coace/unit
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: coace:b3d6016a9a73d959f2757cf235ba405450b35dd4
Branches Tags
coace:master
..
compare: coace:master
Branches Tags
coace:master

28 Commits
b3d6016a9a ... master

Author SHA1 Message Date
coolneng
634022d717 Add manuela to Wireguard peers 2021-07-31 21:49:57 +01:00
coolneng
b3b590dbf3 Replace deprecated OnCalendar option with startAt 2021-07-30 21:53:58 +01:00
coolneng
7083d475db Update README 2021-07-30 21:41:43 +01:00
coolneng
2cf9053ca9 Revert "Deploy a mail server" 
This reverts commit 6d9a883361.
 2021-07-24 18:01:20 +02:00
coolneng
6d9a883361 Deploy a mail server 2021-06-25 15:09:57 +02:00
coolneng
9b196037db Remove deprecated samba option 2021-06-01 23:26:53 +02:00
coolneng
94eecc7e20 Add frontend vdev 2021-05-17 10:48:37 +02:00
coolneng
7af1063f1f Replace systemd timers with startAt 2021-04-29 16:48:44 +02:00
coolneng
63a9fb80a1 Remove redundant reverse proxy restart 2021-04-15 10:00:07 +02:00
coolneng
0cef524a0c Correct ssh key specification in the backup script 2021-04-14 23:20:32 +02:00
coolneng
d90f9fb648 Deploy DNS server with ad-block and NAT loopback 2021-04-14 14:23:38 +02:00
coolneng
080e83aa5a Specify full scp command in backup script 2021-04-14 09:34:08 +02:00
coolneng
0e312ded51 Add wordpress vdev 2021-04-13 13:55:37 +02:00
coolneng
a082dda03b Move Nextcloud from subdomain to main domain name 2021-04-12 11:09:19 +02:00
coolneng
29a0a80594 Enable daily backups for the PostgreSQL databases 2021-04-07 13:18:49 +02:00
coolneng
b2b26fc58c Set up Nextcloud 2021-04-07 13:18:31 +02:00
coolneng
caf787de27 Change database backup location in sybase script 2021-04-07 11:13:15 +02:00
coolneng
1f8869b3d6 Enable automatic ZFS backups to remote server 2021-04-06 15:12:21 +02:00
coolneng
1ca6c43c3d Add document and website backup vdevs 2021-04-06 15:11:31 +02:00
coolneng
13a59c4657 Remove sica vdev and add VMS/legacy vdev 2021-03-31 12:34:01 +02:00
coolneng
1649285dc8 Add fernando to Wireguard peers 2021-03-31 12:33:51 +02:00
coolneng
3f34cc8f34 Change database backup location in the script 2021-03-31 12:03:46 +02:00
coolneng
0ec2c73ff9 Implement Sybase database backup script 2021-03-31 10:26:43 +02:00
coolneng
e231fd0516 Add CentOS VM SSH key 2021-03-31 10:26:06 +02:00
coolneng
bafbf5daba Allow legacy MACs and KexAlgorithms for CentOS VM 2021-03-31 10:08:58 +02:00
coolneng
d4bb02a494 Add caravanserai to Wireguard peers 2021-03-30 17:13:34 +02:00
coolneng
826530e5bb Configure ddclient with duckdns as a provider 2021-03-30 14:01:53 +02:00
coolneng
41ab42449a Perform a git pull daily on all repos 2021-03-30 12:07:48 +02:00
8 changed files with 325 additions and 73 deletions
Expand all files Collapse all files

14
README.org
View File

@@ -1,3 +1,17 @@
* Unit
Declarative configuration for the main server, using [[https://nixos.org][NixOS]]
** Modules
The configuration is sliced into different files, per category:
- ZFS pool configuration: hardware-configuration.nix
- Network configuration: networking.nix
- Synchronization and backup services: datasync.nix
- Web services and reverse proxy: webstack.nix
- Smartd: monitoring.nix
- Systemd services and timers: periodic.nix
- Virtual machines: virtualization.nix
All the modules are imported in *configuration.nix*

17
configuration.nix
View File

@@ -57,6 +57,20 @@
services.openssh = {
enable = true;
permitRootLogin = "yes";
macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
"hmac-sha1"
];
kexAlgorithms = [
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
"diffie-hellman-group1-sha1"
];
};
# Create coace user
@@ -67,6 +81,7 @@
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbHBpW1JgArO7XFr3mqMD8nCf3RjkHzso+mpNjR8iZi coolneng@panacea"
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstGGn6Ri+LtR6ffPrRgFcLF1fJFRIyz2WrbYMjQRNGdYyr/01TSmh0N2DLapDPhHAiKk7M5qHc9ltSZxWS4zQIkKAVWhyeGbvc/Yya/T8Yy04ltm2XZQEKx92dFhQMBUhDKc/Sp/JQy+jmvzWDL/bt7tmAOzXvVElEaeapvlhaihlwrH1EqTgV44x08MVlOcDJLSEJqCwj1OsD6zT1D58TCc/VawNh9DXJm7MK/1OhesziRFXKR9Wzr0zYcTjYe78ISpILZeilxFA08TQrua51kHIEL/BznXN+IRRIXrhDqQIWkdJTEMIC83//jbOoePvJ7sjrrS2VZwEOg0N+zt+Q== root@sica"
];
};
@@ -91,6 +106,8 @@
./modules/datasync.nix
./modules/virtualization.nix
./modules/monitoring.nix
./modules/periodic.nix
./modules/webstack.nix
];
}

40
modules/datasync.nix
View File

@@ -7,7 +7,6 @@
services.samba = {
enable = true;
nsswins = true;
syncPasswordsByPam = true;
extraConfig = ''
workgroup = WORKGROUP
server string = unit
@@ -31,4 +30,43 @@
"force user" = "coace";
};
};
# ZFS automatic backup solution
services.znapzend = {
enable = true;
pure = true;
zetup."vault" = {
plan = "1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m";
recursive = true;
destinations.backup = {
host = "10.0.1.4";
dataset = "shield/unit";
plan = "1w=>1d,1m=>1w,1y=>1m";
};
};
};
# Nextcloud configuration
services.nextcloud = {
enable = true;
package = pkgs.nextcloud21;
home = "/vault/nextcloud";
hostName = "coace.duckdns.org";
https = true;
autoUpdateApps = {
enable = true;
startAt = "Sun 05:00:00";
};
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
dbuser = "nextcloud";
dbname = "nextcloud";
dbpassFile = "/var/keys/nextcloud";
adminpassFile = "/var/keys/nextcloud-admin";
adminuser = "admin";
defaultPhoneRegion = "ES";
};
};
}

86
modules/hardware-configuration.nix
View File

@@ -4,85 +4,107 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "system/stateful/root";
fileSystems."/" =
{ device = "system/stateful/root";
fsType = "zfs";
};
fileSystems."/nix" = {
device = "system/ephemeral/nix";
fileSystems."/nix" =
{ device = "system/ephemeral/nix";
fsType = "zfs";
};
fileSystems."/tmp" = {
device = "system/ephemeral/tmp";
fileSystems."/tmp" =
{ device = "system/ephemeral/tmp";
fsType = "zfs";
};
fileSystems."/home" = {
device = "system/stateful/home";
fileSystems."/home" =
{ device = "system/stateful/home";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/B314-22E9";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/B314-22E9";
fsType = "vfat";
};
fileSystems."/vault" = {
device = "vault";
fileSystems."/vault" =
{ device = "vault";
fsType = "zfs";
};
fileSystems."/vault/samba" = {
device = "vault/samba";
fileSystems."/vault/VMs" =
{ device = "vault/VMs";
fsType = "zfs";
};
fileSystems."/vault/VMs" = {
device = "vault/VMs";
fileSystems."/vault/backups" =
{ device = "vault/backups";
fsType = "zfs";
};
fileSystems."/vault/backups" = {
device = "vault/backups";
fileSystems."/vault/nextcloud" =
{ device = "vault/nextcloud";
fsType = "zfs";
};
fileSystems."/vault/nextcloud" = {
device = "vault/nextcloud";
fileSystems."/vault/code" =
{ device = "vault/code";
fsType = "zfs";
};
fileSystems."/vault/backups/databases" = {
device = "vault/backups/databases";
fileSystems."/vault/backups/databases" =
{ device = "vault/backups/databases";
fsType = "zfs";
};
fileSystems."/vault/sica" = {
device = "vault/sica";
fileSystems."/vault/samba" =
{ device = "vault/samba";
fsType = "zfs";
};
fileSystems."/vault/code" = {
device = "vault/code";
fileSystems."/vault/backups/wordpress" =
{ device = "vault/backups/wordpress";
fsType = "zfs";
};
fileSystems."/vault/config" = {
device = "vault/config";
fileSystems."/vault/backups/frontend" =
{ device = "vault/backups/frontend";
fsType = "zfs";
};
fileSystems."/vault/backups/documents" =
{ device = "vault/backups/documents";
fsType = "zfs";
};
fileSystems."/vault/config" =
{ device = "vault/config";
fsType = "zfs";
};
fileSystems."/vault/VMs/legacy" =
{ device = "vault/VMs/legacy";
fsType = "zfs";
};
fileSystems."/vault/frontend" =
{ device = "vault/frontend";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/8262a243-b6aa-49e8-bf72-d2b85864d1c0"; }];
[ { device = "/dev/disk/by-uuid/8262a243-b6aa-49e8-bf72-d2b85864d1c0"; }
];
}

57
modules/networking.nix
View File

@@ -1,6 +1,8 @@
{ config, lib, pkgs, ... }:
{
let password = builtins.readFile /var/keys/ddclient;
in {
# Assign a static IP
networking = {
hostName = "unit";
@@ -31,6 +33,15 @@
};
};
# Dynamic DNS configuration
services.ddclient = {
enable = true;
quiet = true;
protocol = "duckdns";
domains = [ "coace.duckdns.org" ];
inherit password;
};
# Firewall configuration
networking.firewall = {
allowedTCPPorts = [
@@ -38,11 +49,15 @@
139 # Samba
2222 # VM SSH
5000 # Sybase
80 # HTTP
443 # HTTPS
53 # DNS
];
allowedUDPPorts = [
137 # Samba
138 # Samba
1194 # Wireguard
53 # DNS
];
allowPing = true;
};
@@ -71,13 +86,28 @@
wg0 = {
ips = [ "10.9.0.1/24" ];
listenPort = 1194;
privateKeyFile = "/home/coace/.wg/keys/privatekey";
privateKeyFile = "/home/coace/.wg/server/privatekey";
peers = [
# Amin
# panacea
{
publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
allowedIPs = [ "10.9.0.2/32" ];
}
# caravanserai
{
publicKey = "4jiEKaPjNPU3JghfwLyArRhCKZmT8VYN07iw0SL/eHc=";
allowedIPs = [ "10.9.0.3/32" ];
}
# fernando
{
publicKey = "5DU9ipxJcut2wKrUr3yQux9crzXMSW4ZeKWFLRpUc1I=";
allowedIPs = [ "10.9.0.4/32" ];
}
# manuela
{
publicKey = "V+DaOya2hLuV6C9BeCkDyFqXpPAFq9jMAeg1dvQw/FI=";
allowedIPs = [ "10.9.0.5/32" ];
}
];
};
};
@@ -107,4 +137,25 @@
'';
};
# DNS server with adblock
services.dnsmasq = {
enable = true;
servers = [ "1.1.1.1" "8.8.8.8" ];
extraConfig = ''
domain-needed
bogus-priv
no-resolv
listen-address=127.0.0.1,10.0.1.3
bind-interfaces
cache-size=10000
local-ttl=300
conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
address=/coace.duckdns.org/10.0.1.3
'';
};
}

36
modules/periodic.nix
View File

@@ -1,6 +1,10 @@
{ config, lib, pkgs, ... }:
{
let
stateDir = "/var/lib/dnsmasq";
blocklist = "${stateDir}/dnsmasq.blacklist.txt";
in {
# Pull changes from git repos
systemd.user.services.git-pull = {
description = "Pull git repositories";
@@ -11,15 +15,31 @@
cd "$base_folder" || exit
ls | xargs -P10 -I{} git -C {} pull --rebase
'';
serviceConfig = { Type = "oneshot"; };
serviceConfig.Type = "oneshot";
startAt = "22:00:00";
};
systemd.user.timers.doom-upgrade = {
description = "Daily code update";
# PostgreSQL daily backups
services.postgresqlBackup = {
enable = true;
backupAll = true;
location = "/vault/backups/databases/nextcloud";
startAt = "*-*-* 05:15:00";
};
# Fetch hosts-blocklists daily
systemd.services.download-dns-blocklist = {
description = "Download hosts-blocklists";
wantedBy = [ "default.target" ];
timerConfig = {
OnCalendar = "22:00:00";
Unit = "git-pull.service";
};
path = with pkgs; [ curl ];
script =
"curl -L https://github.com/notracking/hosts-blocklists/raw/master/dnsmasq/dnsmasq.blacklist.txt -o ${blocklist}";
serviceConfig.Type = "oneshot";
postStop = ''
chown -R dnsmasq ${stateDir}
systemctl restart dnsmasq
'';
startAt = "02:00:00";
};
}

71
modules/webstack.nix Normal file
View File

@@ -0,0 +1,71 @@
{ config, lib, pkgs, ... }:
{
# Reverse proxy configuration
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
sslCiphers =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
sslProtocols = "TLSv1.2 TLSv1.3";
sslDhparam = "/var/lib/dhparams/nginx.pem";
commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
virtualHosts = {
"coace.duckdns.org" = {
enableACME = true;
forceSSL = true;
};
};
};
# ACME certs configuration
security.acme = {
acceptTerms = true;
email = "secretario@arquitectosdeceuta.com";
certs."coace.duckdns.org".webroot = "/var/lib/acme/acme-challenge";
};
# Generate dhparams
security.dhparams = {
enable = true;
params.nginx.bits = 2048;
};
# PostgreSQL databases configuration
services.postgresql = {
enable = true;
authentication = lib.mkForce ''
# Generated file; do not edit!
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
};
}

19
scripts/sybase-backup.sh Normal file
View File

@@ -0,0 +1,19 @@
#!/bin/sh
sybase_service() {
/etc/init.d/sybase "$1"
}
perform_backup() {
zip -r BBDD_"$(date +"%d%m%Y")".zip /opt/sybase
scp -i /root/.ssh/unit BBDD_"$(date +"%d%m%Y")".zip coace@192.168.122.1:/vault/backups/databases/sica
}
cleanup() {
rm BBDD_"$(date +"%d%m%Y")".zip
}
sybase_service stop
perform_backup
sybase_service start
cleanup