From 91a5c6a96f5a828f98ee99a3e5a01991a7fcfdc0 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Mon, 21 Feb 2022 02:25:13 +0300
Subject: [PATCH] add some services
---
 machines/NixOS-CT/default.nix | 3 +
 profiles/servers/fail2ban.nix | 59 ++++++++++++++++
 profiles/servers/mailserver.nix | 116 +++++++++++++++++++++++++++++++
 profiles/servers/nginx.nix | 42 +++++++++--
 profiles/servers/vaultwarden.nix | 35 ++++++++++
 5 files changed, 250 insertions(+), 5 deletions(-)
 create mode 100644 profiles/servers/fail2ban.nix
 create mode 100644 profiles/servers/mailserver.nix
 create mode 100644 profiles/servers/vaultwarden.nix
diff --git a/machines/NixOS-CT/default.nix b/machines/NixOS-CT/default.nix
index 5702d41..340f9de 100644
--- a/machines/NixOS-CT/default.nix
+++ b/machines/NixOS-CT/default.nix
@@ -5,6 +5,9 @@
 nginx
 coturn
+ fail2ban
+ mailserver
+ vaultwarden
 ];
 deviceSpecific.devInfo = {
diff --git a/profiles/servers/fail2ban.nix b/profiles/servers/fail2ban.nix
new file mode 100644
index 0000000..15dce1f
--- /dev/null
+++ b/profiles/servers/fail2ban.nix
@@ -0,0 +1,59 @@
+{ config, pkgs, lib, ... }: {
+ services.openssh.logLevel = "VERBOSE";
+
+ services.fail2ban = {
+ enable = true;
+ maxretry = 3;
+ ignoreIP = [
+ "127.0.0.0/8"
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "192.168.0.0/16"
+ # "8.8.8.8"
+ ];
+ jails = {
+ vaultwarden = ''
+ enabled = true
+ port = 80,443,8081
+ filter = vaultwarden
+ banaction = %(banaction_allports)s
+ logpath = /var/log/vaultwarden.log
+ maxretry = 3
+ bantime = 14400
+ findtime = 14400
+ '';
+ vaultwarden-admin = ''
+ enabled = true
+ port = 80,443
+ filter = vaultwarden-admin
+ banaction = %(banaction_allports)s
+ logpath = /var/log/vaultwarden.log
+ maxretry = 3
+ bantime = 14400
+ findtime = 14400
+ '';
+ };
+ };
+
+ environment.etc."fail2ban/filter.d/vaultwarden.conf" = {
+ enable = config.services.vaultwarden.enable;
+ text = ''
+ [INCLUDES]
+ before = common.conf
+ [Definition]
+ failregex = ^.*Username or password is incorrect\. Try again\. IP: \. Username:.*$
+ ignoreregex =
+ '';
+ };
+
+ environment.etc."fail2ban/filter.d/vaultwarden-admin.conf" = {
+ enable = config.services.vaultwarden.enable;
+ text = ''
+ [INCLUDES]
+ before = common.conf
+ [Definition]
+ failregex = ^.*Invalid admin token\. IP: .*$
+ ignoreregex =
+ '';
+ };
+}
\ No newline at end of file
diff --git a/profiles/servers/mailserver.nix b/profiles/servers/mailserver.nix
new file mode 100644
index 0000000..ca9dbf8
--- /dev/null
+++ b/profiles/servers/mailserver.nix
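Review bot: Both `failregex` lines have no `<HOST>` (or `<ADDR>`) capture — `IP: \. Username:` matches the literal text `IP: .` and `IP: .*$` consumes the address without capturing it — so the jails have nothing to ban, and fail2ban rejects a filter with no failure-id group when the jail starts. It is plausible the angle-bracketed placeholder was stripped by whatever rendered this page; if the file really reads this way the lines should be `failregex = ^.*Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$` and `failregex = ^.*Invalid admin token\. IP: <HOST>.*$`. `logpath = /var/log/vaultwarden.log` must exist when fail2ban starts and be writable by the vaultwarden unit; if the NixOS module runs it under `ProtectSystem=strict` (I believe it does) the file is never written and nothing is ever matched, so verify after a deliberate failed login or add the path to the unit's `ReadWritePaths`. Both jails are unconditional while the two filter files are gated on `config.services.vaultwarden.enable`, so disabling vaultwarden leaves fail2ban referencing missing filters; wrapping the jails in the same `lib.mkIf config.services.vaultwarden.enable` keeps them in step. `port = 80,443,8081` is ignored with `banaction_allports`, and 8081 matches nothing in this patch (vaultwarden listens on 8812), so drop or correct it to avoid misleading a later reader.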
@@ -0,0 +1,116 @@
+{ pkgs, config, lib, inputs, ... }:
+let
+ module = toString inputs.simple-nixos-mailserver;
+in {
+ imports = [ module ];
+ secrets.mailserver = {
+ owner = "dovecot2:dovecot2";
+ services = [ "dovecot2" ];
+ };
+ secrets.mailserver-vaultwarden = {
+ owner = "dovecot2:dovecot2";
+ services = [ "dovecot2" ];
+ };
+
+ security.acme.certs."mail.ataraxiadev.com" = {
+ webroot = "/var/lib/acme/acme-challenge";
+ postRun = ''
+ systemctl reload postfix
+ systemctl reload dovecot2
+ '';
+ };
+
+ services.postfix = {
+ dnsBlacklists = [
+ "all.s5h.net"
+ "b.barracudacentral.org"
+ "bl.spamcop.net"
+ "blacklist.woody.ch"
+ # "bogons.cymru.com"
+ # "cbl.abuseat.org"
+ # "combined.abuse.ch"
+ # "db.wpbl.info"
+ # "dnsbl-1.uceprotect.net"
+ # "dnsbl-2.uceprotect.net"
+ # "dnsbl-3.uceprotect.net"
+ # "dnsbl.anticaptcha.net"
+ # "dnsbl.dronebl.org"
+ # "dnsbl.inps.de"
+ # "dnsbl.sorbs.net"
+ # "dnsbl.spfbl.net"
+ # "drone.abuse.ch"
+ # "duinv.aupads.org"
+ # "dul.dnsbl.sorbs.net"
+ # "dyna.spamrats.com"
+ # "dynip.rothen.com"
+ # "http.dnsbl.sorbs.net"
+ # "ips.backscatterer.org"
+ # "ix.dnsbl.manitu.net"
+ # "korea.services.net"
+ # "misc.dnsbl.sorbs.net"
+ # "noptr.spamrats.com"
+ # "orvedb.aupads.org"
+ # "pbl.spamhaus.org"
+ # "proxy.bl.gweep.ca"
+ # "psbl.surriel.com"
+ # "relays.bl.gweep.ca"
+ # "relays.nether.net"
+ # "sbl.spamhaus.org"
+ # "singular.ttk.pte.hu"
+ # "smtp.dnsbl.sorbs.net"
+ # "socks.dnsbl.sorbs.net"
+ # "spam.abuse.ch"
+ # "spam.dnsbl.anonmails.de"
+ # "spam.dnsbl.sorbs.net"
+ # "spam.spamrats.com"
+ # "spambot.bls.digibase.ca"
+ # "spamrbl.imp.ch"
+ # "spamsources.fabel.dk"
+ # "ubl.lashback.com"
+ # "ubl.unsubscore.com"
+ # "virus.rbl.jp"
+ # "web.dnsbl.sorbs.net"
+ # "wormrbl.imp.ch"
+ # "xbl.spamhaus.org"
+ # "z.mailspike.net"
+ # "zen.spamhaus.org"
+ # "zombie.dnsbl.sorbs.net"
+ ];
+ dnsBlacklistOverrides = ''
+ ataraxiadev.com OK
+ mail.ataraxiadev.com OK
+ 127.0.0.0/8 OK
+ 10.0.0.0/8 OK
+ 172.16.0.0/12 OK
+ 192.168.0.0/16 OK
+ '';
+ };
+ mailserver = rec {
+ enable = true;
+ openFirewall = true;
+ fqdn = "mail.ataraxiadev.com";
+ domains = [ "ataraxiadev.com" ];
+ loginAccounts = {
+ "ataraxiadev@ataraxiadev.com" = {
+ aliases =
+ [ "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root" ];
+ hashedPasswordFile = config.secrets.mailserver.decrypted;
+ };
+ "vaultwarden@ataraxiadev.com" = {
+ aliases = [ "vaultwarden" ];
+ hashedPasswordFile = config.secrets.mailserver-vaultwarden.decrypted;
+ };
+ };
+ localDnsResolver = false;
+ certificateScheme = 1;
+ certificateFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";
+ keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";
+ enableImap = true;
+ enableImapSsl = false;
+ # enablePop3 = true;
+ # enablePop3Ssl = false;
+ enableSubmission = true;
+ enableSubmissionSsl = false;
+ virusScanning = false;
+ };
+}
\ No newline at end of file
diff --git a/profiles/servers/nginx.nix b/profiles/servers/nginx.nix
index c13c71f..e01de5d 100644
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@@ -14,6 +14,7 @@
 "jitsi.ataraxiadev.com"
 "stats.ataraxiadev.com"
 "startpage.ataraxiadev.com"
+ "vw.ataraxiadev.com"
 ];
 };
 };
@@ -30,10 +31,23 @@
 useACMEHost = "ataraxiadev.com";
 forceSSL = true;
 };
- proxyPass = {
+ proxySettings = {
 extraConfig = ''
- proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ '';
+ };
+ hardened = {
+ extraConfig = ''
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Robots-Tag "none";
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header X-Content-Type-Options "nosniff";
+ '';
+ };
 in {
@@ -43,7 +57,7 @@
 extraConfig = ''
 proxy_set_header X-Forwarded-For $remote_addr;
 '';
- };
+ } // hardened;
 } // default;
 "matrix:443" = {
 serverAliases = [
@@ -62,7 +76,7 @@
 }];
 locations."/" = {
 proxyPass = "http://matrix-ct:81";
- } // proxyPass;
+ } // proxySettings // hardened;
 } // default;
 "matrix:8448" = {
 serverAliases = [ "matrix.ataraxiadev.com" ];
@@ -73,13 +87,31 @@
 }];
 locations."/" = {
 proxyPass = "http://matrix-ct:8449";
- } // proxyPass;
+ } // proxySettings // hardened;
 } // default;
 "startpage.ataraxiadev.com" = {
 locations."/" = {
 root = "/srv/http/startpage.ataraxiadev.com/";
+ extraConfig = ''
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag "none";
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header X-Content-Type-Options "nosniff";
+ '';
 };
 } // default;
+ "vw.ataraxiadev.com" = {
+ locations."/" = {
+ proxyPass = "http://localhost:8812";
+ } // proxySettings // hardened;
+ locations."/notifications/hub" = {
+ proxyPass = "http://localhost:3012";
+ proxyWebsockets = true;
+ } // proxySettings // hardened;
+ locations."/notifications/hub/negotiate" = {
+ proxyPass = "http://localhost:8812";
+ } // proxySettings // hardened;
+ } // default;
 };
 };
diff --git a/profiles/servers/vaultwarden.nix b/profiles/servers/vaultwarden.nix
new file mode 100644
index 0000000..f1006fb
--- /dev/null
+++ b/profiles/servers/vaultwarden.nix
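Review bot: `} // hardened;` discards this location's own `extraConfig` (the `proxy_set_header X-Forwarded-For $remote_addr;` two lines above), because `//` is a shallow attribute-set update and `hardened` defines `extraConfig` too; after this change the vhost emits the security headers but passes no forwarded-for address to its backend. Concatenate instead of merging: `extraConfig = '' proxy_set_header X-Forwarded-For $remote_addr; '' + hardened.extraConfig;` and drop the `// hardened`. The same shallow-merge loss applies at every `// proxySettings // hardened` site further down, where `hardened.extraConfig` silently replaces the whole proxy-header block. The location and vhost this hunk belongs to begin outside the hunk.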
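Review bot: The `startpage.ataraxiadev.com` location re-types four of the five `hardened` headers by hand and leaves out `X-Frame-Options`; if the page is meant to be embedded elsewhere, a comment such as `# no X-Frame-Options: startpage is loaded in an iframe` records the exception, otherwise `extraConfig = hardened.extraConfig;` keeps the two lists from drifting apart. For the new `vw.ataraxiadev.com` vhost the `/notifications/hub` (websocket, port 3012) and `/notifications/hub/negotiate` (port 8812) split follows vaultwarden's documented nginx layout; it is worth a comment that `locations."/"` also fronts `/admin`, so any network-level restriction on the admin panel has to be a separate `locations."/admin"` block rather than something this vhost provides.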
@@ -0,0 +1,35 @@
+{ config, pkgs, lib, ... }: {
+ secrets.vaultwarden = {
+ owner = "${toString config.users.users.vaultwarden.uid}";
+ permissions = "400";
+ };
+
+ services.vaultwarden = {
+ enable = true;
+ backupDir = "/backups/vaultwarden";
+ config = {
+ domain = "https://vw.ataraxiadev.com";
+ extendedLogging = true;
+ invitationsAllowed = false;
+ logFile = "/var/log/vaultwarden.log";
+ logLevel = "warn";
+ rocketPort = 8812;
+ showPasswordHint = false;
+ signupsAllowed = false;
+ signupsDomainsWhitelist = "ataraxiadev.com";
+ signupsVerify = true;
+ smtpAuthMechanism = "Login";
+ smtpFrom = "vaultwarden@ataraxiadev.com";
+ smtpFromName = "Vaultwarden";
+ smtpHost = "mail.ataraxiadev.com";
+ smtpPort = 587;
+ smtpSsl = true;
+ websocketAddress = "0.0.0.0";
+ websocketEnabled = true;
+ websocketPort = 3012;
+ webVaultEnabled = true;
+ # rocketWorkers = 10;
+ };
+ environmentFile = config.secrets.vaultwarden.decrypted;
+ };
+}
\ No newline at end of file
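Review bot: `signupsDomainsWhitelist = "ataraxiadev.com"` undercuts `signupsAllowed = false`: vaultwarden's documented behaviour is that a non-empty `SIGNUPS_DOMAINS_WHITELIST` permits registration for the listed domains even when `SIGNUPS_ALLOWED` is false, so anyone who can receive mail at `@ataraxiadev.com` (the only gate left, via `signupsVerify = true`) can still create an account; if the instance is meant to be closed, remove the whitelist line, and if "anyone at my domain" is the intent, say so in a comment next to it. `websocketAddress = "0.0.0.0"` binds the notification hub on every interface although nginx proxies it from `localhost:3012`; unless the host firewall blocks 3012 (nothing here opens or closes it), clients can reach the hub directly and bypass TLS, so `websocketAddress = "127.0.0.1";` is the safer value. `owner = "${toString config.users.users.vaultwarden.uid}"` becomes an empty string if the module creates the user without a static uid (`toString null` is `""`); `owner = "vaultwarden";` does not depend on that. `smtpSsl = true` with `smtpPort = 587` means STARTTLS in vaultwarden's legacy option naming, which matches the mail server exposing only 587, but the name suggests implicit TLS, so a comment `# SMTP_SSL=true selects STARTTLS on 587, not implicit TLS on 465` would prevent a future mismatch.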