From 7ed022bc9a3c89834016c866e387b60ba4523eb6 Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Tue, 14 Feb 2023 23:04:05 +0300 Subject: 2023-02-14 --- modules/nixos/bluetooth.nix | 11 +- modules/nixos/grafana.nix | 6 +- modules/nixos/kde.nix | 1 - modules/nixos/matrix/dendrite.nix | 193 +++++++++++++++++++++-------------- modules/nixos/monitoring/default.nix | 7 ++ modules/nixos/openssh.nix | 21 ++-- modules/nixos/profiles/headless.nix | 5 +- 7 files changed, 146 insertions(+), 98 deletions(-) (limited to 'modules/nixos') diff --git a/modules/nixos/bluetooth.nix b/modules/nixos/bluetooth.nix index cf92179..76131bf 100644 --- a/modules/nixos/bluetooth.nix +++ b/modules/nixos/bluetooth.nix @@ -16,14 +16,9 @@ in { hardware.bluetooth = { enable = true; settings.General.FastConnectable = true; - }; - - environment = { - etc."bluetooth/input.conf".text = generators.toINI {} { - General = { - IdleTimeout = 15; - UserspaceHID = true; - }; + input.General = { + IdleTimeout = 15; + UserspaceHID = true; }; }; }; diff --git a/modules/nixos/grafana.nix b/modules/nixos/grafana.nix index a614502..0b2e210 100644 --- a/modules/nixos/grafana.nix +++ b/modules/nixos/grafana.nix @@ -39,7 +39,7 @@ in { group = "grafana"; }; grafana-smtp-password = { - file = "${inputs.self}/secrets/grafana-smtp-password"; + file = "${inputs.self}/secrets/smtp-password"; owner = "grafana"; group = "grafana"; }; @@ -98,8 +98,8 @@ in { auto_assign_org_role = "Viewer"; }; security = with config.secrets; { - secret_key = grafana-key.path; - admin_password = grafana-admin-password.path; + secret_key = "$__file{${grafana-key.path}}"; + admin_password = "$__file{${grafana-admin-password.path}}"; }; analytics.reporting_enable = false; }; diff --git a/modules/nixos/kde.nix b/modules/nixos/kde.nix index a430294..66fabbd 100644 --- a/modules/nixos/kde.nix +++ b/modules/nixos/kde.nix @@ -30,7 +30,6 @@ in { enable = true; excludePackages = with pkgs.plasma5Packages; [ elisa - gwenview khelpcenter okular print-manager diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix index 0fad5f2..6b662b2 100644 --- a/modules/nixos/matrix/dendrite.nix +++ b/modules/nixos/matrix/dendrite.nix @@ -11,6 +11,12 @@ in { options.nixfiles.modules.matrix.dendrite = { enable = mkEnableOption "Dendrite Matrix server"; + port = mkOption { + description = "Port."; + type = with types; port; + default = 8008; + }; + domain = mkOption { type = types.str; default = config.networking.domain; @@ -68,90 +74,129 @@ in { }; }; - services = { - dendrite = { - enable = true; - httpPort = 8008; - environmentFile = config.secrets.dendrite-environment-file.path; - settings = { - version = 2; - global = { - server_name = cfg.domain; - private_key = config.secrets.dendrite-private-key.path; - database = { - connection_string = "postgresql://${db}@/${db}?host=/run/postgresql"; - max_open_conns = 64; - max_idle_connections = 8; + services.postgresql = { + ensureDatabases = [db]; + ensureUsers = [ + { + name = db; + ensurePermissions."DATABASE \"${db}\"" = "ALL"; + } + ]; + }; + + systemd.services.dendrite = { + description = "Dendrite Matrix homeserver"; + requires = ["network.target"]; + wantedBy = ["multi-user.target"]; + serviceConfig = let + needsPrivileges = cfg.port < 1024; + capabilities = [""] ++ optionals needsPrivileges ["CAP_NET_BIND_SERVICE"]; + in { + Restart = "on-failure"; + ExecStartPre = let + settings = { + version = 2; + global = { + server_name = cfg.domain; + private_key = config.secrets.dendrite-private-key.path; + database = { + connection_string = "postgresql://${db}@/${db}?host=/run/postgresql"; + max_open_conns = 64; + max_idle_connections = 8; + }; + cache = { + max_size_estimated = "1gb"; + max_age = "1h"; + }; + trusted_third_party_id_servers = [ + "matrix.org" + "nixos.org" + "vector.im" + ]; + presence = { + enable_inbound = false; + enable_outbound = false; + }; }; - cache = { - max_size_estimated = "1gb"; - max_age = "1h"; + client_api = { + registration_disabled = true; + guests_disabled = true; + registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; }; - trusted_third_party_id_servers = [ - "matrix.org" - "nixos.org" - "vector.im" - ]; - presence = { - enable_inbound = false; - enable_outbound = false; + media_api = { + base_path = "/var/lib/dendrite/media_store"; + max_file_size_bytes = 0; + dynamic_thumbnails = true; + max_thumbnail_generators = 8; + thumbnail_sizes = [ + { + width = 32; + height = 32; + method = "crop"; + } + { + width = 96; + height = 96; + method = "crop"; + } + { + width = 640; + height = 480; + method = "scale"; + } + ]; }; - }; - client_api = { - registration_disabled = true; - guests_disabled = true; - registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; - }; - media_api = { - max_file_size_bytes = 0; - dynamic_thumbnails = true; - max_thumbnail_generators = 8; - thumbnail_sizes = [ + logging = [ { - width = 32; - height = 32; - method = "crop"; - } - { - width = 96; - height = 96; - method = "crop"; - } - { - width = 640; - height = 480; - method = "scale"; + type = "std"; + level = "warn"; } ]; }; - logging = [ - { - type = "std"; - level = "warn"; - } + in + concatStringsSep " " [ + "${pkgs.envsubst}/bin/envsubst" + "-i ${(pkgs.formats.yaml {}).generate "dendrite.yaml" settings}" + "-o /run/dendrite/dendrite.yaml" ]; - }; - }; - - postgresql = { - ensureDatabases = [db]; - ensureUsers = [ - { - name = db; - ensurePermissions."DATABASE \"${db}\"" = "ALL"; - } + ExecStart = concatStringsSep " " [ + "${pkgs.dendrite}/bin/dendrite-monolith-server" + "--config /run/dendrite/dendrite.yaml" + "--http-bind-address 127.0.0.1:${toString cfg.port}" ]; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + EnvironmentFile = config.secrets.dendrite-environment-file.path; + DynamicUser = true; + StateDirectory = "dendrite"; + RuntimeDirectory = "dendrite"; + RuntimeDirectoryMode = "0700"; + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; + UMask = "0077"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = !needsPrivileges; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + ProtectProc = "noaccess"; + ProcSubset = "pid"; + RemoveIPC = true; + RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = ["@system-service" "~@privileged"]; }; }; - - systemd.services.dendrite.serviceConfig.ExecStart = - mkForce - (concatStringsSep " " [ - "${pkgs.dendrite}/bin/dendrite-monolith-server" - "--config /run/dendrite/dendrite.yaml" - "--http-bind-address 127.0.0.1:${ - toString config.services.dendrite.httpPort - }" - ]); }; } diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix index 4ff4c50..57a0d09 100644 --- a/modules/nixos/monitoring/default.nix +++ b/modules/nixos/monitoring/default.nix @@ -38,6 +38,13 @@ in { access = "proxy"; url = "https://${loki.domain}"; } + { + name = "Alertmanager"; + type = "alertmanager"; + access = "proxy"; + jsonData.implementation = "prometheus"; + url = "https://${alertmanager.domain}"; + } ]; # https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix index 9a131d7..c7a144e 100644 --- a/modules/nixos/openssh.nix +++ b/modules/nixos/openssh.nix @@ -18,16 +18,16 @@ in { }; config = mkIf cfg.server.enable { - # TODO Enable on a fresh system. - # ark = { - # files = [ - # "/etc/ssh/ssh_host_ed25519_key" - # "/etc/ssh/ssh_host_ed25519_key.pub" - # "/etc/ssh/ssh_host_rsa_key" - # "/etc/ssh/ssh_host_rsa_key.pub" - # ]; - # directories = ["/etc/ssh/authorized_keys.d"]; - # }; + # FIXME This is mounted after the activation script is launched. + ark = { + files = [ + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + # directories = ["/etc/ssh/authorized_keys.d"]; + }; programs.mosh.enable = true; @@ -36,7 +36,6 @@ in { enable = true; ports = [cfg.server.port]; settings = { - AllowUsers = my.username; ClientAliveCountMax = 3; ClientAliveInterval = 60; KbdInteractiveAuthentication = false; diff --git a/modules/nixos/profiles/headless.nix b/modules/nixos/profiles/headless.nix index 9faf531..efe4d03 100644 --- a/modules/nixos/profiles/headless.nix +++ b/modules/nixos/profiles/headless.nix @@ -19,7 +19,10 @@ in { promtail.enable = true; }; - # Pin version to prevent any surprises. + # Pin version to prevent any surprises. Try keeping this up-to-date[1] with + # the latest LTS release + hardened patches (just in case). + # + # [1]: https://kernel.org boot.kernelPackages = pkgs.linuxPackages_5_15_hardened; nix = { -- cgit 1.4.1