nixos-config/hosts/plover/default.nix

{ config, options, lib, pkgs, modulesPath, ... }:

let
  inherit (builtins) toString;
  inherit (import ./modules/hardware/networks.nix) interfaces;

  # The head of the Borgbase hostname.
  hetzner-boxes-user = "u332477";
  hetzner-boxes-server = "${hetzner-boxes-user}.your-storagebox.de";
in
{
  imports = [
    # Since this will be rarely configured, make sure to import the appropriate
    # hardware modules depending on the hosting provider (and even just the
    # server).
    ./modules/hardware/hetzner-cloud-cx21.nix

    # The users for this host.
    (lib.getUser "nixos" "admin")
    (lib.getUser "nixos" "plover")

    # Hardened profile from nixpkgs.
    "${modulesPath}/profiles/hardened.nix"

    # The primary DNS server that is completely hidden.
    ./modules/services/bind.nix

    # The reverse proxy of choice.
    ./modules/services/nginx.nix

    # The database of choice which is used by most self-managed services on
    # this server.
    ./modules/services/postgresql.nix

    # The application services for this server. They are modularized since
    # configuring it here will make it too big.
    ./modules/services/atuin.nix
    ./modules/services/gitea.nix
    ./modules/services/kanidm.nix
    ./modules/services/vaultwarden.nix
    ./modules/services/wireguard.nix
    ./modules/services/wezterm-mux-server.nix
  ];

  # Automatic format and partitioning.
  disko.devices = import ./disko.nix {
    disks = [ "/dev/sda" ];
  };

  networking = {
    nftables.enable = true;
    domain = "foodogsquared.one";
    firewall = {
      enable = true;
      allowedTCPPorts = [
        22 # Secure Shells.
      ];
    };
  };

  services.fail2ban = {
    ignoreIP = [
      # VPN clients.
      "${interfaces.wireguard0.IPv4.address}/13"
      "${interfaces.wireguard0.IPv6.address}/64"
    ];

    # We're going to be unforgiving with this one since we only have key
    # authentication and password authentication is disabled anyways.
    jails.sshd.settings = {
      enabled = true;
      maxretry = 1;
    };
  };

  sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
    "ssh-key" = { };
    "lego/env" = { };

    "borg/repos/host/patterns/keys" = { };
    "borg/repos/host/password" = { };
    "borg/repos/services/password" = { };
    "borg/ssh-key" = { };
  };

  # All of the keys required to deploy the secrets.
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  profiles.server = {
    enable = true;
    headless.enable = true;
    hardened-config.enable = true;
    cleanup.enable = true;
  };

  # DNS-related settings. We're settling by configuring the ACME setup with a
  # self-hosted DNS server.
  security.acme.defaults = {
    email = "admin+acme@foodogsquared.one";
    dnsProvider = "rfc2136";
    dnsResolver = "1.1.1.1";
    credentialsFile = config.sops.secrets."lego/env".path;
  };

  # Enable generating new DH params.
  security.dhparams.enable = true;

  # !!! The keys should be rotated at an interval here.
  services.openssh.hostKeys = [{
    path = config.sops.secrets."ssh-key".path;
    type = "ed25519";
  }];

  # Of course, what is a server without a backup? A professionally-handled
  # production system. However, we're not professionals so we do have backups.
  services.borgbackup.jobs =
    let
      jobCommonSettings = { patternFiles ? [ ], patterns ? [ ], paths ? [ ], repo, passCommand }: {
        inherit paths repo;
        compression = "zstd,11";
        dateFormat = "+%F-%H-%M-%S-%z";
        doInit = true;
        encryption = {
          inherit passCommand;
          mode = "repokey-blake2";
        };
        extraCreateArgs =
          let
            args = lib.flatten [
              (builtins.map
                (patternFile: "--patterns-from ${lib.escapeShellArg patternFile}")
                patternFiles)
              (builtins.map
                (pattern: "--pattern ${lib.escapeShellArg pattern}")
                patterns)
            ];
          in
          lib.concatStringsSep " " args;
        extraInitArgs = "--make-parent-dirs";
        persistentTimer = true;
        preHook = ''
          extraCreateArgs="$extraCreateArgs --stats"
        '';
        prune.keep = {
          weekly = 4;
          monthly = 12;
          yearly = 6;
        };
        startAt = "monthly";
        environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg/ssh-key".path}";
      };

      borgRepo = path: "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/plover/${path}";
    in
    {
      # Backup for host-specific files. They don't change much so it is
      # acceptable for it to be backed up monthly.
      host-backup = jobCommonSettings {
        patternFiles = [
          config.sops.secrets."borg/repos/host/patterns/keys".path
        ];
        repo = borgRepo "host";
        passCommand = "cat ${config.sops.secrets."borg/repos/host/password".path}";
      };

      # Backups for various services.
      services-backup = jobCommonSettings
        {
          paths = [
            # ACME accounts and TLS certificates
            "/var/lib/acme"
          ];
          repo = borgRepo "services";
          passCommand = "cat ${config.sops.secrets."borg/repos/services/password".path}";
        } // { startAt = "weekly"; };
    };

  programs.ssh.extraConfig = ''
    Host ${hetzner-boxes-server}
     IdentityFile ${config.sops.secrets."borg/ssh-key".path}
  '';

  system.stateVersion = "23.11";
}
hosts/plover: add hardened profile from nixpkgs 2022-12-03 03:11:48 +00:00			`{ config, options, lib, pkgs, modulesPath, ... }:`
hosts/plover: init 2022-11-23 05:27:01 +00:00
			`let`
hosts/ni: update config 2022-11-25 13:27:23 +00:00			`inherit (builtins) toString;`
hosts: revise networking-related variables set 2023-01-25 03:38:45 +00:00			`inherit (import ./modules/hardware/networks.nix) interfaces;`
hosts/plover: reformat code 2022-12-12 12:34:23 +00:00
config: refactor BorgBackup service 2022-12-16 14:25:50 +00:00			`# The head of the Borgbase hostname.`
config: replace Borgbase with Hetzner storage box for Borg repos 2023-01-07 02:51:49 +00:00			`hetzner-boxes-user = "u332477";`
			`hetzner-boxes-server = "${hetzner-boxes-user}.your-storagebox.de";`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`in`
			`{`
			`imports = [`
hosts/plover: move hardware config to be hosting provider-specific 2023-01-14 07:55:30 +00:00			`# Since this will be rarely configured, make sure to import the appropriate`
			`# hardware modules depending on the hosting provider (and even just the`
			`# server).`
			`./modules/hardware/hetzner-cloud-cx21.nix`
hosts/plover: update config 2022-11-26 06:13:17 +00:00
users/plover: add home-manager user to config 2022-12-03 05:46:46 +00:00			`# The users for this host.`
			`(lib.getUser "nixos" "admin")`
hosts/plover: update config 2022-11-26 06:13:17 +00:00			`(lib.getUser "nixos" "plover")`
hosts/plover: add hardened profile from nixpkgs 2022-12-03 03:11:48 +00:00
Revert "hosts/plover: add headless profile from nixpkgs" This reverts commit 6300aa72754fd922cbd7e1a3c0f3990eb1441a7f. 2022-12-03 07:46:22 +00:00			`# Hardened profile from nixpkgs.`
hosts/plover: add hardened profile from nixpkgs 2022-12-03 03:11:48 +00:00			`"${modulesPath}/profiles/hardened.nix"`
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00
hosts/plover: replace dnsmasq with CoreDNS as DNS server 2023-02-08 10:00:35 +00:00			`# The primary DNS server that is completely hidden.`
hosts/plover: change DNS server to Bind9 CoreDNS doesn't have dynamic updates available yet (though there are PRs and discussions for it) so we'll have to go with something that has it. Also, it provides an opportunity for me to use the de-facto software for this. 2023-06-22 09:56:47 +00:00			`./modules/services/bind.nix`
hosts/plover: replace dnsmasq with CoreDNS as DNS server 2023-02-08 10:00:35 +00:00
hosts/plover: add comments to various parts 2023-02-08 10:03:20 +00:00			`# The reverse proxy of choice.`
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`./modules/services/nginx.nix`

hosts/plover: modularize PostgreSQL service 2023-01-13 07:26:32 +00:00			`# The database of choice which is used by most self-managed services on`
			`# this server.`
			`./modules/services/postgresql.nix`

hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# The application services for this server. They are modularized since`
			`# configuring it here will make it too big.`
			`./modules/services/atuin.nix`
			`./modules/services/gitea.nix`
hosts/plover: replace Keycloak with Kanidm as SSO application 2023-09-28 10:29:09 +00:00			`./modules/services/kanidm.nix`
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`./modules/services/vaultwarden.nix`
hosts: add Wireguard services to related peers Among other things, Plover now ignores certain IP for fail2ban. This is for the VPN users that are placed in that range. 2023-01-17 08:05:11 +00:00			`./modules/services/wireguard.nix`
hosts/plover: add and configure Wezterm mux server Not yet fully configured though so we'll have to update the Wezterm server configuration. 2023-07-20 02:40:45 +00:00			`./modules/services/wezterm-mux-server.nix`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`];`

hosts/plover: add disko device config 2023-06-30 05:38:38 +00:00			`# Automatic format and partitioning.`
			`disko.devices = import ./disko.nix {`
			`disks = [ "/dev/sda" ];`
			`};`

hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. 2022-12-10 10:45:36 +00:00			`networking = {`
hosts/plover: use nftables as firewall 2023-01-06 12:26:57 +00:00			`nftables.enable = true;`
hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. 2022-12-10 10:45:36 +00:00			`domain = "foodogsquared.one";`
hosts/plover: enable firewall for Hetzner Cloud config 2023-01-05 11:48:54 +00:00			`firewall = {`
hosts/plover: enable firewall (again) 2023-02-06 08:09:09 +00:00			`enable = true;`
hosts/plover: enable firewall for Hetzner Cloud config 2023-01-05 11:48:54 +00:00			`allowedTCPPorts = [`
			`22 # Secure Shells.`
			`];`
			`};`
hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. 2022-12-10 10:45:36 +00:00			`};`
hosts/plover: update config It now uses PostgreSQL for the services and also fixed some of the misconfigurations in the services. 2022-11-27 16:41:44 +00:00
hosts/plover: update networking setup 2023-02-09 06:17:59 +00:00			`services.fail2ban = {`
			`ignoreIP = [`
			`# VPN clients.`
			`"${interfaces.wireguard0.IPv4.address}/13"`
			`"${interfaces.wireguard0.IPv6.address}/64"`
			`];`
hosts: revise networking-related variables set 2023-01-25 03:38:45 +00:00
hosts/plover: update networking setup 2023-02-09 06:17:59 +00:00			`# We're going to be unforgiving with this one since we only have key`
			`# authentication and password authentication is disabled anyways.`
hosts/plover: use fail2ban jails settings It is nicer compared to the traditional setting with strings. 2023-07-14 06:41:58 +00:00			`jails.sshd.settings = {`
			`enabled = true;`
			`maxretry = 1;`
			`};`
hosts/plover: update networking setup 2023-02-09 06:17:59 +00:00			`};`
hosts: add Wireguard services to related peers Among other things, Plover now ignores certain IP for fail2ban. This is for the VPN users that are placed in that range. 2023-01-17 08:05:11 +00:00
config: convert to lib.getSecrets 2023-07-05 03:38:58 +00:00			`sops.secrets = lib.getSecrets ./secrets/secrets.yaml {`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`"ssh-key" = { };`
			`"lego/env" = { };`
config: convert to lib.getSecrets 2023-07-05 03:38:58 +00:00
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`"borg/repos/host/patterns/keys" = { };`
			`"borg/repos/host/password" = { };`
			`"borg/repos/services/password" = { };`
			`"borg/ssh-key" = { };`
config: convert to lib.getSecrets 2023-07-05 03:38:58 +00:00			`};`
hosts/plover: init 2022-11-23 05:27:01 +00:00
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# All of the keys required to deploy the secrets.`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`sops.age.keyFile = "/var/lib/sops-nix/key.txt";`

hosts/plover: update config 2022-12-02 04:33:51 +00:00			`profiles.server = {`
			`enable = true;`
			`headless.enable = true;`
			`hardened-config.enable = true;`
			`cleanup.enable = true;`
			`};`

hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# DNS-related settings. We're settling by configuring the ACME setup with a`
hosts/plover: change DNS server to Bind9 CoreDNS doesn't have dynamic updates available yet (though there are PRs and discussions for it) so we'll have to go with something that has it. Also, it provides an opportunity for me to use the de-facto software for this. 2023-06-22 09:56:47 +00:00			`# self-hosted DNS server.`
hosts/plover: add LDAP server to reverse proxy 2022-12-29 02:26:15 +00:00			`security.acme.defaults = {`
hosts/plover: update Bind config for dynamic updates 2023-06-27 14:56:18 +00:00			`email = "admin+acme@foodogsquared.one";`
hosts/plover: change DNS server to Bind9 CoreDNS doesn't have dynamic updates available yet (though there are PRs and discussions for it) so we'll have to go with something that has it. Also, it provides an opportunity for me to use the de-facto software for this. 2023-06-22 09:56:47 +00:00			`dnsProvider = "rfc2136";`
hosts/plover: update Bind config for dynamic updates 2023-06-27 14:56:18 +00:00			`dnsResolver = "1.1.1.1";`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`credentialsFile = config.sops.secrets."lego/env".path;`
hosts/plover: add DNS-related config 2022-12-03 00:09:26 +00:00			`};`

hosts/plover: enable DH params generation This is for certain applications as we'll see. 2023-06-30 02:46:43 +00:00			`# Enable generating new DH params.`
			`security.dhparams.enable = true;`

			`# !!! The keys should be rotated at an interval here.`
hosts/plover: update config 2022-12-02 04:33:51 +00:00			`services.openssh.hostKeys = [{`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`path = config.sops.secrets."ssh-key".path;`
hosts/plover: update config 2022-12-02 04:33:51 +00:00			`type = "ed25519";`
			`}];`

hosts/plover: add backup service 2022-12-02 23:40:21 +00:00			`# Of course, what is a server without a backup? A professionally-handled`
config: refactor BorgBackup service 2022-12-16 14:25:50 +00:00			`# production system. However, we're not professionals so we do have backups.`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`services.borgbackup.jobs =`
			`let`
hosts/plover: create separate passwords for different repos 2023-01-07 09:15:45 +00:00			`jobCommonSettings = { patternFiles ? [ ], patterns ? [ ], paths ? [ ], repo, passCommand }: {`
hosts/plover: fix the borg jobs function 2023-01-07 08:58:47 +00:00			`inherit paths repo;`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`compression = "zstd,11";`
			`dateFormat = "+%F-%H-%M-%S-%z";`
			`doInit = true;`
			`encryption = {`
hosts/plover: create separate passwords for different repos 2023-01-07 09:15:45 +00:00			`inherit passCommand;`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`mode = "repokey-blake2";`
			`};`
			`extraCreateArgs =`
			`let`
hosts/plover: refactor Borgbackup job function 2022-12-12 06:19:55 +00:00			`args = lib.flatten [`
			`(builtins.map`
			`(patternFile: "--patterns-from ${lib.escapeShellArg patternFile}")`
			`patternFiles)`
			`(builtins.map`
			`(pattern: "--pattern ${lib.escapeShellArg pattern}")`
			`patterns)`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`];`
			`in`
			`lib.concatStringsSep " " args;`
			`extraInitArgs = "--make-parent-dirs";`
			`persistentTimer = true;`
			`preHook = ''`
			`extraCreateArgs="$extraCreateArgs --stats"`
			`'';`
			`prune.keep = {`
			`weekly = 4;`
			`monthly = 12;`
			`yearly = 6;`
			`};`
			`startAt = "monthly";`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg/ssh-key".path}";`
hosts/plover: add backup service 2022-12-02 23:40:21 +00:00			`};`
hosts/plover: separate borg repos for different jobs Makes it easier to manage them repos. 2023-01-07 03:39:17 +00:00
			`borgRepo = path: "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/plover/${path}";`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`in`
			`{`
			`# Backup for host-specific files. They don't change much so it is`
			`# acceptable for it to be backed up monthly.`
			`host-backup = jobCommonSettings {`
			`patternFiles = [`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`config.sops.secrets."borg/repos/host/patterns/keys".path`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`];`
hosts/plover: separate borg repos for different jobs Makes it easier to manage them repos. 2023-01-07 03:39:17 +00:00			`repo = borgRepo "host";`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`passCommand = "cat ${config.sops.secrets."borg/repos/host/password".path}";`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`};`

			`# Backups for various services.`
			`services-backup = jobCommonSettings`
			`{`
			`paths = [`
hosts/plover: modularize Borg backup paths 2023-07-02 04:23:50 +00:00			`# ACME accounts and TLS certificates`
			`"/var/lib/acme"`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`];`
hosts/plover: separate borg repos for different jobs Makes it easier to manage them repos. 2023-01-07 03:39:17 +00:00			`repo = borgRepo "services";`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`passCommand = "cat ${config.sops.secrets."borg/repos/services/password".path}";`
hosts/plover: add application data for backup 2022-12-11 10:10:57 +00:00			`} // { startAt = "weekly"; };`
hosts/plover: add backup service 2022-12-02 23:40:21 +00:00			`};`

			`programs.ssh.extraConfig = ''`
config: replace Borgbase with Hetzner storage box for Borg repos 2023-01-07 02:51:49 +00:00			`Host ${hetzner-boxes-server}`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`IdentityFile ${config.sops.secrets."borg/ssh-key".path}`
hosts/plover: add backup service 2022-12-02 23:40:21 +00:00			`'';`

hosts: update system state version to 23.11 2023-08-03 05:29:00 +00:00			`system.stateVersion = "23.11";`
hosts/plover: init 2022-11-23 05:27:01 +00:00			`}`