diff --git a/hosts/hetzner-vm/hetzner-vm.nix b/hosts/hetzner-vm/hetzner-vm.nix
index 551c317..d4a1ca2 100644
--- a/hosts/hetzner-vm/hetzner-vm.nix
+++ b/hosts/hetzner-vm/hetzner-vm.nix
@@ -14,7 +14,6 @@
 hosts.hetzner-vm.services.invidious
 hosts.hetzner-vm.services.quassel
 hosts.hetzner-vm.services.mpd
- hosts.hetzner-vm.services.storage-sftp
 hosts.hetzner-vm.services.mail
 hosts.hetzner-vm.services.gitlab-static-sites
 hosts.hetzner-vm.services.lappy-dev
@@ -22,6 +21,7 @@
 ./networking.nix
 ./hardware.nix
+ ./secrets.nix
 ];
 networking.firewall.allowedTCPPorts = [ 80 443 ];
diff --git a/hosts/hetzner-vm/ports.nix b/hosts/hetzner-vm/ports.nix
new file mode 100644
index 0000000..8f9f73a
--- /dev/null
+++ b/hosts/hetzner-vm/ports.nix
@@ -0,0 +1,21 @@
+{ }: {
+ mpd = 6600; # default
+ mpd-opus = 8012;
+ mpd-flac = 8013;
+
+ quassel = 4242; # default
+
+ misskey = 3020;
+ misskey-redis = 3021;
+
+ invidious = 3000;
+
+ smtp = 25;
+ submission = 587;
+ submission_ssl = 465;
+ imap = 143;
+ imap_ssl = 993;
+ sieve = 4190;
+
+ rspamd-redis = 6380;
+}
diff --git a/hosts/hetzner-vm/secrets-db.nix b/hosts/hetzner-vm/secrets-db.nix
new file mode 100644
index 0000000..be02f02
--- /dev/null
+++ b/hosts/hetzner-vm/secrets-db.nix
@@ -0,0 +1,38 @@
+{ }: {
+ mpd_control_password = {
+ user = "mpd";
+ group = "mpd";
+ permissions = "660";
+ path = "/secrets/mpd_control_password";
+ };
+ music_stream_passwd = {
+ user = "nginx";
+ group = "nginx";
+ permissions = "660";
+ path = "/secrets/music_stream_passwd";
+ };
+ chaos_mail_passwd = {
+ user = "dovecot2";
+ group = "dovecot2";
+ permissions = "660";
+ path = "/secrets/chaos_mail_passwd";
+ };
+ gitlab_env = {
+ user = "gitlab_artifacts_sync";
+ group = "gitlab_artifacts_sync";
+ permissions = "660";
+ path = "/secrets/gitlab_env";
+ };
+ restic_password = {
+ user = "root";
+ group = "root";
+ permissions = "660";
+ path = "/secrets/restic_password";
+ };
+ restic_env = {
+ user = "root";
+ group = "root";
+ permissions = "660";
+ path = "/secrets/restic_env";
+ };
+}
diff --git a/hosts/hetzner-vm/secrets.nix b/hosts/hetzner-vm/secrets.nix
new file mode 100644
index 0000000..105053e
--- /dev/null
+++ b/hosts/hetzner-vm/secrets.nix
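Review bot: Every record grants mode `660`, but as far as this diff shows none of the consumers writes its file — mpd, nginx, dovecot2, gitlab_artifacts_sync and restic only read a passwordFile, auth_basic_user_file or environmentFile, and the only writer is init-secrets running as root — so group-write is surplus privilege and `640` (or `600` for the two root:root entries) would match actual use. The file has no header explaining the record shape that secrets.nix, gitlab-static-sites.nix, mailserver/config.nix, mpd.nix and restic.nix now depend on; a comment such as `# one record per provisioned secret: user/group own the file, permissions is its chmod mode, path is where init-secrets (secrets.nix) writes it` would make that contract explicit. Renaming or re-owning an entry here silently changes what init-secrets produces and what the services read, so the comment should say both sides are driven from this file.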
@@ -0,0 +1,67 @@
+{ pkgs, ... }:
+let secrets-db = (import ./secrets-db.nix { });
+in {
+ systemd.tmpfiles.rules = [ "d /secrets - root root" ];
+ environment.systemPackages = [
+ (pkgs.writeShellScriptBin "init-secrets" ''
+ set -e -o pipefail
+
+ VAULT_ADDR_DEFAULT="https://vault.owo.monster"
+ [ -n "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"
+
+ export PATH=$PATH:${pkgs.vault}/bin
+ export PATH=$PATH:${pkgs.jq}/bin
+ export PATH=$PATH:${pkgs.apacheHttpd}/bin
+
+ kv_get() {
+ vault kv get -format json $1
+ }
+
+ simple_get() {
+ kv_get $1 | jq .data.data$2 -r
+ }
+
+ file=${secrets-db.mpd_control_password.path}
+ echo $file
+ simple_get "/api-keys/mpd" .password > $file
+ chown ${secrets-db.mpd_control_password.user}:${secrets-db.mpd_control_password.group} $file
+ chmod ${secrets-db.mpd_control_password.permissions} $file
+
+ file=${secrets-db.music_stream_passwd.path}
+ echo $file
+ username=$(simple_get "/api-keys/music-stream" .username)
+ password=$(simple_get "/api-keys/music-stream" .password)
+ htpasswd -bc $file "$username" "$password"
+ chown ${secrets-db.music_stream_passwd.user}:${secrets-db.music_stream_passwd.group} $file
+ chmod ${secrets-db.music_stream_passwd.permissions} $file
+
+ file=${secrets-db.chaos_mail_passwd.path}
+ echo $file
+ password=$(simple_get "/passwords/mail" .password)
+ htpasswd -nbB "" "$password" | cut -d: -f2 > $file
+ chown ${secrets-db.chaos_mail_passwd.user}:${secrets-db.chaos_mail_passwd.group} $file
+ chmod ${secrets-db.chaos_mail_passwd.permissions} $file
+
+ file=${secrets-db.gitlab_env.path}
+ echo $file
+ token=$(simple_get "/api-keys/gitlab/gitlab_pages_serve" .token)
+ echo "GITLAB_TOKEN=$token" > $file
+ chown ${secrets-db.gitlab_env.user}:${secrets-db.gitlab_env.group} $file
+ chmod ${secrets-db.gitlab_env.permissions} $file
+
+ file=${secrets-db.restic_password.path}
+ echo $file
+ simple_get "/private-public-keys/restic/HetznerVM" .password > $file
+ chown ${secrets-db.restic_password.user}:${secrets-db.restic_password.group} $file
+ chmod ${secrets-db.restic_password.permissions} $file
+
+ file=${secrets-db.restic_env.path}
+ echo $file
+ RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/HetznerVM" .username)
+ RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/HetznerVM" .password)
+ echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/HetznerVM" > $file
+ chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} $file
+ chmod ${secrets-db.restic_env.permissions} $file
+ '')
+ ];
+}
diff --git a/hosts/hetzner-vm/services/gitlab-static-sites.nix b/hosts/hetzner-vm/services/gitlab-static-sites.nix
index 7dd3f0e..a11c121 100644
--- a/hosts/hetzner-vm/services/gitlab-static-sites.nix
+++ b/hosts/hetzner-vm/services/gitlab-static-sites.nix
@@ -1,7 +1,9 @@
-{ ... }: {
+{ ... }:
+let secrets-db = (import ../secrets-db.nix { });
+in {
 services.gitlab_artifacts_sync = {
 enable = true;
- credentialsEnvironmentFile = "/secrets/gitlab-env";
+ credentialsEnvironmentFile = "${secrets-db.gitlab_env.path}";
 repos = [
 {
 repoName = "ChaotiCryptidz/VaultUI";
diff --git a/hosts/hetzner-vm/services/invidious.nix b/hosts/hetzner-vm/services/invidious.nix
index 3044f78..1ab9747 100644
--- a/hosts/hetzner-vm/services/invidious.nix
+++ b/hosts/hetzner-vm/services/invidious.nix
@@ -1,9 +1,11 @@
-{ inputs, pkgs, ... }: {
+{ inputs, pkgs, ... }:
+let ports = (import ../ports.nix { });
+in {
 services.invidious = {
 enable = true;
 #package =
 # inputs.nixpkgs-stable.outputs.legacyPackages.${pkgs.system}.invidious;
- port = 3000;
+ port = ports.invidious;
 settings = {
 full_refresh = true;
 https_only = true;
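Review bot: The VAULT_ADDR default is applied backwards in the init-secrets script: `[ -n "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"` overwrites an address the caller set and leaves the variable unset when none was given; it should read `[ -z "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"`. Each secret is first written with `> $file` (or created by `htpasswd -bc`) under the caller's umask, typically 022, and only chmod'ed afterwards, so it exists briefly as a world-readable file inside a `/secrets` that the `d /secrets - root root` rule leaves at tmpfiles' default mode; adding `umask 077` directly after `set -e -o pipefail` closes that window while the explicit chown/chmod still set the final ownership and mode. The `-b` form of htpasswd places the password on the command line, where other local users can see it in the process list; reading it from stdin with `-i` avoids that. `$1`, `$2` and `$file` are unquoted throughout, harmless for the fixed paths here but worth quoting since they carry secret-store paths.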
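Review bot: The credentials file path quietly changes from `/secrets/gitlab-env` to `${secrets-db.gitlab_env.path}`, which secrets-db.nix resolves to `/secrets/gitlab_env`, and mailserver/config.nix, mpd.nix and restic.nix rename their secret paths in the same way. Nothing in the commit produces the new files at activation — init-secrets is only added to environment.systemPackages — so after the switch each of these services points at a file that does not exist until the script is run by hand. A comment on credentialsEnvironmentFile such as `# written by init-secrets (hosts/hetzner-vm/secrets.nix); must exist before this service starts` would make the dependency visible, or the script could become a oneshot unit these services are ordered after. The services.gitlab_artifacts_sync block continues past the hunk.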
@@ -42,17 +44,17 @@
 services.nginx.virtualHosts."invidious.owo.monster" = {
 forceSSL = true;
 enableACME = true;
- locations = { "/".proxyPass = "http://127.0.0.1:3000"; };
+ locations = {
+ "/".proxyPass = "http://127.0.0.1:${toString ports.invidious}";
+ };
 };
 services.nginx.virtualHosts."invidious-nojs.owo.monster" = {
 forceSSL = true;
 enableACME = true;
 locations = {
- "/".proxyPass = "http://127.0.0.1:3000";
+ "/".proxyPass = "http://127.0.0.1:${toString ports.invidious}";
 "/js/".extraConfig = "deny all;";
 };
 };
-
- #networking.firewall.allowedTCPPorts = [ 3000 ];
 }
diff --git a/hosts/hetzner-vm/services/mailserver/config.nix b/hosts/hetzner-vm/services/mailserver/config.nix
index c1ad7d5..5ffcfe9 100644
--- a/hosts/hetzner-vm/services/mailserver/config.nix
+++ b/hosts/hetzner-vm/services/mailserver/config.nix
@@ -1,4 +1,6 @@
-{ }: rec {
+{ }: let
+ secrets-db = (import ../../secrets-db.nix { });
+in rec {
 fqdn = "mail.owo.monster";
 domains = [
 "owo.monster"
@@ -19,18 +21,13 @@
 accounts = {
 "chaoticryptidz@owo.monster" = {
 name = "chaoticryptidz@owo.monster";
- passwordFile = "/secrets/chaos-mail-password";
+ passwordFile = "${secrets-db.chaos_mail_passwd.path}";
 aliases = [
 "all@owo.monster"
 # for sending from
 "chaos@owo.monster"
- # for websites not liking .monster
- #"all@mailchaos.net"
- #"chaoticryptidz@mailchaos.net"
- #"chaos@mailchaos.net"
-
- # legacy - to be deprecated by 2023-01-01
+ # TODO: legacy - to be deprecated by 2023-01-01
 "kitteh@owo.monster"
 "kitteh@kitteh.pw"
 ];
diff --git a/hosts/hetzner-vm/services/mailserver/rspamd.nix b/hosts/hetzner-vm/services/mailserver/rspamd.nix
index d396a7a..1505e17 100644
--- a/hosts/hetzner-vm/services/mailserver/rspamd.nix
+++ b/hosts/hetzner-vm/services/mailserver/rspamd.nix
@@ -3,6 +3,9 @@ let mail_config = (import ./config.nix { }); + ports = (import ../../ports.nix { }); + + postfixCfg = config.services.postfix; rspamdCfg = config.services.rspamd; rspamdSocket = "rspamd.service";
@@ -19,7 +22,7 @@ in {
 };
 "redis.conf" = {
 text = ''
- servers = "127.0.0.1:6380";
+ servers = "127.0.0.1:${toString ports.rspamd-redis}";
 '';
 };
 "classifier-bayes.conf" = {
@@ -77,7 +80,7 @@ in {
 services.redis.servers.rspamd = {
 enable = true;
- port = 6380;
+ port = ports.rspamd-redis;
 };
 systemd.services.rspamd = {
diff --git a/hosts/hetzner-vm/services/misskey.nix b/hosts/hetzner-vm/services/misskey.nix
index e2760fb..66e9afc 100644
--- a/hosts/hetzner-vm/services/misskey.nix
+++ b/hosts/hetzner-vm/services/misskey.nix
@@ -1,8 +1,10 @@
 { pkgs, tree, ... }:
 let
+ ports = (import ../ports.nix { });
+
 misskeyDomain = "social.owo.monster";
- misskeyPort = 3020;
- redisPort = 3019;
+ misskeyPort = ports.misskey;
+ redisPort = ports.misskey-redis;
 misskeyPackages = with pkgs; [
 nodejs
diff --git a/hosts/hetzner-vm/services/mpd.nix b/hosts/hetzner-vm/services/mpd.nix
index e4e67e2..23f6ea9 100644
--- a/hosts/hetzner-vm/services/mpd.nix
+++ b/hosts/hetzner-vm/services/mpd.nix
@@ -1,16 +1,16 @@
-{ pkgs, lib, tree, ... }: {
- #imports = [ ./mpd-broadcast/broadcast.nix ];
-
+{ pkgs, lib, tree, ... }:
+let
+ ports = (import ../ports.nix { });
+ secrets-db = (import ../secrets-db.nix { });
+in {
 environment.systemPackages = with pkgs; [ mpc_cli ];
 services.mpd = {
 enable = true;
 network.listenAddress = "0.0.0.0";
- dataDir = "/mpd";
 musicDirectory = "/storage/music";
- playlistDirectory = "/mpd/playlists";
 credentials = [{
- passwordFile = "/secrets/mpd-password";
+ passwordFile = "${secrets-db.mpd_control_password.path}";
 permissions = [ "read" "add" "control" "admin" ];
 }];
 extraConfig = ''
@@ -25,7 +25,7 @@
 type "httpd"
 name "HTTP Opus"
 encoder "opus"
- port "8012"
+ port "${toString ports.mpd-opus}"
 bitrate "96000"
 format "44100:16:2"
 always_on "yes"
@@ -37,7 +37,7 @@
 type "httpd"
 name "HTTP FLAC"
 encoder "flac"
- port "8013"
+ port "${toString ports.mpd-flac}"
 format "44100:16:2"
 always_on "yes"
 tags "yes"
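Review bot: The Redis port is not a pure refactor: the removed line set `redisPort = 3019`, while ports.nix defines `misskey-redis = 3021`, so the misskey Redis instance moves to a different port on this switch even though misskey itself keeps 3020. If that is intended, record it where the value lives, e.g. `misskey-redis = 3021; # moved from 3019 when ports were centralised`; if not, the entry should be 3019. Anything outside this file that still carries 3019 — a firewall rule, a persisted misskey config — would fail without an evaluation error. The let block continues past the hunk.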
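Review bot: Dropping `dataDir = "/mpd"` and `playlistDirectory = "/mpd/playlists"` here, together with the StateDirectory removal in the hunk at line 45, moves mpd's database and playlists to the module's default location, but nothing in the commit migrates the existing state out of /mpd, and restic.nix in the same commit stops backing up /mpd without adding the new directory to its paths. Unless that migration happens out of band, the next switch presumably starts mpd with an empty database and the backups no longer contain it. A short comment on services.mpd, `# state uses the module default dataDir; /mpd was retired and is no longer backed up`, would at least record the decision, and the new data directory belongs in restic's paths list. The services.mpd block continues past the hunk.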
@@ -45,24 +45,22 @@
 '';
 };
- systemd.services.mpd.serviceConfig.StateDirectory = [ "/mpd" ];
-
 services.nginx.virtualHosts."stream.owo.monster" = {
 forceSSL = true;
 enableACME = true;
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:8012";
+ proxyPass = "http://127.0.0.1:${toString ports.mpd-opus}";
 extraConfig = ''
 auth_basic "Music Password";
- auth_basic_user_file /secrets/music-stream-passwd;
+ auth_basic_user_file ${secrets-db.music_stream_passwd.path};
 '';
 };
 "/flac" = {
- proxyPass = "http://127.0.0.1:8013";
+ proxyPass = "http://127.0.0.1:${toString ports.mpd-flac}";
 extraConfig = ''
 auth_basic "Music Password";
- auth_basic_user_file /secrets/music-stream-passwd;
+ auth_basic_user_file ${secrets-db.music_stream_passwd.path};
 '';
 };
 };
diff --git a/hosts/hetzner-vm/services/quassel.nix b/hosts/hetzner-vm/services/quassel.nix
index 557bb67..05749fd 100644
--- a/hosts/hetzner-vm/services/quassel.nix
+++ b/hosts/hetzner-vm/services/quassel.nix
@@ -4,16 +4,6 @@ _: {
 interfaces = [ "0.0.0.0" ];
 };
- # needed so quassel can access SSL certs
- # TODO: set up SSL
- # users.groups.acme.members = [ "quassel" ];
-
- # Not gonna serve anything there but shrug.
- #services.nginx.virtualHosts."quassel.owo.monster" = {
- # forceSSL = true;
- # enableACME = true;
- #};
-
 services.postgresql.ensureDatabases = [ "quassel" ];
 services.postgresql.ensureUsers = [{
 name = "quassel";
diff --git a/hosts/hetzner-vm/services/restic.nix b/hosts/hetzner-vm/services/restic.nix
index cabbe45..fd361b5 100644
--- a/hosts/hetzner-vm/services/restic.nix
+++ b/hosts/hetzner-vm/services/restic.nix
@@ -1,6 +1,6 @@
 { lib, config, pkgs, ... }:
 let
-
+ secrets-db = (import ../secrets-db.nix { });
 mail_config = (import ./mailserver/config.nix { });
 backupPrepareCommand = "${
@@ -27,10 +27,6 @@ in {
 # Quassel & Invidious
 "/var/backup/postgresql"
 "/home/quassel/.config/quassel-irc.org"
- # MPD State
- "/mpd"
- # doesn't work for restoring might as well not backup
- # "/var/lib/tailscale"
 # mail
 mail_config.vmail_config.directory
@@ -46,8 +42,8 @@ in {
 # repository is overrided in environmentFile to contain auth
 # make sure to keep up to date when changing repository
 repository = "rest:https://storage-restic.owo.monster/HetznerVM";
- passwordFile = "/secrets/restic-Chaos-Backups-HetznerVM-password";
- environmentFile = "/secrets/restic-Chaos-Backups-HetznerVM-env";
+ passwordFile = "${secrets-db.restic_password.path}";
+ environmentFile = "${secrets-db.restic_env.path}";
 timerConfig = {
 OnBootSec = "1m";
diff --git a/hosts/hetzner-vm/services/storage-sftp.nix b/hosts/hetzner-vm/services/storage-sftp.nix
deleted file mode 100644
index 978070b..0000000
--- a/hosts/hetzner-vm/services/storage-sftp.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-_: {
- services.vsftpd = {
- enable = false;
- extraConfig = ''
- listen_port=4220
- pasv_enable=Yes
- pasv_min_port=51000
- pasv_max_port=51999
- '';
- localUsers = true;
- userlistEnable = true;
- userlist = [ "ftp-user" ];
- localRoot = "/storage";
- };
- users.users.ftp-user = {
- isSystemUser = true;
- group = "ftp-user";
- };
- users.groups.ftp-user = { };
- networking.firewall.allowedTCPPortRanges = [{
- from = 51000;
- to = 51999;
- }];
- networking.firewall.allowedTCPPorts = [ 4220 ];
-}
diff --git a/hosts/lappy/profiles/mpd-music-sync.nix b/hosts/lappy/profiles/mpd-music-sync.nix
deleted file mode 100644
index de27474..0000000
--- a/hosts/lappy/profiles/mpd-music-sync.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ pkgs, ... }:
-let passwordFile = "/secrets/mpd-music-sync-password";
-in {
- systemd.tmpfiles.rules = [ "d /music 0755 mpd users -" ];
- systemd.services.mpd-music-sync = {
- startAt = "daily";
- requires = [ "network.target" ];
- after = [ "network.target" ];
- path = [ pkgs.rclone ];
- script = ''
- export PASSWORD=$(cat ${passwordFile})
- rclone sync :ftp:/storage/music /music \
- --ftp-host=hetzner-vm.servers.owo.monster \
- --ftp-port=4220 \
- --ftp-user=ftp-user \
- --ftp-pass=$(rclone obscure $PASSWORD)
- chown mpd:users -R /music
- '';
- };
-}