Add manuela to Wireguard peers

This reverts commit 6d9a883361.

README.org

@@ -1,3 +1,17 @@
 * Unit
 
 Declarative configuration for the main server, using [[https://nixos.org][NixOS]]
+
+** Modules
+
+ The configuration is sliced into different files, per category:
+
+ - ZFS pool configuration: hardware-configuration.nix
+ - Network configuration: networking.nix
+ - Synchronization and backup services: datasync.nix
+ - Web services and reverse proxy: webstack.nix
+ - Smartd: monitoring.nix
+ - Systemd services and timers: periodic.nix
+ - Virtual machines: virtualization.nix
+
+ All the modules are imported in *configuration.nix*

modules/datasync.nix

@@ -7,7 +7,6 @@
   services.samba = {
     enable = true;
     nsswins = true;
-    syncPasswordsByPam = true;
     extraConfig = ''
       workgroup = WORKGROUP
       server string = unit

modules/hardware-configuration.nix

@@ -43,18 +43,13 @@
       fsType = "zfs";
     };
 
-  fileSystems."/vault/backups" =
-    { device = "vault/backups";
-      fsType = "zfs";
-    };
-
   fileSystems."/vault/VMs" =
     { device = "vault/VMs";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/code" =
-    { device = "vault/code";
+  fileSystems."/vault/backups" =
+    { device = "vault/backups";
       fsType = "zfs";
     };
 
@@ -63,8 +58,8 @@
       fsType = "zfs";
     };
 
-  fileSystems."/vault/config" =
-    { device = "vault/config";
+  fileSystems."/vault/code" =
+    { device = "vault/code";
       fsType = "zfs";
     };
 
@@ -78,13 +73,8 @@
       fsType = "zfs";
     };
 
-  fileSystems."/vault/backups/documents" =
-    { device = "vault/backups/documents";
-      fsType = "zfs";
-    };
-
-  fileSystems."/vault/VMs/legacy" =
-    { device = "vault/VMs/legacy";
+  fileSystems."/vault/backups/wordpress" =
+    { device = "vault/backups/wordpress";
       fsType = "zfs";
     };
 
@@ -93,8 +83,23 @@
       fsType = "zfs";
     };
 
-  fileSystems."/vault/backups/wordpress" =
-    { device = "vault/backups/wordpress";
+  fileSystems."/vault/backups/documents" =
+    { device = "vault/backups/documents";
+      fsType = "zfs";
+    };
+
+  fileSystems."/vault/config" =
+    { device = "vault/config";
+      fsType = "zfs";
+    };
+
+  fileSystems."/vault/VMs/legacy" =
+    { device = "vault/VMs/legacy";
+      fsType = "zfs";
+    };
+
+  fileSystems."/vault/frontend" =
+    { device = "vault/frontend";
       fsType = "zfs";
     };
 

modules/networking.nix

@@ -51,11 +51,13 @@ in {
       5000 # Sybase
       80 # HTTP
       443 # HTTPS
+      53 # DNS
     ];
     allowedUDPPorts = [
       137 # Samba
       138 # Samba
       1194 # Wireguard
+      53 # DNS
     ];
     allowPing = true;
   };
@@ -101,6 +103,11 @@ in {
           publicKey = "5DU9ipxJcut2wKrUr3yQux9crzXMSW4ZeKWFLRpUc1I=";
           allowedIPs = [ "10.9.0.4/32" ];
         }
+        # manuela
+        {
+          publicKey = "V+DaOya2hLuV6C9BeCkDyFqXpPAFq9jMAeg1dvQw/FI=";
+          allowedIPs = [ "10.9.0.5/32" ];
+        }
       ];
     };
   };
@@ -130,4 +137,25 @@ in {
     '';
   };
 
+  # DNS server with adblock
+  services.dnsmasq = {
+    enable = true;
+    servers = [ "1.1.1.1" "8.8.8.8" ];
+    extraConfig = ''
+      domain-needed
+      bogus-priv
+      no-resolv
+
+      listen-address=127.0.0.1,10.0.1.3
+      bind-interfaces
+
+      cache-size=10000
+      local-ttl=300
+
+      conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
+
+      address=/coace.duckdns.org/10.0.1.3
+    '';
+  };
+
 }

modules/periodic.nix

@@ -1,6 +1,10 @@
 { config, lib, pkgs, ... }:
 
-{
+let
+  stateDir = "/var/lib/dnsmasq";
+  blocklist = "${stateDir}/dnsmasq.blacklist.txt";
+
+in {
   # Pull changes from git repos
   systemd.user.services.git-pull = {
     description = "Pull git repositories";
@@ -11,16 +15,8 @@
       cd "$base_folder" || exit
       ls | xargs -P10 -I{} git -C {} pull --rebase
     '';
-    serviceConfig = { Type = "oneshot"; };
-  };
-
-  systemd.user.timers.doom-upgrade = {
-    description = "Daily code update";
-    wantedBy = [ "default.target" ];
-    timerConfig = {
-      OnCalendar = "22:00:00";
-      Unit = "git-pull.service";
-    };
+    serviceConfig.Type = "oneshot";
+    startAt = "22:00:00";
   };
 
   # PostgreSQL daily backups
@@ -30,4 +26,20 @@
     location = "/vault/backups/databases/nextcloud";
     startAt = "*-*-* 05:15:00";
   };
+
+  # Fetch hosts-blocklists daily
+  systemd.services.download-dns-blocklist = {
+    description = "Download hosts-blocklists";
+    wantedBy = [ "default.target" ];
+    path = with pkgs; [ curl ];
+    script =
+      "curl -L https://github.com/notracking/hosts-blocklists/raw/master/dnsmasq/dnsmasq.blacklist.txt -o ${blocklist}";
+    serviceConfig.Type = "oneshot";
+    postStop = ''
+      chown -R dnsmasq ${stateDir}
+      systemctl restart dnsmasq
+    '';
+    startAt = "02:00:00";
+  };
+
 }

modules/webstack.nix

@@ -68,7 +68,4 @@
       host    all             all             ::1/128                 trust
     '';
   };
-
-  # Restart reverse proxy after services startup
-  systemd.services.nginx.after = [ "nextcloud.service" ];
 }

scripts/sybase-backup.sh

@@ -6,7 +6,7 @@ sybase_service() {
 
 perform_backup() {
 	zip -r BBDD_"$(date +"%d%m%Y")".zip /opt/sybase
-	scp BBDD_"$(date +"%d%m%Y")".zip -i /root/.ssh/unit coace@192.168.122.1:/vault/backups/databases/sica
+	scp -i /root/.ssh/unit BBDD_"$(date +"%d%m%Y")".zip coace@192.168.122.1:/vault/backups/databases/sica
 }
 
 cleanup() {