lib, this, ... }: with lib; { - secrets.wireguard-private-key-varda.file = "${inputs.self}/secrets/wireguard-private-key-varda"; - nixfiles.modules = { - wireguard = { - privateKeyFile = config.secrets.wireguard-private-key-varda.path; - client.enable = true; - }; + wireguard.client.enable = true; games.minecraft.server = { enable = true; diff --git a/configurations/yavanna/default.nix b/configurations/yavanna/default.nix index 3ed114e..d390e40 100644 --- a/configurations/yavanna/default.nix +++ b/configurations/yavanna/default.nix @@ -1,45 +1,17 @@ { - config, - inputs, lib, this, ... }: with lib; { - secrets = { - wireguard-private-key-yavanna.file = "${inputs.self}/secrets/wireguard-private-key-yavanna"; - - syncthing-cert-yavanna = with config.services.syncthing; { - file = "${inputs.self}/secrets/syncthing-cert-yavanna"; - owner = user; - inherit group; - }; - - syncthing-key-yavanna = with config.services.syncthing; { - file = "${inputs.self}/secrets/syncthing-key-yavanna"; - owner = user; - inherit group; - }; - }; - nixfiles.modules = { - wireguard = { - privateKeyFile = config.secrets.wireguard-private-key-yavanna.path; - client.enable = true; - }; + wireguard.client.enable = true; - syncthing = with config.secrets; { - enable = true; - key = syncthing-key-yavanna.path; - cert = syncthing-cert-yavanna.path; - }; + syncthing.enable = true; acme.enable = true; - rtorrent = { - enable = true; - flood.enable = true; - }; + rtorrent.enable = true; }; networking = let diff --git a/modules/nixfiles/monitoring/default.nix b/modules/nixfiles/monitoring/default.nix index 9758cff..c439614 100644 --- a/modules/nixfiles/monitoring/default.nix +++ b/modules/nixfiles/monitoring/default.nix 
@@ -64,12 +64,80 @@ in { loki.configuration.ruler.alertmanager_url = "https://${config.nixfiles.modules.alertmanager.domain}"; - prometheus.alertmanagers = [ - { - scheme = "https"; - static_configs = [{targets = [config.nixfiles.modules.alertmanager.domain];}]; - } - ]; + prometheus = { + scrapeConfigs = with my.configurations; + with config.services.prometheus.exporters; [ + { + job_name = "endlessh-go"; + static_configs = [ + { + targets = with config.services.endlessh-go.prometheus; [ + "${manwe.hostname}:${toString port}" + "${varda.hostname}:${toString port}" + "${yavanna.hostname}:${toString port}" + ]; + } + ]; + } + { + job_name = "nginx"; + static_configs = [ + { + targets = with nginx; [ + "${manwe.hostname}:${toString port}" + "${varda.hostname}:${toString port}" + "${yavanna.hostname}:${toString port}" + ]; + } + ]; + } + { + job_name = "node"; + static_configs = [ + { + targets = with node; [ + "${manwe.hostname}:${toString port}" + "${varda.hostname}:${toString port}" + "${yavanna.hostname}:${toString port}" + ]; + } + ]; + } + { + job_name = "postgres"; + static_configs = [ + { + targets = with postgres; ["${manwe.hostname}:${toString port}"]; + } + ]; + } + { + job_name = "unbound"; + static_configs = [ + { + targets = with unbound; ["${manwe.hostname}:${toString port}"]; + } + ]; + } + { + job_name = "wireguard"; + static_configs = [ + { + targets = with wireguard; ["${manwe.hostname}:${toString port}"]; + } + ]; + } + ]; + + alertmanagers = [ + { + scheme = "https"; + static_configs = [ + {targets = [config.nixfiles.modules.alertmanager.domain];} + ]; + } + ]; + }; }; }; } diff --git a/modules/nixfiles/openssh.nix b/modules/nixfiles/openssh.nix index 3a526d7..2bae2da 100644 --- a/modules/nixfiles/openssh.nix +++ b/modules/nixfiles/openssh.nix 
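Review bot: The `scrapeConfigs` targets are still three hand-listed hostnames per job, and the `# TODO Make this generic.` comment that flagged this in the old manwe configuration did not survive the move into the module, so the debt is now invisible; at minimum carry it over, e.g. `scrapeConfigs = with my.configurations; # TODO Derive targets from my.configurations instead of listing hosts.`. The openssh hunk in this same commit already selects hosts with `filterAttrs` over `my.configurations`, so the same approach would let each job derive its target list from the hosts that actually enable the exporter rather than repeating the manwe/varda/yavanna triplet. Each target is scraped as plain `host:port`; whether that traffic stays on the WireGuard network or the exporters listen on a public interface is not visible here, and a one-line comment stating which would help the next reader. The enclosing `services` attribute set starts above the hunk.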
@@ -12,41 +12,73 @@ in { server.enable = mkEnableOption "OpenSSH server"; }; - config = mkMerge [ - (mkIf cfg.client.enable { - hm = { - home.packages = with pkgs; [mosh sshfs]; - - programs.ssh = { - enable = true; - controlMaster = "auto"; - controlPersist = "24H"; - hashKnownHosts = true; - serverAliveCountMax = 30; - serverAliveInterval = 60; - }; - }; - }) - (mkIf cfg.server.enable { - programs.mosh.enable = true; - - services = let - port = 22022; - in { - openssh = { - enable = true; - ports = [port]; - logLevel = "VERBOSE"; - permitRootLogin = "no"; - passwordAuthentication = false; + config = let + port = 22022; # Port 22 should be occupied by endlessh. + in + mkMerge [ + (mkIf cfg.client.enable { + hm = { + home.packages = with pkgs; [mosh sshfs]; + + programs.ssh = { + enable = true; + + hashKnownHosts = true; + + controlMaster = "auto"; + controlPersist = "24H"; + + serverAliveCountMax = 30; + serverAliveInterval = 60; + + matchBlocks = let + mkBlock = name: { + hostname ? name, + port ? 22, + user ? my.username, + identityFile ? "${config.my.home}/.ssh/id_ed25519", + extraAttrs ? {}, + }: + nameValuePair name ({inherit hostname port user identityFile;} + // extraAttrs); + + internalServers = + mapAttrs' mkBlock + (mapAttrs (name: _: { + hostname = "${name}.${my.domain.shire}"; + inherit port; + }) (filterAttrs (_: attr: + hasAttr "wireguard" attr + && attr.isHeadless) + my.configurations)); + in + internalServers + // (mapAttrs' mkBlock { + # Custom blocks go here. + # + # example.hostname = "129.168.70.80"; + }); + }; }; + }) + (mkIf cfg.server.enable { + programs.mosh.enable = true; - fail2ban.jails.sshd = '' - enabled = true - mode = aggressive - port = ${toString port} - ''; - }; - }) - ]; + services = { + openssh = { + enable = true; + ports = [port]; + logLevel = "VERBOSE"; # Required by fail2ban. 
+ permitRootLogin = "no"; + passwordAuthentication = false; + }; + + fail2ban.jails.sshd = '' + enabled = true + mode = aggressive + port = ${toString port} + ''; + }; + }) + ]; } diff --git a/modules/nixfiles/profiles/headful.nix b/modules/nixfiles/profiles/headful.nix index 9fd7386..d8fc208 100644 --- a/modules/nixfiles/profiles/headful.nix +++ b/modules/nixfiles/profiles/headful.nix @@ -40,7 +40,70 @@ in { xmonad.enable = mkDefault false; }; - hm.home.packages = with pkgs; [convmv dos2unix]; + hm = { + home.packages = with pkgs; [ + calibre + convmv + dos2unix + kotatogram-desktop + nheko + tor-browser + ]; + + accounts.email = { + maildirBasePath = "${config.my.home}/mail"; + + accounts = let + mkAccount = attrs: + mkMerge [ + { + mbsync = { + enable = true; + create = "both"; + expunge = "both"; + patterns = ["*"]; + }; + msmtp.enable = true; + mu.enable = true; + } + attrs + ]; + + pass = path: "${pkgs.pass}/bin/pass show ${path}"; + in { + shire = mkAccount { + address = my.email; + gpg = { + inherit (my.pgp) key; + signByDefault = true; + encryptByDefault = false; + }; + + primary = true; + + imap.host = "shire.me"; + smtp.host = "shire.me"; + userName = "azahi@shire.me"; + passwordCommand = pass "email/shire.me/azahi"; + }; + + yahoo = mkAccount { + address = "a.gondor@yahoo.com"; + + imap.host = "imap.yahoo.com"; + smtp.host = "smtp.yahoo.com"; + userName = "a.gondor@yahoo.com"; + passwordCommand = pass "email/yahoo.com/a.gondor"; + }; + }; + }; + + programs = { + mbsync.enable = true; + msmtp.enable = true; + mu.enable = true; + }; + }; # There are (arguably) not a lot of reasons to keep mitigations enabled for # on machine that is not web-facing. First of all, to completely mitigate diff --git a/modules/nixfiles/rtorrent.nix b/modules/nixfiles/rtorrent.nix index a91e83d..121f1ca 100644 --- a/modules/nixfiles/rtorrent.nix +++ b/modules/nixfiles/rtorrent.nix 
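Review bot: In the `filterAttrs` predicate that builds `internalServers`, `attr.isHeadless` is read without a guard, so any entry of `my.configurations` that carries a `wireguard` attribute but no `isHeadless` attribute aborts evaluation for every client that enables this module; `hasAttr "wireguard" attr && (attr.isHeadless or false)` keeps the intent and fails closed. The bootstrap blocks that pointed at raw IPv4 addresses (`manwe-init` and friends, removed from melian in this commit) have no successor here beyond the placeholder comment in the custom-block set, which looks accidental if those hosts are still reached before DNS over the tunnel is up. On the server side, `passwordAuthentication = false` alone does not close PAM password prompts offered through keyboard-interactive; if the NixOS release in use exposes it, `kbdInteractiveAuthentication = false;` belongs next to it. The hunk spans two physical lines and the enclosing module starts above it.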
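Review bot: The email accounts moved into this shared `headful` profile keep literal identities (`userName = "azahi@shire.me"`, the yahoo address, the `pass` paths) while the same block pulls `address` from `my.email`, so the profile is only as reusable as the old melian TODO hoped if those literals are also abstracted. If `my.email` is that address, `userName = my.email;` removes one duplicate; otherwise a short comment above `accounts.email` stating that these accounts are intentionally per-person would stop the next reader from assuming the profile is host-neutral. Whether `headful` is enabled on more than one host is not visible in this hunk.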
@@ -11,7 +11,7 @@ in { enable = mkEnableOption "rTorrent"; flood = { - enable = mkEnableOption "Flood"; + enable = mkEnableOption "Flood" // {default = cfg.enable;}; domain = mkOption { description = "Domain name sans protocol scheme."; diff --git a/modules/nixfiles/syncthing.nix b/modules/nixfiles/syncthing.nix index 6e6e629..31286fa 100644 --- a/modules/nixfiles/syncthing.nix +++ b/modules/nixfiles/syncthing.nix @@ -1,5 +1,6 @@ { config, + inputs, lib, pkgs, this, @@ -16,34 +17,23 @@ in { type = with types; str; default = "syncthing.${config.networking.fqdn}"; }; - - # TODO Set this automatically shire on the hostname. - cert = mkOption { - description = "Path to the cert file."; - type = with types; nullOr string; - default = null; - }; - - # TODO Set this automatically shire on the hostname. - key = mkOption { - description = "Path to the key file."; - type = with types; nullOr string; - default = null; - }; }; config = mkIf cfg.enable (mkMerge [ { - assertions = [ - { - assertion = cfg.cert != null; - message = "Cert file needs to be specified."; - } - { - assertion = cfg.key != null; - message = "Key file needs to be specified."; - } - ]; + secrets = { + "syncthing-cert-${this.hostname}" = with config.services.syncthing; { + file = "${inputs.self}/secrets/syncthing-cert-${this.hostname}"; + owner = user; + inherit group; + }; + + "syncthing-key-${this.hostname}" = with config.services.syncthing; { + file = "${inputs.self}/secrets/syncthing-key-${this.hostname}"; + owner = user; + inherit group; + }; + }; services.syncthing = { enable = true; @@ -55,7 +45,8 @@ in { guiAddress = "127.0.0.1:8384"; - inherit (cfg) key cert; + cert = config.secrets."syncthing-cert-${this.hostname}".path; + key = config.secrets."syncthing-key-${this.hostname}".path; overrideDevices = true; devices = mapAttrs (name: attr: 
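Review bot: `mkEnableOption "Flood" // {default = cfg.enable;}` changes the default without saying so anywhere the option documentation can show it, since the generated docs keep the generic "Whether to enable Flood." text and cannot render where the default comes from; adding `defaultText` fixes that: `enable = mkEnableOption "Flood" // {default = cfg.enable; defaultText = literalExpression "config.nixfiles.modules.rtorrent.enable";};` (assuming `cfg` is this module's own option set, as in the other modules of this commit). The yavanna configuration in this same commit drops its explicit `flood.enable = true` in reliance on this default, so the coupling is worth a one-line comment on the option as well.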
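Review bot: The two `secrets` declarations in the `-16,34 +17,23` hunk are identical apart from the `cert`/`key` token, and they silently replace the removed option descriptions and the `Cert file needs to be specified.` / `Key file needs to be specified.` assertions with a naming convention that is now documented nowhere; a comment such as `# Per-host key material is expected at secrets/syncthing-{cert,key}-<hostname>.` above the block would restore that. Generating both entries from the token also keeps the file path and secret name from drifting apart. What happens when a host has no such file depends on the secrets module, which is outside this file.
```nix
secrets = listToAttrs (map
  (kind:
    nameValuePair "syncthing-${kind}-${this.hostname}"
    (with config.services.syncthing; {
      file = "${inputs.self}/secrets/syncthing-${kind}-${this.hostname}";
      owner = user;
      inherit group;
    }))
  ["cert" "key"]);
# … unchanged: services.syncthing block …
```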
@@ -94,9 +85,8 @@ in { versioning = trashcan; }; pass = { - path = - config.hm.programs.password-store.settings.PASSWORD_STORE_DIR; - devices = all; + path = config.hm.programs.password-store.settings.PASSWORD_STORE_DIR; + devices = notOther; versioning = trashcan; }; org = { @@ -114,8 +104,8 @@ in { devices = notOther; versioning = trashcan; }; - vidya = { - path = "${documents}/vidya"; + books = { + path = "${documents}/books"; devices = notOther; versioning = trashcan; }; diff --git a/modules/nixfiles/wireguard.nix b/modules/nixfiles/wireguard.nix index c4fca1e..f98b4e3 100644 --- a/modules/nixfiles/wireguard.nix +++ b/modules/nixfiles/wireguard.nix @@ -1,5 +1,6 @@ { config, + inputs, lib, pkgs, this, @@ -9,13 +10,6 @@ with lib; let cfg = config.nixfiles.modules.wireguard; in { options.nixfiles.modules.wireguard = { - # TODO Set this automatically shire on the hostname. - privateKeyFile = mkOption { - description = "Path to the private key file."; - type = with types; nullOr string; - default = null; - }; - client = { enable = mkEnableOption "WireGuard client"; @@ -97,10 +91,6 @@ in { config = { assertions = [ - { - assertion = cfg.privateKeyFile != null; - message = "Key file must be specified."; - } { assertion = config.security.sudo.enable; message = "Sudo is not enabled."; @@ -113,12 +103,14 @@ in { } // mkMerge [ (mkIf (cfg.client.enable || cfg.server.enable) { + secrets."wireguard-private-key-${this.hostname}".file = "${inputs.self}/secrets/wireguard-private-key-${this.hostname}"; + networking.firewall.trustedInterfaces = [cfg.interface]; }) (mkIf cfg.client.enable { networking.wg-quick.interfaces.${cfg.interface} = mkMerge [ (with this.wireguard; { - inherit (cfg) privateKeyFile; + privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path; address = ["${ipv4.address}/16" "${ipv6.address}/16"]; }) (with cfg.server; { 
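Review bot: The `secrets."wireguard-private-key-${this.hostname}".file` line in the `-113,12 +103,14` hunk fixes an on-disk naming convention that the removed `privateKeyFile` option description used to make explicit, and the removed `Key file must be specified.` assertion has no successor, so a host whose key is absent from `secrets/` now fails wherever the secrets module first touches the path rather than with a clear message. A comment on that line, e.g. `# One private key per host is expected at secrets/wireguard-private-key-<hostname>; required once client or server is enabled.`, restores the documentation; the same convention is introduced in syncthing.nix in this commit and deserves the same note there. Whether a `pathExists` assertion is appropriate depends on how the secrets module resolves `inputs.self`, which is outside this file. The `-173,7` hunk on the next line uses the same secret path and needs no separate change.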
@@ -173,7 +165,7 @@ in { wireguard = { enable = true; interfaces.${cfg.interface} = with cfg.server; { - inherit (cfg) privateKeyFile; + privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path; ips = ["${ipv4.address}/16" "${ipv6.address}/16"]; listenPort = port; inherit peers; -- cgit 1.4.1