AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

add some services

Browse Source
This commit is contained in:
Dmitriy Kholkin 2022-02-21 02:25:13 +03:00
parent 780c4e1289
commit 91a5c6a96f
5 changed files with 250 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
machines/NixOS-CT/default.nix
View File

@ -5,6 +5,9 @@
nginx nginx
coturn coturn
fail2ban
mailserver
vaultwarden
]; ];
deviceSpecific.devInfo = { deviceSpecific.devInfo = {

59
profiles/servers/fail2ban.nix Normal file
View File

@ -0,0 +1,59 @@
{ config, pkgs, lib, ... }: {
services.openssh.logLevel = "VERBOSE";
services.fail2ban = {
enable = true;
maxretry = 3;
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
# "8.8.8.8"
];
jails = {
vaultwarden = ''
enabled = true
port = 80,443,8081
filter = vaultwarden
banaction = %(banaction_allports)s
logpath = /var/log/vaultwarden.log
maxretry = 3
bantime = 14400
findtime = 14400
'';
vaultwarden-admin = ''
enabled = true
port = 80,443
filter = vaultwarden-admin
banaction = %(banaction_allports)s
logpath = /var/log/vaultwarden.log
maxretry = 3
bantime = 14400
findtime = 14400
'';
};
};
environment.etc."fail2ban/filter.d/vaultwarden.conf" = {
enable = config.services.vaultwarden.enable;
text = ''
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
'';
};
environment.etc."fail2ban/filter.d/vaultwarden-admin.conf" = {
enable = config.services.vaultwarden.enable;
text = ''
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =
'';
};
}

116
profiles/servers/mailserver.nix Normal file
View File

@ -0,0 +1,116 @@
{ pkgs, config, lib, inputs, ... }:
let
module = toString inputs.simple-nixos-mailserver;
in {
imports = [ module ];
secrets.mailserver = {
owner = "dovecot2:dovecot2";
services = [ "dovecot2" ];
};
secrets.mailserver-vaultwarden = {
owner = "dovecot2:dovecot2";
services = [ "dovecot2" ];
};
security.acme.certs."mail.ataraxiadev.com" = {
webroot = "/var/lib/acme/acme-challenge";
postRun = ''
systemctl reload postfix
systemctl reload dovecot2
'';
};
services.postfix = {
dnsBlacklists = [
"all.s5h.net"
"b.barracudacentral.org"
"bl.spamcop.net"
"blacklist.woody.ch"
# "bogons.cymru.com"
# "cbl.abuseat.org"
# "combined.abuse.ch"
# "db.wpbl.info"
# "dnsbl-1.uceprotect.net"
# "dnsbl-2.uceprotect.net"
# "dnsbl-3.uceprotect.net"
# "dnsbl.anticaptcha.net"
# "dnsbl.dronebl.org"
# "dnsbl.inps.de"
# "dnsbl.sorbs.net"
# "dnsbl.spfbl.net"
# "drone.abuse.ch"
# "duinv.aupads.org"
# "dul.dnsbl.sorbs.net"
# "dyna.spamrats.com"
# "dynip.rothen.com"
# "http.dnsbl.sorbs.net"
# "ips.backscatterer.org"
# "ix.dnsbl.manitu.net"
# "korea.services.net"
# "misc.dnsbl.sorbs.net"
# "noptr.spamrats.com"
# "orvedb.aupads.org"
# "pbl.spamhaus.org"
# "proxy.bl.gweep.ca"
# "psbl.surriel.com"
# "relays.bl.gweep.ca"
# "relays.nether.net"
# "sbl.spamhaus.org"
# "singular.ttk.pte.hu"
# "smtp.dnsbl.sorbs.net"
# "socks.dnsbl.sorbs.net"
# "spam.abuse.ch"
# "spam.dnsbl.anonmails.de"
# "spam.dnsbl.sorbs.net"
# "spam.spamrats.com"
# "spambot.bls.digibase.ca"
# "spamrbl.imp.ch"
# "spamsources.fabel.dk"
# "ubl.lashback.com"
# "ubl.unsubscore.com"
# "virus.rbl.jp"
# "web.dnsbl.sorbs.net"
# "wormrbl.imp.ch"
# "xbl.spamhaus.org"
# "z.mailspike.net"
# "zen.spamhaus.org"
# "zombie.dnsbl.sorbs.net"
];
dnsBlacklistOverrides = ''
ataraxiadev.com OK
mail.ataraxiadev.com OK
127.0.0.0/8 OK
10.0.0.0/8 OK
172.16.0.0/12 OK
192.168.0.0/16 OK
'';
};
mailserver = rec {
enable = true;
openFirewall = true;
fqdn = "mail.ataraxiadev.com";
domains = [ "ataraxiadev.com" ];
loginAccounts = {
"ataraxiadev@ataraxiadev.com" = {
aliases =
[ "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root" ];
hashedPasswordFile = config.secrets.mailserver.decrypted;
};
"vaultwarden@ataraxiadev.com" = {
aliases = [ "vaultwarden" ];
hashedPasswordFile = config.secrets.mailserver-vaultwarden.decrypted;
};
};
localDnsResolver = false;
certificateScheme = 1;
certificateFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";
keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";
enableImap = true;
enableImapSsl = false;
# enablePop3 = true;
# enablePop3Ssl = false;
enableSubmission = true;
enableSubmissionSsl = false;
virusScanning = false;
};
}

42
profiles/servers/nginx.nix
View File

@ -14,6 +14,7 @@
"jitsi.ataraxiadev.com" "jitsi.ataraxiadev.com"
"stats.ataraxiadev.com" "stats.ataraxiadev.com"
"startpage.ataraxiadev.com" "startpage.ataraxiadev.com"
"vw.ataraxiadev.com"
]; ];
}; };
}; };
@ -30,10 +31,23 @@
useACMEHost = "ataraxiadev.com"; useACMEHost = "ataraxiadev.com";
forceSSL = true; forceSSL = true;
}; };
proxyPass = { proxySettings = {
extraConfig = '' extraConfig = ''
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
'';
};
hardened = {
extraConfig = ''
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Robots-Tag "none";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Content-Type-Options "nosniff";
''; '';
}; };
in { in {
@ -43,7 +57,7 @@
extraConfig = '' extraConfig = ''
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
''; '';
}; } // hardened;
} // default; } // default;
"matrix:443" = { "matrix:443" = {
serverAliases = [ serverAliases = [
@ -62,7 +76,7 @@
}]; }];
locations."/" = { locations."/" = {
proxyPass = "http://matrix-ct:81"; proxyPass = "http://matrix-ct:81";
} // proxyPass; } // proxySettings // hardened;
} // default; } // default;
"matrix:8448" = { "matrix:8448" = {
serverAliases = [ "matrix.ataraxiadev.com" ]; serverAliases = [ "matrix.ataraxiadev.com" ];
@ -73,13 +87,31 @@
}]; }];
locations."/" = { locations."/" = {
proxyPass = "http://matrix-ct:8449"; proxyPass = "http://matrix-ct:8449";
} // proxyPass; } // proxySettings // hardened;
} // default; } // default;
"startpage.ataraxiadev.com" = { "startpage.ataraxiadev.com" = {
locations."/" = { locations."/" = {
root = "/srv/http/startpage.ataraxiadev.com/"; root = "/srv/http/startpage.ataraxiadev.com/";
extraConfig = ''
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "none";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Content-Type-Options "nosniff";
'';
}; };
} // default; } // default;
"vw.ataraxiadev.com" = {
locations."/" = {
proxyPass = "http://localhost:8812";
} // proxySettings // hardened;
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
} // proxySettings // hardened;
locations."/notifications/hub/negotiate" = {
proxyPass = "http://localhost:8812";
} // proxySettings // hardened;
} // default;
}; };
}; };

35
profiles/servers/vaultwarden.nix Normal file
View File

@ -0,0 +1,35 @@
{ config, pkgs, lib, ... }: {
secrets.vaultwarden = {
owner = "${toString config.users.users.vaultwarden.uid}";
permissions = "400";
};
services.vaultwarden = {
enable = true;
backupDir = "/backups/vaultwarden";
config = {
domain = "https://vw.ataraxiadev.com";
extendedLogging = true;
invitationsAllowed = false;
logFile = "/var/log/vaultwarden.log";
logLevel = "warn";
rocketPort = 8812;
showPasswordHint = false;
signupsAllowed = false;
signupsDomainsWhitelist = "ataraxiadev.com";
signupsVerify = true;
smtpAuthMechanism = "Login";
smtpFrom = "vaultwarden@ataraxiadev.com";
smtpFromName = "Vaultwarden";
smtpHost = "mail.ataraxiadev.com";
smtpPort = 587;
smtpSsl = true;
websocketAddress = "0.0.0.0";
websocketEnabled = true;
websocketPort = 3012;
webVaultEnabled = true;
# rocketWorkers = 10;
};
environmentFile = config.secrets.vaultwarden.decrypted;
};
}