Add manuela to Wireguard peers

This reverts commit 6d9a883361.

README.org

@@ -1,3 +1,17 @@
 * Unit
 
 Declarative configuration for the main server, using [[https://nixos.org][NixOS]]
+
+** Modules
+
+ The configuration is sliced into different files, per category:
+
+ - ZFS pool configuration: hardware-configuration.nix
+ - Network configuration: networking.nix
+ - Synchronization and backup services: datasync.nix
+ - Web services and reverse proxy: webstack.nix
+ - Smartd: monitoring.nix
+ - Systemd services and timers: periodic.nix
+ - Virtual machines: virtualization.nix
+
+ All the modules are imported in *configuration.nix*

configuration.nix

@@ -107,6 +107,7 @@
     ./modules/virtualization.nix
     ./modules/monitoring.nix
     ./modules/periodic.nix
+    ./modules/webstack.nix
   ];
 
 }

modules/datasync.nix

@@ -7,7 +7,6 @@
   services.samba = {
     enable = true;
     nsswins = true;
-    syncPasswordsByPam = true;
     extraConfig = ''
       workgroup = WORKGROUP
       server string = unit
@@ -46,4 +45,28 @@
       };
     };
   };
+
+  # Nextcloud configuration
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud21;
+    home = "/vault/nextcloud";
+    hostName = "coace.duckdns.org";
+    https = true;
+    autoUpdateApps = {
+      enable = true;
+      startAt = "Sun 05:00:00";
+    };
+    config = {
+      overwriteProtocol = "https";
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbname = "nextcloud";
+      dbpassFile = "/var/keys/nextcloud";
+      adminpassFile = "/var/keys/nextcloud-admin";
+      adminuser = "admin";
+      defaultPhoneRegion = "ES";
+    };
+  };
+
 }

modules/hardware-configuration.nix

@@ -4,95 +4,107 @@
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
 
-  boot.initrd.availableKernelModules =
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
-    [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "system/stateful/root";
+    { device = "system/stateful/root";
       fsType = "zfs";
     };
 
-  fileSystems."/nix" = {
+  fileSystems."/nix" =
-    device = "system/ephemeral/nix";
+    { device = "system/ephemeral/nix";
       fsType = "zfs";
     };
 
-  fileSystems."/tmp" = {
+  fileSystems."/tmp" =
-    device = "system/ephemeral/tmp";
+    { device = "system/ephemeral/tmp";
       fsType = "zfs";
     };
 
-  fileSystems."/home" = {
+  fileSystems."/home" =
-    device = "system/stateful/home";
+    { device = "system/stateful/home";
       fsType = "zfs";
     };
 
-  fileSystems."/boot" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/B314-22E9";
+    { device = "/dev/disk/by-uuid/B314-22E9";
       fsType = "vfat";
     };
 
-  fileSystems."/vault" = {
+  fileSystems."/vault" =
-    device = "vault";
+    { device = "vault";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/backups" = {
+  fileSystems."/vault/VMs" =
-    device = "vault/backups";
+    { device = "vault/VMs";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/VMs" = {
+  fileSystems."/vault/backups" =
-    device = "vault/VMs";
+    { device = "vault/backups";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/config" = {
+  fileSystems."/vault/nextcloud" =
-    device = "vault/config";
+    { device = "vault/nextcloud";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/samba" = {
+  fileSystems."/vault/code" =
-    device = "vault/samba";
+    { device = "vault/code";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/code" = {
+  fileSystems."/vault/backups/databases" =
-    device = "vault/code";
+    { device = "vault/backups/databases";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/VMs/legacy" = {
+  fileSystems."/vault/samba" =
-    device = "vault/VMs/legacy";
+    { device = "vault/samba";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/backups/databases" = {
+  fileSystems."/vault/backups/wordpress" =
-    device = "vault/backups/databases";
+    { device = "vault/backups/wordpress";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/nextcloud" = {
+  fileSystems."/vault/backups/frontend" =
-    device = "vault/nextcloud";
+    { device = "vault/backups/frontend";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/backups/documents" = {
+  fileSystems."/vault/backups/documents" =
-    device = "vault/backups/documents";
+    { device = "vault/backups/documents";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/backups/frontend" = {
+  fileSystems."/vault/config" =
-    device = "vault/backups/frontend";
+    { device = "vault/config";
+      fsType = "zfs";
+    };
+
+  fileSystems."/vault/VMs/legacy" =
+    { device = "vault/VMs/legacy";
+      fsType = "zfs";
+    };
+
+  fileSystems."/vault/frontend" =
+    { device = "vault/frontend";
       fsType = "zfs";
     };
 
   swapDevices =
-    [{ device = "/dev/disk/by-uuid/8262a243-b6aa-49e8-bf72-d2b85864d1c0"; }];
+    [ { device = "/dev/disk/by-uuid/8262a243-b6aa-49e8-bf72-d2b85864d1c0"; }
+    ];
 
 }

modules/networking.nix

@@ -49,11 +49,15 @@ in {
       139 # Samba
       2222 # VM SSH
       5000 # Sybase
+      80 # HTTP
+      443 # HTTPS
+      53 # DNS
     ];
     allowedUDPPorts = [
       137 # Samba
       138 # Samba
       1194 # Wireguard
+      53 # DNS
     ];
     allowPing = true;
   };
@@ -99,6 +103,11 @@ in {
           publicKey = "5DU9ipxJcut2wKrUr3yQux9crzXMSW4ZeKWFLRpUc1I=";
           allowedIPs = [ "10.9.0.4/32" ];
         }
+        # manuela
+        {
+          publicKey = "V+DaOya2hLuV6C9BeCkDyFqXpPAFq9jMAeg1dvQw/FI=";
+          allowedIPs = [ "10.9.0.5/32" ];
+        }
       ];
     };
   };
@@ -128,4 +137,25 @@ in {
     '';
   };
 
+  # DNS server with adblock
+  services.dnsmasq = {
+    enable = true;
+    servers = [ "1.1.1.1" "8.8.8.8" ];
+    extraConfig = ''
+      domain-needed
+      bogus-priv
+      no-resolv
+
+      listen-address=127.0.0.1,10.0.1.3
+      bind-interfaces
+
+      cache-size=10000
+      local-ttl=300
+
+      conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
+
+      address=/coace.duckdns.org/10.0.1.3
+    '';
+  };
+
 }

modules/periodic.nix

@@ -1,6 +1,10 @@
 { config, lib, pkgs, ... }:
 
-{
+let
+  stateDir = "/var/lib/dnsmasq";
+  blocklist = "${stateDir}/dnsmasq.blacklist.txt";
+
+in {
   # Pull changes from git repos
   systemd.user.services.git-pull = {
     description = "Pull git repositories";
@@ -11,15 +15,31 @@
       cd "$base_folder" || exit
       ls | xargs -P10 -I{} git -C {} pull --rebase
     '';
-    serviceConfig = { Type = "oneshot"; };
+    serviceConfig.Type = "oneshot";
+    startAt = "22:00:00";
   };
 
-  systemd.user.timers.doom-upgrade = {
+  # PostgreSQL daily backups
-    description = "Daily code update";
+  services.postgresqlBackup = {
+    enable = true;
+    backupAll = true;
+    location = "/vault/backups/databases/nextcloud";
+    startAt = "*-*-* 05:15:00";
+  };
+
+  # Fetch hosts-blocklists daily
+  systemd.services.download-dns-blocklist = {
+    description = "Download hosts-blocklists";
     wantedBy = [ "default.target" ];
-    timerConfig = {
+    path = with pkgs; [ curl ];
-      OnCalendar = "22:00:00";
+    script =
-      Unit = "git-pull.service";
+      "curl -L https://github.com/notracking/hosts-blocklists/raw/master/dnsmasq/dnsmasq.blacklist.txt -o ${blocklist}";
-    };
+    serviceConfig.Type = "oneshot";
+    postStop = ''
+      chown -R dnsmasq ${stateDir}
+      systemctl restart dnsmasq
+    '';
+    startAt = "02:00:00";
   };
+
 }

modules/webstack.nix

@@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Reverse proxy configuration
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    sslCiphers =
+      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
+    sslProtocols = "TLSv1.2 TLSv1.3";
+    sslDhparam = "/var/lib/dhparams/nginx.pem";
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+    virtualHosts = {
+      "coace.duckdns.org" = {
+        enableACME = true;
+        forceSSL = true;
+      };
+    };
+  };
+
+  # ACME certs configuration
+  security.acme = {
+    acceptTerms = true;
+    email = "secretario@arquitectosdeceuta.com";
+    certs."coace.duckdns.org".webroot = "/var/lib/acme/acme-challenge";
+  };
+
+  # Generate dhparams
+  security.dhparams = {
+    enable = true;
+    params.nginx.bits = 2048;
+  };
+
+  # PostgreSQL databases configuration
+  services.postgresql = {
+    enable = true;
+    authentication = lib.mkForce ''
+      # Generated file; do not edit!
+      # TYPE  DATABASE        USER            ADDRESS                 METHOD
+      local   all             all                                     trust
+      host    all             all             127.0.0.1/32            trust
+      host    all             all             ::1/128                 trust
+    '';
+  };
+}

scripts/sybase-backup.sh

@@ -6,7 +6,7 @@ sybase_service() {
 
 perform_backup() {
 	zip -r BBDD_"$(date +"%d%m%Y")".zip /opt/sybase
-	scp BBDD_"$(date +"%d%m%Y")".zip unit:/vault/backups/databases
+	scp -i /root/.ssh/unit BBDD_"$(date +"%d%m%Y")".zip coace@192.168.122.1:/vault/backups/databases/sica
 }
 
 cleanup() {