nixos-config/hosts/plover/default.nix

{ config, options, lib, pkgs, modulesPath, ... }:

let
  inherit (builtins) toString;
  inherit (import ./modules/hardware/networks.nix) interfaces;

  # The head of the Borgbase hostname.
  hetzner-boxes-user = "u332477";
  hetzner-boxes-server = "${hetzner-boxes-user}.your-storagebox.de";
in
{
  imports = [
    # Since this will be rarely configured, make sure to import the appropriate
    # hardware modules depending on the hosting provider (and even just the
    # server).
    ./modules/hardware/hetzner-cloud-cx21.nix

    # The users for this host.
    (lib.getUser "nixos" "admin")
    (lib.getUser "nixos" "plover")

    # Hardened profile from nixpkgs.
    "${modulesPath}/profiles/hardened.nix"

    # The primary DNS server that is completely hidden.
    ./modules/services/bind.nix

    # The reverse proxy of choice.
    ./modules/services/nginx.nix

    # The database of choice which is used by most self-managed services on
    # this server.
    ./modules/services/postgresql.nix

    # The application services for this server. They are modularized since
    # configuring it here will make it too big.
    ./modules/services/atuin.nix
    ./modules/services/gitea.nix
    ./modules/services/keycloak.nix
    ./modules/services/portunus.nix
    ./modules/services/vaultwarden.nix
    ./modules/services/wireguard.nix
  ];

  # Automatic format and partitioning.
  disko.devices = import ./disko.nix {
    disks = [ "/dev/sda" ];
  };

  networking = {
    nftables.enable = true;
    domain = "foodogsquared.one";
    firewall = {
      enable = true;
      allowedTCPPorts = [
        22 # Secure Shells.
      ];
    };
  };

  services.fail2ban = {
    ignoreIP = [
      # VPN clients.
      "${interfaces.wireguard0.IPv4.address}/13"
      "${interfaces.wireguard0.IPv6.address}/64"
    ];

    # We're going to be unforgiving with this one since we only have key
    # authentication and password authentication is disabled anyways.
    jails.sshd = ''
      enabled = true
      maxretry = 1
      port = 22
    '';
  };

  # TODO: Put the secrets to the respective service module.
  sops.secrets =
    let
      getKey = key: {
        inherit key;
        sopsFile = ./secrets/secrets.yaml;
      };
      getSecrets = secrets:
        lib.mapAttrs'
          (secret: config:
            lib.nameValuePair
              "plover/${secret}"
              ((getKey secret) // config))
          secrets;

      giteaUser = config.users.users."${config.services.gitea.user}".name;
      portunusUser = config.users.users."${config.services.portunus.user}".name;

      # It is hardcoded but as long as the module is stable that way.
      vaultwardenUser = config.users.groups.vaultwarden.name;
      postgresUser = config.users.groups.postgres.name;
    in
    getSecrets {
      "ssh-key" = { };
      "lego/env" = { };
      "gitea/db/password".owner = giteaUser;
      "gitea/smtp/password".owner = giteaUser;
      "vaultwarden/env".owner = vaultwardenUser;

      "borg/repos/host/patterns/keys" = { };
      "borg/repos/host/password" = { };
      "borg/repos/services/password" = { };
      "borg/ssh-key" = { };

      "keycloak/db/password".owner = postgresUser;
      "ldap/users/foodogsquared/password".owner = portunusUser;
    };

  # All of the keys required to deploy the secrets.
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  profiles.server = {
    enable = true;
    headless.enable = true;
    hardened-config.enable = true;
    cleanup.enable = true;
  };

  # DNS-related settings. We're settling by configuring the ACME setup with a
  # self-hosted DNS server.
  security.acme.defaults = {
    email = "admin+acme@foodogsquared.one";
    dnsProvider = "rfc2136";
    dnsResolver = "1.1.1.1";
    credentialsFile = config.sops.secrets."plover/lego/env".path;
  };

  # Enable generating new DH params.
  security.dhparams.enable = true;

  # !!! The keys should be rotated at an interval here.
  services.openssh.hostKeys = [{
    path = config.sops.secrets."plover/ssh-key".path;
    type = "ed25519";
  }];

  # Of course, what is a server without a backup? A professionally-handled
  # production system. However, we're not professionals so we do have backups.
  services.borgbackup.jobs =
    let
      jobCommonSettings = { patternFiles ? [ ], patterns ? [ ], paths ? [ ], repo, passCommand }: {
        inherit paths repo;
        compression = "zstd,11";
        dateFormat = "+%F-%H-%M-%S-%z";
        doInit = true;
        encryption = {
          inherit passCommand;
          mode = "repokey-blake2";
        };
        extraCreateArgs =
          let
            args = lib.flatten [
              (builtins.map
                (patternFile: "--patterns-from ${lib.escapeShellArg patternFile}")
                patternFiles)
              (builtins.map
                (pattern: "--pattern ${lib.escapeShellArg pattern}")
                patterns)
            ];
          in
          lib.concatStringsSep " " args;
        extraInitArgs = "--make-parent-dirs";
        persistentTimer = true;
        preHook = ''
          extraCreateArgs="$extraCreateArgs --stats"
        '';
        prune.keep = {
          weekly = 4;
          monthly = 12;
          yearly = 6;
        };
        startAt = "monthly";
        environment.BORG_RSH = "ssh -i ${config.sops.secrets."plover/borg/ssh-key".path}";
      };

      borgRepo = path: "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/plover/${path}";
    in
    {
      # Backup for host-specific files. They don't change much so it is
      # acceptable for it to be backed up monthly.
      host-backup = jobCommonSettings {
        patternFiles = [
          config.sops.secrets."plover/borg/repos/host/patterns/keys".path
        ];
        repo = borgRepo "host";
        passCommand = "cat ${config.sops.secrets."plover/borg/repos/host/password".path}";
      };

      # Backups for various services.
      services-backup = jobCommonSettings
        {
          paths = [
            # Vaultwarden.
            "/var/lib/bitwarden_rs"

            # Gitea.
            config.services.gitea.dump.backupDir

            # PostgreSQL database dumps.
            config.services.postgresqlBackup.location

            # ACME accounts.
            "/var/lib/acme/.lego/accounts"

            # Zone files.
            "/etc/bind/zones"
          ];
          repo = borgRepo "services";
          passCommand = "cat ${config.sops.secrets."plover/borg/repos/services/password".path}";
        } // { startAt = "weekly"; };
    };

  programs.ssh.extraConfig = ''
    Host ${hetzner-boxes-server}
     IdentityFile ${config.sops.secrets."plover/borg/ssh-key".path}
  '';

  system.stateVersion = "23.05";
}
hosts/plover: add hardened profile from nixpkgs 2022-12-03 03:11:48 +00:00			`{ config, options, lib, pkgs, modulesPath, ... }:`
hosts/plover: init 2022-11-23 05:27:01 +00:00
			`let`
hosts/ni: update config 2022-11-25 13:27:23 +00:00			`inherit (builtins) toString;`
hosts: revise networking-related variables set 2023-01-25 03:38:45 +00:00			`inherit (import ./modules/hardware/networks.nix) interfaces;`
hosts/plover: reformat code 2022-12-12 12:34:23 +00:00
config: refactor BorgBackup service 2022-12-16 14:25:50 +00:00			`# The head of the Borgbase hostname.`
config: replace Borgbase with Hetzner storage box for Borg repos 2023-01-07 02:51:49 +00:00			`hetzner-boxes-user = "u332477";`
			`hetzner-boxes-server = "${hetzner-boxes-user}.your-storagebox.de";`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`in`
			`{`
			`imports = [`
hosts/plover: move hardware config to be hosting provider-specific 2023-01-14 07:55:30 +00:00			`# Since this will be rarely configured, make sure to import the appropriate`
			`# hardware modules depending on the hosting provider (and even just the`
			`# server).`
			`./modules/hardware/hetzner-cloud-cx21.nix`
hosts/plover: update config 2022-11-26 06:13:17 +00:00
users/plover: add home-manager user to config 2022-12-03 05:46:46 +00:00			`# The users for this host.`
			`(lib.getUser "nixos" "admin")`
hosts/plover: update config 2022-11-26 06:13:17 +00:00			`(lib.getUser "nixos" "plover")`
hosts/plover: add hardened profile from nixpkgs 2022-12-03 03:11:48 +00:00
Revert "hosts/plover: add headless profile from nixpkgs" This reverts commit 6300aa72754fd922cbd7e1a3c0f3990eb1441a7f. 2022-12-03 07:46:22 +00:00			`# Hardened profile from nixpkgs.`
hosts/plover: add hardened profile from nixpkgs 2022-12-03 03:11:48 +00:00			`"${modulesPath}/profiles/hardened.nix"`
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00
hosts/plover: replace dnsmasq with CoreDNS as DNS server 2023-02-08 10:00:35 +00:00			`# The primary DNS server that is completely hidden.`
hosts/plover: change DNS server to Bind9 CoreDNS doesn't have dynamic updates available yet (though there are PRs and discussions for it) so we'll have to go with something that has it. Also, it provides an opportunity for me to use the de-facto software for this. 2023-06-22 09:56:47 +00:00			`./modules/services/bind.nix`
hosts/plover: replace dnsmasq with CoreDNS as DNS server 2023-02-08 10:00:35 +00:00
hosts/plover: add comments to various parts 2023-02-08 10:03:20 +00:00			`# The reverse proxy of choice.`
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`./modules/services/nginx.nix`

hosts/plover: modularize PostgreSQL service 2023-01-13 07:26:32 +00:00			`# The database of choice which is used by most self-managed services on`
			`# this server.`
			`./modules/services/postgresql.nix`

hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# The application services for this server. They are modularized since`
			`# configuring it here will make it too big.`
			`./modules/services/atuin.nix`
			`./modules/services/gitea.nix`
			`./modules/services/keycloak.nix`
			`./modules/services/portunus.nix`
			`./modules/services/vaultwarden.nix`
hosts: add Wireguard services to related peers Among other things, Plover now ignores certain IP for fail2ban. This is for the VPN users that are placed in that range. 2023-01-17 08:05:11 +00:00			`./modules/services/wireguard.nix`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`];`

hosts/plover: add disko device config 2023-06-30 05:38:38 +00:00			`# Automatic format and partitioning.`
			`disko.devices = import ./disko.nix {`
			`disks = [ "/dev/sda" ];`
			`};`

hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. 2022-12-10 10:45:36 +00:00			`networking = {`
hosts/plover: use nftables as firewall 2023-01-06 12:26:57 +00:00			`nftables.enable = true;`
hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. 2022-12-10 10:45:36 +00:00			`domain = "foodogsquared.one";`
hosts/plover: enable firewall for Hetzner Cloud config 2023-01-05 11:48:54 +00:00			`firewall = {`
hosts/plover: enable firewall (again) 2023-02-06 08:09:09 +00:00			`enable = true;`
hosts/plover: enable firewall for Hetzner Cloud config 2023-01-05 11:48:54 +00:00			`allowedTCPPorts = [`
			`22 # Secure Shells.`
			`];`
			`};`
hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. 2022-12-10 10:45:36 +00:00			`};`
hosts/plover: update config It now uses PostgreSQL for the services and also fixed some of the misconfigurations in the services. 2022-11-27 16:41:44 +00:00
hosts/plover: update networking setup 2023-02-09 06:17:59 +00:00			`services.fail2ban = {`
			`ignoreIP = [`
			`# VPN clients.`
			`"${interfaces.wireguard0.IPv4.address}/13"`
			`"${interfaces.wireguard0.IPv6.address}/64"`
			`];`
hosts: revise networking-related variables set 2023-01-25 03:38:45 +00:00
hosts/plover: update networking setup 2023-02-09 06:17:59 +00:00			`# We're going to be unforgiving with this one since we only have key`
			`# authentication and password authentication is disabled anyways.`
			`jails.sshd = ''`
			`enabled = true`
			`maxretry = 1`
			`port = 22`
			`'';`
			`};`
hosts: add Wireguard services to related peers Among other things, Plover now ignores certain IP for fail2ban. This is for the VPN users that are placed in that range. 2023-01-17 08:05:11 +00:00
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# TODO: Put the secrets to the respective service module.`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`sops.secrets =`
			`let`
			`getKey = key: {`
			`inherit key;`
			`sopsFile = ./secrets/secrets.yaml;`
			`};`
hosts/plover: update config 2022-12-02 04:33:51 +00:00			`getSecrets = secrets:`
			`lib.mapAttrs'`
			`(secret: config:`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`lib.nameValuePair`
			`"plover/${secret}"`
hosts/plover: update config 2022-12-02 04:33:51 +00:00			`((getKey secret) // config))`
			`secrets;`
hosts/plover: refactor code 2022-12-26 09:45:54 +00:00
hosts/plover: refactor secrets owner 2023-01-17 08:55:25 +00:00			`giteaUser = config.users.users."${config.services.gitea.user}".name;`
			`portunusUser = config.users.users."${config.services.portunus.user}".name;`
hosts/plover: refactor code 2022-12-26 09:45:54 +00:00
			`# It is hardcoded but as long as the module is stable that way.`
hosts/plover: refactor secrets owner 2023-01-17 08:55:25 +00:00			`vaultwardenUser = config.users.groups.vaultwarden.name;`
			`postgresUser = config.users.groups.postgres.name;`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`in`
hosts/plover: refactor code 2022-12-26 09:45:54 +00:00			`getSecrets {`
			`"ssh-key" = { };`
			`"lego/env" = { };`
hosts/plover: refactor secrets owner 2023-01-17 08:55:25 +00:00			`"gitea/db/password".owner = giteaUser;`
			`"gitea/smtp/password".owner = giteaUser;`
			`"vaultwarden/env".owner = vaultwardenUser;`
hosts/plover: update service files to backup 2023-06-27 14:49:49 +00:00
hosts/plover: create separate passwords for different repos 2023-01-07 09:15:45 +00:00			`"borg/repos/host/patterns/keys" = { };`
			`"borg/repos/host/password" = { };`
			`"borg/repos/services/password" = { };`
config: replace Borgbase with Hetzner storage box for Borg repos 2023-01-07 02:51:49 +00:00			`"borg/ssh-key" = { };`
hosts/plover: update service files to backup 2023-06-27 14:49:49 +00:00
hosts/plover: refactor secrets owner 2023-01-17 08:55:25 +00:00			`"keycloak/db/password".owner = postgresUser;`
			`"ldap/users/foodogsquared/password".owner = portunusUser;`
hosts/plover: refactor code 2022-12-26 09:45:54 +00:00			`};`
hosts/plover: init 2022-11-23 05:27:01 +00:00
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# All of the keys required to deploy the secrets.`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`sops.age.keyFile = "/var/lib/sops-nix/key.txt";`

hosts/plover: update config 2022-12-02 04:33:51 +00:00			`profiles.server = {`
			`enable = true;`
			`headless.enable = true;`
			`hardened-config.enable = true;`
			`cleanup.enable = true;`
			`};`

hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# DNS-related settings. We're settling by configuring the ACME setup with a`
hosts/plover: change DNS server to Bind9 CoreDNS doesn't have dynamic updates available yet (though there are PRs and discussions for it) so we'll have to go with something that has it. Also, it provides an opportunity for me to use the de-facto software for this. 2023-06-22 09:56:47 +00:00			`# self-hosted DNS server.`
hosts/plover: add LDAP server to reverse proxy 2022-12-29 02:26:15 +00:00			`security.acme.defaults = {`
hosts/plover: update Bind config for dynamic updates 2023-06-27 14:56:18 +00:00			`email = "admin+acme@foodogsquared.one";`
hosts/plover: change DNS server to Bind9 CoreDNS doesn't have dynamic updates available yet (though there are PRs and discussions for it) so we'll have to go with something that has it. Also, it provides an opportunity for me to use the de-facto software for this. 2023-06-22 09:56:47 +00:00			`dnsProvider = "rfc2136";`
hosts/plover: update Bind config for dynamic updates 2023-06-27 14:56:18 +00:00			`dnsResolver = "1.1.1.1";`
hosts/plover: add LDAP server to reverse proxy 2022-12-29 02:26:15 +00:00			`credentialsFile = config.sops.secrets."plover/lego/env".path;`
hosts/plover: add DNS-related config 2022-12-03 00:09:26 +00:00			`};`

hosts/plover: enable DH params generation This is for certain applications as we'll see. 2023-06-30 02:46:43 +00:00			`# Enable generating new DH params.`
			`security.dhparams.enable = true;`

			`# !!! The keys should be rotated at an interval here.`
hosts/plover: update config 2022-12-02 04:33:51 +00:00			`services.openssh.hostKeys = [{`
			`path = config.sops.secrets."plover/ssh-key".path;`
			`type = "ed25519";`
			`}];`

hosts/plover: add backup service 2022-12-02 23:40:21 +00:00			`# Of course, what is a server without a backup? A professionally-handled`
config: refactor BorgBackup service 2022-12-16 14:25:50 +00:00			`# production system. However, we're not professionals so we do have backups.`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`services.borgbackup.jobs =`
			`let`
hosts/plover: create separate passwords for different repos 2023-01-07 09:15:45 +00:00			`jobCommonSettings = { patternFiles ? [ ], patterns ? [ ], paths ? [ ], repo, passCommand }: {`
hosts/plover: fix the borg jobs function 2023-01-07 08:58:47 +00:00			`inherit paths repo;`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`compression = "zstd,11";`
			`dateFormat = "+%F-%H-%M-%S-%z";`
			`doInit = true;`
			`encryption = {`
hosts/plover: create separate passwords for different repos 2023-01-07 09:15:45 +00:00			`inherit passCommand;`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`mode = "repokey-blake2";`
			`};`
			`extraCreateArgs =`
			`let`
hosts/plover: refactor Borgbackup job function 2022-12-12 06:19:55 +00:00			`args = lib.flatten [`
			`(builtins.map`
			`(patternFile: "--patterns-from ${lib.escapeShellArg patternFile}")`
			`patternFiles)`
			`(builtins.map`
			`(pattern: "--pattern ${lib.escapeShellArg pattern}")`
			`patterns)`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`];`
			`in`
			`lib.concatStringsSep " " args;`
			`extraInitArgs = "--make-parent-dirs";`
			`persistentTimer = true;`
			`preHook = ''`
			`extraCreateArgs="$extraCreateArgs --stats"`
			`'';`
			`prune.keep = {`
			`weekly = 4;`
			`monthly = 12;`
			`yearly = 6;`
			`};`
			`startAt = "monthly";`
config: replace Borgbase with Hetzner storage box for Borg repos 2023-01-07 02:51:49 +00:00			`environment.BORG_RSH = "ssh -i ${config.sops.secrets."plover/borg/ssh-key".path}";`
hosts/plover: add backup service 2022-12-02 23:40:21 +00:00			`};`
hosts/plover: separate borg repos for different jobs Makes it easier to manage them repos. 2023-01-07 03:39:17 +00:00
			`borgRepo = path: "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/plover/${path}";`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`in`
			`{`
			`# Backup for host-specific files. They don't change much so it is`
			`# acceptable for it to be backed up monthly.`
			`host-backup = jobCommonSettings {`
			`patternFiles = [`
hosts/plover: create separate passwords for different repos 2023-01-07 09:15:45 +00:00			`config.sops.secrets."plover/borg/repos/host/patterns/keys".path`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`];`
hosts/plover: separate borg repos for different jobs Makes it easier to manage them repos. 2023-01-07 03:39:17 +00:00			`repo = borgRepo "host";`
hosts/plover: create separate passwords for different repos 2023-01-07 09:15:45 +00:00			`passCommand = "cat ${config.sops.secrets."plover/borg/repos/host/password".path}";`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`};`

			`# Backups for various services.`
			`services-backup = jobCommonSettings`
			`{`
			`paths = [`
hosts/plover: update service files to backup 2023-06-27 14:49:49 +00:00			`# Vaultwarden.`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`"/var/lib/bitwarden_rs"`

hosts/plover: update service files to backup 2023-06-27 14:49:49 +00:00			`# Gitea.`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`config.services.gitea.dump.backupDir`

hosts/plover: update service files to backup 2023-06-27 14:49:49 +00:00			`# PostgreSQL database dumps.`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`config.services.postgresqlBackup.location`
hosts/plover: update DNS-related configuration 2023-02-10 13:09:05 +00:00
hosts/plover: update service files to backup 2023-06-27 14:49:49 +00:00			`# ACME accounts.`
			`"/var/lib/acme/.lego/accounts"`

			`# Zone files.`
			`"/etc/bind/zones"`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`];`
hosts/plover: separate borg repos for different jobs Makes it easier to manage them repos. 2023-01-07 03:39:17 +00:00			`repo = borgRepo "services";`
hosts/plover: create separate passwords for different repos 2023-01-07 09:15:45 +00:00			`passCommand = "cat ${config.sops.secrets."plover/borg/repos/services/password".path}";`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`} // { startAt = "weekly"; };`
hosts/plover: add backup service 2022-12-02 23:40:21 +00:00			`};`

			`programs.ssh.extraConfig = ''`
config: replace Borgbase with Hetzner storage box for Borg repos 2023-01-07 02:51:49 +00:00			`Host ${hetzner-boxes-server}`
			`IdentityFile ${config.sops.secrets."plover/borg/ssh-key".path}`
hosts/plover: add backup service 2022-12-02 23:40:21 +00:00			`'';`

hosts/plover: update to NixOS 23.05 2023-05-15 14:13:51 +00:00			`system.stateVersion = "23.05";`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`}`