coace/unit
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: coace:master
Branches Tags
coace:master
..
compare: coace:c8348b49d81e874148d5d89cc10d0e5edb381f5e
Branches Tags
coace:master

1 Commits
master ... c8348b49d8

Author SHA1 Message Date
coolneng
c8348b49d8 Add Wireguard configuration 2021-03-12 12:08:28 +01:00
10 changed files with 32 additions and 500 deletions
Expand all files Collapse all files

17
README.org
View File

@@ -1,17 +0,0 @@
* Unit
Declarative configuration for the main server, using [[https://nixos.org][NixOS]]
** Modules
The configuration is sliced into different files, per category:
- ZFS pool configuration: hardware-configuration.nix
- Network configuration: networking.nix
- Synchronization and backup services: datasync.nix
- Web services and reverse proxy: webstack.nix
- Smartd: monitoring.nix
- Systemd services and timers: periodic.nix
- Virtual machines: virtualization.nix
All the modules are imported in *configuration.nix*

37
configuration.nix
View File

@@ -17,15 +17,12 @@
timeout = 3;
};
# Packages
environment.systemPackages = with pkgs; [ htop vim zip unzip ];
# Run Nix garbage collector, while avoiding compiling
nix = {
autoOptimiseStore = true;
gc = {
automatic = true;
options = "--delete-older-than 14d";
options = "--delete-older-than 7d";
};
extraOptions = ''
keep-outputs = true
@@ -40,6 +37,9 @@
# Rotate logs after 14 days
services.journald.extraConfig = "SystemMaxFiles=14";
# Allow propietary software and build packages with Pulseaudio support
nixpkgs.config.allowUnfree = true;
# Scrub zpool monthly
services.zfs.autoScrub = {
enable = true;
@@ -48,32 +48,12 @@
# Set timezone and synchronize NTP
time.timeZone = "Europe/Brussels";
services.timesyncd.enable = true;
services.chrony.enable = true;
# NixOS version
system.stateVersion = "20.09";
# Configure basic SSH access
services.openssh = {
enable = true;
permitRootLogin = "yes";
macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
"hmac-sha1"
];
kexAlgorithms = [
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
"diffie-hellman-group1-sha1"
];
};
# Create coace user
# Create coolneng user
users.users.coace = {
isNormalUser = true;
home = "/home/coace";
@@ -81,7 +61,6 @@
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbHBpW1JgArO7XFr3mqMD8nCf3RjkHzso+mpNjR8iZi coolneng@panacea"
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstGGn6Ri+LtR6ffPrRgFcLF1fJFRIyz2WrbYMjQRNGdYyr/01TSmh0N2DLapDPhHAiKk7M5qHc9ltSZxWS4zQIkKAVWhyeGbvc/Yya/T8Yy04ltm2XZQEKx92dFhQMBUhDKc/Sp/JQy+jmvzWDL/bt7tmAOzXvVElEaeapvlhaihlwrH1EqTgV44x08MVlOcDJLSEJqCwj1OsD6zT1D58TCc/VawNh9DXJm7MK/1OhesziRFXKR9Wzr0zYcTjYe78ISpILZeilxFA08TQrua51kHIEL/BznXN+IRRIXrhDqQIWkdJTEMIC83//jbOoePvJ7sjrrS2VZwEOg0N+zt+Q== root@sica"
];
};
@@ -104,10 +83,6 @@
./modules/hardware-configuration.nix
./modules/networking.nix
./modules/datasync.nix
./modules/virtualization.nix
./modules/monitoring.nix
./modules/periodic.nix
./modules/webstack.nix
];
}

62
modules/datasync.nix
View File

@@ -1,72 +1,30 @@
{ config, lib, pkgs, ... }:
{
# Samba configuration
environment.systemPackages = with pkgs; [ samba ];
services.samba = {
enable = true;
securityType = "share";
nsswins = true;
extraConfig = ''
workgroup = WORKGROUP
server string = unit
netbios name = unit
server string = samba
netbios name = samba
security = ${config.services.samba.securityType}
hosts allow = 192.168.1 localhost
hosts deny = 0.0.0.0/0
guest account = nobody
map to guest = bad user
load printers=no
smb encrypt = required
server min protocol = SMB2_10
client min protocol = SMB2
client max protocol = SMB3
ntlm auth = yes
'';
shares.public = {
path = "/vault/samba/CSD";
# FIXME Change path accordingly
sharepath = "/mnt/Shares/Public";
browseable = "yes";
"read only" = "no";
"guest ok" = "yes";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "coace";
"force user" = "nobody";
"force group" = "nobody";
};
};
# ZFS automatic backup solution
services.znapzend = {
enable = true;
pure = true;
zetup."vault" = {
plan = "1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m";
recursive = true;
destinations.backup = {
host = "10.0.1.4";
dataset = "shield/unit";
plan = "1w=>1d,1m=>1w,1y=>1m";
};
};
};
# Nextcloud configuration
services.nextcloud = {
enable = true;
package = pkgs.nextcloud21;
home = "/vault/nextcloud";
hostName = "coace.duckdns.org";
https = true;
autoUpdateApps = {
enable = true;
startAt = "Sun 05:00:00";
};
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
dbuser = "nextcloud";
dbname = "nextcloud";
dbpassFile = "/var/keys/nextcloud";
adminpassFile = "/var/keys/nextcloud-admin";
adminuser = "admin";
defaultPhoneRegion = "ES";
};
};
}

110
modules/hardware-configuration.nix
View File

@@ -1,110 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "system/stateful/root";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "system/ephemeral/nix";
fsType = "zfs";
};
fileSystems."/tmp" =
{ device = "system/ephemeral/tmp";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "system/stateful/home";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/B314-22E9";
fsType = "vfat";
};
fileSystems."/vault" =
{ device = "vault";
fsType = "zfs";
};
fileSystems."/vault/VMs" =
{ device = "vault/VMs";
fsType = "zfs";
};
fileSystems."/vault/backups" =
{ device = "vault/backups";
fsType = "zfs";
};
fileSystems."/vault/nextcloud" =
{ device = "vault/nextcloud";
fsType = "zfs";
};
fileSystems."/vault/code" =
{ device = "vault/code";
fsType = "zfs";
};
fileSystems."/vault/backups/databases" =
{ device = "vault/backups/databases";
fsType = "zfs";
};
fileSystems."/vault/samba" =
{ device = "vault/samba";
fsType = "zfs";
};
fileSystems."/vault/backups/wordpress" =
{ device = "vault/backups/wordpress";
fsType = "zfs";
};
fileSystems."/vault/backups/frontend" =
{ device = "vault/backups/frontend";
fsType = "zfs";
};
fileSystems."/vault/backups/documents" =
{ device = "vault/backups/documents";
fsType = "zfs";
};
fileSystems."/vault/config" =
{ device = "vault/config";
fsType = "zfs";
};
fileSystems."/vault/VMs/legacy" =
{ device = "vault/VMs/legacy";
fsType = "zfs";
};
fileSystems."/vault/frontend" =
{ device = "vault/frontend";
fsType = "zfs";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/8262a243-b6aa-49e8-bf72-d2b85864d1c0"; }
];
}

25
modules/monitoring.nix
View File

@@ -1,25 +0,0 @@
{ config, lib, pkgs, ... }:
{
# Notify when a disk starts going haywire
services.smartd = {
enable = true;
autodetect = false;
devices = [ { device = "/dev/sda"; } { device = "/dev/sdb"; } ];
notifications.mail = {
enable = true;
recipient = "akasroua@gmail.com";
};
};
# Enable trivial MTA for smartd notifications
services.ssmtp = {
enable = true;
useTLS = true;
useSTARTTLS = true;
domain = "gmail.com";
hostName = "smtp.gmail.com:587";
authUser = "akasroua@gmail.com";
authPassFile = "/var/keys/ssmtp";
};
}

119
modules/networking.nix
View File

@@ -1,18 +1,14 @@
{ config, lib, pkgs, ... }:
let password = builtins.readFile /var/keys/ddclient;
in {
{
# Assign a static IP
networking = {
hostName = "unit";
hostId = "737d82f4";
interfaces.eth0 = {
useDHCP = false;
ipv4.addresses = [{
addresses = {
address = "10.0.1.3";
prefixLength = 24;
}];
};
};
defaultGateway = {
address = "10.0.1.1";
@@ -28,18 +24,11 @@ in {
nssmdns = true;
publish = {
enable = true;
addresses = true;
userServices = true;
domain = true;
workstation = true;
};
};
# Dynamic DNS configuration
services.ddclient = {
enable = true;
quiet = true;
protocol = "duckdns";
domains = [ "coace.duckdns.org" ];
inherit password;
reflector = true;
};
# Firewall configuration
@@ -47,115 +36,39 @@ in {
allowedTCPPorts = [
445 # Samba
139 # Samba
2222 # VM SSH
5000 # Sybase
80 # HTTP
443 # HTTPS
53 # DNS
];
allowedUDPPorts = [
137 # Samba
138 # Samba
1194 # Wireguard
53 # DNS
];
allowPing = true;
extraCommands = ''
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
'';
};
# Enable NAT for wireguard and forward ports to sica VM
# Enable NAT for wireguard
networking.nat = {
enable = true;
externalInterface = "eth0";
internalInterfaces = [ "wg0" "br0" ];
forwardPorts = [
{
destination = "192.168.122.100:22";
sourcePort = 2222;
loopbackIPs = [ "10.0.1.3" ];
}
{
destination = "192.168.122.100:5000";
sourcePort = 5000;
loopbackIPs = [ "10.0.1.3" ];
}
];
internalInterfaces = [ "wg0" ];
};
# Wireguard setup
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.9.0.1/24" ];
ips = [ "10.8.0.1/24" ];
listenPort = 1194;
privateKeyFile = "/home/coace/.wg/server/privatekey";
privateKeyFile = "/home/coace/.wg/keys/privatekey";
peers = [
# panacea
# Fernando
{
# Placeholder public key
publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
allowedIPs = [ "10.9.0.2/32" ];
}
# caravanserai
{
publicKey = "4jiEKaPjNPU3JghfwLyArRhCKZmT8VYN07iw0SL/eHc=";
allowedIPs = [ "10.9.0.3/32" ];
}
# fernando
{
publicKey = "5DU9ipxJcut2wKrUr3yQux9crzXMSW4ZeKWFLRpUc1I=";
allowedIPs = [ "10.9.0.4/32" ];
}
# manuela
{
publicKey = "V+DaOya2hLuV6C9BeCkDyFqXpPAFq9jMAeg1dvQw/FI=";
allowedIPs = [ "10.9.0.5/32" ];
allowedIPs = [ "10.8.0.2/32" ];
}
];
};
};
# QEMU virtual bridge
networking.interfaces.br0 = {
ipv4.addresses = [{
address = "192.168.122.1";
prefixLength = 24;
}];
};
networking.bridges.br0.interfaces = [ ];
services.dhcpd4 = {
enable = true;
interfaces = [ "br0" ];
extraConfig = ''
option routers 192.168.122.1;
option broadcast-address 192.168.122.255;
option subnet-mask 255.255.255.0;
option domain-name-servers 1.1.1.1, 8.8.8.8;
default-lease-time -1;
max-lease-time -1;
subnet 192.168.122.0 netmask 255.255.255.0 {
range 192.168.122.100 192.168.122.200;
}
'';
};
# DNS server with adblock
services.dnsmasq = {
enable = true;
servers = [ "1.1.1.1" "8.8.8.8" ];
extraConfig = ''
domain-needed
bogus-priv
no-resolv
listen-address=127.0.0.1,10.0.1.3
bind-interfaces
cache-size=10000
local-ttl=300
conf-file=/var/lib/dnsmasq/dnsmasq.blacklist.txt
address=/coace.duckdns.org/10.0.1.3
'';
};
}

45
modules/periodic.nix
View File

@@ -1,45 +0,0 @@
{ config, lib, pkgs, ... }:
let
stateDir = "/var/lib/dnsmasq";
blocklist = "${stateDir}/dnsmasq.blacklist.txt";
in {
# Pull changes from git repos
systemd.user.services.git-pull = {
description = "Pull git repositories";
wantedBy = [ "default.target" ];
path = with pkgs; [ git ];
script = ''
base_folder=/vault/code
cd "$base_folder" || exit
ls | xargs -P10 -I{} git -C {} pull --rebase
'';
serviceConfig.Type = "oneshot";
startAt = "22:00:00";
};
# PostgreSQL daily backups
services.postgresqlBackup = {
enable = true;
backupAll = true;
location = "/vault/backups/databases/nextcloud";
startAt = "*-*-* 05:15:00";
};
# Fetch hosts-blocklists daily
systemd.services.download-dns-blocklist = {
description = "Download hosts-blocklists";
wantedBy = [ "default.target" ];
path = with pkgs; [ curl ];
script =
"curl -L https://github.com/notracking/hosts-blocklists/raw/master/dnsmasq/dnsmasq.blacklist.txt -o ${blocklist}";
serviceConfig.Type = "oneshot";
postStop = ''
chown -R dnsmasq ${stateDir}
systemctl restart dnsmasq
'';
startAt = "02:00:00";
};
}

27
modules/virtualization.nix
View File

@@ -1,27 +0,0 @@
{ config, lib, pkgs, ... }:
{
# Enable virtualisation
virtualisation.libvirtd = {
enable = true;
qemuRunAsRoot = false;
onBoot = "ignore";
onShutdown = "shutdown";
allowedBridges = [ "br0" ];
};
# Declarative configuration of the VMs
systemd.services.sica = {
description = "SICA database";
wantedBy = [ "default.target" ];
script = ''
disk=/vault/VMs/sica.qcow2
sock=/run/qemu-sica.mon.sock
${pkgs.qemu}/bin/qemu-kvm -m 1G -nic bridge,br=br0,model=virtio --hda $disk -monitor unix:$sock,server,nowait -nographic
'';
preStop = ''
echo 'system_powerdown' | ${pkgs.socat}/bin/socat - UNIX-CONNECT:/run/qemu-sica.mon.sock
sleep 10
'';
};
}

71
modules/webstack.nix
View File

@@ -1,71 +0,0 @@
{ config, lib, pkgs, ... }:
{
# Reverse proxy configuration
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
sslCiphers =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
sslProtocols = "TLSv1.2 TLSv1.3";
sslDhparam = "/var/lib/dhparams/nginx.pem";
commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
virtualHosts = {
"coace.duckdns.org" = {
enableACME = true;
forceSSL = true;
};
};
};
# ACME certs configuration
security.acme = {
acceptTerms = true;
email = "secretario@arquitectosdeceuta.com";
certs."coace.duckdns.org".webroot = "/var/lib/acme/acme-challenge";
};
# Generate dhparams
security.dhparams = {
enable = true;
params.nginx.bits = 2048;
};
# PostgreSQL databases configuration
services.postgresql = {
enable = true;
authentication = lib.mkForce ''
# Generated file; do not edit!
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
};
}

19
scripts/sybase-backup.sh
View File

@@ -1,19 +0,0 @@
#!/bin/sh
sybase_service() {
/etc/init.d/sybase "$1"
}
perform_backup() {
zip -r BBDD_"$(date +"%d%m%Y")".zip /opt/sybase
scp -i /root/.ssh/unit BBDD_"$(date +"%d%m%Y")".zip coace@192.168.122.1:/vault/backups/databases/sica
}
cleanup() {
rm BBDD_"$(date +"%d%m%Y")".zip
}
sybase_service stop
perform_backup
sybase_service start
cleanup