diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..c7b7142 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule ".secrets"] + path = .secrets + url = git@vcs.elnafo.ru:L-Nafaryus/bonfire-secrets.git diff --git a/.secrets b/.secrets new file mode 160000 index 0000000..d4a686b --- /dev/null +++ b/.secrets @@ -0,0 +1 @@ +Subproject commit d4a686b321770dbe16130e31966e87143440469e diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..1f0c9e0 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - &astora age1u9xr3tmwskfsrxg6gus3hmh9eakjh2h22jklfmcu33kassaraues435vvc +creation_rules: + - path_regex: secrests/[^/]+\.(yaml|env|txt)$ + key_groups: + - age: + - *astora diff --git a/flake.lock b/flake.lock index 65b77f9..6b22480 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,21 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "cachix": { "inputs": { "flake-compat": "flake-compat", @@ -60,6 +76,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1667395993, 
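Review bot: The `.secrets` submodule is consumed elsewhere in this commit through relative paths (`../../.secrets/secrets.yaml`, `../../.secrets/sops-secrets.nix`) from inside a flake, and a plain flake ref does not include submodules in the source tree unless it is fetched with `?submodules=1`, so a `nixos-rebuild --flake .#catarina` from a fresh clone or a non-submodule checkout would fail on a missing path. Worth a line in the README or flake description saying the submodule must be initialised and the flake evaluated with `?submodules=1`, e.g. `# .secrets is a private submodule; build with --flake '.?submodules=1#catarina'`. The SSH URL also means anyone building the config needs a deploy key for `vcs.elnafo.ru`, which is fine for a private host config but should be stated.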
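Review bot: The creation rule's `path_regex` is `secrests/[^/]+\.(yaml|env|txt)$`, which matches neither the `.secrets` directory declared in `.gitmodules` nor the `.secrets/secrets.yaml` that `sops.defaultSopsFile` points at later in this commit, so `sops` run from this repository finds no creation rule for that file and refuses to encrypt or rekey it (unless the submodule carries its own `.sops.yaml`, which would mask the typo). It should read `path_regex: \.secrets/[^/]+\.(yaml|env|txt)$`. Only the `astora` age key is listed as a recipient; if the host key stored in `catarina.txt` is a different key it must be added to the key group as well, or the machine cannot decrypt the file at activation.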
@@ -209,6 +241,36 @@ "type": "github" } }, + "nixpkgs-22_11": { + "locked": { + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1684782344, + "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, "nixpkgs-regression": { "locked": { "lastModified": 1643052045, @@ -241,6 +303,22 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1705033721, + "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": [ 
@@ -275,7 +353,70 @@ "crane": "crane", "home-manager": "home-manager", "nixgl": "nixgl", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "simple-nixos-mailserver": "simple-nixos-mailserver", + "sops-nix": "sops-nix" + } + }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat_2", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-22_11": "nixpkgs-22_11", + "nixpkgs-23_05": "nixpkgs-23_05", + "utils": "utils" + }, + "locked": { + "lastModified": 1703666786, + "narHash": "sha256-SLPNpM/rI8XPyVJAxMYAe+n6NiYSpuXvdwPILHP4yZI=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "b5023b36a1f6628865cb42b4353bd2ddde0ea9f4", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1705356877, + "narHash": "sha256-274jL1cH64DcXUXebVMZBRUsTs3FvFlPIPkCN/yhSnI=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "87755331580fdf23df7e39b46d63ac88236bf42c", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "utils": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 5bfbd27..8297634 100644 --- a/flake.nix +++ b/flake.nix 
@@ -12,9 +12,12 @@
 cachix = { url = "github:cachix/devenv/v0.6.3"; inputs.nixpkgs.follows = "nixpkgs"; };
 crane = { url = "github:ipetkov/crane"; inputs.nixpkgs.follows = "nixpkgs"; };
 nixgl = { url = "github:guibou/nixGL"; inputs.nixpkgs.follows = "nixpkgs"; };
+ simple-nixos-mailserver = { url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; inputs.nixpkgs.follows = "nixpkgs"; };
+ sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
 };
- outputs = inputs @ { self, nixpkgs, home-manager, crane, nixgl, ... }: {
+ outputs = inputs @ { self, nixpkgs, home-manager, crane, nixgl, simple-nixos-mailserver, sops-nix, ... }: {
+ lib = import ./lib {};
@@ -27,7 +30,7 @@
 ./nixosModules/bonfire.nix
 self.nixosModules.spoofdpi
 ];
- specialArgs = { inherit inputs; };
+ specialArgs = { inherit inputs self; };
 };
 catarina = with nixpkgs; lib.nixosSystem {
@@ -36,6 +39,8 @@
 ./nixosConfigurations/catarina
 ./nixosModules/bonfire.nix
 self.nixosModules.spoofdpi
+ simple-nixos-mailserver.nixosModules.mailserver
+ sops-nix.nixosModules.sops
 ];
 specialArgs = { inherit inputs self; };
 };
diff --git a/nixosConfigurations/catarina/default.nix b/nixosConfigurations/catarina/default.nix
index 821c0fe..855ba62 100644
--- a/nixosConfigurations/catarina/default.nix
+++ b/nixosConfigurations/catarina/default.nix
@@ -73,11 +73,11 @@ rec {
 services.fail2ban = {
 enable = true;
- maxretry = 16;
+ maxretry = 12;
 ignoreIP = [ "192.168.0.0/16" ];
- bantime = "2h";
+ bantime = "3h";
 bantime-increment = {
 enable = true;
 multipliers = "1 2 4 8 16 32 64";
@@ -86,6 +86,12 @@ rec {
 };
 };
+ sops = {
+ defaultSopsFile = ../../.secrets/secrets.yaml;
+ age.keyFile = "/var/lib/secrets/sops-nix/catarina.txt";
+ secrets = import ../../.secrets/sops-secrets.nix;
+ };
+
 security.acme = {
 acceptTerms = true;
 defaults.email = "l.nafaryus@gmail.com";
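Review bot: Both new inputs are declared without a ref or tag (`github:Mic92/sops-nix`, `gitlab:simple-nixos-mailserver/nixos-mailserver`) while the existing `cachix` input in the same hunk is pinned to `v0.6.3`. The lock file fixes the revisions for now, but the next `nix flake update` moves a secrets-handling module and the whole mail stack to whatever HEAD is at that moment, with no review step; pin them to a release branch or tag the same way, e.g. `sops-nix = { url = "github:Mic92/sops-nix/<tag>"; inputs.nixpkgs.follows = "nixpkgs"; };` and the mailserver's release branch matching the `nixpkgs` in use. The `inputs` set this hunk belongs to starts outside the hunk.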
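Review bot: `sops.age.keyFile` reads the host key from `catarina.txt`, but the `.sops.yaml` added in this commit encrypts to a single recipient named `astora`; if those are two different keys, sops-nix cannot decrypt `secrets.yaml` on this host and activation fails before any secret is installed. Either add the host key to the `.sops.yaml` key group and rekey, or derive the host key from the SSH host key with `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` so there is one less file to provision out of band. The secret declarations are imported from `../../.secrets/sops-secrets.nix`, which is not reviewable here; a comment such as `# owner/mode for the gitea secrets are set in .secrets/sops-secrets.nix` would help the next reader, since every consumer below runs as a non-root service user.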
@@ -96,8 +102,7 @@ rec {
 domain = "elnafo.ru";
 extraDomainNames = [ "*.elnafo.ru" ];
 dnsProvider = "webnames";
- credentialsFile = "/var/lib/secrets/certs.secret";
- group = "nginx";
+ credentialsFile = config.sops.secrets."dns".path;
 webroot = null;
 };
 };
@@ -106,6 +111,8 @@ rec {
 services.nginx = {
 enable = true;
+ package = pkgs.nginx.override { withMail = true; };
+
 recommendedProxySettings = true;
 recommendedOptimisation = true;
 recommendedGzipSettings = true;
@@ -129,7 +136,16 @@ rec {
 useACMEHost = "elnafo.ru";
 locations."/".proxyPass = "http://127.0.0.1:3001";
 };
+
+ "media.elnafo.ru" = {
+ forceSSL = true;
+ useACMEHost = "elnafo.ru";
+ http2 = true;
+ locations."/".proxyPass = "http://127.0.0.1:8096";
+ };
 };
+
+
 };
 services.postgresql = {
@@ -165,6 +181,13 @@ rec {
 mailer = {
 ENABLED = true;
 FROM = "git@elnafo.ru";
+ PROTOCOL = "smtps";
+ SMTP_ADDR = "smtp.elnafo.ru";
+ SMTP_PORT = 465;
+ USER = "git";
+ USE_CLIENT_CERT = true;
+ CLIENT_CERT_FILE = "${config.security.acme.certs."elnafo.ru".directory}/cert.pem";
+ CLIENT_KEY_FILE = "${config.security.acme.certs."elnafo.ru".directory}/key.pem";
 };
 service.DISABLE_REGISTRATION = true;
@@ -175,9 +198,11 @@ rec {
 };
 };
+ mailerPasswordFile = config.sops.secrets."gitea/mail".path;
+
 database = {
 type = "postgres";
- passwordFile = "/var/lib/secrets/gitea/gitea-dbpassword";
+ passwordFile = config.sops.secrets."database/git".path;
 name = "git";
 user = "git";
 };
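Review bot: Dropping `group = "nginx";` from the `elnafo.ru` certificate changes which group may read `key.pem` in that cert's directory, and nothing else in this hunk replaces it: every nginx vhost in this file consumes the cert through `useACMEHost = "elnafo.ru"`, and later in this same commit the `git` user is added to the `nginx` group specifically to read `cert.pem`/`key.pem` from that directory. If the group falls back to the module default after this change, nginx may still be covered by another module's default but the gitea workaround silently stops working. Check the ownership after switching (`ls -l /var/lib/acme/elnafo.ru/`) and, unless it is still `nginx`, keep `group = "nginx";` here. The `credentialsFile` move to `config.sops.secrets."dns".path` is fine as long as that secret stays root-readable, since the ACME unit loads it before dropping privileges.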
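Review bot: `USE_CLIENT_CERT = true` with `CLIENT_KEY_FILE` set to the ACME `key.pem` hands the host's TLS private key — the same key that terminates HTTPS for `*.elnafo.ru` in nginx and, via `certificateScheme = "acme-nginx"`, the mail server — to the Gitea process as an SMTP client certificate. A compromise of Gitea, a web application serving user-supplied content, then yields the private key of every TLS service on the host, and nothing in this diff shows the SMTP side requiring client certificates; Gitea already authenticates with `USER = "git"` and the new `mailerPasswordFile`. Unless the mail server is configured to demand client certificates, remove `USE_CLIENT_CERT`, `CLIENT_CERT_FILE` and `CLIENT_KEY_FILE` (and the `extraGroups = [ "nginx" ]` added for the `git` user later in this commit, which exists only to make that key readable). The `settings` attribute set this `mailer` block belongs to starts and ends outside the hunk.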
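Review bot: `passwordFile` and `mailerPasswordFile` now point at sops-nix secret paths, and sops-nix installs a secret as `root:root` with mode `0400` unless the declaration sets `owner`/`group`; Gitea runs as the `git` user defined in this file, so it cannot open either file unless `../../.secrets/sops-secrets.nix` (not visible here) declares something like `"database/git".owner = config.services.gitea.user;` and the same for `"gitea/mail"`. The removed `/var/lib/secrets/gitea/gitea-dbpassword` presumably carried `git` ownership out of band, which is why this worked before. Worth confirming with `systemctl status gitea` after the first switch, or pulling the owner settings into this file where they can be reviewed alongside the consumer.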
@@ -192,9 +217,45 @@ rec {
 home = services.gitea.stateDir;
 useDefaultShell = true;
 group = services.gitea.group;
+ extraGroups = [ "nginx" ];
 isSystemUser = true;
 };
+ mailserver = {
+ enable = true;
+ fqdn = "elnafo.ru";
+ domains = [ "elnafo.ru" ];
+
+ certificateScheme = "acme-nginx";
+ enableImapSsl = true;
+ openFirewall = true;
+
+ loginAccounts = import ../../.secrets/mail-recipients.nix { inherit config; };
+ };
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ };
+ services.minecraft-server = {
+ enable = true;
+ eula = true;
+ declarative = true;
+ openFirewall = true;
+ serverProperties = {
+ server-port = 25565;
+ gamemode = "survival";
+ motd = "NixOS Minecraft Server";
+ max-players = 10;
+ level-seed = "66666666";
+ enable-status = true;
+ enforce-secure-profile = false;
+ difficulty = "normal";
+ online-mode = false;
+ };
+ };
+
 services.spoofdpi.enable = true;
 # Packages
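Review bot: `online-mode = false` combined with `openFirewall = true` exposes the Minecraft server on 25565 to the internet with Mojang authentication switched off, so any client can join under any username, including the name of whoever is later granted operator rights, and `enforce-secure-profile = false` removes the signed-profile check on top of that. Unless an authenticating proxy sits in front (none is visible in this diff), set `online-mode = true;` and leave `enforce-secure-profile` at its default. The same hunk sets `services.jellyfin.openFirewall = true` although the new `media.elnafo.ru` vhost already proxies Jellyfin to `127.0.0.1:8096` behind TLS; with the proxy in place `openFirewall = false;` avoids a second, plaintext entry point on 8096. The mailserver's `openFirewall` is expected for SMTP/IMAP, but `loginAccounts` and their password hashes come from the `.secrets` submodule and cannot be reviewed here.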