From ec60e54c9aeaa39fbcf535b018017061529ac555 Mon Sep 17 00:00:00 2001 From: nyanloutre Date: Mon, 2 Mar 2020 22:38:36 +0100 Subject: [PATCH 1/4] maj 20.03 --- overlays/riot-web.nix | 22 ++++++------ services/haproxy-acme.nix | 1 + systems/LoutreOS/configuration.nix | 2 +- systems/LoutreOS/services.nix | 58 +++++++++++++++--------------- 4 files changed, 41 insertions(+), 42 deletions(-) diff --git a/overlays/riot-web.nix b/overlays/riot-web.nix index c92dfa5..33428ff 100644 --- a/overlays/riot-web.nix +++ b/overlays/riot-web.nix @@ -1,17 +1,15 @@ self: super: { riot-web = super.riot-web.override { - conf = '' - { - "default_hs_url": "https://matrix.nyanlout.re", - "default_is_url": "https://vector.im", - "brand": "Nyanloutre", - "default_theme": "dark", - "integrations_ui_url": "https://dimension.t2bot.io/riot", - "integrations_rest_url": "https://dimension.t2bot.io/api/v1/scalar", - "integrations_widgets_urls": ["https://dimension.t2bot.io/widgets"], - "integrations_jitsi_widget_url": "https://dimension.t2bot.io/widgets/jitsi" - } - ''; + conf = { + default_hs_url = "https://matrix.nyanlout.re"; + default_is_url = "https://vector.im"; + brand = "Nyanloutre"; + default_theme = "dark"; + integrations_ui_url = "https://dimension.t2bot.io/riot"; + integrations_rest_url = "https://dimension.t2bot.io/api/v1/scalar"; + integrations_widgets_urls = ["https://dimension.t2bot.io/widgets"]; + integrations_jitsi_widget_url = "https://dimension.t2bot.io/widgets/jitsi"; + }; }; } diff --git a/services/haproxy-acme.nix b/services/haproxy-acme.nix index 4309e95..9383f38 100644 --- a/services/haproxy-acme.nix +++ b/services/haproxy-acme.nix @@ -126,6 +126,7 @@ in }; }; + security.acme.acceptTerms = true; security.acme.certs = { ${cfg.domaine} = { extraDomains = mapAttrs' (name: value: diff --git a/systems/LoutreOS/configuration.nix b/systems/LoutreOS/configuration.nix index 8edcfe9..a1d8c67 100644 --- a/systems/LoutreOS/configuration.nix +++ b/systems/LoutreOS/configuration.nix 
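Review bot: The added `security.acme.acceptTerms = true;` in services/haproxy-acme.nix carries no comment saying what is being agreed to, and this file is the one place a future reader will look; a one-liner above it such as `# Accept the Let's Encrypt subscriber agreement (mandatory since the 20.03 ACME module)` is enough. The hunk does not show `security.acme.email`; the CA uses that address for expiry warnings, so if it is not set elsewhere in this module it belongs next to acceptTerms.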
@@ -33,7 +33,7 @@ in ]; nixpkgs.config.allowUnfree = false; - nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem (builtins.parseDrvName pkg.pname).name [ "factorio-headless" "perl5.30.0-slimserver" "minecraft-server" ]); + nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem (builtins.parseDrvName pkg.pname).name [ "factorio-headless" "perl5.30.1-slimserver" "minecraft-server" ]); services.zfs = { autoSnapshot.enable = true; diff --git a/systems/LoutreOS/services.nix b/systems/LoutreOS/services.nix index ebbfc84..6f77f1f 100644 --- a/systems/LoutreOS/services.nix +++ b/systems/LoutreOS/services.nix 
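Review bot: The unfree allow-list on the changed line matches slimserver by its versioned derivation name (`perl5.30.1-slimserver`), which is why a perl point release forces an edit here and will again on the next bump. Matching on the unversioned name is more robust, e.g. `(pkg: let n = lib.getName pkg; in builtins.elem n [ "factorio-headless" "minecraft-server" ] || lib.hasSuffix "-slimserver" n)` — assuming `lib` is in scope in this file, which the hunk does not show. `builtins.parseDrvName pkg.pname` is also redundant: `pname` is already version-free, so `lib.getName pkg` states the intent directly.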
@@ -262,36 +262,36 @@ in }; }; - systemd.services.minecraft-overviewer = - let - clientJar = pkgs.fetchurl { - url = "https://overviewer.org/textures/1.14"; - sha256 = "0fij9wac7vj6h0kd3mfhqpn0w9gl8pbs9vs9s085zajm0szpr44k"; - name = "client.jar"; - }; - configFile = pkgs.runCommand "overviewer-config" { CLIENT_JAR = clientJar; } '' - substitute ${./config-overviewer.py} $out \ - --subst-var CLIENT_JAR - ''; - in - { - script = '' - ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile} - ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile} --genpoi - rm /var/www/minecraft-overviewer/progress.json - ''; - serviceConfig = { - User = "nginx"; - Group = "nginx"; - }; - }; + # systemd.services.minecraft-overviewer = + # let + # clientJar = pkgs.fetchurl { + # url = "https://overviewer.org/textures/1.14"; + # sha256 = "0fij9wac7vj6h0kd3mfhqpn0w9gl8pbs9vs9s085zajm0szpr44k"; + # name = "client.jar"; + # }; + # configFile = pkgs.runCommand "overviewer-config" { CLIENT_JAR = clientJar; } '' + # substitute ${./config-overviewer.py} $out \ + # --subst-var CLIENT_JAR + # ''; + # in + # { + # script = '' + # ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile} + # ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile} --genpoi + # rm /var/www/minecraft-overviewer/progress.json + # ''; + # serviceConfig = { + # User = "nginx"; + # Group = "nginx"; + # }; + # }; - systemd.timers.minecraft-overviewer = { - wantedBy = [ "multi-user.target" ]; - timerConfig = { - OnCalendar = "*-*-* 04:00:00"; - }; - }; + # systemd.timers.minecraft-overviewer = { + # wantedBy = [ "multi-user.target" ]; + # timerConfig = { + # OnCalendar = "*-*-* 04:00:00"; + # }; + # }; systemd.packages = with pkgs; [ tgt From 551cf94d4ea5902e1f993472acfe72bc1cbc3b5f Mon Sep 17 00:00:00 2001 
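Review bot: The whole minecraft-overviewer service and timer are kept as commented-out code instead of being removed; git history already preserves them, and commented-out Nix silently rots since nothing evaluates the `pkgs.minecraft-overviewer` reference or the pinned client.jar hash. Delete the two blocks, or if this is meant to be temporary leave a single line saying why and when it returns, e.g. `# minecraft-overviewer disabled: TODO(nyanloutre) re-enable once it builds on 20.03`. Note that the `minecraft.nyanlout.re` vhost later in this series still serves `/var/www/minecraft-overviewer`, so the existing map keeps being served but stops refreshing; if that is the intent it is worth stating in the same comment.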
From: nyanloutre Date: Mon, 2 Mar 2020 22:39:16 +0100 Subject: [PATCH 2/4] vsftpd: utilisation du certif let's encrypt --- containers/vsftpd.nix | 6 +++--- services/haproxy-acme.nix | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/containers/vsftpd.nix b/containers/vsftpd.nix index 409ab6f..77e01dd 100644 --- a/containers/vsftpd.nix +++ b/containers/vsftpd.nix @@ -12,7 +12,7 @@ userlistDeny = false; localUsers = true; userlist = ["claire" "manu" "lakeu" "fusil" "stryxion" "nico"]; - rsaCertFile = "/var/vsftpd/vsftpd.pem"; + rsaCertFile = "/var/lib/acme/nyanlout.re/full.pem"; extraConfig = '' pasv_min_port=64000 pasv_max_port=65535 @@ -59,8 +59,8 @@ }; }; bindMounts = { - "/var/vsftpd/vsftpd.pem" = { - hostPath = "/var/vsftpd/vsftpd.pem"; + "/var/lib/acme/nyanlout.re" = { + hostPath = "/var/lib/acme/nyanlout.re"; }; "/mnt/medias" = { hostPath = "/mnt/medias"; diff --git a/services/haproxy-acme.nix b/services/haproxy-acme.nix index 9383f38..8bdef07 100644 --- a/services/haproxy-acme.nix +++ b/services/haproxy-acme.nix @@ -138,6 +138,7 @@ in group = "acme"; postRun = '' systemctl reload haproxy.service + nixos-container run vsftpd -- systemctl restart vsftpd ''; }; }; From 5d755bf63b7df2cf14a35c318e39b60b7457bd2e Mon Sep 17 00:00:00 2001 From: nyanloutre Date: Mon, 2 Mar 2020 22:40:01 +0100 Subject: [PATCH 3/4] tgt: disable --- systems/LoutreOS/services.nix | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/systems/LoutreOS/services.nix b/systems/LoutreOS/services.nix index 6f77f1f..c0d1a5e 100644 --- a/systems/LoutreOS/services.nix +++ b/systems/LoutreOS/services.nix 
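Review bot: The bind mount now exposes the whole `/var/lib/acme/nyanlout.re` directory to the container, and `full.pem` (the file chosen in the previous hunk) bundles the private key with the chain, so the container's root can read the host's TLS key for every name on that certificate; that may be an acceptable trade-off for a personal host but it deserves a comment on the mount, e.g. `# whole cert dir, not just full.pem: renewal replaces the file and a single-file bind mount would pin the old inode`. As far as I recall NixOS container bind mounts default to `isReadOnly = true`, but writing `isReadOnly = true;` explicitly documents that vsftpd only needs read access. If sharing the key into the container is not wanted, a separate certificate for the FTP host name would limit the blast radius.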
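Review bot: `nixos-container run vsftpd -- systemctl restart vsftpd` in postRun fails whenever the container is stopped, and since it runs after `systemctl reload haproxy.service` that failure is likely to mark the renewal unit as failed even though the certificate and haproxy are fine (whether postRun aborts on the first error depends on the module's generated script, which is not visible here). Guard it, e.g. `nixos-container status vsftpd | grep -q up && nixos-container run vsftpd -- systemctl restart vsftpd || true`, or move the restart into its own unit triggered by the renewal. A restart, unlike haproxy's reload, also drops any FTP transfer in progress; vsftpd has no graceful reload, so a short comment saying so would spare the next reader the search.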
@@ -293,16 +293,16 @@ in # }; # }; - systemd.packages = with pkgs; [ - tgt - ]; + # systemd.packages = with pkgs; [ + # tgt + # ]; - environment.etc."tgt/targets.conf".text = '' - - backing-store /dev/zvol/loutrepool/steam-lun - initiator-address 10.30.50.3 - - ''; + # environment.etc."tgt/targets.conf".text = '' + # + # backing-store /dev/zvol/loutrepool/steam-lun + # initiator-address 10.30.50.3 + # + # ''; users.groups.acme.members = [ "matrix-synapse" ]; From f86ef0518dae498ce5c170c471c8b35096058879 Mon Sep 17 00:00:00 2001 From: nyanloutre Date: Mon, 2 Mar 2020 23:20:17 +0100 Subject: [PATCH 4/4] web: refactor nginx config --- services/haproxy-acme.nix | 17 ++++++---- systems/LoutreOS/web.nix | 67 ++++++++++++++++++++++++--------------- 2 files changed, 53 insertions(+), 31 deletions(-) diff --git a/services/haproxy-acme.nix b/services/haproxy-acme.nix index 8bdef07..f7b16e3 100644 --- a/services/haproxy-acme.nix +++ b/services/haproxy-acme.nix 
@@ -20,23 +20,28 @@ let ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets defaults + mode http option forwardfor option http-server-close + option httplog + option dontlognull timeout client 10s timeout connect 4s timeout server 30s + timeout tunnel 3600s errorfile 503 ${./errorfiles/503.html} userlist LOUTRE user paul password $6$YNjCpiPABu9$.iEp.3BgoswHcX3SMjz1/CiyqFQn/fjnxtT9CWBqQHBKynvK2kh/i62ije0WmCvhKRUhy9gdVbJStM3ciGXnC1 - frontend public + frontend http-in bind :::80 v4v6 - bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1 - mode http acl letsencrypt-acl path_beg /.well-known/acme-challenge/ - acl haproxy-acl path_beg /haproxy - redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl - http-response set-header Strict-Transport-Security max-age=15768000 use_backend letsencrypt-backend if letsencrypt-acl + redirect scheme https code 301 if !letsencrypt-acl + frontend public + bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1 + http-response set-header Strict-Transport-Security max-age=15768000 + http-request add-header X-Forwarded-Proto https + acl haproxy-acl path_beg /haproxy use_backend haproxy_stats if haproxy-acl ${concatStrings ( mapAttrsToList (name: value: diff --git a/systems/LoutreOS/web.nix b/systems/LoutreOS/web.nix index 599a8c9..d98099f 100644 --- a/systems/LoutreOS/web.nix +++ b/systems/LoutreOS/web.nix @@ -2,6 +2,17 @@ with lib; +#### VHost table #### +# 10000 riot.nyanlout.re +# 10001 factorio.nyanlout.re +# 10002 minecraft.nyanlout.re +# 10003 nyanlout.re +# 10004 musique-meyenheim.fr +# 10005 social.nyanlout.re +# 10006 pgmanage.nyanlout.re +# 10007 maxspiegel.fr +#### + let domaine = "nyanlout.re"; 
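Review bot: `http-request add-header X-Forwarded-Proto https` in the new `public` frontend appends instead of replacing, so a client that sends its own `X-Forwarded-Proto: http` reaches the backends with two values and any backend that reads the first one is fooled into thinking the request was plaintext; use `http-request set-header X-Forwarded-Proto https` so the client-supplied header is overwritten. By contrast `option forwardfor` appending to X-Forwarded-For is safe only if the consumer reads the last address, which the nginx `set_real_ip_from 127.0.0.1` / `real_ip_header X-Forwarded-For` lines later in this series do by default (`real_ip_recursive off`); a comment on `option forwardfor` pointing at that dependency would help. The HSTS line is moved rather than changed, but with a six-month `max-age` and no `includeSubDomains` the subdomains served through the same frontend are not covered — fine if intentional, worth a comment either way. The frontend definitions continue past the end of the hunk.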
@@ -32,16 +43,16 @@ in "syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; }; "jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; }; "searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; }; - "riot.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "riot"; auth = false; }; + "riot.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "riot.nyanlout.re"; auth = false; }; "matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; }; "pgmanage.${domaine}" = { ip = "127.0.0.1"; port = config.services.pgmanage.port; auth = true; }; "gitea.${domaine}" = { ip = "127.0.0.1"; port = config.services.gitea.httpPort; auth = false; }; "ci.${domaine}" = { ip = "127.0.0.1"; port = 52350; auth = false; }; - "factorio.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "factorio"; auth = false; }; + "factorio.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "factorio.nyanlout.re"; auth = false; }; "airsonic.${domaine}" = { ip = "127.0.0.1"; port = 4040; auth = false; }; - "${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "wkd"; auth = false; }; + "${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "nyanlout.re"; auth = false; }; "musique-meyenheim.fr" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "musique-meyenheim.fr"; auth = false; }; - "minecraft.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "minecraft-overviewer"; auth = false; }; + "minecraft.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "minecraft.nyanlout.re"; auth = false; }; }; }; 
@@ -49,37 +60,43 @@ in nginx = { enable = true; + recommendedProxySettings = true; + appendHttpConfig = '' + set_real_ip_from 127.0.0.1; + real_ip_header X-Forwarded-For; + ''; virtualHosts = { - "riot" = { - listen = [ { addr = "127.0.0.1"; port = 52345; } ]; + "riot.nyanlout.re" = { + listen = [ { addr = "127.0.0.1"; port = 10000; } ]; locations = { "/" = { root = pkgs.riot-web; }; }; }; - "factorio" = { - listen = [ { addr = "127.0.0.1"; port = 52351; } ]; + "factorio.nyanlout.re" = { + listen = [ { addr = "127.0.0.1"; port = 10001; } ]; locations = { "/" = { root = "/var/www/factorio"; }; }; }; - "minecraft-overviewer" = { - listen = [ { addr = "127.0.0.1"; port = 52354; } ]; + "minecraft.nyanlout.re" = { + listen = [ { addr = "127.0.0.1"; port = 10002; } ]; locations = { "/" = { root = "/var/www/minecraft-overviewer"; }; }; }; - "wkd" = { - listen = [ { addr = "127.0.0.1"; port = 52352; } ]; - locations = { "/.well-known/openpgpkey/" = { - alias = "/var/lib/gnupg/wks/nyanlout.re"; - extraConfig = '' - add_header Access-Control-Allow-Origin * always; - ''; - }; }; + "nyanlout.re" = { + listen = [ { addr = "127.0.0.1"; port = 10003; } ]; + locations = { + "/" = { + alias = "/var/www/site-perso/"; + }; + "/.well-known/openpgpkey/" = { + alias = "/var/lib/gnupg/wks/nyanlout.re"; + extraConfig = '' + add_header Access-Control-Allow-Origin * always; + ''; + }; + }; }; "musique-meyenheim.fr" = { - listen = [ { addr = "127.0.0.1"; port = 52353; } ]; + listen = [ { addr = "127.0.0.1"; port = 10004; } ]; locations = { "/" = { proxyPass = "http://unix:/run/site-musique.sock"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - ''; }; "/static/" = { alias = "/var/www/site-musique/staticfiles/"; @@ -96,7 +113,7 @@ in pgmanage = { enable = true; - port = 52347; + port = 10006; connections = { localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres"; }; 
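Review bot: `recommendedProxySettings = true` makes nginx emit `proxy_set_header X-Forwarded-Proto $scheme` (as it does in nixpkgs of this era), and since nginx only ever sees plain HTTP on 127.0.0.1 from haproxy, `$scheme` is `http`; the `X-Forwarded-Proto https` that haproxy sets is therefore overwritten for the proxied `musique-meyenheim.fr` location, which breaks HTTPS detection in the app behind `/run/site-musique.sock` if it relies on that header. Because a `proxy_set_header` inside a location replaces the whole inherited set, the fix restates the headers in that location with the scheme forced (below). Separately, the `/.well-known/openpgpkey/` alias lacks the trailing slash its location has; nginx substitutes the prefix literally, so `/.well-known/openpgpkey/hu/X` maps to `/var/lib/gnupg/wks/nyanlout.rehu/X` — make it `alias = "/var/lib/gnupg/wks/nyanlout.re/";` (the line is moved rather than introduced here, so it may have been broken before). The new `set_real_ip_from` / `real_ip_header` lines deserve a why-comment: with the default `real_ip_recursive off` nginx takes the last X-Forwarded-For address, which is the one haproxy appended, so a client cannot spoof its address; the nginx attrset continues past the end of the hunk.
```nix
"musique-meyenheim.fr" = {
  listen = [ { addr = "127.0.0.1"; port = 10004; } ];
  locations = {
    "/" = {
      proxyPass = "http://unix:/run/site-musique.sock";
      # A location-level proxy_set_header replaces the entire set inherited from
      # recommendedProxySettings, so restate what the app needs with the scheme
      # forced: nginx only ever receives plain HTTP from haproxy's TLS frontend.
      # $remote_addr is already the real client here thanks to real_ip_header.
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
      '';
    };
    # … unchanged: "/static/" alias …
```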
@@ -126,7 +143,7 @@ in site-max = { enable = true; - port = 52348; + port = 10007; domaine = "maxspiegel.fr"; }; };