From f432b7057738cb5123c8e1b506a2a1199e71ee72 Mon Sep 17 00:00:00 2001 From: Ben Sima Date: Sun, 17 Oct 2021 11:52:47 -0400 Subject: Update cloud services Rebuilt email server, started wireguard setup. --- Biz/Bild/Sources.json | 8 +++--- Biz/Cloud.nix | 11 ++------ Biz/Cloud/Git.nix | 2 +- Biz/Cloud/Hardware.nix | 7 ++--- Biz/Cloud/Mail.nix | 7 ++++- Biz/Cloud/Networking.nix | 45 +++++++++++------------------ Biz/Cloud/Ports.nix | 4 ++- Biz/Cloud/Web.nix | 28 +++++++++++------- Biz/Cloud/Znc.nix | 12 ++++++-- Biz/Dev.nix | 1 + Biz/Dev/Configuration.nix | 22 +++++++++------ Biz/Dev/Hardware.nix | 7 +++-- Biz/Dev/Wireguard.nix | 72 +++++++++++++++++++++++++++++++++++++++++++++++ Biz/OsBase.nix | 1 - Biz/Packages.nix | 1 + 15 files changed, 157 insertions(+), 71 deletions(-) create mode 100644 Biz/Dev/Wireguard.nix diff --git a/Biz/Bild/Sources.json b/Biz/Bild/Sources.json index 0b2ab61..7659958 100644 --- a/Biz/Bild/Sources.json +++ b/Biz/Bild/Sources.json @@ -142,13 +142,13 @@ "description": "Nix Packages collection", "homepage": "git://simatime.com/nixpkgs.git", "name": "nixpkgs", - "owner": "simatime", - "repo": "git://simatime.com/nixpkgs.git", + "owner": "bsima", + "repo": "nixpkgs", "rev": "11452e4fe3b4afe566b47f1f85c2cec863a4f5bb", "sha256": "0csm6wxf1s6vx9kl0yl28lgiwnxans0023ib47qlrjbkmpaqy4b8", "type": "tarball", - "url": "https://simatime.com/archive/nixpkgs/biz/11452e4fe3b4afe566b47f1f85c2cec863a4f5bb.tar.gz", - "url_template": "https://simatime.com/archive///.tar.gz" + "url": "https://github.com/bsima/nixpkgs/archive/11452e4fe3b4afe566b47f1f85c2cec863a4f5bb.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" }, "regex-applicative": { "branch": "master", diff --git a/Biz/Cloud.nix b/Biz/Cloud.nix index 2a30b48..95d0150 100644 --- a/Biz/Cloud.nix +++ b/Biz/Cloud.nix 
@@ -2,12 +2,6 @@ # Cloud infrastructure, always online. Mostly for messaging-related stuff. -let - #nixos-mailserver = let ver = "v2.3.0"; in builtins.fetchTarball { - # url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${ver}/nixos-mailserver-${ver}.tar.gz"; - # sha256 = "0lpz08qviccvpfws2nm83n7m2r8add2wvfg9bljx9yxx8107r919"; - #}; -in bild.os { imports = [ ./OsBase.nix @@ -15,7 +9,6 @@ bild.os { ./Users.nix ./Cloud/Chat.nix ./Cloud/Git.nix - ./Cloud/Grocy.nix ./Cloud/Hardware.nix ./Cloud/Mail.nix ./Cloud/Networking.nix @@ -25,6 +18,6 @@ bild.os { ]; networking.hostName = "simatime"; networking.domain = "simatime.com"; - # the datacenter for this VM is in SF - time.timeZone = "America/Los_Angeles"; + # the datacenter for this VM is in NYC + time.timeZone = "America/New_York"; } diff --git a/Biz/Cloud/Git.nix b/Biz/Cloud/Git.nix index bc9812c..eb61a10 100644 --- a/Biz/Cloud/Git.nix +++ b/Biz/Cloud/Git.nix @@ -1,7 +1,7 @@ { pkgs, lib, config, ... }: let - root = "/srv/git"; + root = "/var/git"; in { services = { gitolite = { diff --git a/Biz/Cloud/Hardware.nix b/Biz/Cloud/Hardware.nix index 20eab30..ab775dc 100644 --- a/Biz/Cloud/Hardware.nix +++ b/Biz/Cloud/Hardware.nix @@ -1,8 +1,7 @@ -{ ... }: +{ modulesPath, ... }: { + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; boot.loader.grub.device = "/dev/vda"; + boot.initrd.kernelModules = [ "nvme" ]; fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; }; - swapDevices = [ - { device = "/swapfile"; } # 4GB - ]; } diff --git a/Biz/Cloud/Mail.nix b/Biz/Cloud/Mail.nix index e3ddc06..ecb64ff 100644 --- a/Biz/Cloud/Mail.nix +++ b/Biz/Cloud/Mail.nix @@ -20,7 +20,7 @@ loginAccounts = { "ben@simatime.com" = { - hashedPassword = "$6$Xr180W0PqprtaFB0$9S/Ug1Yz11CaWO7UdVJxQLZWfRUE3/rarB0driXkXALugEeQDLIjG2STGQBLU23//JtK3Mz8Kwsvg1/Zo0vD2/"; + hashedPasswordFile = "/home/ben/hashed-mail-password"; aliases = [ # my default email "ben@bsima.me" 
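Review bot: `hashedPasswordFile = "/home/ben/hashed-mail-password";` moves the hash out of the repository, which is the right direction, but parks it in a user's home directory: the mail service reads it with its own privileges, the file's existence and mode are not managed by this configuration, and anything with access to that home (or to a backup of it) obtains the hash. Prefer a root-owned path outside any home, e.g. `hashedPasswordFile = "/var/lib/mail-secrets/ben";` (placeholder path, mode 0600), and add a comment stating how the file is provisioned so a fresh deploy does not fail on the missing file. The enclosing `loginAccounts` attribute set continues outside this hunk.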
@@ -31,6 +31,11 @@ catchAll = [ "simatime.com" "bsima.me" ]; quota = "10G"; }; + "dev@simatime.com" = { + hashedPasswordFile = "/home/ben/hashed-mail-password"; + aliases = [ "dev@bsima.me" ]; + quota = "10G"; + }; "nick@simatime.com" = { hashedPassword = "$6$31P/Mg8k8Pezy1e$Fn1tDyssf.1EgxmLYFsQpSq6RP4wbEvP/UlBlXQhyKA9FnmFtJteXsbJM1naa8Kyylo8vZM9zmeoSthHS1slA1"; aliases = [ diff --git a/Biz/Cloud/Networking.nix b/Biz/Cloud/Networking.nix index fa41650..05a1608 100644 --- a/Biz/Cloud/Networking.nix +++ b/Biz/Cloud/Networking.nix 
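Review bot: `dev@simatime.com` points at the same `hashedPasswordFile` as `ben@simatime.com`, so the two mailboxes share one credential; if dev@ is meant to be a distinct account give it its own file, and if it is only another address for the same person an entry in ben's `aliases` expresses that without a second login. The hunk also leaves `nick@simatime.com` with an inline `hashedPassword` while ben's was moved out of the repo in the previous hunk; for consistency move it to a file as well, e.g. `hashedPasswordFile = "<secrets-dir>/nick";`. The `loginAccounts` set this sits in starts and ends outside the hunk.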
@@ -1,42 +1,31 @@ -{ lib, config, ... }: - -let - ports = import ./Ports.nix; -in { +{ lib, ... }: { + # This file was populated at runtime with the networking + # details gathered from the active system. networking = { - firewall = { - allowedTCPPorts = [ - ports.ssh - ports.git - ports.http - ports.https - ports.sabten - ports.gemini - ports.radicale - ]; - }; - nameservers = [ - "67.207.67.2" - "67.207.67.3" - ]; - defaultGateway = "159.89.128.1"; - defaultGateway6 = "2604:a880:2:d0::1"; + nameservers = [ "8.8.8.8" + ]; + defaultGateway = "143.198.112.1"; + defaultGateway6 = "2604:a880:400:d0::1"; dhcpcd.enable = false; - usePredictableInterfaceNames = lib.mkForce true; + usePredictableInterfaceNames = lib.mkForce false; interfaces = { eth0 = { ipv4.addresses = [ - { address="159.89.128.69"; prefixLength=20; } - { address="10.46.0.6"; prefixLength=16; } + { address="143.198.118.179"; prefixLength=20; } +{ address="10.10.0.7"; prefixLength=16; } ]; ipv6.addresses = [ - { address="2604:a880:2:d0::35:c001"; prefixLength = 64; } - { address="fe80::e899:c0ff:fe9c:e194"; prefixLength = 64; } + { address="2604:a880:400:d0::19f1:7001"; prefixLength=64; } +{ address="fe80::a06e:26ff:fee1:941"; prefixLength=64; } ]; + ipv4.routes = [ { address = "143.198.112.1"; prefixLength = 32; } ]; + ipv6.routes = [ { address = "2604:a880:400:d0::1"; prefixLength = 128; } ]; }; + }; }; services.udev.extraRules = '' - ATTR{address}=="ea:99:c0:9c:e1:94", NAME="eth0" + ATTR{address}=="a2:6e:26:e1:09:41", NAME="eth0" + ATTR{address}=="f2:4e:52:1a:72:ef", NAME="eth1" ''; } diff --git a/Biz/Cloud/Ports.nix b/Biz/Cloud/Ports.nix index 636c797..ad5ddc9 100644 --- a/Biz/Cloud/Ports.nix +++ b/Biz/Cloud/Ports.nix @@ -19,6 +19,8 @@ radicale = 5232; sabten = 8080; ssh = 22; - tor = 143; + tor = 144; torrents = { from = 3000; to = 3099; }; + wireguard = 51820; + znc = 5000; } diff --git a/Biz/Cloud/Web.nix b/Biz/Cloud/Web.nix index 9899258..68ff19e 100644 --- a/Biz/Cloud/Web.nix 
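Review bot: The firewall allow-list that lived here is deleted and not replaced within this file, so the cloud host's inbound policy is now defined in `Biz/Cloud/Web.nix` alone; a one-line pointer such as `# inbound firewall rules: see ./Web.nix` would keep this file honest for the next reader. The new header comment (`This file was populated at runtime with the networking details gathered from the active system`) reads as text pasted from a generated configuration rather than a description of this file, and two of the added address lines (`{ address="10.10.0.7"; …}` and the `fe80::…` one) land at column 0 — reindent them to match their siblings. The udev rule now names a second NIC `eth1`, yet only `eth0` receives an `interfaces` block and the private `10.10.0.7/16` address is assigned to eth0; confirm that is intended rather than a copy error. `nameservers` also shrinks to the single `8.8.8.8`, leaving no fallback resolver.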
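Review bot: `wireguard = 51820;` is the first UDP entry in a file whose other values are consumed by `allowedTCPPorts` lists elsewhere in this diff, and nothing marks it as such; a comment `wireguard = 51820; # UDP` would stop it being copied into a TCP allow-list. The change of `tor` from 143 to 144 is unexplained in the commit — 143 is the IMAP port, which the rebuilt mail server on this host presumably listens on, so a short comment recording the reason (e.g. `tor = 144; # 143 clashes with IMAP`) would help the next reader.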
+++ b/Biz/Cloud/Web.nix @@ -5,6 +5,19 @@ let ports = import ./Ports.nix; in { + networking.firewall = { + allowedTCPPorts = [ + ports.ssh + ports.git + ports.http + ports.https + ports.sabten + ports.gemini + ports.radicale + ports.znc + ]; + }; + services = { radicale = { enable = true; @@ -23,10 +36,10 @@ in listen = "0.0.0.0:${toString ports.gemini} [::]:${toString ports.gemini}"; ":tls" = { store = "/var/lib/gmnisrv"; }; "bsima.me" = { - "root" = "/srv/www/ben"; + "root" = "/var/web/ben"; }; "simatime.com" = { - "root" = "/srv/www/simatime.com"; + "root" = "/var/web/simatime.com"; "cgi" = "on"; }; }; @@ -49,14 +62,14 @@ in enableACME = true; locations = { "/" = { - root = "/srv/www/simatime.com"; + root = "/var/web/simatime.com"; extraConfig = '' autoindex on; ''; }; # serve /~$USER paths "~ ^/~(.+?)(/.*)?$" = { - alias = "/srv/www/$1$2"; + alias = "/var/web/$1$2"; index = "index.html index.htm"; extraConfig = '' autoindex on; @@ -89,7 +102,7 @@ in "bsima.me" = { locations."/" = { - root = "/srv/www/ben"; + root = "/var/web/ben"; index = "index.html index.htm"; extraConfig = '' autoindex on; @@ -161,10 +174,6 @@ in }; }; - "grocy.${rootDomain}" = { - useACMEHost = rootDomain; - forceSSL = true; - }; }; }; }; @@ -182,6 +191,5 @@ in "sabten" "cal" "notebook" - "grocy" ]; } diff --git a/Biz/Cloud/Znc.nix b/Biz/Cloud/Znc.nix index 0ba8d6a..5ec4e56 100644 --- a/Biz/Cloud/Znc.nix +++ b/Biz/Cloud/Znc.nix @@ -19,13 +19,13 @@ N.B.: generate znc passwords with 'nix-shell -p znc --command "znc --makepass"' ]; useLegacyConfig = false; config = { - LoadModule = [ "adminlog" "sasl" ]; + LoadModule = [ "adminlog" ]; Motd = "welcome to znc.simatime.com"; User.bsima = { Admin = true; Nick = "bsima"; AltNick = "bsima1"; - LoadModule = [ "chansaver" "controlpanel" "log" "sasl" ]; + LoadModule = [ "chansaver" "controlpanel" "log" ]; Network = { #efnet = { # Server = "irc.efnet.info +6697"; 
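Review bot: `ports.znc` is added to the public TCP allow-list on this host, but nothing in this commit shows the ZNC listener being configured for TLS (the `Znc.nix` hunks only touch modules and networks), and ZNC logins carry a password; confirm `services.znc.useSSL` (or the equivalent listener setting) is enabled before exposing the port. Separately, this firewall block now governs ssh, git, gemini and radicale as well as the web services, yet it lives in Web.nix; a comment such as `# host-wide inbound allow-list (moved here from Networking.nix)` would stop a reader assuming only the web stack is covered.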
@@ -57,6 +57,14 @@ N.B.: generate znc passwords with 'nix-shell -p znc --command "znc --makepass"' "#home-manager" = {}; }; }; + zeronode = { + Server = "irc.zeronode.net +6667"; + LoadModule = [ "simple_away" "nickserv" ]; + Nick = "ben"; + Chan = { + "#NoAgenda" = {}; + }; + }; #sorcery = { # Server = "irc.sorcery.net +6697"; #}; diff --git a/Biz/Dev.nix b/Biz/Dev.nix index 0f9b07c..e0eb89a 100644 --- a/Biz/Dev.nix +++ b/Biz/Dev.nix @@ -11,6 +11,7 @@ bild.os { ./Dev/Hardware.nix ./Dev/Hoogle.nix ./Dragons.nix + ./Dev/Wireguard.nix # ./Dev/Guix.nix # I need to package a bunch of guile libs first ]; networking.hostName = "lithium"; diff --git a/Biz/Dev/Configuration.nix b/Biz/Dev/Configuration.nix index 2dcc816..8eb4958 100644 --- a/Biz/Dev/Configuration.nix +++ b/Biz/Dev/Configuration.nix @@ -5,7 +5,7 @@ let ports = import ../Cloud/Ports.nix; in { networking = { - nameservers = [ "1.1.1.1" "8.8.8.8" ]; + nameservers = [ "1.1.1.1" ]; hostName = "lithium"; hosts = { "::1" = [ "localhost" "ipv6-localhost" "ipv6-loopback" ]; @@ -13,17 +13,22 @@ in { firewall = { allowedTCPPorts = [ - 22 8000 8443 443 # standard ports - 500 10000 # no idea - ports.jellyfin + ports.bitcoind ports.delugeWeb - ports.murmur + ports.et + ports.gemini + ports.git + ports.http + ports.https + ports.jellyfin + ports.jupyter ports.mpd ports.mpd-stream + ports.murmur + ports.radicale + ports.sabten + ports.ssh ports.tor - ports.et - ports.bitcoind - ports.jupyter ]; allowedTCPPortRanges = [ ports.torrents @@ -61,6 +66,7 @@ in { environment.systemPackages = [ pkgs.wemux pkgs.tmux + pkgs.wireguard ]; nixpkgs = { diff --git a/Biz/Dev/Hardware.nix b/Biz/Dev/Hardware.nix index 9297d66..dc5b573 100644 --- a/Biz/Dev/Hardware.nix +++ b/Biz/Dev/Hardware.nix 
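Review bot: `Server = "irc.zeronode.net +6667";` — in ZNC's Server syntax the leading `+` requests TLS, and every other network in this file pairs it with 6697; 6667 is the conventional plaintext IRC port, so either the `+` or the port number looks wrong and the connection will fail if the server does not offer TLS there. Confirm what the server provides and correct one of the two, e.g. `Server = "irc.zeronode.net +6697";` if TLS is available. With `sasl` dropped from the user's `LoadModule` in the previous hunk and `nickserv` loaded here, identification now travels in-band over this connection, which is a further reason to keep it on TLS. The enclosing `Network` set starts and ends outside the hunk.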
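Review bot: The rewritten `allowedTCPPorts` on lithium opens `ports.gemini`, `ports.git`, `ports.radicale` and `ports.sabten`, which elsewhere in this diff are services of the cloud host; unless lithium also runs them these are unused open ports, and the commit gives no reason for adding them. Dropping `8000 8443` and `500 10000 # no idea` is an improvement, but a one-line comment per group recording why the remaining entries are needed would stop the list regrowing. `pkgs.wireguard` is also added to `environment.systemPackages` here and again in `Biz/Packages.nix` (last hunk of this diff); one of the two is redundant, though harmless.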
@@ -8,9 +8,12 @@ [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" + ]; boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = [ + ]; fileSystems."/" = { device = "/dev/disk/by-uuid/f08dd8f9-787c-4e2a-a0cc-7019edc2ce2b"; diff --git a/Biz/Dev/Wireguard.nix b/Biz/Dev/Wireguard.nix new file mode 100644 index 0000000..5703f3d --- /dev/null +++ b/Biz/Dev/Wireguard.nix 
@@ -0,0 +1,72 @@ +{ lib, config, pkgs, ... }: + +/* +Wireguard VPN server + +References: + +- https://nixos.wiki/wiki/WireGuard +- https://wireguard.how/client/ios/ +*/ + +let + ports = import ../Cloud/Ports.nix; + ips = "10.100.0.1/24"; + + # a micro-library for creating iptables rules + iptables = rec { + bin = "${pkgs.iptables/bin/iptables}"; + append = {source}: lib.concatSep " " [ + bin + "--table" "nat" + "--append" "POSTROUTING" + "--source" source + "--out-interface" "eth0" + "--jump" "MASQUERADE" + ]; + delete = {source}: lib.concatSep " " [ + bin + "--table" "nat" + "--delete" "POSTROUTING" + "--source" source + "--out-interface" "eth0" + "--jump" "MASQUERADE" + ]; + + }; +in { + networking.nat.enable = true; + networking.nat.externalInterface = "eth0"; + networking.nat.internalInterfaces = [ "wg0" ]; + networking.firewall.allowedUDPPorts = [ ports.wireguard ]; + + networking.wireguard.enable = true; + + networking.wireguard.interfaces = { + wg0 = { + ips = [ ips ]; + allowedIPsAsRoutes = true; + listenPort = ports.wireguard; + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${ips} -o eth0 -j MASQUERADE + ''; + + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${ips} -o eth0 -j MASQUERADE + ''; + + privateKeyFile = "/var/wireguard/private"; + + peers = [ + #{ # helium + # publicKey = "TODO"; + # allowedIPs = [ "10.100.0.2/32" ]; + #} + { # ben's iPhone + publicKey = "SIBIfPLhzuV1S1FZtm5JQtDbl0ehnH+Y3CpoZ2eZ3gc="; + allowedIPs = [ "10.100.0.3/32" ]; + } + ]; + }; + }; +} diff --git a/Biz/OsBase.nix b/Biz/OsBase.nix index 095b9ad..c9f9f9a 100644 --- a/Biz/OsBase.nix +++ b/Biz/OsBase.nix @@ -7,7 +7,6 @@ nix.gc.dates = "Sunday 02:15"; nix.optimise.automatic = true; nix.optimise.dates = [ "Sunday 02:30" ]; - #nixpkgs.overlays = overlays; programs.mosh.enable = true; programs.mosh.withUtempter = true; security.acme.email = "ben@bsima.me"; 
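Review bot: The `iptables` binding in the `let` block is never used — `postSetup`/`postShutdown` inline their own commands — and it would likely not evaluate if it were: `"${pkgs.iptables/bin/iptables}"` is lexed as the relative path literal `pkgs.iptables/bin/iptables` rather than the package, and I cannot find a `lib.concatSep` in nixpkgs (`lib.concatStringsSep` is the usual name); Nix's laziness hides both. As far as I know `networking.nat.enable` with `internalInterfaces = [ "wg0" ]` already installs a MASQUERADE rule toward `externalInterface`, so the hand-written `-A/-D POSTROUTING` rules duplicate it — keep either the `networking.nat` block or the post hooks, not both, and delete the dead `iptables` helper with them. `eth0` is hard-coded as the uplink in three places, but nothing in this commit shows lithium's interface is named that (`Dev/Hardware.nix` only lists kernel modules), so confirm the name. `privateKeyFile = "/var/wireguard/private"` is correctly kept out of the store, but the file is not provisioned by this configuration; add a comment stating how it is created and that it must be root-readable only, e.g. `# provisioned out-of-band; keep mode 0600, never commit`.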
diff --git a/Biz/Packages.nix b/Biz/Packages.nix index 4de578f..2538546 100644 --- a/Biz/Packages.nix +++ b/Biz/Packages.nix @@ -16,6 +16,7 @@ with pkgs; traceroute vim vnstat + wireguard wget ]; } -- cgit v1.2.3