add some services

2022-02-21 02:25:13 +03:00 · 2022-02-21 02:25:13 +03:00 · 91a5c6a96f
commit 91a5c6a96f
parent 780c4e1289
5 changed files with 250 additions and 5 deletions
--- a/machines/NixOS-CT/default.nix
+++ b/machines/NixOS-CT/default.nix
@ -5,6 +5,9 @@

    nginx
    coturn
+    fail2ban
+    mailserver
+    vaultwarden
  ];

  deviceSpecific.devInfo = {
--- a/profiles/servers/fail2ban.nix
+++ b/profiles/servers/fail2ban.nix
@ -0,0 +1,59 @@
+{ config, pkgs, lib, ... }: {
+  services.openssh.logLevel = "VERBOSE";
+
+  services.fail2ban = {
+    enable = true;
+    maxretry = 3;
+    ignoreIP = [
+      "127.0.0.0/8"
+      "10.0.0.0/8"
+      "172.16.0.0/12"
+      "192.168.0.0/16"
+      # "8.8.8.8"
+    ];
+    jails = {
+      vaultwarden = ''
+        enabled = true
+        port = 80,443,8081
+        filter = vaultwarden
+        banaction = %(banaction_allports)s
+        logpath = /var/log/vaultwarden.log
+        maxretry = 3
+        bantime = 14400
+        findtime = 14400
+      '';
+      vaultwarden-admin = ''
+        enabled = true
+        port = 80,443
+        filter = vaultwarden-admin
+        banaction = %(banaction_allports)s
+        logpath = /var/log/vaultwarden.log
+        maxretry = 3
+        bantime = 14400
+        findtime = 14400
+      '';
+    };
+  };
+
+  environment.etc."fail2ban/filter.d/vaultwarden.conf" = {
+    enable = config.services.vaultwarden.enable;
+    text = ''
+      [INCLUDES]
+      before = common.conf
+      [Definition]
+      failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
+      ignoreregex =
+    '';
+  };
+
+  environment.etc."fail2ban/filter.d/vaultwarden-admin.conf" = {
+    enable = config.services.vaultwarden.enable;
+    text = ''
+      [INCLUDES]
+      before = common.conf
+      [Definition]
+      failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
+      ignoreregex =
+    '';
+  };
+}
--- a/profiles/servers/mailserver.nix
+++ b/profiles/servers/mailserver.nix
@ -0,0 +1,116 @@
+{ pkgs, config, lib, inputs, ... }:
+let
+  module = toString inputs.simple-nixos-mailserver;
+in {
+  imports = [ module ];
+  secrets.mailserver = {
+    owner = "dovecot2:dovecot2";
+    services = [ "dovecot2" ];
+  };
+  secrets.mailserver-vaultwarden = {
+    owner = "dovecot2:dovecot2";
+    services = [ "dovecot2" ];
+  };
+
+  security.acme.certs."mail.ataraxiadev.com" = {
+    webroot = "/var/lib/acme/acme-challenge";
+    postRun = ''
+      systemctl reload postfix
+      systemctl reload dovecot2
+    '';
+  };
+
+  services.postfix = {
+    dnsBlacklists = [
+      "all.s5h.net"
+      "b.barracudacentral.org"
+      "bl.spamcop.net"
+      "blacklist.woody.ch"
+      # "bogons.cymru.com"
+      # "cbl.abuseat.org"
+      # "combined.abuse.ch"
+      # "db.wpbl.info"
+      # "dnsbl-1.uceprotect.net"
+      # "dnsbl-2.uceprotect.net"
+      # "dnsbl-3.uceprotect.net"
+      # "dnsbl.anticaptcha.net"
+      # "dnsbl.dronebl.org"
+      # "dnsbl.inps.de"
+      # "dnsbl.sorbs.net"
+      # "dnsbl.spfbl.net"
+      # "drone.abuse.ch"
+      # "duinv.aupads.org"
+      # "dul.dnsbl.sorbs.net"
+      # "dyna.spamrats.com"
+      # "dynip.rothen.com"
+      # "http.dnsbl.sorbs.net"
+      # "ips.backscatterer.org"
+      # "ix.dnsbl.manitu.net"
+      # "korea.services.net"
+      # "misc.dnsbl.sorbs.net"
+      # "noptr.spamrats.com"
+      # "orvedb.aupads.org"
+      # "pbl.spamhaus.org"
+      # "proxy.bl.gweep.ca"
+      # "psbl.surriel.com"
+      # "relays.bl.gweep.ca"
+      # "relays.nether.net"
+      # "sbl.spamhaus.org"
+      # "singular.ttk.pte.hu"
+      # "smtp.dnsbl.sorbs.net"
+      # "socks.dnsbl.sorbs.net"
+      # "spam.abuse.ch"
+      # "spam.dnsbl.anonmails.de"
+      # "spam.dnsbl.sorbs.net"
+      # "spam.spamrats.com"
+      # "spambot.bls.digibase.ca"
+      # "spamrbl.imp.ch"
+      # "spamsources.fabel.dk"
+      # "ubl.lashback.com"
+      # "ubl.unsubscore.com"
+      # "virus.rbl.jp"
+      # "web.dnsbl.sorbs.net"
+      # "wormrbl.imp.ch"
+      # "xbl.spamhaus.org"
+      # "z.mailspike.net"
+      # "zen.spamhaus.org"
+      # "zombie.dnsbl.sorbs.net"
+    ];
+    dnsBlacklistOverrides = ''
+      ataraxiadev.com OK
+      mail.ataraxiadev.com OK
+      127.0.0.0/8 OK
+      10.0.0.0/8 OK
+      172.16.0.0/12 OK
+      192.168.0.0/16 OK
+    '';
+  };
+  mailserver = rec {
+    enable = true;
+    openFirewall = true;
+    fqdn = "mail.ataraxiadev.com";
+    domains = [ "ataraxiadev.com" ];
+    loginAccounts = {
+      "ataraxiadev@ataraxiadev.com" = {
+        aliases =
+          [ "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root" ];
+        hashedPasswordFile = config.secrets.mailserver.decrypted;
+      };
+      "vaultwarden@ataraxiadev.com" = {
+        aliases = [ "vaultwarden" ];
+        hashedPasswordFile = config.secrets.mailserver-vaultwarden.decrypted;
+      };
+    };
+    localDnsResolver = false;
+    certificateScheme = 1;
+    certificateFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";
+    keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";
+    enableImap = true;
+    enableImapSsl = false;
+    # enablePop3 = true;
+    # enablePop3Ssl = false;
+    enableSubmission = true;
+    enableSubmissionSsl = false;
+    virusScanning = false;
+  };
+}
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -14,6 +14,7 @@
          "jitsi.ataraxiadev.com"
          "stats.ataraxiadev.com"
          "startpage.ataraxiadev.com"
+          "vw.ataraxiadev.com"
        ];
      };
    };
@ -30,10 +31,23 @@
        useACMEHost = "ataraxiadev.com";
        forceSSL = true;
      };
-      proxyPass = {
+      proxySettings = {
        extraConfig = ''
-          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header X-Forwarded-Host $host;
+          proxy_set_header X-Forwarded-Server $host;
+        '';
+      };
+      hardened = {
+        extraConfig = ''
+          add_header X-XSS-Protection "1; mode=block";
+          add_header X-Frame-Options "SAMEORIGIN";
+          add_header X-Robots-Tag "none";
+          add_header Referrer-Policy "strict-origin-when-cross-origin";
+          add_header X-Content-Type-Options "nosniff";
        '';
      };
    in {
@ -43,7 +57,7 @@
          extraConfig = ''
            proxy_set_header X-Forwarded-For $remote_addr;
          '';
-        };
+        } // hardened;
      } // default;
      "matrix:443" = {
        serverAliases = [
@ -62,7 +76,7 @@
        }];
        locations."/" = {
          proxyPass = "http://matrix-ct:81";
-        } // proxyPass;
+        } // proxySettings // hardened;
      } // default;
      "matrix:8448" = {
        serverAliases = [ "matrix.ataraxiadev.com" ];
@ -73,13 +87,31 @@
        }];
        locations."/" = {
          proxyPass = "http://matrix-ct:8449";
-        } // proxyPass;
+        } // proxySettings // hardened;
      } // default;
      "startpage.ataraxiadev.com" = {
        locations."/" = {
          root = "/srv/http/startpage.ataraxiadev.com/";
+          extraConfig = ''
+            add_header X-XSS-Protection "1; mode=block";
+            add_header X-Robots-Tag "none";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+            add_header X-Content-Type-Options "nosniff";
+          '';
        };
      } // default;
+      "vw.ataraxiadev.com" = {
+        locations."/" = {
+          proxyPass = "http://localhost:8812";
+        } // proxySettings // hardened;
+        locations."/notifications/hub" = {
+          proxyPass = "http://localhost:3012";
+          proxyWebsockets = true;
+        } // proxySettings // hardened;
+        locations."/notifications/hub/negotiate" = {
+          proxyPass = "http://localhost:8812";
+        } // proxySettings // hardened;
+      } // default;
    };
  };

--- a/profiles/servers/vaultwarden.nix
+++ b/profiles/servers/vaultwarden.nix
@ -0,0 +1,35 @@
+{ config, pkgs, lib, ... }: {
+  secrets.vaultwarden = {
+    owner = "${toString config.users.users.vaultwarden.uid}";
+    permissions = "400";
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    backupDir = "/backups/vaultwarden";
+    config = {
+      domain = "https://vw.ataraxiadev.com";
+      extendedLogging = true;
+      invitationsAllowed = false;
+      logFile = "/var/log/vaultwarden.log";
+      logLevel = "warn";
+      rocketPort = 8812;
+      showPasswordHint = false;
+      signupsAllowed = false;
+      signupsDomainsWhitelist = "ataraxiadev.com";
+      signupsVerify = true;
+      smtpAuthMechanism = "Login";
+      smtpFrom = "vaultwarden@ataraxiadev.com";
+      smtpFromName = "Vaultwarden";
+      smtpHost = "mail.ataraxiadev.com";
+      smtpPort = 587;
+      smtpSsl = true;
+      websocketAddress = "0.0.0.0";
+      websocketEnabled = true;
+      websocketPort = 3012;
+      webVaultEnabled = true;
+      # rocketWorkers = 10;
+    };
+    environmentFile = config.secrets.vaultwarden.decrypted;
+  };
+}