author | sils <sils@sils.li> | 2023-04-11 10:55:18 +0200 |
committer | sils <sils@sils.li> | 2023-04-11 10:55:18 +0200 |
commit | 5a6dd9797b67c08d58236956fbb43b7fe57f5730 (patch) | |
tree | 27418564bc75d03c66c0e5cf5209f0b66e625998 | |
parent | Fix(services): Remove Minecraft (diff) | |
parent | Chore(flake): Update (diff) | |
Merge pull request 'server1_develop' (#22) from server1_develop into server1
Reviewed-on: https://git.sils.li/vhack.eu/nixos-server/pulls/22 Reviewed-by: sils <sils@sils.li>
-rw-r--r-- | flake.lock | 92 | ||||
-rw-r--r-- | flake.nix | 11 | ||||
-rw-r--r-- | hosts/server1/configuration.nix | 5 | ||||
-rw-r--r-- | hosts/server1/hardware.nix (renamed from system/system/hardware.nix) | 4 | ||||
-rw-r--r-- | hosts/server1/networking.nix | 17 | ||||
-rw-r--r-- | services/default.nix | 7 | ||||
-rw-r--r-- | system/default.nix | 8 | ||||
-rw-r--r-- | system/file_system_layouts/default.nix (renamed from system/system/fileSystemLayouts.nix) | 4 | ||||
-rw-r--r-- | system/mail/default.nix | 50 | ||||
-rw-r--r-- | system/packages/default.nix (renamed from system/system/packages.nix) | 0 | ||||
-rw-r--r-- | system/services/acme/default.nix | 30 | ||||
-rw-r--r-- | system/services/default.nix | 12 | ||||
-rw-r--r-- | system/services/fail2ban/default.nix | 30 | ||||
-rw-r--r-- | system/services/firewall/default.nix | 11 | ||||
-rw-r--r-- | system/services/minecraft/default.nix (renamed from services/services/minecraft.nix) | 0 | ||||
-rw-r--r-- | system/services/nginx/default.nix | 15 | ||||
-rw-r--r-- | system/services/nix/default.nix (renamed from services/services/nix.nix) | 0 | ||||
-rw-r--r-- | system/services/opensshd/default.nix (renamed from services/services/opensshd.nix) | 1 | ||||
-rw-r--r-- | system/services/rust-motd/default.nix (renamed from services/services/rust-motd.nix) | 28 | ||||
-rw-r--r-- | system/users/default.nix (renamed from system/system/users.nix) | 7 |
20 files changed, 288 insertions, 44 deletions
diff --git a/flake.lock b/flake.lock index 8af459c..d23d600 100644 --- a/flake.lock +++ b/flake.lock @@ -1,12 +1,28 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "nixpkgs": { "locked": { - "lastModified": 1675512093, - "narHash": "sha256-u1CY4feK14B57E6T+0Bhkuoj8dpBxCPrWO+SP87UVP8=", + "lastModified": 1680899675, + "narHash": "sha256-3ogGOPFcSuhf7NrPNREFApkGkLBR2og5lyBJY7+mbig=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8e8240194eda25b61449f29bb5131e02b28a5486", + "rev": "d426ae4241ef89fcbd646cd796abd3e83167f54d", "type": "github" }, "original": { 
@@ -16,9 +32,77 @@ "type": "github" } }, + "nixpkgs-22_11": { + "locked": { + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1669542132, + "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a115bb9bd56831941be3776c8a94005867f316a7", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "simple-nixos-mailserver": "simple-nixos-mailserver" + } + }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "nixpkgs": "nixpkgs_2", + "nixpkgs-22_11": "nixpkgs-22_11", + "utils": "utils" + }, + "locked": { + "lastModified": 1671659164, + "narHash": "sha256-DbpT+v1POwFOInbrDL+vMbYV3mVbTkMxmJ5j50QnOcA=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "bc667fb6afc45f6cc2d118ab77658faf2227cffd", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-22.11", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "utils": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 2e52203..36ae34e 100644 --- a/flake.nix +++ b/flake.nix 
@@ -4,18 +4,25 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.11"; }; outputs = { self, nixpkgs, + simple-nixos-mailserver, ... } @ attrs: { nixosConfigurations."server1" = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = attrs; - modules = [./hosts/server1/configuration.nix]; + modules = [ + ./hosts/server1/configuration.nix + simple-nixos-mailserver.nixosModule + { + mailserver = import ./system/mail {}; + } + ]; }; }; } - diff --git a/hosts/server1/configuration.nix b/hosts/server1/configuration.nix index 729ef0f..891c5dc 100644 --- a/hosts/server1/configuration.nix +++ b/hosts/server1/configuration.nix @@ -1,10 +1,9 @@ {pkgs, ...}: { imports = [ ./networking.nix # network configuration that just works + ./hardware.nix ../../system - - ../../services ]; boot.cleanTmpDir = true; @@ -12,7 +11,7 @@ networking.hostName = "server1"; networking.domain = "vhack.eu"; - system.fileSystemLayouts.mainDisk = "/dev/vda3"; + system.fileSystemLayouts.mainDisk = "/dev/disk/by-uuid/7d960eb9-9334-4aef-9f7c-9a908a91a6db"; system.stateVersion = "22.11"; } diff --git a/system/system/hardware.nix b/hosts/server1/hardware.nix index c4c7dc9..9fabafe 100644 --- a/system/system/hardware.nix +++ b/hosts/server1/hardware.nix @@ -4,6 +4,6 @@ (modulesPath + "/profiles/headless.nix") ]; boot.loader.grub.device = "/dev/vda"; - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; - boot.initrd.kernelModules = ["nvme" "btrfs"]; + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + boot.initrd.kernelModules = []; } diff --git a/hosts/server1/networking.nix b/hosts/server1/networking.nix index 26d6719..cd0484f 100644 --- a/hosts/server1/networking.nix +++ b/hosts/server1/networking.nix 
@@ -5,8 +5,14 @@
 nameservers = [
 "8.8.8.8"
 ];
- defaultGateway = "89.58.56.1";
- defaultGateway6 = "fe80::1";
+ defaultGateway = {
+ address = "89.58.56.1";
+ interface = "eth0";
+ };
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "eth0";
+ };
 dhcpcd.enable = false;
 usePredictableInterfaceNames = lib.mkForce false;
 interfaces = {
@@ -19,11 +25,7 @@
 ];
 ipv6.addresses = [
 {
- address = "2a03:4000:6a:3f3:6422:6dff:fe82:939b";
- prefixLength = 64;
- }
- {
- address = "fe80::6422:6dff:fe82:939b";
+ address = "2a03:4000:6a:3f3::1";
 prefixLength = 64;
 }
 ];
@@ -44,6 +46,5 @@
 };
 services.udev.extraRules = ''
 ATTR{address}=="66:22:6d:82:93:9b", NAME="eth0"
-
 '';
 }
diff --git a/services/default.nix b/services/default.nix
deleted file mode 100644
index 8029ee2..0000000
--- a/services/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{config, ...}: {
- imports = [
- ./services/nix.nix
- ./services/opensshd.nix
- ./services/rust-motd.nix
- ];
-}
diff --git a/system/default.nix b/system/default.nix
index 2af4982..d67ada2 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -1,8 +1,8 @@
 {config, ...}: {
 imports = [
- ./system/fileSystemLayouts.nix
- ./system/hardware.nix
- ./system/packages.nix
- ./system/users.nix
+ ./file_system_layouts
+ ./packages
+ ./services
+ ./users
 ];
 }
diff --git a/system/system/fileSystemLayouts.nix b/system/file_system_layouts/default.nix
index 9d03a05..31b0b0b 100644
--- a/system/system/fileSystemLayouts.nix
+++ b/system/file_system_layouts/default.nix
@@ -40,6 +40,10 @@ in {
 device = "/srv/nix-config";
 options = ["bind"];
 };
+ "/var/lib/acme" = {
+ device = "/srv/acme";
+ options = ["bind"];
+ };
 };
 };
 }
diff --git a/system/mail/default.nix b/system/mail/default.nix
new file mode 100644
index 0000000..b1da088
--- /dev/null
+++ b/system/mail/default.nix
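Review bot: The new `"/var/lib/acme"` bind mount onto `/srv/acme` (the `system/file_system_layouts/default.nix` hunk) needs the source directory to exist before the mount unit runs, and nothing in this change creates it; if `/srv/acme` is missing the mount fails at boot and the ACME module would presumably then write certificates into a plain directory on the root filesystem, silently defeating the persistence the other `/srv` bind mounts provide. A short comment above the entry naming who provisions `/srv/acme`, and that it must keep the ownership and permissions the acme module expects, would make that visible, e.g. `# bind source must exist before boot and keep acme-module ownership; created on first install`. The enclosing `fileSystems` attribute set starts outside the hunk.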
@@ -0,0 +1,50 @@
+# vim: ts=2
+{...}: let
+ all_admins = [
+ "sils@vhack.eu"
+ "soispha@vhack.eu"
+ "nightingale@vhack.eu"
+ ];
+in {
+ enable = true;
+ fqdn = "server1.vhack.eu";
+ domains = ["vhack.eu"];
+
+ useFsLayout = true;
+
+ loginAccounts = {
+ "sils@vhack.eu" = {
+ hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm";
+ };
+ "soispha@vhack.eu" = {
+ hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW";
+ };
+ "nightingale@vhack.eu" = {
+ hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"; # TODO change
+ };
+ };
+
+ extraVirtualAliases = {
+ "abuse@vhack.eu" = all_admins;
+ "postmaster@vhack.eu" = all_admins;
+ "admin@vhack.eu" = all_admins;
+ };
+
+ mailDirectory = "/srv/mail/vmail";
+ dkimKeyDirectory = "/srv/mail/dkim";
+ sieveDirectory = "/srv/mail/sieve";
+ backup.snapshotRoot = "/srv/mail/backup";
+
+ enableImap = false;
+ enableImapSsl = true;
+ enablePop3 = false;
+ enablePop3Ssl = true;
+ # SMTP
+ enableSubmission = false;
+ enableSubmissionSsl = true;
+ openFirewall = true;
+
+ keyFile = "/var/lib/acme/server1.vhack.eu/key.pem";
+ certificateScheme = 1;
+ certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem";
+}
diff --git a/system/system/packages.nix b/system/packages/default.nix
index 4d33c6e..4d33c6e 100644
--- a/system/system/packages.nix
+++ b/system/packages/default.nix
diff --git a/system/services/acme/default.nix b/system/services/acme/default.nix
new file mode 100644
index 0000000..a163e77
--- /dev/null
+++ b/system/services/acme/default.nix
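Review bot: The bcrypt hashes for every mail account are committed in `loginAccounts`, and the `nightingale@vhack.eu` entry is a placeholder string marked `# TODO change`; a hash in a git repository can be attacked offline by anyone who can read the history, and the `$2b$05$` prefix shows a low work factor, so these should not live here. nixos-mailserver accepts `hashedPasswordFile` per account, which keeps the hash on the host (for example under `/srv`, which this file already uses for persistent mail state) and out of the repo, and the placeholder account should be left out until a real credential exists rather than shipped with a hash that can never verify. A comment above `certificateScheme = 1` stating that `keyFile`/`certificateFile` are produced by the `server1.vhack.eu` entry in `system/services/acme/default.nix` would document the coupling between the two files, e.g. `# scheme 1 = manual; paths are maintained by security.acme (see system/services/acme)`.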
@@ -0,0 +1,30 @@
+{...}: {
+ users.users.nginx.extraGroups = ["acme"];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "acmechallenge.vhack.eu" = {
+ serverAliases = ["*.vhack.eu"];
+ locations."/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/.challenges";
+ };
+ locations."/" = {
+ return = "301 https://$host$request_uri";
+ };
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin@vhack.eu";
+ certs = {
+ "server1.vhack.eu" = {
+ webroot = "/var/lib/acme/.challenges";
+ group = "nginx";
+ extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"];
+ };
+ };
+ };
+}
diff --git a/system/services/default.nix b/system/services/default.nix
new file mode 100644
index 0000000..6e5cb3c
--- /dev/null
+++ b/system/services/default.nix
@@ -0,0 +1,12 @@
+{config, ...}: {
+ imports = [
+ ./acme
+# ./firewall
+ #./minecraft
+ ./nginx
+ ./nix
+ ./opensshd
+ ./rust-motd
+ ./fail2ban
+ ];
+}
diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix
new file mode 100644
index 0000000..5aee097
--- /dev/null
+++ b/system/services/fail2ban/default.nix
@@ -0,0 +1,30 @@
+# vim: ts=2
+{...}: {
+ services.fail2ban = {
+ enable = true;
+ maxretry = 2; # ban after 2 failures
+ daemonConfig = ''
+ [Definition]
+ logtarget = SYSLOG
+ socket = /run/fail2ban/fail2ban.sock
+ pidfile = /run/fail2ban/fail2ban.pid
+ dbfile = /srv/fail2ban/fail2ban.sqlite3
+ '';
+ bantime-increment = {
+ enable = true;
+ rndtime = "8m";
+ overalljails = true;
+ multipliers = "2 4 16 128 256";
+ maxtime = "72h";
+ };
+ jails = {
+ dovecot = ''
+ # block IPs which failed to log-in
+ # aggressive mode add blocking for aborted connections
+ enabled = true
+ filter = dovecot[mode=aggressive]
+ maxretry = 2
+ '';
+ };
+ };
+}
diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix
new file mode 100644
index 0000000..23dbcc4
--- /dev/null
+++ b/system/services/firewall/default.nix
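Review bot: The `"server1.vhack.eu"` certificate is consumed by postfix and dovecot through `system/mail/default.nix` (`certificateScheme = 1` with the `key.pem`/`fullchain.pem` paths), but nothing in the `certs` entry reloads those services after a renewal, so they would keep serving the expired certificate until the next restart; adding `reloadServices = ["postfix.service" "dovecot2.service"];` to the `"server1.vhack.eu"` block closes that gap. The cert is given `group = "nginx"` while the mail daemons run as their own users, so their ability to read `key.pem` presumably relies on them opening it as root at startup — worth confirming and noting in a comment. The `acmechallenge.vhack.eu` vhost also answers for `*.vhack.eu` on port 80 and redirects everything else to HTTPS; a one-line comment such as `# HTTP catch-all: serves webroot challenges for every *.vhack.eu name, redirects the rest` would save the next reader from guessing why a host with this name exists.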
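Review bot: Two entries in the `imports` list of `system/services/default.nix` are commented out in two different styles (`# ./firewall` at column 0, `#./minecraft` indented) with no explanation, and the list is alphabetical except for `./fail2ban` appended at the end. Given the parent commit "Fix(services): Remove Minecraft" and `openFirewall = true` in `system/mail/default.nix`, the reasons are recoverable today but will not be in a year; a comment such as `# ./firewall  (mail ports are opened by mailserver.openFirewall; see system/services/firewall)` and dropping the `./minecraft` line outright would keep the list honest, with `./fail2ban` moved between `./acme` and `./nginx`.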
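Review bot: `dbfile = /srv/fail2ban/fail2ban.sqlite3` in `daemonConfig` points at a directory that this change does not create, so unless `/srv/fail2ban` is provisioned elsewhere fail2ban will likely fail to open its ban database at start and lose persisted bans across restarts; a `systemd.tmpfiles.rules = ["d /srv/fail2ban 0750 root root -"];` entry next to the service, or a comment naming who creates the directory, would settle that. `maxretry = 2` combined with `bantime-increment.maxtime = "72h"` and no `services.fail2ban.ignoreIP` also means a single mistyped password from an admin's own network earns a ban that doubles on every repeat, so listing trusted ranges in `ignoreIP` is worth considering. The trailing `# ban after 2 failures` only restates the key and can go, and the jail-level `maxretry = 2` duplicates the global value one block above.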
@@ -0,0 +1,11 @@
+# vim: ts=2
+{...}: {
+ networking.firewall = {
+ allowedTCPPorts = [
+ # for mail protocols:
+ 465 # SMTP SSL
+ 995 # POP3 SSL
+ 993 # IMAP SSL
+ ];
+ };
+}
diff --git a/services/services/minecraft.nix b/system/services/minecraft/default.nix
index 754c974..754c974 100644
--- a/services/services/minecraft.nix
+++ b/system/services/minecraft/default.nix
diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix
new file mode 100644
index 0000000..204783b
--- /dev/null
+++ b/system/services/nginx/default.nix
@@ -0,0 +1,15 @@
+{...}: {
+ networking.firewall = {
+ allowedTCPPorts = [80 443];
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "vhack.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/srv/www/vhack.eu";
+ };
+ };
+ };
+}
diff --git a/services/services/nix.nix b/system/services/nix/default.nix
index bd562ec..bd562ec 100644
--- a/services/services/nix.nix
+++ b/system/services/nix/default.nix
diff --git a/services/services/opensshd.nix b/system/services/opensshd/default.nix
index cb9f2ba..75c5aef 100644
--- a/services/services/opensshd.nix
+++ b/system/services/opensshd/default.nix
@@ -8,7 +8,6 @@
 passwordAuthentication = false;
 hostKeys = [
 {
- comment = "key comment";
 path = "/srv/sshd/ssh_host_ed25519_key";
 rounds = 1000;
 type = "ed25519";
diff --git a/services/services/rust-motd.nix b/system/services/rust-motd/default.nix
index 21bc1cd..1a41b32 100644
--- a/services/services/rust-motd.nix
+++ b/system/services/rust-motd/default.nix
@@ -3,6 +3,15 @@
 pkgs,
 ...
 }: {
+ systemd.services.rust-motd = {
+ path = builtins.attrValues {
+ inherit
+ (pkgs)
+ bash
+ fail2ban # Needed for rust-motd fail2ban integration
+ ;
+ };
+ };
 programs.rust-motd = {
 enable = true;
 enableMotdInSSHD = true;
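Review bot: `system/services/firewall/default.nix` is added, but its only import (in `system/services/default.nix`) is commented out, so the `allowedTCPPorts` list here is never evaluated; the same ports 465/993/995 are opened by `openFirewall = true` in `system/mail/default.nix`, which is presumably why it was disabled. Either drop the file or give it a header comment stating that it is the explicit equivalent of what the mailserver module opens and is kept only for reference, e.g. `# Not imported: mailserver.openFirewall already opens 465/993/995. Kept as documentation of the exposed mail ports.`. If it is ever imported, `allowedTCPPorts` entries from several modules merge, so the duplication is harmless but still misleading.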
@@ -45,17 +54,20 @@ # [user_service_status] # gpg-agent = "gpg-agent" - #s_s_l_certs = { - # sort_method = "manual" - # - # certs = { - # CertName1 = "/path/to/cert1.pem" - # CertName2 = "/path/to/cert2.pem" - # } - #}; + s_s_l_certs = { + sort_method = "manual"; + + certs = { + "server1.vhack.eu" = "/var/lib/acme/server1.vhack.eu/cert.pem"; + "vhack.eu" = "/var/lib/acme/vhack.eu/cert.pem"; + }; + }; filesystems = { root = "/"; + persistent = "/srv"; + store = "/nix"; + boot = "/boot"; }; memory = { diff --git a/system/system/users.nix b/system/users/default.nix index 34e1648..3555221 100644 --- a/system/system/users.nix +++ b/system/users/default.nix @@ -5,11 +5,8 @@ users.users = { root = { #uid = 0; - #initialHashedPassword = null; # to lock root - # Backup, if something happens. TODO remove this later + initialHashedPassword = null; # to lock root openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" ]; }; @@ -17,7 +14,7 @@ name = "sils"; isNormalUser = true; home = "/srv/home/sils"; - initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE + initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; uid = 1000; extraGroups = [ "wheel" |
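Review bot: In the first `system/users/default.nix` hunk, `initialHashedPassword = null` only takes effect when the `root` account is created, so on this already-deployed host an existing root password is left as it is; with the default `users.mutableUsers = true` (not visible in this diff) locking root reliably means setting `hashedPassword` to a locked value instead, e.g. `hashedPassword = "!";`, or switching to `users.mutableUsers = false`. Both root SSH keys are removed at the same time, which is the right shape once root is actually locked, but it leaves `sils` as the only way in and that user's key list is outside this hunk, so it should be confirmed populated before the switch is deployed. A comment above the block such as `# root is locked; administrative access is via the wheel users below` would record the intent for the next reader. The enclosing `users.users = {` set starts outside the hunk.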