some things (tiny commit ik)

2024-10-21 21:56:47 +02:00 · 2024-10-21 21:56:47 +02:00 · 2c282d8bf7
commit 2c282d8bf7
parent 6b76450816
38 changed files with 771 additions and 102 deletions
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -138,7 +138,7 @@ in {
          #"services/pipewire.nix"
          "services/syncthing.nix"
          #"services/containers/server"
-          "services/containers/experimental"
+          # "services/containers/experimental" # TODO maybe reenable this?? or just abandon it and move fully to systemd network namespace
        ])

        #{
--- a/hosts/hopper/brawlstats.nix
+++ b/hosts/hopper/brawlstats.nix
@ -5,7 +5,7 @@
  ...
 }: {
  networking.firewall.allowedTCPPorts = [
-    4444
+    # 4444
  ];

  systemd.services."static-web-server".after = ["brawlstats.timer"];
@ -45,6 +45,8 @@
        ''}
        }

+        rm /tmp/brawlstatslog
+
        case ''${parameters:1} in
          total*)
            id=$(echo $parameters | ${lib.getExe pkgs.gawk} '{print $2}')
--- a/hosts/hopper/default.nix
+++ b/hosts/hopper/default.nix
@ -2,8 +2,12 @@
  imports = with inputs.hardware.nixosModules; [
    common-cpu-intel

+    inputs.vpn-confinement.nixosModules.default
+
    ./hardware.nix
    ./brawlstats.nix
+    ./lab.nix
+    ./hardening.nix
  ];

  networking.hostName = "hopper";
--- a/hosts/hopper/hardening.nix
+++ b/hosts/hopper/hardening.nix
@ -0,0 +1,5 @@
+{
+  fileSystems."/".options = ["noexec"];
+  fileSystems."/home".options = ["noexec"];
+  fileSystems."/boot".options = ["noexec"];
+}
--- a/hosts/hopper/hardware.nix
+++ b/hosts/hopper/hardware.nix
@ -11,7 +11,7 @@

  boot = {
    blacklistedKernelModules = [
-      "xhci_pci" # was causing issues (100% udevd cpu usage)
+      # "xhci_pci" # was causing issues (100% udevd cpu usage)
    ];
    initrd = {
      availableKernelModules = [
@ -23,7 +23,7 @@
      ];
      kernelModules = [];
    };
-    kernelModules = ["kvm-intel"];
+    kernelModules = ["kvm-intel" "wireguard"];
    extraModulePackages = [];
    loader = {
      systemd-boot = {
--- a/hosts/hopper/lab.nix
+++ b/hosts/hopper/lab.nix
@ -0,0 +1,305 @@
+## TODO look into sops-nix placeholders
+## reference: https://github.com/javigomezo/nixos/blob/b3ebe8d570ea9b37aea8bb3a343f6e16e054e322/services/network/authelia/user_database.nix
+{
+  pkgs,
+  inputs,
+  config,
+  lib,
+  ...
+}: let
+  domain = "xunuwu.xyz";
+  caddyPort = 8336;
+  autheliaPort = 24637;
+in {
+  ## TODO use impermanence
+  ## TODO setup fail2ban mayb
+
+  imports = [inputs.vpn-confinement.nixosModules.default];
+
+  security.acme = {
+    acceptTerms = true;
+    certs.${domain} = {
+      domain = "*.${domain}";
+      dnsProvider = "cloudflare";
+      email = "xunuwu@gmail.com";
+      reloadServices = ["caddy.service"];
+      credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
+      extraDomainNames = [domain];
+    };
+  };
+
+  vpnNamespaces."wg" = {
+    enable = true;
+    wireguardConfigFile = config.sops.secrets.wireguard-config.path;
+    accessibleFrom = [
+      "192.168.0.0/24"
+    ];
+
+    # Forwarded to my vpn, for making things accessible from outside
+    openVPNPorts = [
+      {
+        port = caddyPort;
+        protocol = "tcp";
+      }
+    ];
+
+    # From inside of the vpn namespace to outside of it, for making things inside accessible to LAN
+    portMappings = [
+      {
+        to = caddyPort;
+        from = caddyPort;
+      }
+      {
+        to = 7359; # Jellyfin auto-discovery
+        from = 7359;
+      }
+      {
+        to = 1900; # Jellyfin auto-discovery, TODO check if this actually works and dont forward these if it doesnt
+        from = 1900;
+      }
+    ];
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [config.services.navidrome.settings.Port];
+    allowedUDPPorts = [1900 7359]; # Jellyfin auto-discovery
+  };
+
+  systemd.services.caddy.vpnConfinement = {
+    enable = true;
+    vpnNamespace = "wg";
+  };
+
+  services.caddy = {
+    enable = true;
+    # extraConfig = let
+    #   gensub = x: "${x}.${domain}:${toString caddyPort}";
+    #   tls = "tls /var/lib/acme/${domain}/cert.pem /var/lib/acme/${domain}/key.pem";
+    #   rpPort = port: "reverse_proxy localhost:${toString port}";
+    # in ''
+    #   ${gensub "navidrome"} {
+    #     ${tls}
+    #     ${rpPort config.services.navidrome.settings.Port}
+    #   }
+    # '';
+    virtualHosts = let
+      authelia = "localhost:${toString autheliaPort}";
+    in
+      builtins.mapAttrs (n: v:
+        {
+          useACMEHost = domain;
+          hostName = "${n}.${domain}:${toString caddyPort}";
+        }
+        // v) {
+        navidrome.extraConfig = ''
+          reverse_proxy localhost:${toString config.services.navidrome.settings.Port}
+        '';
+        auth.extraConfig = "reverse_proxy ${authelia}";
+        #jellyfin.extraConfig = "reverse_proxy localhost:8096"; # TODO tmp off since i dont have proper auth yet
+        other = {
+          hostName = ":${toString caddyPort}";
+          extraConfig = ''
+            respond 404 {
+              body "no such route you dummy"
+            }
+          '';
+        };
+      };
+  };
+
+  systemd.services.navidrome = {
+    vpnConfinement = {
+      enable = true;
+      vpnNamespace = "wg";
+    };
+    serviceConfig = {
+      PrivateTmp = true;
+      NoNewPrivileges = true;
+      RestrictSUIDSGID = true;
+      ProtectProc = "invisible";
+    };
+  };
+
+  ## TODO might be unnecessary with authelia but specifying a custom PasswordEncryptionKey is recommended
+  services.navidrome = {
+    enable = true;
+    settings = {
+      Address = "localhost";
+      MusicFolder = "/media/library/music";
+
+      ReverseProxyWhitelist = "0.0.0.0/0"; # cant be accessed from outside since the navidrome port isnt mapped to outside of the wireguard namespace
+    };
+  };
+
+  systemd.services.authelia-main = {
+    vpnConfinement = {
+      enable = true;
+      vpnNamespace = "wg";
+    };
+    # serviceConfig.LoadCredential = [
+    #   "users.yaml:${}"
+    # ];
+  };
+  services.authelia.instances.main = {
+    enable = true;
+    secrets = {
+      jwtSecretFile = config.sops.secrets.authelia_jwt_secret.path;
+      storageEncryptionKeyFile = config.sops.secrets.authelia_encryption_key.path;
+      sessionSecretFile = config.sops.secrets.authelia_session_secret.path;
+    };
+    settings = {
+      # might change this to info in the future, for now its nice seeing debug messages if something goes wrong
+      log.level = "debug";
+
+      access_control = {
+        default_policy = "deny";
+        rules = [
+          {
+            domain = "*.${domain}";
+            policy = "one_factor"; # using totp requires me to set up smtp support :(
+          }
+        ];
+      };
+
+      theme = "auto";
+      default_2fa_method = "totp";
+      ## use ldap backend, not yaml file
+      ## https://www.authelia.com/configuration/first-factor/ldap/
+      # default_redirection_url = "https://auth.${domain}/";
+
+      notifier.filesystem.filename = "/tmp/authelia-notifier.txt"; ## TODO change this to something reasonable
+
+      authentication_backend = {
+        password_reset.disable = true;
+        file.path = pkgs.writers.writeYAML "users.yaml" {
+          users.xun = {
+            disabled = false;
+            displayname = "xun";
+            password = "$argon2id$v=19$m=65536,t=3,p=4$cwYrForToKZn7+urMrSXuQ$PStkqPlo/7/GZ+hMsJXfOyZ0WijNtuZpaHWyZUuBWBY";
+            email = "xunuwu@gmail.com";
+            groups = ["admin"];
+          };
+        };
+      };
+
+      storage.postgres = {
+        address = "unix:///run/postgresql";
+        database = "authelia-main";
+        # this isnt used, ensureDBOwnership allows us to auth to postgres using unix users
+        username = "authelia-main";
+        password = "unused";
+      };
+
+      session.cookies = [
+        {
+          domain = domain;
+          authelia_url = "https://auth.${domain}";
+          default_redirection_url = "https://invalid.${domain}"; # TODO replace with overview thing mayb
+        }
+      ];
+
+      ## TODO: https://www.authelia.com/integration/proxies/forwarded-headers/#cloudflare
+
+      server = {
+        address = "127.0.0.1:${toString autheliaPort}";
+        endpoints.authz.forward-auth.implementation = "ForwardAuth";
+      };
+    };
+  };
+
+  services.postgresql = let
+    databases = ["authelia-main"];
+  in {
+    enable = true;
+    ensureDatabases = databases;
+    ensureUsers = lib.singleton {
+      name = "authelia-main";
+      ensureDBOwnership = true;
+    };
+  };
+
+  systemd.services.jellyfin.vpnConfinement = {
+    enable = true;
+    vpnNamespace = "wg";
+  };
+
+  services.jellyfin = {
+    enable = true;
+  };
+
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+    extraFlags = ["--storage.tsdb.retention.time=30d"];
+    scrapeConfigs = [
+      {
+        job_name = config.networking.hostName;
+        static_configs = [
+          {
+            targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
+          }
+        ];
+      }
+    ];
+  };
+
+  services.prometheus.exporters = {
+    node = {
+      enable = true;
+      enabledCollectors = ["systemd"];
+    };
+  };
+
+  # services.grafana = {
+  #   enable = true;
+  #   domain = "grafana.hopper";
+  #   addr = "127.0.0.1";
+  #   security = {
+  #     adminUser = "admin";
+  #     adminPasswordFile = config.sops.secrets.grafana-pass.path;
+  #   };
+  # };
+
+  ## TODO: add forgejo
+
+  ## ignore this its cringe and ill prob remove it later idk, its also pasted from someone else, idk who tho ##
+  systemd.services.vpn-test-service = {
+    enable = true;
+
+    vpnConfinement = {
+      enable = true;
+      vpnNamespace = "wg";
+    };
+
+    script = "${pkgs.writeShellApplication {
+      name = "vpn-test";
+
+      runtimeInputs = with pkgs; [util-linux unixtools.ping coreutils curl bash libressl netcat-gnu openresolv dig];
+
+      text = ''
+        cd "$(mktemp -d)"
+
+        # DNS information
+        dig google.com
+
+        # Print resolv.conf
+        echo "/etc/resolv.conf contains:"
+        cat /etc/resolv.conf
+
+        # Query resolvconf
+        # echo "resolvconf output:"
+        # resolvconf -l
+        # echo ""
+
+        # Get ip
+        echo "Getting IP:"
+        curl -s ipinfo.io
+
+        echo -ne "DNS leak test:"
+        curl -s https://raw.githubusercontent.com/macvk/dnsleaktest/b03ab54d574adbe322ca48cbcb0523be720ad38d/dnsleaktest.sh -o dnsleaktest.sh
+        chmod +x dnsleaktest.sh
+        ./dnsleaktest.sh
+      '';
+    }}/bin/vpn-test";
+  };
+}
--- a/hosts/nixdesk/default.nix
+++ b/hosts/nixdesk/default.nix
@ -3,6 +3,7 @@
    ./hardware.nix
    ./hibernate-boot.nix
    ./testing.nix
+    ./samba-mount.nix
  ];

  networking.hostName = "nixdesk";
--- a/hosts/nixdesk/samba-mount.nix
+++ b/hosts/nixdesk/samba-mount.nix
@ -0,0 +1,21 @@
+{config, ...}: {
+  systemd.mounts = [
+    {
+      description = "smb hopper transmission download directory";
+      what = "//192.168.50.97/transmission"; # hopper local ip
+      where = "/server/transmission";
+      type = "cifs";
+      options = builtins.readFile ./smbcreds;
+    }
+  ];
+  systemd.automounts = [
+    {
+      requires = ["network-online.target"];
+      where = "/server/transmission";
+      wantedBy = ["multi-user.target"];
+      automountConfig = {
+        TimeoutIdleSec = "10min";
+      };
+    }
+  ];
+}
--- a/hosts/nixdesk/smbcreds
+++ b/hosts/nixdesk/smbcreds
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 Uot/1Q zOPmK3Ael5Ss1gclWT0Q/YLbtus/1Ef5QgSYP96MdjQ
+Ut0OfpCHqMlWrkU298WDWXLseerYiwv8hAAf70nSgfo
+-> mQ1Ds-grease V=M 7*
+ZsOetI30y2vLGlwWP84sVSQzbrtA4m+yRrCc316MzHWPyuEJYnVzw7Eygayg8c26
+t+1VDhMHLhFpImAIXni2GsZNAxGnUw5VaRybmpHRt1Bri8k7ZENosX/7T6/kViO8
+BW8
+--- 0MsxoH3ENvyga/ICHX3448MZ9q7GJecTg5eOLPe2D2A
+ÍfÈh_±¿ÌïÉ¿m>rc¢
ˆ®§Ó¡JxûÕ×ƒ÷E^-ø‰‘˜¹`·!+Ñëu¡Tu{¢õsoh"‚ð¤EŒ<45>%ÍÏ¼ÿ §Ð—!	_>)ûšÒ¤†¡.™ÅÁ'Â¼]U}íèšƒeB·éÈ7³L£¢¹;ñ£9h`
+˜+8›<38>6Š‰#ÄÀ}4âR»”/Oåî‘S¶“ð—÷€ÌÝüœ„ZÅ(<28>‰åBË®Z<16>·Ð9
‡