From 647ea0667423ced895e4bcdd73a9401b1fe3ee69 Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Sun, 5 Nov 2023 18:10:26 +0300
Subject: 2023-11-05
---
 flake.nix | 1 -
 modules/common/profiles/email.nix | 2 +-
 modules/nixos/alertmanager.nix | 5 +-
 modules/nixos/firefox/userContent.css | 5 +-
 modules/nixos/games/minecraft.nix | 4 +-
 modules/nixos/shadowsocks.nix | 124 +++++++++++++----------
 modules/nixos/thunderbird.nix | 64 ++++++------
 nixosConfigurations/manwe/mailserver/default.nix | 8 ++
 packages/nixfiles.nix | 2 +-
 9 files changed, 119 insertions(+), 96 deletions(-)
diff --git a/flake.nix b/flake.nix
index 8df7f19..49a3527 100644
--- a/flake.nix
+++ b/flake.nix
@@ -111,7 +111,6 @@
 };
 };
- # TODO Check out https://github.com/nix-community/mineflake
 nix-minecraft = {
 type = "github";
 owner = "Infinidoge";
diff --git a/modules/common/profiles/email.nix b/modules/common/profiles/email.nix
index 9064f70..19eaee5 100644
--- a/modules/common/profiles/email.nix
+++ b/modules/common/profiles/email.nix
@@ -29,7 +29,7 @@ in {
 msmtp.enable = true;
 mu.enable = true;
 thunderbird = {
- enable = pkgs.stdenv.isLinux;
+ enable = hasSuffix "linux" this.system;
 settings = id: {
 "mail.identity.id_${id}.compose_html" = false;
 "mail.identity.id_${id}.reply_on_top" = 0;
diff --git a/modules/nixos/alertmanager.nix b/modules/nixos/alertmanager.nix
index 8f5b34b..c8f0bf2 100644
--- a/modules/nixos/alertmanager.nix
+++ b/modules/nixos/alertmanager.nix
@@ -45,7 +45,10 @@ in {
 listenAddress = "127.0.0.1";
 inherit (cfg) port;
- extraFlags = ["--web.external-url=https://${cfg.domain}"];
+ extraFlags = [
+ "--cluster.listen-address=\"\""
+ "--web.external-url=https://${cfg.domain}"
+ ];
 configuration = {
 global = {
diff --git a/modules/nixos/firefox/userContent.css b/modules/nixos/firefox/userContent.css
index bb80dbc..9d59704 100644
--- a/modules/nixos/firefox/userContent.css
+++ b/modules/nixos/firefox/userContent.css
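Review bot: The added `--cluster.listen-address=\"\"` is the documented way to keep a single-node Alertmanager from opening its gossip listener on 0.0.0.0:9094 next to the loopback-only web listener, but the empty value only survives because the generated `ExecStart` is parsed by systemd, which strips the embedded double quotes; if these flags were ever routed through a shell wrapper or re-escaped, Alertmanager would receive the two-character string `""` instead and presumably fail to bind. After deploying, confirm with `ss -lntp | grep 9094` that nothing listens there and that `systemctl show alertmanager -p ExecStart` shows the argument as `--cluster.listen-address=`. A why-comment would save the next reader a lookup: `# Single node: an empty address disables the cluster gossip listener, which otherwise binds 0.0.0.0:9094.`.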
@@ -49,17 +49,15 @@
 @-moz-document regexp("https?://(.*\.)?github.com.*") {
- .Overlay-footer,
 .color-fg-muted.f6.mt-4, /* GitHub profile guide. */
 .flex-order-1.flex-md-order-none, /* Follow button. */
 .js-user-status-item,
 .protip,
 .pt-3.mt-3.d-none.d-md-block, /* Profile achievements. */
- .text-small.color-fg-muted.mx-md-2.mt-3.mt-md-2.mb-2, /* Community guidelines. */
+ .text-small.color-fg-muted, /* Useless tips. */
 .user-status-circle-badge-container,
 .user-status-container,
 a[href^="/account/choose?action=upgrade"],
- a[href^="/codespaces"],
 a[href^="/collections"],
 a[href^="/contact/report-content"],
 a[href^="/events"],
@@ -71,6 +69,7 @@
 a[href^="/sponsors"],
 a[href^="/topics"],
 a[href^="/trending"],
+ a[href^="https://github.com/codespaces"], /* No code reviews on GitHub? */
 details[id^="funding-links-modal"],
 footer {
 display: none !important;
diff --git a/modules/nixos/games/minecraft.nix b/modules/nixos/games/minecraft.nix
index 2242df4..888c479 100644
--- a/modules/nixos/games/minecraft.nix
+++ b/modules/nixos/games/minecraft.nix
@@ -16,9 +16,9 @@ in {
 enable = mkEnableOption "Minecraft server";
 port = mkOption {
- description = "OpenSSH server port.";
+ description = "Server port.";
 type = types.port;
- default = 50505; # Keeping 25565 as the default is a big security risk.
+ default = 25565;
 };
 memory = mkOption {
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index 7307933..c04799b 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
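Review bot: Moving the default back to 25565 is defensible — a non-standard port is not a security control and the removed comment overstated it — but it does mean an unset `port` now lands on the port every Minecraft scanner probes, so the real controls (whitelist/online-mode and a firewall rule scoped to the players' addresses) carry all the weight, and none of them are visible in this hunk. Consider recording that reasoning in the option itself, e.g. `description = "Server port. The default is the well-known port; rely on the whitelist and firewall rather than on obscurity.";`. Existing hosts that relied on the old 50505 default will silently move to 25565 on the next rebuild, so double-check any firewall rule or client that hard-coded the old value.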
@@ -19,69 +19,84 @@ in {
 };
 config = mkIf cfg.enable {
- secrets.shadowsocks-password.file = "${inputs.self}/secrets/shadowsocks-password";
+ secrets.shadowsocks-json.file = "${inputs.self}/secrets/shadowsocks-json";
- services = {
- shadowsocks = {
- enable = true;
- passwordFile = config.secrets.shadowsocks-password.path;
- localAddress = ["0.0.0.0"];
- mode = "tcp_only";
- };
-
- fail2ban.jails.shadowsocks-libev = {
- enabled = true;
- settings = {
- filter = "shadowsocks-libev";
- inherit (cfg) port;
- };
+ services.fail2ban.jails.shadowsocks = {
+ enabled = true;
+ settings = {
+ filter = "shadowsocks";
+ inherit (cfg) port;
 };
 };
- systemd.services.shadowsocks-libev.path = with pkgs;
- mkForce [
- (writeShellApplication {
- name = "ss-server";
- runtimeInputs = [shadowsocks-libev];
- text = let
- # https://github.com/shadowsocks/shadowsocks-libev/blob/master/acl/server_block_local.acl
- aclFile = writeText "outbound_block_list.acl" ''
- [outbound_block_list]
- 0.0.0.0/8
- 10.0.0.0/8
- 100.64.0.0/10
- 127.0.0.0/8
- 169.254.0.0/16
- 172.16.0.0/12
- 192.0.0.0/24
- 192.0.2.0/24
- 192.88.99.0/24
- 192.168.0.0/16
- 198.18.0.0/15
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- 240.0.0.0/4
- 255.255.255.255/32
- ::1/128
- ::ffff:127.0.0.1/104
- fc00::/7
- fe80::/10
+ systemd.services.shadowsocks = {
+ description = "Shadowsocks";
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ DynamicUser = true;
+ RuntimeDirectory = "shadowsocks";
+ LoadCredential = "secret.json:${config.secrets.shadowsocks-json.path}";
+ ExecStartPre = let
+ mergeJson = let
+ configFile = pkgs.writeText "config.json" (generators.toJSON {} {
+ server = "::";
+ server_port = cfg.port;
+ # Can't really use AEAD-2022[1] just yet because it's not
+ # supported by some[2] clients.
+ #
+ # [1]: https://shadowsocks.org/doc/sip022.html
+ # [2]: https://github.com/shadowsocks/ShadowsocksX-NG/issues/1480
+ # [2]: https://github.com/shadowsocks/shadowsocks-windows/issues/3448
+ # method = "2022-blake3-chacha20-poly1305";
+ method = "chacha20-ietf-poly1305";
+ password = null; # Must be set as a secret.
+ users = null; # Muse be set as a secret.
+ fast_open = true;
+ acl = pkgs.writeText "block-internal-access.acl" ''
+ [outbound_block_list]
+ 0.0.0.0/8
+ 10.0.0.0/8
+ 100.64.0.0/10
+ 127.0.0.0/8
+ 169.254.0.0/16
+ 172.16.0.0/12
+ 192.0.0.0/24
+ 192.0.2.0/24
+ 192.88.99.0/24
+ 192.168.0.0/16
+ 198.18.0.0/15
+ 198.51.100.0/24
+ 203.0.113.0/24
+ 224.0.0.0/4
+ 240.0.0.0/4
+ 255.255.255.255/32
+ ::1/128
+ ::ffff:127.0.0.1/104
+ fc00::/7
+ fe80::/10
+ '';
+ });
+ in
+ pkgs.writeShellScript "meregeJson" ''
+ ${pkgs.jq}/bin/jq \
+ -s '.[0] * .[1]' \
+ ${configFile} \
+ $CREDENTIALS_DIRECTORY/secret.json \
+ >$RUNTIME_DIRECTORY/config.json
 '';
- in ''
- ss-server --acl ${aclFile} "$@"
- '';
- })
- coreutils-full
- jq
- ];
+ in
+ mergeJson;
+ ExecStart = "${pkgs.shadowsocks-rust}/bin/ssserver --config \${RUNTIME_DIRECTORY}/config.json";
+ };
+ };
 environment.etc = mkIf config.nixfiles.modules.fail2ban.enable {
- "fail2ban/filter.d/shadowsocks-libev.conf".text = ''
+ "fail2ban/filter.d/shadowsocks.conf".text = ''
 [Definition]
- failregex = ^.*failed to handshake with : authentication error$
+ failregex = ^.*tcp handshake failed.*\[::ffff:\].*$
 ignoreregex =
- journalmatch = _SYSTEMD_UNIT=shadowsocks-libev.service
+ journalmatch = _SYSTEMD_UNIT=shadowsocks.service
 '';
 };
@@ -94,6 +109,7 @@ in {
 '';
 };
+ # https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks
 boot.kernel.sysctl = {
 "net.core.rmem_max" = mkOverride 100 (pow 2 26);
 "net.core.wmem_max" = mkOverride 100 (pow 2 26);
diff --git a/modules/nixos/thunderbird.nix b/modules/nixos/thunderbird.nix
index 5afb163..2261dcd 100644
--- a/modules/nixos/thunderbird.nix
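Review bot: The merged config that `ExecStartPre` writes to `$RUNTIME_DIRECTORY/config.json` carries the shadowsocks password and per-user keys taken from `secret.json`, but `RuntimeDirectory` defaults to mode 0755 and the `jq ... >` redirect creates the file under the service's default umask, so on a typical host every local account can read `/run/shadowsocks/config.json` — the protection `LoadCredential` provides is undone one step later. Add `RuntimeDirectoryMode = "0700";` and `UMask = "0077";` to `serviceConfig` so both the directory and the merged file are private to the dynamic user. Separately, the new `failregex` only matches IPv4-mapped peers (`::ffff:…`), yet `server = "::"` also accepts native IPv6 clients whose failed handshakes will never trigger a ban; the `<HOST>` token also appears to have been stripped in this rendering, so verify the installed filter still contains it. Minor: `users = null; # Muse be set as a secret.` should read `Must`, and `fast_open = true` has no effect unless the kernel allows server-side TFO (`net.ipv4.tcp_fastopen` set to 2 or 3, not visible here) and is sometimes cited as a fingerprint for proxy traffic, so a one-line comment justifying it would help. The `config = mkIf cfg.enable {` block this sits in continues past the hunk.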
+++ b/modules/nixos/thunderbird.nix 
@@ -14,39 +14,37 @@ in {
 "x-scheme-handler/mailto"
 ];
- hm = {
- programs.thunderbird = {
- enable = true;
- profiles.default = {
- isDefault = true;
- withExternalGnupg = true;
- };
- settings = {
- "app.update.auto" = false;
- "browser.display.document_color_use" = 2;
- "browser.display.use_system_colors" = true;
- "browser.search.region" = "US";
- "browser.search.update" = false;
- "datareporting.healthreport.uploadEnabled" = false;
- "full-screen-api.warning.delay" = 0;
- "full-screen-api.warning.timeout" = 0;
- "general.autoScroll" = true;
- "general.smoothScroll" = true;
- "mail.default_send_format" = 0;
- "mail.tabs.drawInTitlebar" =
- if config.nixfiles.modules.kde.enable
- then 1
- else 0;
- "mailnews.start_page.url" = "about:blank";
- "media.autoplay.blocking_policy" = 2;
- "media.autoplay.default" = 5;
- "media.autoplay.enabled" = false;
- "media.hardwaremediakeys.enabled" = false;
- "network.cookie.cookieBehavior" = 2;
- "places.history.enabled" = false;
- "reader.parse-on-load.enabled" = false;
- "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
- };
+ hm.programs.thunderbird = {
+ enable = true;
+ profiles.default = {
+ isDefault = true;
+ withExternalGnupg = true;
+ };
+ settings = {
+ "app.update.auto" = false;
+ "browser.display.document_color_use" = 2;
+ "browser.display.use_system_colors" = true;
+ "browser.search.region" = "US";
+ "browser.search.update" = false;
+ "datareporting.healthreport.uploadEnabled" = false;
+ "full-screen-api.warning.delay" = 0;
+ "full-screen-api.warning.timeout" = 0;
+ "general.autoScroll" = true;
+ "general.smoothScroll" = true;
+ "mail.default_send_format" = 0;
+ "mail.tabs.drawInTitlebar" =
+ if config.nixfiles.modules.kde.enable
+ then 1
+ else 0;
+ "mailnews.start_page.url" = "about:blank";
+ "media.autoplay.blocking_policy" = 2;
+ "media.autoplay.default" = 5;
+ "media.autoplay.enabled" = false;
+ "media.hardwaremediakeys.enabled" = false;
+ "network.cookie.cookieBehavior" = 2;
+ "places.history.enabled" = false;
+ "reader.parse-on-load.enabled" = false;
+ "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
 };
 };
 };
diff --git a/nixosConfigurations/manwe/mailserver/default.nix b/nixosConfigurations/manwe/mailserver/default.nix
index 4f58df7..88edf25 100644
--- a/nixosConfigurations/manwe/mailserver/default.nix
+++ b/nixosConfigurations/manwe/mailserver/default.nix
@@ -54,6 +54,14 @@ with lib; {
 in {
 enable = true;
+ # Disable potentially insecure[1] STARTTLS connections. SSL-only connections
+ # are still enabled by default.
+ #
+ # [1]: https://www.rfc-editor.org/rfc/rfc3207#section-6
+ enableImap = false;
+ enablePop3 = false;
+ enableSubmission = false;
+
 fqdn = config.networking.domain;
 domains = with my.domain; [azahi gondor rohan shire];
diff --git a/packages/nixfiles.nix b/packages/nixfiles.nix
index c342501..a114bab 100644
--- a/packages/nixfiles.nix
+++ b/packages/nixfiles.nix
@@ -20,7 +20,7 @@
 nix
 openssh
 ]
- ++ lib.optional (!stdenv.isDarwin) xdg-utils;
+ ++ lib.optional stdenv.isLinux xdg-utils;
 # Shamelessly appropriated from https://github.com/ncfavier/config.
 # Hopefully Naïm will not sue me for copyright infrigment.
--
cgit 1.4.1
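Review bot: The new comment above `enableImap = false;` describes the threat imprecisely: RFC 3207 §6 is about an active attacker stripping the STARTTLS capability so that a client willing to fall back continues in plaintext, and what these three options remove is the client-facing STARTTLS listeners (IMAP, POP3 and submission on their plaintext ports), not STARTTLS as such — inbound MTA-to-MTA delivery on port 25 stays opportunistic STARTTLS, as it has to. I would reword it along the lines of `# Offer mail clients only the implicit-TLS ports; the STARTTLS listeners are dropped because an active attacker can strip the STARTTLS capability and downgrade a tolerant client to plaintext (RFC 3207 §6). Port 25 is unaffected.` and replace "SSL-only" with "implicit TLS", since no SSL version is in play. This fails closed for any client still pointed at 143/110/587, so check the account settings of the Thunderbird profile this commit also touches before rolling it out.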