diff --git a/flake.lock b/flake.lock index f9bbc07..30cea79 100644 --- a/flake.lock +++ b/flake.lock @@ -539,11 +539,11 @@ }, "nix-secrets": { "locked": { - "lastModified": 1738940734, - "narHash": "sha256-7yH/LFyop6RoazqROOpQGlMRqbw80DfzUroTj9rTVro=", + "lastModified": 1739193599, + "narHash": "sha256-oJBav9MiFmhZxQWt6si1T5QQuhxWqGOOQNekeJABaXU=", "ref": "refs/heads/master", - "rev": "031ee73ab11dd5f91f56cdcac1483b1d59788178", - "revCount": 274, + "rev": "0d69dc15bea7b1a99fce08ea8517f392cbc253ee", + "revCount": 278, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/hosts/cloudnix/default.nix b/hosts/cloudnix/default.nix index 679c528..8e7c97f 100644 --- a/hosts/cloudnix/default.nix +++ b/hosts/cloudnix/default.nix @@ -32,11 +32,13 @@ in { ../common/optional/distributed-builds/local-machine.nix ../common/optional/nixos-containers/semitamaps.nix ../common/optional/nixos-containers/vaultwarden.nix + ../common/optional/nixos-containers/xmpp.nix + ../common/optional/fail2ban.nix ../common/optional/restic-backup.nix - ../common/optional/nginx/semitamaps.nix ../common/optional/nginx/vaultwarden.nix + ../common/optional/nginx/xmpp.nix outputs.nixosModules.nixosAutoUpgrade diff --git a/hosts/common/optional/nginx/semitamaps.nix b/hosts/common/optional/nginx/semitamaps.nix index e9a65aa..9e1deef 100644 --- a/hosts/common/optional/nginx/semitamaps.nix +++ b/hosts/common/optional/nginx/semitamaps.nix @@ -1,7 +1,20 @@ -{ - networking.firewall.allowedTCPPorts = [ 80 ]; - services.nginx.enable = true; - services.nginx.virtualHosts."samchance.xyz" = { - root = "/srv/hello/"; +{configVars, ...}: let + email = configVars.email.user; + domain = configVars.domains.xmpp; +in { + security.acme = { + acceptTerms = true; + defaults.email = email; + }; + networking.firewall.allowedTCPPorts = [80 443]; + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + root = "/srv/hello/"; + }; }; } diff --git a/hosts/common/optional/nginx/xmpp.nix b/hosts/common/optional/nginx/xmpp.nix new file mode 100644 index 0000000..dc4d7a8 --- /dev/null +++ b/hosts/common/optional/nginx/xmpp.nix @@ -0,0 +1,92 @@ +{configVars, ...}: let + email = configVars.email.user; + xmppDomain = configVars.domains.xmpp; + xmppIp = configVars.networking.addresses.xmpp.localAddress; + xmppPort = configVars.networking.addresses.xmpp.port; +in { + networking.firewall.allowedTCPPorts = [80 443]; + users.groups.www-data = { + gid = 33; + }; + + users.users.nginx = { + isSystemUser = true; + uid = 60; + extraGroups = ["www-data"]; + }; + + systemd.tmpfiles.rules = [ + "d /var/www/${xmppDomain} 0777 root root" + ]; + + services.httpd.virtualHosts."root" = { + hostName = "${xmppDomain}"; + documentRoot = "/var/www/${xmppDomain}"; + }; + + security.acme = { + acceptTerms = true; + defaults.email = email; + certs = { + "${xmppDomain}" = { + webroot = "/var/www/${xmppDomain}"; + email = email; + extraDomainNames = [ + "chat.${xmppDomain}" + ]; + group = "www-data"; + }; + }; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts."chat.${xmppDomain}" = { + # enableACME = true; + forceSSL = true; + extraConfig = '' + client_max_body_size 10G; + ''; + sslCertificate = "/var/lib/acme/${xmppDomain}/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/${xmppDomain}/key.pem"; + locations = { + "/" = { + proxyPass = "http://${xmppIp}:${toString xmppPort}"; + extraConfig = '' + proxy_set_header Host "${xmppDomain}"; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + tcp_nodelay on; + ''; + }; + "/xmpp-websocket" = { + proxyPass = "http://${xmppIp}:${toString xmppPort}/xmpp-websocket"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Connection "Upgrade"; + proxy_set_header Upgrade $http_upgrade; + + proxy_set_header Host "${xmppDomain}"; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 900s; + ''; + }; + "/upload/" = { + extraConfig = '' + proxy_buffering off; + proxy_set_header Host $host; + # pass PUT requests to mod_http_upload for processing + if ($request_method = PUT) { + proxy_pass http://${xmppIp}:${toString xmppPort}; + } + alias /var/lib/prosody/http_upload; # storage path of mod_http_upload. NGINX will serve these files to the clients. + ''; + }; + }; + }; + }; +} diff --git a/hosts/common/optional/nixos-containers/xmpp.nix b/hosts/common/optional/nixos-containers/xmpp.nix new file mode 100644 index 0000000..72743f0 --- /dev/null +++ b/hosts/common/optional/nixos-containers/xmpp.nix @@ -0,0 +1,210 @@ +{ + pkgs, + lib, + configVars, + inputs, + ... +}: let + containerName = "xmpp"; + xmppDomain = configVars.domains.xmpp; + pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; + hostAddress = configVars.networking.addresses.xmpp.hostAddress; + localAddress = configVars.networking.addresses.xmpp.localAddress; + sops-nix = inputs.sops-nix; + xmppPorts = [3478 5281 5280 5269 5222 5223]; +in { + networking = { + nat = { + enable = true; + internalInterfaces = ["ve-+"]; + externalInterface = "enp1s0"; + }; + firewall = { + enable = true; + allowedTCPPorts = xmppPorts; + }; + }; + + environment.persistence."/persist" = { + hideMounts = true; + directories = [ + "/var/lib/nixos-containers/${containerName}" + ]; + }; + + systemd.tmpfiles.rules = [ + "d /var/lib/prosody 0750" + ]; + + containers."${containerName}" = { + autoStart = true; + privateNetwork = true; + hostAddress = hostAddress; + localAddress = localAddress; + nixpkgs = pkgs.path; + bindMounts = { + "/etc/ssh/ssh_host_ed25519_key" = { + hostPath = "/etc/ssh/ssh_host_ed25519_key"; + isReadOnly = true; + }; + "/var/lib/prosody" = { + hostPath = "/var/lib/prosody"; + isReadOnly = false; + }; + "/var/lib/acme/${xmppDomain}/" = { + hostPath = "/var/lib/acme/${xmppDomain}/"; + isReadOnly = false; + }; + }; + forwardPorts = + lib.map (port: { + containerPort = port; + hostPort = port; + }) + xmppPorts; + config = { + pkgs, + lib, + config, + ... + }: let + secretsDirectory = builtins.toString inputs.nix-secrets; + secretsFile = "${secretsDirectory}/secrets.yaml"; + in { + users.groups.www-data = { + gid = 33; + }; + + users.users.prosody = { + isSystemUser = true; + uid = 149; + extraGroups = ["www-data"]; + }; + + networking = { + firewall = { + enable = true; + rejectPackets = true; + allowedTCPPorts = xmppPorts ++ [80 443]; + }; + useHostResolvConf = lib.mkForce false; + }; + + services.resolved.enable = true; + + sops = { + defaultSopsFile = "${secretsFile}"; + validateSopsFiles = false; + + age = { + sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + }; + secrets = { + "software/coturn/static-auth-secret" = { + mode = "0644"; + }; + }; + }; + + imports = [ + sops-nix.nixosModules.sops + ]; + + environment.systemPackages = [ + pkgs.vim + pkgs.git + pkgs.prosody + ]; + + sops.templates."prosody_secrets.lua" = { + mode = "644"; + content = '' + turn_external_secret = ${config.sops.placeholder."software/coturn/static-auth-secret"}; + ''; + }; + + services.prosody = { + enable = true; + package = pkgs.prosody.override { + withCommunityModules = [ + "turn_external" + "conversejs" + "admin_web" + ]; + }; + extraModules = ["turn_external" "conversejs" "admin_web" "http" "websocket"]; + allowRegistration = true; + extraConfig = '' + include "${config.sops.templates."prosody_secrets.lua".path}" + registration_invite_only = true; + allow_user_invites = true; + cross_domain_bosh = true; + turn_external_host = "turn.${xmppDomain}"; + turn_external_port = 3478; + http_default_host = "${xmppDomain}"; + certificates = "certs" + cross_domain_websocket = { "https://${xmppDomain}" } + consider_websocket_secure = true + + legacy_ssl_ports = { 5223 } + legacy_ssl_ssl = { + certificate = "/var/lib/acme/${xmppDomain}/cert.pem"; + key = "/var/lib/acme/${xmppDomain}/key.pem"; + } + + ''; + modules.bosh = true; + s2sRequireEncryption = true; + c2sRequireEncryption = true; + s2sSecureAuth = false; + admins = ["root@${xmppDomain}"]; + ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem"; + ssl.key = "/var/lib/acme/${xmppDomain}/key.pem"; + virtualHosts."${xmppDomain}" = { + enabled = true; + ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem"; + ssl.key = "/var/lib/acme/${xmppDomain}/key.pem"; + extraConfig = '' + http_external_url = "https://chat.${xmppDomain}/" + invites_page = "https://chat.${xmppDomain}/register?t={invite.token}" + http_paths = { + invites_page = "/invite"; + invites_register_web = "/register"; + } + ''; + domain = "${xmppDomain}"; + }; + muc = [ + { + domain = "conference.${xmppDomain}"; + } + ]; + uploadHttp = { + domain = "https://upload.${xmppDomain}"; + uploadFileSizeLimit = "1000000000"; # 1 gb file-size limit + uploadExpireAfter = "31557600"; # files deleted after 1 year + }; + }; + + services.coturn = { + enable = true; + realm = "turn.${xmppDomain}"; + use-auth-secret = true; + static-auth-secret-file = config.sops.secrets."software/coturn/static-auth-secret".path; + }; + + services.openssh = { + enable = true; + settings.PasswordAuthentication = false; + }; + + users.users = { + root = { + openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); + }; + }; + + system.stateVersion = "24.05"; + }; + }; +}