Add manuela to Wireguard peers

This reverts commit 6d9a883361.

README.org

@@ -1,3 +1,17 @@
 * Unit
 
 Declarative configuration for the main server, using [[https://nixos.org][NixOS]]
+
+** Modules
+
+ The configuration is sliced into different files, per category:
+
+ - ZFS pool configuration: hardware-configuration.nix
+ - Network configuration: networking.nix
+ - Synchronization and backup services: datasync.nix
+ - Web services and reverse proxy: webstack.nix
+ - Smartd: monitoring.nix
+ - Systemd services and timers: periodic.nix
+ - Virtual machines: virtualization.nix
+
+ All the modules are imported in *configuration.nix*

configuration.nix

@@ -57,6 +57,20 @@
   services.openssh = {
     enable = true;
     permitRootLogin = "yes";
+    macs = [
+      "hmac-sha2-512-etm@openssh.com"
+      "hmac-sha2-256-etm@openssh.com"
+      "umac-128-etm@openssh.com"
+      "hmac-sha2-512"
+      "hmac-sha2-256"
+      "umac-128@openssh.com"
+      "hmac-sha1"
+    ];
+    kexAlgorithms = [
+      "curve25519-sha256@libssh.org"
+      "diffie-hellman-group-exchange-sha256"
+      "diffie-hellman-group1-sha1"
+    ];
   };
 
   # Create coace user
@@ -67,6 +81,7 @@
     shell = pkgs.fish;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbHBpW1JgArO7XFr3mqMD8nCf3RjkHzso+mpNjR8iZi coolneng@panacea"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstGGn6Ri+LtR6ffPrRgFcLF1fJFRIyz2WrbYMjQRNGdYyr/01TSmh0N2DLapDPhHAiKk7M5qHc9ltSZxWS4zQIkKAVWhyeGbvc/Yya/T8Yy04ltm2XZQEKx92dFhQMBUhDKc/Sp/JQy+jmvzWDL/bt7tmAOzXvVElEaeapvlhaihlwrH1EqTgV44x08MVlOcDJLSEJqCwj1OsD6zT1D58TCc/VawNh9DXJm7MK/1OhesziRFXKR9Wzr0zYcTjYe78ISpILZeilxFA08TQrua51kHIEL/BznXN+IRRIXrhDqQIWkdJTEMIC83//jbOoePvJ7sjrrS2VZwEOg0N+zt+Q== root@sica"
     ];
   };
 
@@ -92,6 +107,7 @@
     ./modules/virtualization.nix
     ./modules/monitoring.nix
     ./modules/periodic.nix
+    ./modules/webstack.nix
   ];
 
 }

modules/datasync.nix

@@ -7,7 +7,6 @@
   services.samba = {
     enable = true;
     nsswins = true;
-    syncPasswordsByPam = true;
     extraConfig = ''
       workgroup = WORKGROUP
       server string = unit
@@ -31,4 +30,43 @@
       "force user" = "coace";
     };
   };
+
+  # ZFS automatic backup solution
+  services.znapzend = {
+    enable = true;
+    pure = true;
+    zetup."vault" = {
+      plan = "1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m";
+      recursive = true;
+      destinations.backup = {
+        host = "10.0.1.4";
+        dataset = "shield/unit";
+        plan = "1w=>1d,1m=>1w,1y=>1m";
+      };
+    };
+  };
+
+  # Nextcloud configuration
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud21;
+    home = "/vault/nextcloud";
+    hostName = "coace.duckdns.org";
+    https = true;
+    autoUpdateApps = {
+      enable = true;
+      startAt = "Sun 05:00:00";
+    };
+    config = {
+      overwriteProtocol = "https";
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbname = "nextcloud";
+      dbpassFile = "/var/keys/nextcloud";
+      adminpassFile = "/var/keys/nextcloud-admin";
+      adminuser = "admin";
+      defaultPhoneRegion = "ES";
+    };
+  };
+
 }

modules/hardware-configuration.nix

@@ -4,85 +4,107 @@
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
 
-  boot.initrd.availableKernelModules =
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
-    [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "system/stateful/root";
+    { device = "system/stateful/root";
       fsType = "zfs";
     };
 
-  fileSystems."/nix" = {
+  fileSystems."/nix" =
-    device = "system/ephemeral/nix";
+    { device = "system/ephemeral/nix";
       fsType = "zfs";
     };
 
-  fileSystems."/tmp" = {
+  fileSystems."/tmp" =
-    device = "system/ephemeral/tmp";
+    { device = "system/ephemeral/tmp";
       fsType = "zfs";
     };
 
-  fileSystems."/home" = {
+  fileSystems."/home" =
-    device = "system/stateful/home";
+    { device = "system/stateful/home";
       fsType = "zfs";
     };
 
-  fileSystems."/boot" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/B314-22E9";
+    { device = "/dev/disk/by-uuid/B314-22E9";
       fsType = "vfat";
     };
 
-  fileSystems."/vault" = {
+  fileSystems."/vault" =
-    device = "vault";
+    { device = "vault";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/samba" = {
+  fileSystems."/vault/VMs" =
-    device = "vault/samba";
+    { device = "vault/VMs";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/VMs" = {
+  fileSystems."/vault/backups" =
-    device = "vault/VMs";
+    { device = "vault/backups";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/backups" = {
+  fileSystems."/vault/nextcloud" =
-    device = "vault/backups";
+    { device = "vault/nextcloud";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/nextcloud" = {
+  fileSystems."/vault/code" =
-    device = "vault/nextcloud";
+    { device = "vault/code";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/backups/databases" = {
+  fileSystems."/vault/backups/databases" =
-    device = "vault/backups/databases";
+    { device = "vault/backups/databases";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/sica" = {
+  fileSystems."/vault/samba" =
-    device = "vault/sica";
+    { device = "vault/samba";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/code" = {
+  fileSystems."/vault/backups/wordpress" =
-    device = "vault/code";
+    { device = "vault/backups/wordpress";
       fsType = "zfs";
     };
 
-  fileSystems."/vault/config" = {
+  fileSystems."/vault/backups/frontend" =
-    device = "vault/config";
+    { device = "vault/backups/frontend";
+      fsType = "zfs";
+    };
+
+  fileSystems."/vault/backups/documents" =
+    { device = "vault/backups/documents";
+      fsType = "zfs";
+    };
+
+  fileSystems."/vault/config" =
+    { device = "vault/config";
+      fsType = "zfs";
+    };
+
+  fileSystems."/vault/VMs/legacy" =
+    { device = "vault/VMs/legacy";
+      fsType = "zfs";
+    };
+
+  fileSystems."/vault/frontend" =
+    { device = "vault/frontend";
       fsType = "zfs";
     };
 
   swapDevices =
-    [{ device = "/dev/disk/by-uuid/8262a243-b6aa-49e8-bf72-d2b85864d1c0"; }];
+    [ { device = "/dev/disk/by-uuid/8262a243-b6aa-49e8-bf72-d2b85864d1c0"; }
+    ];
 
 }

modules/networking.nix

@@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:
 
-{
+let password = builtins.readFile /var/keys/ddclient;
+
+in {
   # Assign a static IP
   networking = {
     hostName = "unit";
@@ -31,6 +33,15 @@
     };
   };
 
+  # Dynamic DNS configuration
+  services.ddclient = {
+    enable = true;
+    quiet = true;
+    protocol = "duckdns";
+    domains = [ "coace.duckdns.org" ];
+    inherit password;
+  };
+
   # Firewall configuration
   networking.firewall = {
     allowedTCPPorts = [
@@ -38,11 +49,15 @@
       139 # Samba
       2222 # VM SSH
       5000 # Sybase
+      80 # HTTP
+      443 # HTTPS
+      53 # DNS
     ];
     allowedUDPPorts = [
       137 # Samba
       138 # Samba
       1194 # Wireguard
+      53 # DNS
     ];
     allowPing = true;
   };
@@ -71,13 +86,28 @@
     wg0 = {
       ips = [ "10.9.0.1/24" ];
       listenPort = 1194;
-      privateKeyFile = "/home/coace/.wg/keys/privatekey";
+      privateKeyFile = "/home/coace/.wg/server/privatekey";
       peers = [
-        # Amin
+        # panacea
         {
           publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
           allowedIPs = [ "10.9.0.2/32" ];
         }
+        # caravanserai
+        {
+          publicKey = "4jiEKaPjNPU3JghfwLyArRhCKZmT8VYN07iw0SL/eHc=";
+          allowedIPs = [ "10.9.0.3/32" ];
+        }
+        # fernando
+        {
+          publicKey = "5DU9ipxJcut2wKrUr3yQux9crzXMSW4ZeKWFLRpUc1I=";
+          allowedIPs = [ "10.9.0.4/32" ];
+        }
+        # manuela
+        {
+          publicKey = "V+DaOya2hLuV6C9BeCkDyFqXpPAFq9jMAeg1dvQw/FI=";
+          allowedIPs = [ "10.9.0.5/32" ];
+        }
       ];
     };
   };
@@ -107,4 +137,25 @@
     '';
   };
 
+  # DNS server with adblock
+  services.dnsmasq = {
+    enable = true;
+    servers = [ "1.1.1.1" "8.8.8.8" ];
+    extraConfig = ''
+      domain-needed
+      bogus-priv
+      no-resolv
+
+      listen-address=127.0.0.1,10.0.1.3
+      bind-interfaces
+
+      cache-size=10000
+      local-ttl=300
+
+      conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
+
+      address=/coace.duckdns.org/10.0.1.3
+    '';
+  };
+
 }

modules/periodic.nix

@@ -1,6 +1,10 @@
 { config, lib, pkgs, ... }:
 
-{
+let
+  stateDir = "/var/lib/dnsmasq";
+  blocklist = "${stateDir}/dnsmasq.blacklist.txt";
+
+in {
   # Pull changes from git repos
   systemd.user.services.git-pull = {
     description = "Pull git repositories";
@@ -11,15 +15,31 @@
       cd "$base_folder" || exit
       ls | xargs -P10 -I{} git -C {} pull --rebase
     '';
-    serviceConfig = { Type = "oneshot"; };
+    serviceConfig.Type = "oneshot";
+    startAt = "22:00:00";
   };
 
-  systemd.user.timers.doom-upgrade = {
+  # PostgreSQL daily backups
-    description = "Daily code update";
+  services.postgresqlBackup = {
+    enable = true;
+    backupAll = true;
+    location = "/vault/backups/databases/nextcloud";
+    startAt = "*-*-* 05:15:00";
+  };
+
+  # Fetch hosts-blocklists daily
+  systemd.services.download-dns-blocklist = {
+    description = "Download hosts-blocklists";
     wantedBy = [ "default.target" ];
-    timerConfig = {
+    path = with pkgs; [ curl ];
-      OnCalendar = "22:00:00";
+    script =
-      Unit = "git-pull.service";
+      "curl -L https://github.com/notracking/hosts-blocklists/raw/master/dnsmasq/dnsmasq.blacklist.txt -o ${blocklist}";
-    };
+    serviceConfig.Type = "oneshot";
+    postStop = ''
+      chown -R dnsmasq ${stateDir}
+      systemctl restart dnsmasq
+    '';
+    startAt = "02:00:00";
   };
+
 }

modules/webstack.nix

@@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Reverse proxy configuration
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    sslCiphers =
+      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
+    sslProtocols = "TLSv1.2 TLSv1.3";
+    sslDhparam = "/var/lib/dhparams/nginx.pem";
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+    virtualHosts = {
+      "coace.duckdns.org" = {
+        enableACME = true;
+        forceSSL = true;
+      };
+    };
+  };
+
+  # ACME certs configuration
+  security.acme = {
+    acceptTerms = true;
+    email = "secretario@arquitectosdeceuta.com";
+    certs."coace.duckdns.org".webroot = "/var/lib/acme/acme-challenge";
+  };
+
+  # Generate dhparams
+  security.dhparams = {
+    enable = true;
+    params.nginx.bits = 2048;
+  };
+
+  # PostgreSQL databases configuration
+  services.postgresql = {
+    enable = true;
+    authentication = lib.mkForce ''
+      # Generated file; do not edit!
+      # TYPE  DATABASE        USER            ADDRESS                 METHOD
+      local   all             all                                     trust
+      host    all             all             127.0.0.1/32            trust
+      host    all             all             ::1/128                 trust
+    '';
+  };
+}

scripts/sybase-backup.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+sybase_service() {
+	/etc/init.d/sybase "$1"
+}
+
+perform_backup() {
+	zip -r BBDD_"$(date +"%d%m%Y")".zip /opt/sybase
+	scp -i /root/.ssh/unit BBDD_"$(date +"%d%m%Y")".zip coace@192.168.122.1:/vault/backups/databases/sica
+}
+
+cleanup() {
+	rm BBDD_"$(date +"%d%m%Y")".zip
+}
+
+sybase_service stop
+perform_backup
+sybase_service start
+cleanup