diff options
Diffstat (limited to '')
-rw-r--r-- | system/impermanence/default.nix | 1 | ||||
-rw-r--r-- | system/impermanence/mods/etebase-server.nix | 10 | ||||
-rw-r--r-- | system/secrets/default.nix | 6 | ||||
-rw-r--r-- | system/secrets/etebase-server/passwd.tix | 17 | ||||
-rw-r--r-- | system/secrets/secrets.nix | 1 | ||||
-rw-r--r-- | system/services/default.nix | 1 | ||||
-rw-r--r-- | system/services/etebase/default.nix | 42 | ||||
-rw-r--r-- | system/services/nix/default.nix | 1 | ||||
-rw-r--r-- | system/services/taskserver/certs/ca.cert.pem (renamed from system/services/taskserver/ca.cert.pem) | 0 | ||||
-rw-r--r-- | system/services/taskserver/certs/ca.key.pem.gpg | bin | 0 -> 13824 bytes | |||
-rwxr-xr-x | system/services/taskserver/certs/check_expire | 6 | ||||
-rwxr-xr-x | system/services/taskserver/certs/generate | 21 | ||||
-rwxr-xr-x | system/services/taskserver/certs/generate.ca | 2 | ||||
-rwxr-xr-x | system/services/taskserver/certs/generate.client | 20 | ||||
-rwxr-xr-x | system/services/taskserver/certs/generate.crl | 2 | ||||
-rw-r--r-- | system/services/taskserver/certs/isrgrootx1.pem | 31 | ||||
-rw-r--r-- | system/services/taskserver/default.nix | 7 | ||||
-rw-r--r-- | system/users/default.nix | 2 |
18 files changed, 145 insertions, 25 deletions
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix index f42c084..dd363ae 100644 --- a/system/impermanence/default.nix +++ b/system/impermanence/default.nix @@ -2,6 +2,7 @@ # TODO: Only activate them if their module is also active imports = [ ./mods/acme.nix + ./mods/etebase-server.nix ./mods/mail.nix ./mods/mastodon.nix ./mods/matrix.nix diff --git a/system/impermanence/mods/etebase-server.nix b/system/impermanence/mods/etebase-server.nix new file mode 100644 index 0000000..cfe5a39 --- /dev/null +++ b/system/impermanence/mods/etebase-server.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/etebase-server"; + user = "etebase-server"; + group = "etebase-server"; + mode = "0700"; + } + ]; +} diff --git a/system/secrets/default.nix b/system/secrets/default.nix index c0042d7..6107faa 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix @@ -37,6 +37,12 @@ owner = "root"; group = "root"; }; + etebase-server = { + file = ./etebase-server/passwd.tix; + mode = "700"; + owner = "etebase-server"; + group = "etebase-server"; + }; }; }; } diff --git a/system/secrets/etebase-server/passwd.tix b/system/secrets/etebase-server/passwd.tix new file mode 100644 index 0000000..8d8e3c2 --- /dev/null +++ b/system/secrets/etebase-server/passwd.tix @@ -0,0 +1,17 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UiswNDhQNWpsaFZUQTdY +U3F2TFlrSzhMbmRBWEIyTGQ2VGVramdPTDI4CjRGSnlqUm5rWWJ2Vk5neE56azdt +WitpbXlPWngxSGtEalBKWkRZdHF5QjQKLT4gWDI1NTE5IDRSSW1jcHhocjBIM0tM +ZjRxNUhZWkhkd1c5aVlucTMxTTVhSHRIMHMyU0EKbWlQZ0xKRXUvOWluSkZQRWdp +UjNMQWR3MHNwbUVYbm4vSGJQOGtrb2ZxVQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +SEpCY1JWZm5yMG1lL3QwUERPVUFqRWo5ZVJEb1JqNGVLS3pXVkhaYk1SYwpjb3dW +UWcrMkdmYTlvckFOYmsvcGwvY1dvc1oxY1FaY2p4eURCK3BIR044Ci0+ICgreWhl +KG9RLWdyZWFzZSAobEpLXVEgNVA3IGQKekx5YVFkeFRBUlJiUis2cFVyWlBPNncK +LS0tIFJxa0hDZUIyYm5uYlhiZjRnNHRLNTRrRW01d1hCL2dCZnByL1M2SkFyQXMK +gsR7erKGQrBhXlcnR73PbnC+PzOQlsBOg6a6DosGyixbnEgZ4DfyeK5Ep1oPB81Q +zcS9AV7h+8NlpmVM4G+0JCIC8I3TTCEQyOPwiu+GVXr4GYy/3stg+pK1htkt2V2M +WraPl//K3kvFln1KRt5lbsVXLX8SYZS4UJDzK25oJElwdNuqXHqwMkTmXjEgnbvS +pjgaNak5ooxHiZfCtzismLx5iL+P/+oohegUPvW16fQTq/eKp3mIjeBZmrWNnTuL +/xlhk0vp0+jS3+TqgGWSwAAqoCp/+TewUZ9f+GhU0/pkU3HP4+tx35rKN2wxerQj +nMbQ8SphigUeMpc501oDRw6X5ZAasoww +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix index 2fef23d..3314fc6 100644 --- a/system/secrets/secrets.nix +++ b/system/secrets/secrets.nix @@ -17,4 +17,5 @@ in { "miniflux/admin.tix".publicKeys = allSecrets; "mastodon/mail.tix".publicKeys = allSecrets; "taskserver/ca.tix".publicKeys = allSecrets; + "etebase-server/passwd.tix".publicKeys = allSecrets; } diff --git a/system/services/default.nix b/system/services/default.nix index 9998e43..e269dbc 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -1,5 +1,6 @@ {...}: { imports = [ + ./etebase ./fail2ban ./invidious ./keycloak diff --git a/system/services/etebase/default.nix b/system/services/etebase/default.nix new file mode 100644 index 0000000..65cc435 --- /dev/null +++ b/system/services/etebase/default.nix @@ -0,0 +1,42 @@ +{config, ...}: { + services.etebase-server = { + enable = true; + port = 8001; + settings = { + global.secret_file = "${config.age.secrets.etebase-server.path}"; + allowed_hosts = { + allowed_host1 = "etebase.vhack.eu"; + allowed_host2 = "dav.vhack.eu"; + }; + }; + }; + + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + + virtualHosts = { + "etebase.vhack.eu" = { + enableACME = true; + forceSSL = true; + + locations = { + # TODO: Maybe fix permissions to use pregenerated static files which would + # improve performance. + #"/static" = { + # root = config.services.etebase-server.settings.global.static_root; + #}; + "/" = { + proxyPass = "http://127.0.0.1:${builtins.toString config.services.etebase-server.port}"; + }; + }; + serverAliases = [ + "dav.vhack.eu" + ]; + }; + }; + }; +} diff --git a/system/services/nix/default.nix b/system/services/nix/default.nix index ec5fe5d..13be0f0 100644 --- a/system/services/nix/default.nix +++ b/system/services/nix/default.nix @@ -15,6 +15,7 @@ experimental-features = ["nix-command" "flakes"]; trusted-users = [ "root" + "nixremote" "@wheel" ]; }; diff --git a/system/services/taskserver/ca.cert.pem b/system/services/taskserver/certs/ca.cert.pem index d6e5513..d6e5513 100644 --- a/system/services/taskserver/ca.cert.pem +++ b/system/services/taskserver/certs/ca.cert.pem diff --git a/system/services/taskserver/certs/ca.key.pem.gpg b/system/services/taskserver/certs/ca.key.pem.gpg new file mode 100644 index 0000000..f52482d --- /dev/null +++ b/system/services/taskserver/certs/ca.key.pem.gpg Binary files differdiff --git a/system/services/taskserver/certs/check_expire b/system/services/taskserver/certs/check_expire index 59f9dc6..89969cc 100755 --- a/system/services/taskserver/certs/check_expire +++ b/system/services/taskserver/certs/check_expire @@ -1,7 +1,7 @@ #!/bin/sh for cert in *.cert.pem; do - echo $cert - openssl x509 -noout -in $cert -dates - echo + echo "$cert" + openssl x509 -noout -in "$cert" -dates + echo done diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate index 253e4bb..283697f 100755 --- a/system/services/taskserver/certs/generate +++ b/system/services/taskserver/certs/generate @@ -10,13 +10,19 @@ # server.key.pem # server.cert.pem -GENERATION_LOCATION="/run/user/$(id -u)/taskserver/keys"; +GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs"; +BASEDIR="$(dirname "$0")" +cd "$BASEDIR" || echo "(BUG?) No basedir ('$BASEDIR')" 1>&2 + +set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem mkdir -p "$GENERATION_LOCATION" -cp ./vars ./generate.ca ./generate.crl ./generate.client "$GENERATION_LOCATION" +cp "$@" "./ca.cert.pem" "$GENERATION_LOCATION" cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2 -./generate.ca +gpg --decrypt ca.key.pem.gpg > ca.key.pem +cat ./isrgrootx1.pem >> ./ca.cert.pem +[ -f ./ca.key.pem ] || ./generate.ca # Generate a certificate revocation list (CRL). The initial CRL is empty, but # can grow over time. Creates: @@ -28,14 +34,15 @@ cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2 # process per client; Add the required client names and uncomment # ./generate.client <client_name> # -./generate.client soispha -./generate.client android-mobile -./generate.client android-tab # # Creates: # <client_name>.key.pem # <client_name>.cert.pem +# +./generate.client soispha +./generate.client android-mobile +./generate.client android-tab -rm ./vars ./generate.ca ./generate.crl ./generate.client +rm "$@" "./ca.key.pem" echo "(INFO) Look for the keys at: $GENERATION_LOCATION" diff --git a/system/services/taskserver/certs/generate.ca b/system/services/taskserver/certs/generate.ca index 4ffc6e9..a9fbc0c 100755 --- a/system/services/taskserver/certs/generate.ca +++ b/system/services/taskserver/certs/generate.ca @@ -35,7 +35,7 @@ EOF #locality = $LOCALITY fi -if ! [ -f ca.cert.pem ] || [ ca.template -nt ca.cert.pem ] +if ! [ -f ca.cert.pem ] then $CERTTOOL \ --generate-self-signed \ diff --git a/system/services/taskserver/certs/generate.client b/system/services/taskserver/certs/generate.client index 976cb82..4f0e503 100755 --- a/system/services/taskserver/certs/generate.client +++ b/system/services/taskserver/certs/generate.client @@ -16,21 +16,21 @@ then NAME=$1 fi -if ! [ -f ${NAME}.key.pem ] +if ! [ -f "$NAME".key.pem ] then # Create a client key. $CERTTOOL \ --generate-privkey \ --sec-param $SEC_PARAM \ - --outfile ${NAME}.key.pem + --outfile "$NAME".key.pem fi -chmod 600 ${NAME}.key.pem +chmod 600 "$NAME".key.pem -if ! [ -f ${NAME}.template ] +if ! [ -f "$NAME".template ] then # Sign a client cert with the key. - cat <<EOF >${NAME}.template + cat <<EOF >"$NAME".template organization = $ORGANIZATION cn = $CN expiration_days = $EXPIRATION_DAYS @@ -40,15 +40,15 @@ signing_key EOF fi -if ! [ -f ${NAME}.cert.pem ] || [ ${NAME}.template -nt ${NAME}.cert.pem ] +if ! [ -f "$NAME".cert.pem ] then $CERTTOOL \ --generate-certificate \ - --load-privkey ${NAME}.key.pem \ + --load-privkey "$NAME".key.pem \ --load-ca-certificate ca.cert.pem \ --load-ca-privkey ca.key.pem \ - --template ${NAME}.template \ - --outfile ${NAME}.cert.pem + --template "$NAME".template \ + --outfile "$NAME".cert.pem fi -chmod 600 ${NAME}.cert.pem +chmod 600 "$NAME".cert.pem diff --git a/system/services/taskserver/certs/generate.crl b/system/services/taskserver/certs/generate.crl index 6a9daa8..e9f6715 100755 --- a/system/services/taskserver/certs/generate.crl +++ b/system/services/taskserver/certs/generate.crl @@ -18,7 +18,7 @@ expiration_days = $EXPIRATION_DAYS EOF fi -if ! [ -f server.crl.pem ] || [ crl.template -nt server.crl.pem ] +if ! [ -f server.crl.pem ] then $CERTTOOL \ --generate-crl \ diff --git a/system/services/taskserver/certs/isrgrootx1.pem b/system/services/taskserver/certs/isrgrootx1.pem new file mode 100644 index 0000000..b85c803 --- /dev/null +++ b/system/services/taskserver/certs/isrgrootx1.pem @@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 +WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu +ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY +MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc +h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ +0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U +A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW +T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH +B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC +B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv +KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn +OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn +jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw +qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI +rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq +hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL +ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ +3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK +NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 +ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur +TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC +jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc +oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq +4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA +mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d +emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= +-----END CERTIFICATE----- diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix index cd842a1..79ba8ab 100644 --- a/system/services/taskserver/default.nix +++ b/system/services/taskserver/default.nix @@ -7,7 +7,7 @@ in { services.taskserver = { enable = true; pki.manual = { - ca.cert = ./ca.cert.pem; + ca.cert = ./certs/ca.cert.pem; server = { cert = "${taskStore}/fullchain.pem"; key = "${taskStore}/key.pem"; @@ -21,7 +21,10 @@ in { organisations = import ./organisations.nix; openFirewall = true; fqdn = "taskserver.vhack.eu"; - listenHost = "taskserver.vhack.eu"; + + # This should tell taskd to bind to both ipv6 and ipv4 domains: + # This will ONLY work when the kernel option `sys.net.ipv6.bindv6only` is false + listenHost = "::"; }; security.acme.certs.taskserver = { domain = "taskserver.vhack.eu"; diff --git a/system/users/default.nix b/system/users/default.nix index 06020a6..8d4fe34 100644 --- a/system/users/default.nix +++ b/system/users/default.nix @@ -18,7 +18,7 @@ "wheel" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe4o1PM6VasT3KZNl5NYvgkkBrPOg36dqsywd10FztS openpgp:0x21D20D6A" ]; }; |