From 7583c0f48229277803d5fffcce0d1f2c7d2cb8fa Mon Sep 17 00:00:00 2001 
From: chaos Date: Mon, 2 Oct 2023 03:08:24 +0100 Subject: [PATCH] move all postgres to one daemon, redo wireguard some, roundcube is haunted and network interface is broken somehow --- data/wireguard/chaosInternalWireGuard.nix | 37 +++++++++---- .../chaosInternalWireGuardPubKeys.json | 11 ++-- .../containers/forgejo/default.nix | 1 + .../containers/forgejo/profiles/forgejo.nix | 4 +- hosts/hetzner-arm/containers/mail/default.nix | 4 -- .../mail/modules/mailserver/default.nix | 31 +---------- .../mail/modules/mailserver/webmail.nix | 34 ------------ .../containers/mail/profiles/mailserver.nix | 49 +---------------- .../containers/mail/profiles/restic.nix | 18 ------ .../containers/piped-db/profiles/postgres.nix | 21 ------- .../containers/piped-fi/default.nix | 13 +++-- .../{piped-db => postgresql}/default.nix | 13 +++-- .../postgresql/profiles/postgres.nix | 49 +++++++++++++++++ .../profiles/restic.nix | 17 ++++-- .../{piped-db => postgresql}/secrets.nix | 14 ++--- .../containers/quassel/profiles/quassel.nix | 13 ----- .../containers/quassel/profiles/restic.nix | 8 --- .../containers/roundcube/default.nix | 55 +++++++++++++++++++ .../roundcube/profiles/roundcube.nix | 55 +++++++++++++++++++ .../containers/social/profiles/gotosocial.nix | 9 ++- .../containers/social/profiles/restic.nix | 18 ------ .../containers/storage/data/ports.nix | 2 +- .../containers/storage/default.nix | 2 +- .../storage/profiles/rcloneServe.nix | 10 ++-- .../storage/profiles/rcloneSync.nix | 2 +- .../containers/storage/secrets.nix | 8 +-- hosts/hetzner-arm/data/containerAddresses.nix | 15 +++-- hosts/hetzner-arm/hetzner-arm.nix | 3 +- modules/nixos/rcloneSync.nix | 2 +- outputs.nix | 2 +- presets/nixos/pipedNode.nix | 8 +-- profiles/chaosInternalWireGuard/wireguard.nix | 17 ++++-- profiles/firewallAllow/ssh.nix | 1 + 33 files changed, 278 insertions(+), 268 deletions(-) delete mode 100644 hosts/hetzner-arm/containers/mail/modules/mailserver/webmail.nix delete mode 100644 
hosts/hetzner-arm/containers/piped-db/profiles/postgres.nix rename hosts/hetzner-arm/containers/{piped-db => postgresql}/default.nix (61%) create mode 100644 hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix rename hosts/hetzner-arm/containers/{piped-db => postgresql}/profiles/restic.nix (71%) rename hosts/hetzner-arm/containers/{piped-db => postgresql}/secrets.nix (62%) create mode 100644 hosts/hetzner-arm/containers/roundcube/default.nix create mode 100644 hosts/hetzner-arm/containers/roundcube/profiles/roundcube.nix diff --git a/data/wireguard/chaosInternalWireGuard.nix b/data/wireguard/chaosInternalWireGuard.nix index e0d7caf..9a6b1ea 100644 --- a/data/wireguard/chaosInternalWireGuard.nix +++ b/data/wireguard/chaosInternalWireGuard.nix 
@@ -1,29 +1,44 @@
 let
 pubkeys = builtins.fromJSON (builtins.readFile ./chaosInternalWireGuardPubKeys.json);
+ listenPort = 51820;
 in rec {
+ # 10.0.0.0/24 - machines
+ # 10.0.1.0/24 - containers for hetzner-arm
+
 hosts = {
 "hetzner-arm" = {
- ip = "10.69.42.1";
+ ip = "10.0.0.1";
+ allowedIPs = [
+ "10.0.0.1/32" # Allow itself
+ "10.0.1.1/24" # Containers
+ ];
 public = pubkeys."hetzner-arm";
- endpoint = "hetzner-arm.servers.genderfucked.monster:51820";
+ inherit listenPort;
+ endpoint = "hetzner-arm.servers.genderfucked.monster:${toString listenPort}";
 };
 "vault" = {
- ip = "10.69.42.2";
+ ip = "10.0.0.2";
 public = pubkeys."vault";
- endpoint = "vault.servers.genderfucked.monster:51820";
- };
- "iphone8" = {
- ip = "10.69.42.3";
- public = pubkeys."iphone8";
+ inherit listenPort;
+ endpoint = "vault.servers.genderfucked.monster:${toString listenPort}";
 };
 "lappy-t495" = {
- ip = "10.69.42.4";
+ ip = "10.0.0.3";
 public = pubkeys."lappy-t495";
 };
 "raspberry" = {
- ip = "10.69.42.5";
+ ip = "10.0.0.4";
 public = pubkeys."raspberry";
- endpoint = "raspberry.servers.genderfucked.monster:51820";
+ inherit listenPort;
+ endpoint = "raspberry.servers.genderfucked.monster:${toString listenPort}";
 };
+ "iphone15" = {
+ ip = "10.0.0.5";
+ public = pubkeys."iphone15";
+ };
+ "iphone8" = {
+ ip = "10.0.0.6";
+ public = pubkeys."iphone8";
 };
 };
 }
diff --git a/data/wireguard/chaosInternalWireGuardPubKeys.json b/data/wireguard/chaosInternalWireGuardPubKeys.json
index 026c43b..0106878 100644
--- a/data/wireguard/chaosInternalWireGuardPubKeys.json
+++ b/data/wireguard/chaosInternalWireGuardPubKeys.json
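Review bot: `"10.0.1.1/24" # Containers` has host bits set; the WireGuard tools generally accept and mask it, but the entry reads as a single address, and the `# Allow itself` comment above it is misleading too, because an `allowedIPs` entry on a peer is cryptokey routing (which addresses belong to that peer on the tunnel), not a permission the host grants itself. Write `"10.0.0.1/32" # hetzner-arm's own wg address` and `"10.0.1.0/24" # container subnet behind hetzner-arm, routed to it by every peer` so the next reader sees that this line is what makes every peer in this file route container traffic to hetzner-arm. This data file has no way to limit that per peer; if only some hosts (the phones, say) should not reach the container network, that has to be handled where the peer list is built in profiles/chaosInternalWireGuard/wireguard.nix, and whether hetzner-arm actually forwards into 10.0.1.0/24 is not visible in this diff.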
@@ -1,7 +1,8 @@ { - "vault": "0jGdR0yBnjY5CUCQpqWIaWAfgT36QdGdhZXtaAV+MkE=", - "raspberry": "DXXUfkR4qlytdsf37NGzgzVhDxPuhz8oxRcSxOX2fQk=", - "lappy-t495": "kyykcuDMWy1WRxX97PImEYgwWw8HUbhM53kW6bEyryA=", - "iphone8": "1u/G60EWg2bo1iyViWAGXs8HXES2zenZCVdD5X+yJi4=", - "hetzner-arm": "rCkptlaz5IFSZ+4OPaylbyKVoUwYNWBNkaT63QApymA=" + "vault": "IfYCpiUXmsGVj8OR32W1ind0TWf2hmT+Axz3SaTsUQE=", + "raspberry": "ZWnPJZ5Bw/EyoLo5o3xjhkn3aTDC+ivPnnizGL0JfEo=", + "lappy-t495": "ogQmpEb3pXgn8NhQUlIwj/6CwAxXeB1ayqfXaieKs3g=", + "iphone8": "OptrVbP0q9q3DkEUGYu8aa6kj3S7h7cpotz5yuKs7Qw=", + "hetzner-arm": "UJ1WgFOy5AtvMvvU9Y3F8CuDOXz8JeJGZtDa83s7D3s=", + "iphone15": "i4vGjEqQyuoRqOJucXVrW0aIbwSUaB2dVVtEUjvHx3A=" } diff --git a/hosts/hetzner-arm/containers/forgejo/default.nix b/hosts/hetzner-arm/containers/forgejo/default.nix index 7a4ead9..c102600 100644 --- a/hosts/hetzner-arm/containers/forgejo/default.nix +++ b/hosts/hetzner-arm/containers/forgejo/default.nix @@ -37,6 +37,7 @@ in { presets.nixos.containerBase profiles.sshd profiles.firewallAllow.ssh + ./secrets.nix ] ++ (with hosts.hetzner-arm.containers.forgejo.profiles; [ diff --git a/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix b/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix index 52ab6d6..48b59b5 100644 --- a/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix +++ b/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix @@ -1,7 +1,9 @@ {pkgs, ...}: { services.forgejo = { enable = true; - database.type = "sqlite3"; + database = { + type = "sqlite3"; + }; lfs.enable = true; settings = { DEFAULT.APP_NAME = "chaos's Forgejo"; diff --git a/hosts/hetzner-arm/containers/mail/default.nix b/hosts/hetzner-arm/containers/mail/default.nix index 389b0a2..b251e90 100644 --- a/hosts/hetzner-arm/containers/mail/default.nix +++ b/hosts/hetzner-arm/containers/mail/default.nix 
@@ -87,10 +87,6 @@ in { forceSSL = true; enableACME = true; acmeRoot = "/var/lib/acme/acme-challenge"; - # also being used for webmail - locations."/" = { - proxyPass = "http://unix:/var/lib/nixos-containers/mail/var/sockets/roundcube.sock"; - }; }; }; diff --git a/hosts/hetzner-arm/containers/mail/modules/mailserver/default.nix b/hosts/hetzner-arm/containers/mail/modules/mailserver/default.nix index 34a7326..b259efa 100644 --- a/hosts/hetzner-arm/containers/mail/modules/mailserver/default.nix +++ b/hosts/hetzner-arm/containers/mail/modules/mailserver/default.nix @@ -1,11 +1,10 @@ { config, - pkgs, lib, ... }: let inherit (lib) types; - inherit (lib.options) mkEnableOption mkOption mkPackageOption; + inherit (lib.options) mkEnableOption mkOption; cfg = config.services.mailserver; in { @@ -43,34 +42,6 @@ in { }; }; - roundcube = { - enable = mkOption { - type = types.bool; - default = true; - }; - package = mkPackageOption pkgs "roundcube" {}; - domain = mkOption { - type = types.str; - default = "${cfg.fqdn}"; - }; - plugins = mkOption { - type = types.listOf types.str; - default = []; - }; - extraConfig = mkOption { - type = types.lines; - default = ""; - }; - forceSSL = mkOption { - type = types.bool; - default = true; - }; - enableACME = mkOption { - type = types.bool; - default = true; - }; - }; - spf = { enable = mkOption { type = types.bool; diff --git a/hosts/hetzner-arm/containers/mail/modules/mailserver/webmail.nix b/hosts/hetzner-arm/containers/mail/modules/mailserver/webmail.nix deleted file mode 100644 index 77fa9a3..0000000 --- a/hosts/hetzner-arm/containers/mail/modules/mailserver/webmail.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - config, - lib, - ... -}: let - inherit (lib.modules) mkIf mkForce; - - mailConfig = config.services.mailserver; -in { - config = mkIf (mailConfig.enable && mailConfig.roundcube.enable) { - services.roundcube = { - enable = true; - package = mailConfig.roundcube.package; - plugins = - mailConfig.roundcube.plugins - ++ [ - "managesieve" - ]; - hostName = "${mailConfig.roundcube.domain}"; - extraConfig = '' - $config['smtp_server'] = "tls://${mailConfig.fqdn}"; - $config['smtp_user'] = "%u"; - $config['smtp_pass'] = "%p"; - $config['managesieve_host'] = 'tls://${mailConfig.fqdn}'; - ${mailConfig.roundcube.extraConfig} - ''; - }; - - services.nginx.virtualHosts."${mailConfig.roundcube.domain}" = { - forceSSL = mkForce mailConfig.roundcube.forceSSL; - enableACME = mkForce mailConfig.roundcube.enableACME; - }; - }; -} diff --git a/hosts/hetzner-arm/containers/mail/profiles/mailserver.nix b/hosts/hetzner-arm/containers/mail/profiles/mailserver.nix index d806ce5..6bdf33a 100644 --- a/hosts/hetzner-arm/containers/mail/profiles/mailserver.nix +++ b/hosts/hetzner-arm/containers/mail/profiles/mailserver.nix @@ -1,8 +1,4 @@ -{ - pkgs, - config, - ... -}: let +{config, ...}: let secrets = config.services.secrets.secrets; in { services.mailserver = { 
@@ -39,48 +35,5 @@ in { }; extraAliasesFile = "${secrets.private_mail_aliases.path}"; - - roundcube = { - enable = true; - - package = pkgs.roundcube.withPlugins (_plugins: - with pkgs.roundcubePlugins; [ - persistent_login - ]); - plugins = ["persistent_login"]; - - # running in container, passing socket to host - forceSSL = false; - enableACME = false; - - extraConfig = '' - $config['session_lifetime'] = (60 * 24 * 7 * 2); # 2 Weeks - $config['product_name'] = 'Chaos Mail'; - $config['username_domain'] = "owo.monster"; - $config['username_domain_forced'] = true; - $config['log_driver'] = 'syslog'; - $config['smtp_debug'] = true; - ''; - }; - }; - - systemd.tmpfiles.rules = [ - "d /var/sockets - nginx nginx" - ]; - - systemd.services.nginx.serviceConfig.ReadWritePaths = [ - "/var/sockets" - ]; - - services.nginx.virtualHosts."mail.owo.monster" = { - # running in privateNetwork - # required so nginx doesn't try listening on port 80 - listen = [ - { - addr = "127.0.0.1"; - port = 8089; - } - ]; - extraConfig = "listen unix:/var/sockets/roundcube.sock;"; }; } diff --git a/hosts/hetzner-arm/containers/mail/profiles/restic.nix b/hosts/hetzner-arm/containers/mail/profiles/restic.nix index 131aed4..10d2ef6 100644 --- a/hosts/hetzner-arm/containers/mail/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/mail/profiles/restic.nix @@ -6,12 +6,6 @@ secrets = config.services.secrets.secrets; mailConfig = config.services.mailserver; - - backupPrepareCommand = "${ - (pkgs.writeShellScriptBin "backupPrepareCommand" '' - systemctl start postgresqlBackup-roundcube --wait - '') - }/bin/backupPrepareCommand"; in { environment.systemPackages = with pkgs; [ restic @@ -26,8 +20,6 @@ in { services.restic.backups.mail = { user = "root"; paths = [ - "/var/backup/postgresql" - mailConfig.vmail.directory mailConfig.sieveDirectory mailConfig.dkim.directory 
@@ -48,15 +40,5 @@ in { OnBootSec = "1m"; OnCalendar = "8h"; }; - - inherit backupPrepareCommand; - }; - - services.postgresql.enable = true; - services.postgresqlBackup = { - enable = true; - backupAll = false; - databases = ["roundcube"]; - compression = "zstd"; }; } diff --git a/hosts/hetzner-arm/containers/piped-db/profiles/postgres.nix b/hosts/hetzner-arm/containers/piped-db/profiles/postgres.nix deleted file mode 100644 index 9928665..0000000 --- a/hosts/hetzner-arm/containers/piped-db/profiles/postgres.nix +++ /dev/null @@ -1,21 +0,0 @@ -{self, ...}: let - wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix"; - wireguardHosts = wireguardData.hosts; -in { - services.postgresql = { - enable = true; - port = 5434; - enableTCPIP = true; - ensureUsers = [ - { - name = "piped"; - ensurePermissions."DATABASE piped" = "ALL PRIVILEGES"; - } - ]; - ensureDatabases = ["piped"]; - authentication = '' - host piped piped ${wireguardHosts."raspberry".ip}/32 trust - host piped piped ${wireguardHosts."hetzner-arm".ip}/32 trust - ''; - }; -} diff --git a/hosts/hetzner-arm/containers/piped-fi/default.nix b/hosts/hetzner-arm/containers/piped-fi/default.nix index de15690..3f5cd7b 100644 --- a/hosts/hetzner-arm/containers/piped-fi/default.nix +++ b/hosts/hetzner-arm/containers/piped-fi/default.nix @@ -5,21 +5,24 @@ inputs, config, pkgs, - lib, ... }: let - inherit (lib.modules) mkForce; - pipedName = "piped-fi"; containerName = pipedName; + containerAddresses = import "${hostPath}/data/containerAddresses.nix"; + hostIP = containerAddresses.host; + containerIP = containerAddresses.containers.${containerName}; + pipedSocketForComponent = ( component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" ); in { containers.${containerName} = { autoStart = true; - privateNetwork = false; + privateNetwork = true; + hostAddress = hostIP; + localAddress = containerIP; specialArgs = { inherit inputs; 
@@ -36,8 +39,6 @@ in { presets.nixos.pipedNode ]; - networking.firewall.enable = mkForce false; - home-manager.users.root.home.stateVersion = "23.05"; system.stateVersion = "23.05"; }; diff --git a/hosts/hetzner-arm/containers/piped-db/default.nix b/hosts/hetzner-arm/containers/postgresql/default.nix similarity index 61% rename from hosts/hetzner-arm/containers/piped-db/default.nix rename to hosts/hetzner-arm/containers/postgresql/default.nix index aba2bf2..6226b7d 100644 --- a/hosts/hetzner-arm/containers/piped-db/default.nix +++ b/hosts/hetzner-arm/containers/postgresql/default.nix @@ -5,14 +5,17 @@ inputs, config, pkgs, - lib, ... }: let - inherit (lib.modules) mkForce; + containerAddresses = import "${hostPath}/data/containerAddresses.nix"; + hostIP = containerAddresses.host; + containerIP = containerAddresses.containers.postgresql; in { - containers.piped-db = { + containers.postgresql = { autoStart = true; - privateNetwork = false; + privateNetwork = true; + hostAddress = hostIP; + localAddress = containerIP; specialArgs = { inherit inputs; @@ -32,7 +35,7 @@ in { ./profiles/restic.nix ]; - networking.firewall.enable = mkForce false; + networking.firewall.allowedTCPPorts = [5432]; home-manager.users.root.home.stateVersion = "23.05"; system.stateVersion = "23.05"; diff --git a/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix b/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix new file mode 100644 index 0000000..76c459d --- /dev/null +++ b/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix 
@@ -0,0 +1,49 @@
+{
+ self,
+ hostPath,
+ ...
+}: let
+ wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
+ wireguardHosts = wireguardData.hosts;
+
+ localContainersAddresses = import "${hostPath}/data/containerAddresses.nix";
+in {
+ services.postgresql = {
+ enable = true;
+ enableTCPIP = true;
+ ensureDatabases = [
+ "piped"
+ "gotosocial"
+ "quassel"
+ "roundcube"
+ ];
+ ensureUsers = [
+ {
+ name = "piped";
+ ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
+ }
+ {
+ name = "gotosocial";
+ ensurePermissions."DATABASE gotosocial" = "ALL PRIVILEGES";
+ }
+ {
+ name = "quassel";
+ ensurePermissions."DATABASE quassel" = "ALL PRIVILEGES";
+ }
+ {
+ name = "roundcube";
+ ensurePermissions."DATABASE roundcube" = "ALL PRIVILEGES";
+ }
+ ];
+ # If the host is a local container then use the container's IP
+ # otherwise use the host's IP
+ authentication = ''
+ host piped piped ${localContainersAddresses.containers."piped-fi"}/32 trust
+ host piped piped ${wireguardHosts."raspberry".ip}/32 trust
+
+ host gotosocial gotosocial ${localContainersAddresses.containers."social"}/32 trust
+ host quassel quassel ${localContainersAddresses.containers."quassel"}/32 trust
+ host roundcube roundcube ${localContainersAddresses.containers."roundcube"}/32 trust
+ '';
+ };
+}
diff --git a/hosts/hetzner-arm/containers/piped-db/profiles/restic.nix b/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix
similarity index 71%
rename from hosts/hetzner-arm/containers/piped-db/profiles/restic.nix
rename to hosts/hetzner-arm/containers/postgresql/profiles/restic.nix
index 75e1a14..3ced848 100644
--- a/hosts/hetzner-arm/containers/piped-db/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix
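Review bot: Every row in `authentication` uses `trust`, and with `enableTCPIP = true` here plus `networking.firewall.allowedTCPPorts = [5432]` in postgresql/default.nix the source address is the only thing between a connection and the role, so anything on the 10.0.1.0/24 container bridge that can send packets as piped-fi, social, quassel or roundcube (another container, or a compromised process inside one of them) gets that database without a credential. The raspberry row is on firmer ground, since its address is bound to a key by WireGuard's cryptokey routing, but the four container rows rest on an unauthenticated bridge segment. Prefer `scram-sha-256` with per-role passwords delivered through the secrets mechanism this container already uses for restic, keeping `trust` at most for the WireGuard peer; that also lets roundcube.nix and gotosocial.nix in this commit stop running with an empty or absent database password. The comment above the block describes a host-IP fallback that the rows below do not implement; `# IP-based trust only: container rows rely on the bridge, the raspberry row on its WireGuard peer binding` states what is actually there.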
@@ -8,12 +8,15 @@ backupPrepareCommand = "${ (pkgs.writeShellScriptBin "backupPrepareCommand" '' systemctl start postgresqlBackup-piped --wait + systemctl start postgresqlBackup-gotosocial --wait + systemctl start postgresqlBackup-quassel --wait + systemctl start postgresqlBackup-roundcube --wait '') }/bin/backupPrepareCommand"; in { environment.systemPackages = with pkgs; [ restic - (pkgs.writeShellScriptBin "restic-piped" '' + (pkgs.writeShellScriptBin "restic-postgresql" '' env \ RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ $(cat ${secrets.restic_env.path}) \ @@ -21,7 +24,7 @@ in { '') ]; - services.restic.backups.piped = { + services.restic.backups.postgresql = { user = "root"; paths = [ "/var/backup/postgresql" @@ -29,7 +32,7 @@ in { # repository is overrided in environmentFile to contain auth # make sure to keep up to date when changing repository - repository = "rest:https://storage-restic.owo.monster/Piped"; + repository = "rest:https://storage-restic.owo.monster/PostgreSQL"; passwordFile = "${secrets.restic_password.path}"; environmentFile = "${secrets.restic_env.path}"; @@ -48,8 +51,12 @@ in { services.postgresqlBackup = { enable = true; backupAll = false; - pgdumpOptions = "-p ${toString config.services.postgresql.port}"; - databases = ["piped"]; + databases = [ + "piped" + "gotosocial" + "quassel" + "roundcube" + ]; compression = "zstd"; }; } diff --git a/hosts/hetzner-arm/containers/piped-db/secrets.nix b/hosts/hetzner-arm/containers/postgresql/secrets.nix similarity index 62% rename from hosts/hetzner-arm/containers/piped-db/secrets.nix rename to hosts/hetzner-arm/containers/postgresql/secrets.nix index f82baf5..4798bf6 100644 --- a/hosts/hetzner-arm/containers/piped-db/secrets.nix +++ b/hosts/hetzner-arm/containers/postgresql/secrets.nix @@ -4,7 +4,7 @@ vaultLogin = { enable = true; - loginUsername = "hetzner-arm-container-piped-db"; + loginUsername = "hetzner-arm-container-postgresql"; }; autoSecrets = { 
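Review bot: The four `systemctl start postgresqlBackup-… --wait` lines run in a pkgs.writeShellScriptBin script with no error handling, so if one dump unit fails the script carries on, exits 0, and restic snapshots whatever stale or partial file is left under /var/backup/postgresql for that database; `systemctl --wait` should reflect the unit's result in its exit status, so the signal is there but unused. Make the preparation step fail when any dump fails by opening the script with `set -euo pipefail`, so the restic unit goes red instead of silently archiving bad data. The enclosing `let` starts before the hunk.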
@@ -12,8 +12,8 @@ }; requiredVaultPaths = [ - "api-keys/data/storage/restic/Piped" - "private-public-keys/data/restic/Piped" + "api-keys/data/storage/restic/PostgreSQL" + "private-public-keys/data/restic/PostgreSQL" ]; secrets = { @@ -23,14 +23,14 @@ restic_password = { fetchScript = '' - simple_get "/private-public-keys/restic/Piped" .password > "$secretFile" + simple_get "/private-public-keys/restic/PostgreSQL" .password > "$secretFile" ''; }; restic_env = { fetchScript = '' - RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Piped" .username) - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Piped" .password) - echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped" > "$secretFile" + RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/PostgreSQL" .username) + RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/PostgreSQL" .password) + echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/PostgreSQL" > "$secretFile" ''; }; }; diff --git a/hosts/hetzner-arm/containers/quassel/profiles/quassel.nix b/hosts/hetzner-arm/containers/quassel/profiles/quassel.nix index 22a7bba..6bd6c38 100644 --- a/hosts/hetzner-arm/containers/quassel/profiles/quassel.nix +++ b/hosts/hetzner-arm/containers/quassel/profiles/quassel.nix @@ -3,17 +3,4 @@ enable = true; interfaces = ["0.0.0.0"]; }; - - services.postgresql = { - enable = true; - ensureDatabases = ["quassel"]; - ensureUsers = [ - { - name = "quassel"; - ensurePermissions."DATABASE quassel" = "ALL PRIVILEGES"; - } - ]; - - authentication = "host quassel quassel localhost trust"; - }; } diff --git a/hosts/hetzner-arm/containers/quassel/profiles/restic.nix b/hosts/hetzner-arm/containers/quassel/profiles/restic.nix index 7cb7b2e..20642d6 100644 --- a/hosts/hetzner-arm/containers/quassel/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/quassel/profiles/restic.nix 
@@ -24,7 +24,6 @@ in { services.restic.backups.quassel = { user = "root"; paths = [ - "/var/backup/postgresql" "/home/quassel/.config/quassel-irc.org" ]; @@ -45,11 +44,4 @@ in { inherit backupPrepareCommand; }; - - services.postgresqlBackup = { - enable = true; - backupAll = false; - databases = ["quassel"]; - compression = "zstd"; - }; } diff --git a/hosts/hetzner-arm/containers/roundcube/default.nix b/hosts/hetzner-arm/containers/roundcube/default.nix new file mode 100644 index 0000000..333af68 --- /dev/null +++ b/hosts/hetzner-arm/containers/roundcube/default.nix @@ -0,0 +1,55 @@ +{ + self, + tree, + inputs, + config, + pkgs, + hostPath, + ... +}: let + containerAddresses = import "${hostPath}/data/containerAddresses.nix"; + hostIP = containerAddresses.host; + containerIP = containerAddresses.containers.roundcube; +in { + containers.roundcube = { + autoStart = true; + privateNetwork = true; + hostAddress = hostIP; + localAddress = containerIP; + + specialArgs = { + inherit inputs; + inherit tree; + inherit self; + inherit hostPath; + }; + + config = {...}: { + nixpkgs.pkgs = pkgs; + + imports = with tree; [ + presets.nixos.containerBase + + profiles.nginx + profiles.sshd + profiles.firewallAllow.ssh + + ./profiles/roundcube.nix + ]; + + home-manager.users.root.home.stateVersion = "23.05"; + system.stateVersion = "23.05"; + }; + }; + + services.nginx = { + enable = true; + virtualHosts."mail.owo.monster" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://unix:/var/lib/nixos-containers/roundcube/var/sockets/roundcube.sock"; + }; + }; + }; +} diff --git a/hosts/hetzner-arm/containers/roundcube/profiles/roundcube.nix b/hosts/hetzner-arm/containers/roundcube/profiles/roundcube.nix new file mode 100644 index 0000000..2ccd373 --- /dev/null +++ b/hosts/hetzner-arm/containers/roundcube/profiles/roundcube.nix 
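Review bot: The host-side `locations."/".proxyPass` hands requests to the container's nginx over a unix socket with no forwarded headers in this file, so unless profiles.nginx (not visible here) enables `recommendedProxySettings` or sets `proxy_set_header X-Forwarded-Proto $scheme`, Roundcube sees a plain-HTTP request behind the TLS termination and may mark its session cookie non-Secure and build http:// absolute URLs; confirm that in profiles.nginx or add the header here next to `proxyPass`. Separately, this container is listed commented out in hosts/hetzner-arm/hetzner-arm.nix in the same commit while mail/default.nix drops its webmail location, so after this commit `mail.owo.monster` serves no webmail at all; a comment on `containers.roundcube` such as `# not yet enabled in hetzner-arm.nix; the host vhost below is unused until then` would save the next reader a search.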
@@ -0,0 +1,55 @@
+{
+ pkgs,
+ lib,
+ hostPath,
+ ...
+}: let
+ inherit (lib.modules) mkForce;
+
+ localContainersAddresses = import "${hostPath}/data/containerAddresses.nix";
+in {
+ services.roundcube = {
+ enable = true;
+ hostName = "mail.owo.monster";
+ package = pkgs.roundcube.withPlugins (_plugins:
+ with pkgs.roundcubePlugins; [
+ persistent_login
+ ]);
+ plugins = [
+ "persistent_login"
+ "managesieve"
+ ];
+
+ database = {
+ host = localContainersAddresses.containers.postgresql;
+ passwordFile = builtins.toFile "pw" "";
+ };
+
+ extraConfig = ''
+ $config['smtp_server'] = "tls://mail.owo.monster";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ $config['managesieve_host'] = 'tls://mail.owo.monster';
+ $config['session_lifetime'] = (60 * 24 * 7 * 2); # 2 Weeks
+ $config['product_name'] = 'Chaos Mail';
+ $config['username_domain'] = "owo.monster";
+ $config['username_domain_forced'] = true;
+ $config['log_driver'] = 'syslog';
+ $config['smtp_debug'] = true;
+ '';
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /var/sockets - nginx nginx"
+ ];
+
+ systemd.services.nginx.serviceConfig.ReadWritePaths = [
+ "/var/sockets"
+ ];
+
+ services.nginx.virtualHosts."mail.owo.monster" = {
+ forceSSL = mkForce false;
+ enableACME = mkForce false;
+ extraConfig = "listen unix:/var/sockets/roundcube.sock;";
+ };
+}
diff --git a/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix b/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix
index 147f242..042a8ca 100644
--- a/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix
+++ b/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix
@@ -11,7 +11,7 @@ in {
 services.gotosocial = {
 enable = true;
- setupPostgresqlDB = true;
+ setupPostgresqlDB = false;
 environmentFile = secrets.env_secrets.path;
 settings = {
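Review bot: The `listen` override the old mail profile had for this vhost (`listen = [{ addr = "127.0.0.1"; port = 8089; }]`, deleted from mail/profiles/mailserver.nix in this commit) was not carried over, so besides the unix socket in `extraConfig` the nginx module still generates its default port-80 listeners inside the container; restore the override next to `extraConfig` so the socket the host proxies to is the only listener. `passwordFile = builtins.toFile "pw" ""` places the file in the world-readable Nix store, which is harmless only because the password is empty and the server trusts this container's address; document that with `# empty on purpose: postgresql trusts this container's IP (postgresql/profiles/postgres.nix)` and never route a real password through `builtins.toFile`. `$config['smtp_debug'] = true` with `log_driver = 'syslog'` is also carried over: it logs the SMTP dialogue with the mail server on every send, which is noisy at best and worth confirming credential masking for before it stays on in production.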
@@ -20,7 +20,12 @@ in { bind-address = "0.0.0.0"; log-level = "info"; - log-client-ip = false; + log-client-ip = true; + + db-type = "postgres"; + db-address = "${containerAddresses.containers.postgresql}"; + db-database = "gotosocial"; + db-user = "gotosocial"; trusted-proxies = [ "127.0.0.1/32" diff --git a/hosts/hetzner-arm/containers/social/profiles/restic.nix b/hosts/hetzner-arm/containers/social/profiles/restic.nix index 9890b8e..55821f0 100644 --- a/hosts/hetzner-arm/containers/social/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/social/profiles/restic.nix @@ -1,12 +1,8 @@ { pkgs, config, - lib, ... }: let - inherit (lib.strings) concatStringsSep; - inherit (lib.lists) forEach; - secrets = config.services.secrets.secrets; # Because gotosocial-admin isn't a seporate package we need to generate a seperate config @@ -23,12 +19,6 @@ backupPrepareCommand = "${ (pkgs.writeShellScriptBin "backupPrepareCommand" '' - systemctl start ${ - concatStringsSep " " - (forEach config.services.postgresqlBackup.databases - (db: "postgresqlBackup-${db}")) - } --wait - systemctl stop gotosocial ${goToSocialAdmin} export --path /var/lib/gotosocial/gts-export.json @@ -56,7 +46,6 @@ in { services.restic.backups.social = { user = "root"; paths = [ - "/var/backup/postgresql" "/var/lib/gotosocial" ]; @@ -78,11 +67,4 @@ in { inherit backupPrepareCommand; inherit backupCleanupCommand; }; - - services.postgresqlBackup = { - enable = true; - backupAll = false; - databases = ["gotosocial"]; - compression = "zstd"; - }; } diff --git a/hosts/hetzner-arm/containers/storage/data/ports.nix b/hosts/hetzner-arm/containers/storage/data/ports.nix index 30bab1d..2d5c75d 100644 --- a/hosts/hetzner-arm/containers/storage/data/ports.nix +++ b/hosts/hetzner-arm/containers/storage/data/ports.nix 
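Review bot: `log-client-ip = true` reverses an explicit opt-out, so end-user addresses now appear in GoToSocial's request logs; that is a retention and data-protection decision the line should explain, e.g. `# client IPs kept in request logs for abuse handling; covered by journald retention`. The new `db-*` settings carry no password, which only works because postgresql/profiles/postgres.nix trusts this container's address; a one-line comment saying so next to `db-user` keeps that dependency visible when either file changes.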
@@ -7,7 +7,7 @@ rclone_serve_restic_vault = 4211; rclone_serve_restic_social = 4212; rclone_serve_restic_quassel = 4213; - rclone_serve_restic_piped = 4214; + rclone_serve_restic_postgresql = 4214; rclone_serve_restic_mail = 4215; rclone_serve_restic_forgejo = 4216; diff --git a/hosts/hetzner-arm/containers/storage/default.nix b/hosts/hetzner-arm/containers/storage/default.nix index 761bf16..cd24c7e 100644 --- a/hosts/hetzner-arm/containers/storage/default.nix +++ b/hosts/hetzner-arm/containers/storage/default.nix @@ -95,7 +95,7 @@ in { "/Vault/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_vault}"; "/Social/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_social}"; "/Quassel/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_quassel}"; - "/Piped/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped}"; + "/PostgreSQL/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_postgresql}"; "/Mail/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_mail}"; "/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_forgejo}"; }; diff --git a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix index 43c953c..145d0af 100644 --- a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix +++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix 
@@ -117,13 +117,13 @@ in { ]; } { - id = "restic-piped"; - remote = "StorageBox:Backups/Restic/Piped"; + id = "restic-postgresql"; + remote = "StorageBox:Backups/Restic/PostgreSQL"; type = "restic"; extraArgs = [ - "--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped}" - "--htpasswd=${secrets.restic_piped_htpasswd.path}" - "--baseurl=/Piped/" + "--addr=0.0.0.0:${toString ports.rclone_serve_restic_postgresql}" + "--htpasswd=${secrets.restic_postgresql_htpasswd.path}" + "--baseurl=/PostgreSQL/" ]; } { diff --git a/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix b/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix index 582cd8e..afe06ab 100644 --- a/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix +++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix @@ -15,7 +15,7 @@ }; extraArgs = [ "--fast-list" - "--check-first" + "--check-first" "--delete-before" "--b2-upload-concurrency=4" "--transfers=4" diff --git a/hosts/hetzner-arm/containers/storage/secrets.nix b/hosts/hetzner-arm/containers/storage/secrets.nix index 4675e92..288eabf 100644 --- a/hosts/hetzner-arm/containers/storage/secrets.nix +++ b/hosts/hetzner-arm/containers/storage/secrets.nix @@ -28,7 +28,7 @@ "api-keys/data/storage/restic/Vault" "api-keys/data/storage/restic/Social" "api-keys/data/storage/restic/Quassel" - "api-keys/data/storage/restic/Piped" + "api-keys/data/storage/restic/PostgreSQL" "api-keys/data/storage/restic/Mail" "api-keys/data/storage/restic/Forgejo" @@ -118,12 +118,12 @@ ''; }; - restic_piped_htpasswd = { + restic_postgresql_htpasswd = { user = "storage"; group = "storage"; fetchScript = '' - username=$(simple_get "/api-keys/storage/restic/Piped" .username) - password=$(simple_get "/api-keys/storage/restic/Piped" .password) + username=$(simple_get "/api-keys/storage/restic/PostgreSQL" .username) + password=$(simple_get "/api-keys/storage/restic/PostgreSQL" .password) htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null ''; }; 
diff --git a/hosts/hetzner-arm/data/containerAddresses.nix b/hosts/hetzner-arm/data/containerAddresses.nix index 80264cc..5082b46 100644 --- a/hosts/hetzner-arm/data/containerAddresses.nix +++ b/hosts/hetzner-arm/data/containerAddresses.nix @@ -1,10 +1,13 @@ { - host = "192.168.100.10"; + host = "10.0.1.1"; containers = { - storage = "192.168.100.11"; - social = "192.168.100.12"; - music = "192.168.100.13"; - quassel = "192.168.100.14"; - forgejo = "192.168.100.15"; + storage = "10.0.1.2"; + social = "10.0.1.3"; + music = "10.0.1.4"; + quassel = "10.0.1.5"; + forgejo = "10.0.1.6"; + postgresql = "10.0.1.7"; + piped-fi = "10.0.1.8"; + roundcube = "10.0.1.9"; }; } diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix index fb2c11e..d8d407b 100644 --- a/hosts/hetzner-arm/hetzner-arm.nix +++ b/hosts/hetzner-arm/hetzner-arm.nix @@ -24,10 +24,11 @@ in { "storage" "music" "quassel" - "piped-db" + "postgresql" "piped-fi" "mail" "forgejo" + #"roundcube" ] (name: ./containers + "/${name}")) ++ (with hosts.hetzner-arm.profiles; [ staticSites diff --git a/modules/nixos/rcloneSync.nix b/modules/nixos/rcloneSync.nix index f95d1cf..81dbcdd 100644 --- a/modules/nixos/rcloneSync.nix +++ b/modules/nixos/rcloneSync.nix @@ -86,7 +86,7 @@ in { [ (pkgs.writeShellScriptBin "rclone-sync-stop-all" (concatStringsSep "\n" (map ( job: '' - systemctl stop rclone-sync-${job.id}.service + systemctl stop rclone-sync-${job.id}.service '' ) cfg.syncJobs))) diff --git a/outputs.nix b/outputs.nix index 850ebc8..1093eec 100644 --- a/outputs.nix +++ b/outputs.nix @@ -140,7 +140,7 @@ in # All machines/containers with secrets.nix machines = rec { "hetzner-arm" = { - containers = ["storage" "music" "quassel" "social" "mail" "piped-db" "piped-fi" "forgejo"]; + containers = ["storage" "music" "quassel" "social" "mail" "postgresql" "piped-fi" "forgejo"]; sshAddress = "hetzner-arm.servers.genderfucked.monster"; }; "vault" = { 
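Review bot: `#"roundcube"` in hosts/hetzner-arm/hetzner-arm.nix leaves the new container out of the build with no explanation, while roundcube/default.nix and the removal of webmail from the mail container both land in this commit; put the reason and the consequence on the line, `# "roundcube" # disabled: container not working yet (see commit message); mail.owo.monster has no webmail until re-enabled`. The commit also leaves `roundcube` out of the containers list in outputs.nix, which is consistent with the container having no secrets.nix, but a word about that in the same comment stops the two lists from being read as drift.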
diff --git a/presets/nixos/pipedNode.nix b/presets/nixos/pipedNode.nix index bd56913..04d918f 100644 --- a/presets/nixos/pipedNode.nix +++ b/presets/nixos/pipedNode.nix @@ -7,11 +7,10 @@ }: let inherit (builtins) attrNames elem; - wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix"; - wireguardHosts = wireguardData.hosts; - hostName = config.networking.hostName; + hetznerARMContainerAddresses = import "${self}/hosts/hetzner-arm/data/containerAddresses.nix"; + defaultPorts = { internalPipedBackend = 3012; internalPipedProxy = 3013; @@ -71,8 +70,7 @@ in { name = "piped"; username = "piped"; usePassword = false; - host = "${wireguardHosts."hetzner-arm".ip}"; - port = 5434; + host = hetznerARMContainerAddresses.containers.postgresql; }; }; diff --git a/profiles/chaosInternalWireGuard/wireguard.nix b/profiles/chaosInternalWireGuard/wireguard.nix index 55ab414..88c0012 100644 --- a/profiles/chaosInternalWireGuard/wireguard.nix +++ b/profiles/chaosInternalWireGuard/wireguard.nix @@ -17,13 +17,18 @@ currentHostName = config.networking.hostName; currentHostConfig = wireguardHosts.${currentHostName}; in { - networking.firewall.trustedInterfaces = ["wg0"]; - networking.firewall.allowPing = true; - networking.firewall.allowedUDPPorts = mkIf (hasAttr "endpoint" currentHostConfig) [51820]; + networking.firewall = { + trustedInterfaces = [ + "wg0" + ]; + allowPing = true; + allowedUDPPorts = mkIf (hasAttr "listenPort" currentHostConfig) [ + currentHostConfig.listenPort + ]; + }; systemd.services.wireguard-debug = { wantedBy = ["multi-user.target"]; - partOf = ["wg-quick-wg0.service"]; script = '' echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control ''; 
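Review bot: `trustedInterfaces = ["wg0"]` survives the rewrite of the firewall block, and it bypasses the host firewall for everything arriving over the tunnel; combined with the next hunk of this file, which now advertises the hetzner-arm container subnet to every peer, each peer in the data file (the two phones included) can reach every port on the host and, if the host forwards, on the containers, unless something outside this diff filters it. If the tunnel is meant as a transport rather than a trust boundary, replace the blanket trust with `interfaces.wg0.allowedTCPPorts` / `interfaces.wg0.allowedUDPPorts` listing what peers actually need, and add a comment here recording which services are intentionally exposed over wg0. Whether forwarding into 10.0.1.0/24 is enabled at all is not visible in this diff.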
@@ -33,14 +38,14 @@ in { wg0 = { address = ["${currentHostConfig.ip}/24"]; privateKeyFile = "${secrets.wg_private.path}"; - listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820; + listenPort = mkIf (hasAttr "listenPort" currentHostConfig) currentHostConfig.listenPort; peers = map ( hostName: let host = wireguardHosts.${hostName}; in { - allowedIPs = ["${host.ip}/32"]; + allowedIPs = host.allowedIPs or ["${host.ip}/32"]; publicKey = host.public; endpoint = host.endpoint or null; } diff --git a/profiles/firewallAllow/ssh.nix b/profiles/firewallAllow/ssh.nix index ea8f50d..3403c3e 100644 --- a/profiles/firewallAllow/ssh.nix +++ b/profiles/firewallAllow/ssh.nix @@ -1,2 +1,3 @@ {...}: { + networking.firewall.allowedTCPPorts = [22]; }
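Review bot: `networking.firewall.allowedTCPPorts = [22]` hardcodes the port rather than following sshd, and `services.openssh` already opens its listening ports in the firewall when `openFirewall` is true (the default), so the line is either redundant or, if openFirewall was disabled on purpose or sshd moved off 22, opens the wrong port. Tie it to the sshd configuration instead: `{config, ...}: {` / `networking.firewall.allowedTCPPorts = config.services.openssh.ports;` / `}`.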