initial public commit

2024-08-23 13:01:33 -06:00 · 2024-08-23 13:01:33 -06:00 · 7a2e3fd0a8
commit 7a2e3fd0a8
24 changed files with 1743 additions and 0 deletions
--- a/sys/srv/default.nix
+++ b/sys/srv/default.nix
@ -0,0 +1,7 @@
+{ config, pkgs, lib, flakes, ... }:
+with lib;
+{
+  imports = [
+    ./lib
+  ];
+}
--- a/sys/srv/gatekeeper_ca.pem
+++ b/sys/srv/gatekeeper_ca.pem
@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDijCCAnKgAwIBAgIUQCBAoFSQrYx063PnK3XKiOJSpvQwDQYJKoZIhvcNAQEL
+BQAwKzEpMCcGA1UEAwwgcG9zaXhseWNvcnJlY3QuY29tIGdhdGVrZWVwZXIgQ0Ew
+HhcNMjQwODAyMDcxNzE4WhcNMzQwNzMxMDcxNzE4WjArMSkwJwYDVQQDDCBwb3Np
+eGx5Y29ycmVjdC5jb20gZ2F0ZWtlZXBlciBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAKxjqIpRxIu2yPejUbyMixZACESrbmIGOhhxwUu1ys6aYPOZ
+7yQMs5xuJXcgCuD7Oba1eBi+CpLhyvgZlyLrCfxoCzTdAeeXq0EB7YUn8IYEN3dR
+e+yds//zkjRzbXAaIbUoAF8XaXgylOSIXLNrh0TTjNscC+TPYvKSbaDhdICOZ1ky
+u08w5QdOoi1W8FNJd4LKIKWQZW3dMeNaBbKnt9R4mjL28tE5gP6ZYUvcCIoqYAbE
+DSNq29lXsmDzbD914bN5wYoTP3A+k8QG6eYGb10YgaaJ0TBxeLzadVBq7gFylMt3
+1LTNmH/v+l73IYfiDV4O3d33cg0VOKqiD48WCnkCAwEAAaOBpTCBojAMBgNVHRME
+BTADAQH/MB0GA1UdDgQWBBStVj4YoMTnD+XZ+doBI7Ao17Gg3DBmBgNVHSMEXzBd
+gBStVj4YoMTnD+XZ+doBI7Ao17Gg3KEvpC0wKzEpMCcGA1UEAwwgcG9zaXhseWNv
+cnJlY3QuY29tIGdhdGVrZWVwZXIgQ0GCFEAgQKBUkK2MdOtz5yt1yojiUqb0MAsG
+A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAZgbpPdkhAbrbA7Y63WI2Bo26
+tPVCZpsEKiwpyEbDDC+NVrbOit1kQg/j26RuXLDVg19IfXk407FVFVGYVJNE+kXt
+KjyKCGyyZUBQRebCN8kzFsCQ/AJSfzNKQhEK68rchSH66mbjtOtItkdVZRnq0pWI
+7WXlTIxK8KTcAx2V/ijyalCENUpwRWfM4Qnkqsi82Dx9e8V0TRCLomW7IQok4dre
+F6IolUHw9ZuSC10/T8n8+riqWBWEisBGLz79OrdETdHK9A5gpNHRF+sO9JAhVr/t
+exBWTEJ33BeI0NX87d0Pneun4nss5FsLst+Ut7Y0F2QF2Iar1iERUalHVIjCtA==
+-----END CERTIFICATE-----
--- a/sys/srv/lib/bepasty.nix
+++ b/sys/srv/lib/bepasty.nix
@ -0,0 +1,39 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+  services = {
+
+    nginx = {
+      virtualHosts."send.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+          	    '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8989";
+        };
+
+      };
+    };
+
+    bepasty = {
+      enable = true;
+      servers = {
+        "send" = {
+          bind = "127.0.0.1:8989";
+          secretKeyFile = "/var/trust/bepasty/secretKeyFile";
+          dataDir = "/mnt/export2011/data";
+          defaultPermissions = "read,create,delete";
+          extraConfig = ''
+            SITENAME = 'send.posixlycorrect.com'
+            MAX_ALLOWED_FILE_SIZE = 4 * 1000 * 1000 * 1000
+            SESSION_COOKIE_SECURE = True
+            ASCIINEMA_THEME = 'asciinema'
+          '';
+        };
+      };
+    };
+  };
+}
--- a/sys/srv/lib/default.nix
+++ b/sys/srv/lib/default.nix
@ -0,0 +1,15 @@
+{
+  imports = [
+    ./net.nix
+    ./mediawiki.nix
+    ./jitsi.nix
+    ./matrix.nix
+    ./forgejo.nix
+    ./vaultwarden.nix
+    ./bepasty.nix
+    ./jellyfin.nix
+    ./msmtp.nix
+    ./tiddlywiki.nix
+    ./kuma.nix
+  ];
+}
--- a/sys/srv/lib/forgejo.nix
+++ b/sys/srv/lib/forgejo.nix
@ -0,0 +1,60 @@
+{ config, lib, ... }:
+with lib;
+{
+  config = {
+    environment.etc."fail2ban/filter.d/gitea.local".text = ''
+      [Definition]
+      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+      ignoreregex =
+    '';
+
+    services = {
+      nginx = {
+        virtualHosts."git.posixlycorrect.com" = {
+          enableACME = true;
+          forceSSL = true;
+          extraConfig = ''
+            proxy_headers_hash_max_size 512;
+            proxy_headers_hash_bucket_size 128;
+            	    '';
+          locations."/".proxyPass = "http://localhost:9170";
+        };
+      };
+
+      fail2ban.jails.gitea.settings = {
+        filter = "gitea";
+        logpath = "${config.services.gitea.stateDir}/log/gitea.log";
+        maxretry = "10";
+        findtime = "3600";
+        bantime = "900";
+        action = "iptables-allports";
+      };
+
+      forgejo = {
+        enable = true;
+        lfs.enable = true;
+        useWizard = false;
+        settings = {
+          general.APP_NAME = "posixlycorrect";
+          server = {
+            DOMAIN = "git.posixlycorrect.com";
+            ROOT_URL = "https://git.posixlycorrect.com";
+            HTTP_PORT = 9170;
+            LANDING_PAGE = "explore";
+          };
+
+          # You can temporarily allow registration to create an admin user.
+          service.DISABLE_REGISTRATION = true;
+
+          # ver https://github.com/nektos/act
+          actions = {
+            ENABLED = false;
+          };
+          mailer = {
+            ENABLED = false;
+          };
+        };
+      };
+    };
+  };
+}
--- a/sys/srv/lib/jellyfin.nix
+++ b/sys/srv/lib/jellyfin.nix
@ -0,0 +1,29 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+
+  services = {
+
+    nginx = {
+      virtualHosts."stream.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+          	    '';
+        locations."/" = {
+          proxyPass = "http://localhost:8096";
+        };
+      };
+    };
+
+    jellyfin = {
+      enable = true;
+      user = "jellyfin";
+      group = "jellyfin";
+      dataDir = "/mnt/export2008/jellyfin/dataDir";
+      cacheDir = "/mnt/export2008/jellyfin/cacheDir";
+    };
+  };
+}
--- a/sys/srv/lib/jitsi.nix
+++ b/sys/srv/lib/jitsi.nix
@ -0,0 +1,43 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+
+  services = {
+
+    nginx = {
+      virtualHosts."meet.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        
+            ssl_verify_depth 1;
+            ssl_verify_client on;
+            ssl_client_certificate ${../gatekeeper_ca.pem};
+
+            if ($ssl_client_verify != "SUCCESS") {
+              return 403;
+            }
+        '';
+      };
+    };
+
+
+    jitsi-meet = {
+      enable = true;
+      hostName = "meet.posixlycorrect.com";
+      nginx.enable = true;
+      config = {
+        enableWelcomePage = true;
+        prejoinPageEnabled = true;
+        defaultLang = "en";
+      };
+      interfaceConfig = {
+        SHOW_JITSI_WATERMARK = false;
+        SHOW_WATERMARK_FOR_GUESTS = false;
+      };
+    };
+    jitsi-videobridge.openFirewall = true;
+  };
+}
--- a/sys/srv/lib/kuma.nix
+++ b/sys/srv/lib/kuma.nix
@ -0,0 +1,26 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+  services = {
+    nginx = {
+      virtualHosts."status.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+          	    '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:4456";
+        };
+      };
+    };
+    uptime-kuma = {
+      enable = true;
+      settings = {
+        HOST = "127.0.0.1";
+        PORT = "4456";
+      };
+    };
+  };
+}
--- a/sys/srv/lib/matrix.nix
+++ b/sys/srv/lib/matrix.nix
@ -0,0 +1,59 @@
+{ lib, pkgs, config, flakes, ... }:
+with lib;
+let
+  subdomain = "matrix.posixlycorrect.com";
+  baseUrl = "https://${subdomain}";
+in
+{
+  # ver https://nixos.org/manual/nixos/stable/#module-services-matrix
+  services = {
+    matrix-conduit = {
+      enable = true;
+      package = flakes.conduwuit.packages.${pkgs.system}.default;
+      settings.global = {
+        address = "::1";
+        port = 6167;
+        allow_encryption = true;
+        allow_federation = true;
+        allow_registration = false;
+        database_backend = "rocksdb";
+        server_name = "posixlycorrect.com";
+        allow_check_for_updates = true;
+        new_user_displayname_suffix = "";
+      };
+    };
+
+    nginx.virtualHosts =
+      let
+        clientConfig."m.homeserver".base_url = baseUrl;
+        serverConfig."m.server" = "${subdomain}:443";
+        mkWellKnown = data: ''
+          default_type application/json;
+          add_header Access-Control-Allow-Origin *;
+          return 200 '${builtins.toJSON data}';
+        '';
+      in
+      {
+        "posixlycorrect.com" = {
+          locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+          locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+        };
+        "${subdomain}" = {
+          enableACME = true;
+          forceSSL = true;
+          extraConfig = ''
+            proxy_headers_hash_max_size 512;
+            proxy_headers_hash_bucket_size 128;
+            	    '';
+          locations."/".extraConfig = ''
+            return 403;
+          '';
+          locations."/_matrix".proxyPass = "http://[::1]:6167";
+          locations."/_synapse/client".proxyPass = "http://[::1]:6167";
+
+        };
+      };
+
+
+  };
+}
--- a/sys/srv/lib/mediawiki.nix
+++ b/sys/srv/lib/mediawiki.nix
@ -0,0 +1,40 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+  services = {
+    nginx = {
+      virtualHosts."wiki.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+          	    '';
+      };
+    };
+    mediawiki = {
+      enable = true;
+      name = "posixlycorrect wiki";
+      webserver = "nginx";
+      nginx.hostName = "wiki.posixlycorrect.com";
+      database.type = "postgres";
+
+      passwordFile = "/run/keys/mediawiki-password";
+      extraConfig = ''
+        # Disable anonymous editing and account creation
+        $wgGroupPermissions['*']['edit'] = false;
+        $wgGroupPermissions['*']['createaccount'] = false;
+
+        $wgEnableEmail = false; #TODO: arreglar esto
+        $wgNoReplyAddress = 'mediawiki@posixlycorrect.com';
+        $wgEmergencyContact = 'mediawiki@posixlycorrect.com';
+        $wgPasswordSender = 'mediawiki@posixlycorrect.com';
+      '';
+
+      extensions = {
+        # some extensions are included and can enabled by passing null
+        VisualEditor = null;
+      };
+    };
+  };
+}
--- a/sys/srv/lib/msmtp.nix
+++ b/sys/srv/lib/msmtp.nix
@ -0,0 +1,32 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+  users.groups = {
+    mailsenders = {
+      members = [ "fabian" "mediawiki" ];
+    };
+  };
+
+  # esto sirve para que PHP pueda accesar la clave smtp de fastmail
+  #systemd.services.phpfpm-mediawiki = {
+  #  path = [ "/run/wrappers" ];
+  #  serviceConfig.ReadWritePaths = [ "/run/wrappers" "/var/trust/fastmail" ];
+  #};
+
+  programs = {
+    msmtp = {
+      enable = true;
+      accounts = {
+        default = {
+          auth = true;
+          host = "smtp.fastmail.com";
+          port = 587;
+          passwordeval = "cat /var/trust/fastmail/smtp_key";
+          user = "fabianmontero@fastmail.com";
+          tls = true;
+          tls_starttls = true;
+        };
+      };
+    };
+  };
+}
--- a/sys/srv/lib/net.nix
+++ b/sys/srv/lib/net.nix
@ -0,0 +1,65 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+  networking = {
+    nftables.enable = true;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 ];
+    };
+    domain = "posixlycorrect.com";
+  };
+
+  # ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "fabian@posixlycorrect.com";
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      logError = "/var/log/nginx/error.log";
+      clientMaxBodySize = "99M";
+      virtualHosts = {
+        "posixlycorrect.com" = {
+          forceSSL = true;
+          enableACME = true;
+          root = "${pkgs.local.homepage}";
+        };
+      };
+    };
+    fail2ban = {
+      enable = true;
+      bantime = "10m";
+      ignoreIP = [ "37.205.12.34" ]; # Never ban the server's own IP
+      bantime-increment = {
+        enable = true;
+        formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+        maxtime = "48h"; # Do not ban for more than 48h
+        rndtime = "10m";
+        overalljails = true; # Calculate the bantime based on all the violations
+      };
+      jails = {
+        # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
+        nginx-botsearch.settings = {
+          # Usar log en vez de journalctl
+          # TODO: Pasar todo a systemd?
+          backend = "pyinotify";
+          logpath = "/var/log/nginx/*.log";
+          journalmatch = "";
+        };
+        nginx-bad-request.settings = {
+          backend = "pyinotify";
+          logpath = "/var/log/nginx/*.log";
+          journalmatch = "";
+          maxretry = 10;
+        };
+      };
+    };
+  };
+}
--- a/sys/srv/lib/tiddlywiki.nix
+++ b/sys/srv/lib/tiddlywiki.nix
@ -0,0 +1,33 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+
+  systemd.services.tiddlywiki.serviceConfig.LoadCredential = [ "credentials.csv:/var/trust/tiddlywiki/credentials.csv" ];
+
+  services = {
+    nginx = {
+      virtualHosts."testing.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+          	    '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:7456";
+        };
+      };
+    };
+    tiddlywiki = {
+      enable = true;
+      listenOptions = {
+        readers = "(anon)";
+        writers = "(authenticated)";
+        admin = "fabian";
+        credentials = "/run/credentials/tiddlywiki.service/credentials.csv";
+        host = "127.0.0.1";
+        port = 7456;
+      };
+    };
+  };
+}
--- a/sys/srv/lib/vaultwarden.nix
+++ b/sys/srv/lib/vaultwarden.nix
@ -0,0 +1,58 @@
+{ config, lib, ... }:
+with lib;
+{
+  services = {
+    nginx = {
+      virtualHosts."vault.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+          	    '';
+        locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+      };
+    };
+
+    #fail2ban.jails.gitea.settings = { };
+
+    postgresql = {
+      ensureDatabases = [ "vaultwarden" ];
+      ensureUsers = [{
+        name = "vaultwarden";
+        ensureDBOwnership = true;
+      }];
+    };
+
+    vaultwarden = {
+      enable = true;
+      dbBackend = "postgresql";
+      environmentFile = "/var/trust/vaultwarden/smtp_key";
+      config = {
+        DOMAIN = "https://vault.posixlycorrect.com";
+        SIGNUPS_ALLOWED = false;
+
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = 8222;
+
+        ROCKET_LOG = "critical";
+
+        # Using FASTMAIL mail server
+        # If you use an external mail server, follow:
+        #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+        SMTP_HOST = "smtp.fastmail.com";
+        SMTP_PORT = 587;
+        SMTP_SECURITY = "starttls";
+
+        SMTP_FROM = "vault@posixlycorrect.com";
+        SMTP_FROM_NAME = "posixlycorrect vaultwarden server";
+
+        SMTP_AUTH_MECHANISM = "PLAIN";
+
+        DATABASE_URL = "postgresql:///vaultwarden";
+      };
+    };
+
+    bitwarden-directory-connector-cli.domain = "https://vault.posixlycorrect.com";
+  };
+}