From 5a0cb28f369c104bb371974df876c8c705b0ee7e Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 18 Mar 2023 16:21:45 +0100
Subject: Refactor: Use better file layout

---
 system/services/acme/default.nix | 30 +++++++++++++
 system/services/default.nix | 9 ++++
 system/services/minecraft/default.nix | 26 ++++++++++++
 system/services/nginx/default.nix | 15 +++++++
 system/services/nix/default.nix | 18 ++++++++
 system/services/opensshd/default.nix | 18 ++++++++
 system/services/rust-motd/default.nix | 79 +++++++++++++++++++++++++++++++++++
 7 files changed, 195 insertions(+)
 create mode 100644 system/services/acme/default.nix
 create mode 100644 system/services/default.nix
 create mode 100644 system/services/minecraft/default.nix
 create mode 100644 system/services/nginx/default.nix
 create mode 100644 system/services/nix/default.nix
 create mode 100644 system/services/opensshd/default.nix
 create mode 100644 system/services/rust-motd/default.nix
(limited to 'system/services')

diff --git a/system/services/acme/default.nix b/system/services/acme/default.nix
new file mode 100644
index 0000000..a163e77
--- /dev/null
+++ b/system/services/acme/default.nix
@@ -0,0 +1,30 @@
+{...}: {
+ users.users.nginx.extraGroups = ["acme"];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "acmechallenge.vhack.eu" = {
+ serverAliases = ["*.vhack.eu"];
+ locations."/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/.challenges";
+ };
+ locations."/" = {
+ return = "301 https://$host$request_uri";
+ };
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin@vhack.eu";
+ certs = {
+ "server1.vhack.eu" = {
+ webroot = "/var/lib/acme/.challenges";
+ group = "nginx";
+ extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"];
+ };
+ };
+ };
+}
diff --git a/system/services/default.nix b/system/services/default.nix
new file mode 100644
index 0000000..acf20f5
--- /dev/null
+++ b/system/services/default.nix
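Review bot: `group = "nginx";` on the `server1.vhack.eu` certificate makes its private key readable by nginx, although `extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"]` suggests this certificate is for the mail endpoints rather than any nginx vhost (later hunks in this series point the mail server at `/var/lib/acme/server1.vhack.eu/key.pem`). nginx only needs the `.challenges` webroot, which `users.users.nginx.extraGroups = ["acme"]` already covers, so the cert group should be the one the mail daemons run under (or a dedicated group) to keep the key out of nginx's worker processes. Worth a comment on `return = "301 https://$host$request_uri";` too: `$host` comes from the client's Host header and is constrained only by `serverAliases = ["*.vhack.eu"]`, so the redirect is safe only as long as this vhost never becomes nginx's default server.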
@@ -0,0 +1,9 @@
+{config, ...}: {
+ imports = [
+ ./acme
+ ./nginx
+ ./nix
+ ./opensshd
+ ./rust-motd
+ ];
+}
diff --git a/system/services/minecraft/default.nix b/system/services/minecraft/default.nix
new file mode 100644
index 0000000..754c974
--- /dev/null
+++ b/system/services/minecraft/default.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ users = {
+ groups.minecraft = {};
+ users.minecraft = {
+ isSystemUser = true;
+ group = "minecraft";
+ };
+ };
+ systemd.services.minecraft = {
+ wantedBy = ["multi-user.target"];
+ after = "network.target";
+ description = "Minecraft Server";
+ serviceConfig = {
+ WorkingDirectory = "/srv/minecraft";
+ User = "minecraft";
+ Group = "minecraft";
+ Restart = "always";
+ ExecStart = "${pkgs.openjdk}/bin/java -Xms10G -Xmx10G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true -jar paper.jar --nogui";
+ SyslogIdentifier = "minecraft-server";
+ };
+ };
+}
diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix
new file mode 100644
index 0000000..204783b
--- /dev/null
+++ b/system/services/nginx/default.nix
@@ -0,0 +1,15 @@
+{...}: {
+ networking.firewall = {
+ allowedTCPPorts = [80 443];
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "vhack.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/srv/www/vhack.eu";
+ };
+ };
+ };
+}
diff --git a/system/services/nix/default.nix b/system/services/nix/default.nix
new file mode 100644
index 0000000..bd562ec
--- /dev/null
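Review bot: `after = "network.target";` is a plain string where `systemd.services.<name>.after` takes a list, so this module most likely fails evaluation (consistent with the later commit in this series that comments the import out instead of fixing it); it should read `after = ["network.target"];`. Beyond that, the unit runs a network-facing Java process with no sandboxing: `serviceConfig` sets only `User`/`Group`/`Restart`, so the server can read the whole filesystem and write anywhere the `minecraft` user can. Everything it needs lives under `WorkingDirectory = "/srv/minecraft"` (including the unpinned `paper.jar` it executes from there), so a strict `ProtectSystem` with that path as the only writable one is cheap; the set below is a starting point and needs a test run against the server's real file usage.
```nix
    after = ["network.target"];
    serviceConfig = {
      # … unchanged: WorkingDirectory, User, Group, Restart, ExecStart, SyslogIdentifier …
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectHome = true;
      ProtectSystem = "strict";
      ReadWritePaths = ["/srv/minecraft"];
    };
```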
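Review bot: the `vhack.eu` vhost turns on `forceSSL` but leaves the nginx module's TLS hardening unset, so protocol versions, cipher list and session-ticket handling are whatever the packaged nginx defaults to; add `recommendedTlsSettings = true;` next to `enable = true;`. A comment would also help here: because an exact server name wins over the `*.vhack.eu` alias of the `acmechallenge.vhack.eu` vhost, port-80 requests for `vhack.eu` are answered by this vhost, and its ACME challenge presumably relies on `enableACME = true` wiring its own challenge location — two ACME paths in one server are easy to break when editing either one.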
+++ b/system/services/nix/default.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ nix = {
+ # gc = {
+ # automatic = true;
+ # dates = "daily";
+ # options = "--delete-older-than 3";
+ # };
+ settings = {
+ auto-optimise-store = true;
+ experimental-features = ["nix-command" "flakes"];
+ };
+ };
+}
diff --git a/system/services/opensshd/default.nix b/system/services/opensshd/default.nix
new file mode 100644
index 0000000..cb9f2ba
--- /dev/null
+++ b/system/services/opensshd/default.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ pkg,
+ ...
+}: {
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ hostKeys = [
+ {
+ comment = "key comment";
+ path = "/srv/sshd/ssh_host_ed25519_key";
+ rounds = 1000;
+ type = "ed25519";
+ }
+ ];
+ };
+}
diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix
new file mode 100644
index 0000000..21bc1cd
--- /dev/null
+++ b/system/services/rust-motd/default.nix
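Review bot: the commented-out `gc` block carries a latent bug — `options = "--delete-older-than 3"` has no unit, and `nix-collect-garbage` expects a duration such as `3d`, so re-enabling the block verbatim will fail; change the comment to `# options = "--delete-older-than 3d";` now so nobody copies it as-is. The `config`, `lib` and `pkgs` arguments are unused in this file and could be reduced to `{...}:` like the sibling modules.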
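Review bot: `passwordAuthentication = false;` does not close password logins on its own — with PAM, OpenSSH's keyboard-interactive method still accepts the account password unless it is disabled as well, so add `kbdInteractiveAuthentication = false;` (the exact option name depends on the NixOS release; newer ones spell it `settings.KbdInteractiveAuthentication`). Two smaller points: the module argument is spelled `pkg` rather than `pkgs` (harmless only because it is unused), and `rounds = 1000` controls the passphrase KDF of the generated key, which has no effect on an unencrypted host key — either drop it or add `# no-op for an unencrypted host key` so it is not mistaken for hardening.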
@@ -0,0 +1,79 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ programs.rust-motd = {
+ enable = true;
+ enableMotdInSSHD = true;
+ refreshInterval = "*:0/5"; # 0/5 means: hour 0 AND all hour wich match (0 + 5 * x) (is the same as: 0, 5, 10, 15, 20)
+ settings = {
+ global = {
+ progress_full_character = "=";
+ progress_empty_character = "-";
+ progress_prefix = "[";
+ progress_suffix = "]";
+ time_format = "%Y-%m-%d %H:%M:%S";
+ };
+
+ banner = {
+ color = "red";
+ command = "${pkgs.hostname}/bin/hostname | ${pkgs.figlet}/bin/figlet -f slant";
+ # if you don't want a dependency on figlet, you can generate your
+ # banner however you want, put it in a file, and then use something like:
+ # command = "cat banner.txt"
+ };
+
+ # [weather]
+ # url = "https://wttr.in/New+York,New+York?0"
+ # proxy = "http://proxy:8080"
+
+ # [service_status]
+ # Accounts = "accounts-daemon"
+ # Cron = "cron"
+
+ # [docker_status]
+ # Local containers MUST start with a slash
+ # https://github.com/moby/moby/issues/6705
+ #"/nextcloud-nextcloud-1" = "Nextcloud"
+ #"/nextcloud-nextcloud-mariadb-1" = "Nextcloud Database"
+
+ uptime = {
+ prefix = "Uptime:";
+ };
+
+ # [user_service_status]
+ # gpg-agent = "gpg-agent"
+
+ #s_s_l_certs = {
+ # sort_method = "manual"
+ #
+ # certs = {
+ # CertName1 = "/path/to/cert1.pem"
+ # CertName2 = "/path/to/cert2.pem"
+ # }
+ #};
+
+ filesystems = {
+ root = "/";
+ };
+
+ memory = {
+ swap_pos = "beside"; # or "below" or "none"
+ };
+
+ fail2_ban = {
+ jails = ["sshd"]; #, "anotherjail"]
+ };
+
+ last_login = {
+ sils = 2;
+ soispha = 2;
+ nightingale = 2;
+ };
+
+ last_run = {
+ };
+ };
+ };
+}
--
cgit 1.4.1
From dc4334de217175ad7d1c0a4e2e3f98b2fef51784 Mon Sep 17 00:00:00 2001
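Review bot: the comment on `refreshInterval = "*:0/5"` misreads the systemd calendar syntax — `*:0/5` matches every hour at minute 0 and every fifth minute after it (0, 5, …, 55), not "hour 0"; suggest `# systemd OnCalendar: every 5 minutes (minute 0/5/…/55 of every hour)`. The `fail2_ban = { jails = ["sshd"]; }` section assumes a running fail2ban and its client on the path, neither of which this commit provides, so until they are added that block will presumably render an error — a comment naming the dependency would help. `last_login` hard-codes three usernames although `config` is taken as an argument; deriving the list from `config.users.users` would keep it in sync when accounts are added or removed.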
From: ene
Date: Sat, 18 Mar 2023 16:56:04 +0100
Subject: Fix(system/users): Remove unneeded root ssh login keys

All users are in the wheel group, thus direct login as root is no longer needed.

---
 system/services/opensshd/default.nix | 1 -
 system/users/default.nix | 7 ++-----
 2 files changed, 2 insertions(+), 6 deletions(-)
(limited to 'system/services')

diff --git a/system/services/opensshd/default.nix b/system/services/opensshd/default.nix
index cb9f2ba..75c5aef 100644
--- a/system/services/opensshd/default.nix
+++ b/system/services/opensshd/default.nix
@@ -8,7 +8,6 @@
 passwordAuthentication = false;
 hostKeys = [
 {
- comment = "key comment";
 path = "/srv/sshd/ssh_host_ed25519_key";
 rounds = 1000;
 type = "ed25519";
diff --git a/system/users/default.nix b/system/users/default.nix
index 34e1648..3555221 100644
--- a/system/users/default.nix
+++ b/system/users/default.nix
@@ -5,11 +5,8 @@
 users.users = {
 root = {
 #uid = 0;
- #initialHashedPassword = null; # to lock root
- # Backup, if something happens. TODO remove this later
+ initialHashedPassword = null; # to lock root
 openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
 ];
 };
@@ -17,7 +14,7 @@
 name = "sils";
 isNormalUser = true;
 home = "/srv/home/sils";
- initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE
+ initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC";
 uid = 1000;
 extraGroups = [
 "wheel"
--
cgit 1.4.1
From 083a7cbb9623c90468c887203bf95adc5f2e3201 Mon Sep 17 00:00:00 2001
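Review bot: `initialHashedPassword = null; # to lock root` does not lock anything — `null` is the option's default and only means "no password at account creation", and under mutable users (the NixOS default) an already-set root password stays valid. If a locked root account is the intent, set `hashedPassword = "!";` (or switch to `users.mutableUsers = false`, which locks accounts that have no password), and since root now has no authorized keys, pair it with `permitRootLogin = "no"` in the sshd module. The enclosing `users.users` set continues outside the hunk.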
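Review bot: this hunk drops the `# TODO CHANGE` note but leaves the yescrypt hash of sils' password in the repository, where it lives on in git history and in the world-readable Nix store — an offline cracking target. Move it out of the tree with `passwordFile` (newer releases call it `hashedPasswordFile`) pointing at a file outside the store, or a secrets tool, and rotate the password since this hash has already been published. Note also that `initialHashedPassword` is only applied when the account is first created, so editing it here later will not change the live account under mutable users.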
From: ene
Date: Sun, 19 Mar 2023 17:43:26 +0100
Subject: Fix(system/mail): Only accept connections on safe ports

It is sort of standard to ignore connections over the unencrypted port 25, thus we are doing the same.

---
 system/mail/default.nix | 4 ++--
 system/services/default.nix | 2 ++
 system/services/firewall/default.nix | 11 +++++++++++
 3 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 system/services/firewall/default.nix
(limited to 'system/services')

diff --git a/system/mail/default.nix b/system/mail/default.nix
index 8eaa53b..7102958 100644
--- a/system/mail/default.nix
+++ b/system/mail/default.nix
@@ -30,13 +30,11 @@ in {
 "admin@vhack.eu" = all_admins;
 };
-
 mailDirectory = "/srv/mail/vmail";
 dkimKeyDirectory = "/srv/mail/dkim";
 sieveDirectory = "/srv/mail/sieve";
 backup.snapshotRoot = "/srv/mail/backup";
-
 enableImap = false;
 enableImapSsl = true;
 enablePop3 = false;
@@ -44,8 +42,10 @@ in {
 # SMTP
 enableSubmission = false;
 enableSubmissionSsl = true;
+ openFirewall = false; # handled below
 keyFile = "/var/lib/acme/server1.vhack.eu/key.pem";
 certificateScheme = 1;
 certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem";
+
 }
diff --git a/system/services/default.nix b/system/services/default.nix
index acf20f5..4c39b8b 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,6 +1,8 @@
 {config, ...}: {
 imports = [
 ./acme
+ ./firewall
+ ./minecraft
 ./nginx
 ./nix
 ./opensshd
diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix
new file mode 100644
index 0000000..23dbcc4
--- /dev/null
+++ b/system/services/firewall/default.nix
@@ -0,0 +1,11 @@
+# vim: ts=2
+{...}: {
+ networking.firewall = {
+ allowedTCPPorts = [
+ # for mail protocols:
+ 465 # SMTP SSL
+ 995 # POP3 SSL
+ 993 # IMAP SSL
+ ];
+ };
+}
--
cgit 1.4.1
From 055f4e0191bba4c0dc1000dd2089906119717883 Mon Sep 17 00:00:00 2001
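Review bot: closing port 25 stops all inbound mail rather than removing an "unsafe" path — 25 is the only port other MTAs deliver to, and encrypted server-to-server delivery happens on it via STARTTLS — so `openFirewall = false` here together with the `[465 995 993]` list in the new firewall module leaves this server unreachable for incoming mail. If the goal is to refuse plaintext, enforce TLS in the MTA's policy (for Postfix, `smtpd_tls_security_level`) instead of dropping the port. Also `# handled below` points at a different file; `# ports opened in services/firewall/default.nix` would make the coupling findable.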
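Review bot: `995 # POP3 SSL` is opened while the mail hunk in this same commit sets `enablePop3 = false` and enables no POP3-over-TLS option, so the rule exposes a port nothing listens on; drop it or enable the matching service. The list also lacks `25`, without which no remote MTA can deliver to this host. A comment tying this file to `openFirewall = false` in `system/mail/default.nix` would make clear that these numbers must track the mail module's enabled protocols.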
From: ene
Date: Sun, 19 Mar 2023 17:46:18 +0100
Subject: Fix(system/services/minecraft): Remove to make compile

---
 system/services/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'system/services')

diff --git a/system/services/default.nix b/system/services/default.nix
index 4c39b8b..f36cb29 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -2,7 +2,7 @@
 imports = [
 ./acme
 ./firewall
- ./minecraft
+ #./minecraft
 ./nginx
 ./nix
 ./opensshd
--
cgit 1.4.1
From 8d8ad7a9f79ba88cc5b07e8f5f4d1a4cded4ff1b Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 25 Mar 2023 13:41:53 +0100
Subject: Feat(system/services/fail2ban): Add fail2ban

This should clear the logs somewhat.

---
 system/services/default.nix | 1 +
 system/services/fail2ban/default.nix | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 system/services/fail2ban/default.nix
(limited to 'system/services')

diff --git a/system/services/default.nix b/system/services/default.nix
index f36cb29..5d9e5b6 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -7,5 +7,6 @@
 ./nix
 ./opensshd
 ./rust-motd
+ ./fail2ban
 ];
 }
diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix
new file mode 100644
index 0000000..5b5e9e7
--- /dev/null
+++ b/system/services/fail2ban/default.nix
@@ -0,0 +1,14 @@
+# vim: ts=2
+{...}: {
+ services.fail2ban = {
+ enable = true;
+ maxretry = 2; # ban after 2 failures
+ bantime-increment = {
+ enable = true;
+ rndtime = "8m";
+ overalljails = true;
+ multipliers = "2 4 16 128 256";
+ maxtime = "72h";
+ };
+ };
+}
--
cgit 1.4.1
From 1fc72de6b6606f6c97ccf9883a88705260dd3ac8 Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 25 Mar 2023 13:59:51 +0100
Subject: Fix(system/services/fail2ban): Make db persistent

---
 system/services/fail2ban/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'system/services')

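Review bot: commenting out `./minecraft` hides the evaluation error rather than fixing it; the likely cause is `after = "network.target"` in that module being a string where a list is expected, which is a one-token change (`after = ["network.target"];`). If the service is not wanted at all, delete the import and the file instead of leaving a commented line to accumulate alongside others.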
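Review bot: there is no `ignoreIP`, and with `maxretry = 2` plus `bantime-increment` growing to `maxtime = "72h"`, two mistyped passphrases from an admin's own address lock that admin out for up to three days — and a later commit makes the ban database survive reboots. Add `ignoreIP = ["127.0.0.0/8" "::1"];` extended with the management addresses or networks the admins actually connect from. A short comment that the `sshd` jail is enabled by the NixOS module default would also help readers who look for it in this file.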
diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix
index 5b5e9e7..949b486 100644
--- a/system/services/fail2ban/default.nix
+++ b/system/services/fail2ban/default.nix
@@ -3,6 +3,13 @@
 services.fail2ban = {
 enable = true;
 maxretry = 2; # ban after 2 failures
+ daemonConfig = ''
+ [Definition]
+ logtarget = SYSLOG
+ socket = /run/fail2ban/fail2ban.sock
+ pidfile = /run/fail2ban/fail2ban.pid
+ dbfile = /srv/fail2ban/fail2ban.sqlite3
+ '';
 bantime-increment = {
 enable = true;
 rndtime = "8m";
--
cgit 1.4.1
From dce980ddb127a470b188fd6efbfb8ddb5b0fe315 Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 25 Mar 2023 14:00:29 +0100
Subject: Feat(system/services/fail2ban): Add dovecot jail

This should reduce the log spam even further.

---
 system/services/fail2ban/default.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'system/services')

diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix
index 949b486..5aee097 100644
--- a/system/services/fail2ban/default.nix
+++ b/system/services/fail2ban/default.nix
@@ -17,5 +17,14 @@
 multipliers = "2 4 16 128 256";
 maxtime = "72h";
 };
+ jails = {
+ dovecot = ''
+ # block IPs which failed to log-in
+ # aggressive mode add blocking for aborted connections
+ enabled = true
+ filter = dovecot[mode=aggressive]
+ maxretry = 2
+ '';
+ };
 };
 }
--
cgit 1.4.1
From 64a554d1af2de6d07ebe61be1f5a3181a5f90b81 Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 25 Mar 2023 14:32:23 +0100
Subject: Fix(system/services/rust-motd): Add fail2ban binary

---
 system/services/rust-motd/default.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'system/services')

diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix
index 21bc1cd..4f65dce 100644
--- a/system/services/rust-motd/default.nix
+++ b/system/services/rust-motd/default.nix
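Review bot: `dbfile = /srv/fail2ban/fail2ban.sqlite3` points into a directory nothing in this configuration creates, and fail2ban will presumably not create `/srv/fail2ban` on its own, so a fresh deployment fails to open the database; add `systemd.tmpfiles.rules = ["d /srv/fail2ban 0700 root root -"];` (or an equivalent) beside the service. Replacing the whole `daemonConfig` also re-states `logtarget`, `socket` and `pidfile`, which must stay in step with what the NixOS unit expects — a comment saying only `dbfile` differs from the module default would keep future edits safe.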
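Review bot: `filter = dovecot[mode=aggressive]` bans on aborted connections as well as failed logins, and together with `maxretry = 2` and the incremental bans configured above, a client with a flaky TLS handshake or an uptime probe can be banned for a long time; the comment says what aggressive mode does but not why that trade-off is acceptable here. Either document the reasoning or start this jail with the normal mode and a higher `maxretry`. The jail text also relies on fail2ban's bundled `[dovecot]` defaults for `port` and log source, which is fine but worth a one-line comment.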
@@ -3,6 +3,15 @@
 pkgs,
 ...
 }: {
+ systemd.services.rust-motd = {
+ path = builtins.attrValues {
+ inherit
+ (pkgs)
+ bash
+ fail2ban # Needed for rust-motd fail2ban integration
+ ;
+ };
+ };
 programs.rust-motd = {
 enable = true;
 enableMotdInSSHD = true;
--
cgit 1.4.1
From 4758e5881daa1aa762c6e6e9734faea618dea70c Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 25 Mar 2023 14:32:56 +0100
Subject: Feat(system/services/rust-motd): Show status of ssl-certs

---
 system/services/rust-motd/default.nix | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
(limited to 'system/services')

diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix
index 4f65dce..100fcb4 100644
--- a/system/services/rust-motd/default.nix
+++ b/system/services/rust-motd/default.nix
@@ -54,14 +54,14 @@
 # [user_service_status]
 # gpg-agent = "gpg-agent"
- #s_s_l_certs = {
- # sort_method = "manual"
- #
- # certs = {
- # CertName1 = "/path/to/cert1.pem"
- # CertName2 = "/path/to/cert2.pem"
- # }
- #};
+ s_s_l_certs = {
+ sort_method = "manual";
+
+ certs = {
+ server1.vhack.eu = "/var/lib/acme/server1.vhack.eu/cert.pem";
+ vhack.eu = "/var/lib/acme/vhack.eu/cert.pem";
+ };
+ };
 filesystems = {
 root = "/";
--
cgit 1.4.1
From f84a9f6a80657d9c9f072a9338d46f7d8c2b79f5 Mon Sep 17 00:00:00 2001
From: ene
Date: Sat, 25 Mar 2023 14:33:48 +0100
Subject: Feat(system/services/rust-motd): Info about filesystems

---
 system/services/rust-motd/default.nix | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'system/services')

diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix
index 100fcb4..f21c0c4 100644
--- a/system/services/rust-motd/default.nix
+++ b/system/services/rust-motd/default.nix
@@ -65,6 +65,9 @@
 filesystems = {
 root = "/";
+ persistent = "/srv";
+ store = "/nix";
+ boot = "/boot";
 };
 memory = {
--
cgit 1.4.1
From f21504ae85559a2b5a6381afeda451e1eb310f9d Mon Sep 17 00:00:00 2001
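Review bot: `path = builtins.attrValues { inherit (pkgs) bash fail2ban; };` is a roundabout spelling of a two-element list; `path = [pkgs.bash pkgs.fail2ban];` says the same thing and keeps the inline comment readable. Separately, `fail2ban-client` talks to `/run/fail2ban/fail2ban.sock`, which is root-owned, so the `fail2_ban` section only works if the rust-motd service runs as root or is granted access to that socket — worth confirming and noting next to this `path`.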
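Review bot: the unquoted keys `server1.vhack.eu = …` and `vhack.eu = …` are parsed by Nix as nested attribute paths (`server1 = { vhack = { eu = …; }; }`), not as certificate names, so rust-motd receives the wrong structure; the names need quoting, e.g. `"server1.vhack.eu" = "/var/lib/acme/server1.vhack.eu/cert.pem";`. Also the `/var/lib/acme/<name>/` directories are typically not world-readable, so whichever user runs rust-motd must be in the certificate's group (`nginx` for `server1.vhack.eu`, per the acme module) for the status to show; a comment recording that requirement would save debugging. The enclosing `settings` set continues outside the hunk.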
From: ene
Date: Sat, 25 Mar 2023 14:40:30 +0100
Subject: Fix(system/services/rust-motd): Quote ssl-cert names

---
 system/services/rust-motd/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'system/services')

diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix
index f21c0c4..1a41b32 100644
--- a/system/services/rust-motd/default.nix
+++ b/system/services/rust-motd/default.nix
@@ -58,8 +58,8 @@
 sort_method = "manual";
 certs = {
- server1.vhack.eu = "/var/lib/acme/server1.vhack.eu/cert.pem";
- vhack.eu = "/var/lib/acme/vhack.eu/cert.pem";
+ "server1.vhack.eu" = "/var/lib/acme/server1.vhack.eu/cert.pem";
+ "vhack.eu" = "/var/lib/acme/vhack.eu/cert.pem";
 };
 };
--
cgit 1.4.1
From cb92ffc878fcb417bd66b3b30ef1ff189a5aa44c Mon Sep 17 00:00:00 2001
From: ene
Date: Fri, 7 Apr 2023 22:02:24 +0200
Subject: Fix(system/mail): Allow opening ports in the firewall

As the previous configuration only opened some ports, receiving mail was impossible. This allows NSM to open the required ports directly, ensuring that none was missed.

SECURITY: As all other options than SSL are still disabled, this change should not introduce unencrypted mail transfer. This has not been tested.

---
 system/mail/default.nix | 2 +-
 system/services/default.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'system/services')

diff --git a/system/mail/default.nix b/system/mail/default.nix
index d2fd55c..b1da088 100644
--- a/system/mail/default.nix
+++ b/system/mail/default.nix
@@ -42,7 +42,7 @@ in {
 # SMTP
 enableSubmission = false;
 enableSubmissionSsl = true;
- openFirewall = false; # handled below
+ openFirewall = true;
 keyFile = "/var/lib/acme/server1.vhack.eu/key.pem";
 certificateScheme = 1;
diff --git a/system/services/default.nix b/system/services/default.nix
index 5d9e5b6..6e5cb3c 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
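Review bot: the `SECURITY:` paragraph in the commit message needs qualifying: `openFirewall = true;` presumably opens port 25 as well, since inbound MX delivery has to be reachable, and 25 is an opportunistic-STARTTLS port, so plaintext server-to-server transfer remains possible regardless of the submission and IMAP options being SSL-only. That is normal for a mail server, but the note reads as if nothing unencrypted remains; if plaintext must be refused, configure the MTA's TLS policy rather than rely on port selection. Record the opened set in a comment here, e.g. `openFirewall = true; # opens 25 (MX, STARTTLS) plus the enabled SSL ports`, and test it, as the message admits this was not done.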
@@ -1,7 +1,7 @@
 {config, ...}: {
 imports = [
 ./acme
- ./firewall
+# ./firewall
 #./minecraft
 ./nginx
 ./nix
--
cgit 1.4.1
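Review bot: `# ./firewall` leaves `system/services/firewall/default.nix` in the tree with no importer, right next to the already commented `#./minecraft`, so the imports list is accumulating dead entries; delete the line and the orphaned file (git keeps the history) instead of commenting them out. If the file is kept as a reference for manual port control, a comment above the list should say why it is disabled and that the mail module now owns those ports, so the next reader does not re-enable it and double-open them.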