diff --git a/flake.nix b/flake.nix
index ca21552..da203c2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,7 +37,7 @@
 };
 };
- outputs = { nixpkgs, self, agenix, iceshrimp, catppuccin, ...} @ inputs:
+ outputs = { nixpkgs, self, iceshrimp, agenix, catppuccin, ...} @ inputs:
 let
 selfPkgs = import ./pkgs;
 username = "liv";
@@ -71,7 +71,7 @@
 modules = [( import ./hosts/violet )];
- specialArgs = { host="violet"; inherit self inputs username iceshrimp ; };
+ specialArgs = { host="violet"; inherit self inputs username agenix iceshrimp ; };
 };
 vm = nixpkgs.lib.nixosSystem {
diff --git a/hosts/violet/default.nix b/hosts/violet/default.nix
index 8ecee1a..9369fcf 100644
--- a/hosts/violet/default.nix
+++ b/hosts/violet/default.nix
@@ -1,10 +1,11 @@
-{ pkgs, config, iceshrimp, ... }:
+{ pkgs, config, iceshrimp, agenix, ... }:
 {
 imports = [
 ./hardware-configuration.nix
 ./../../modules/core
 ./../../modules/services/violet.nix
 iceshrimp.nixosModules.default
+ agenix.nixosModules.default
 ];
 networking.hostName = "violet";
@@ -31,19 +32,19 @@
 criticalPowerAction = "PowerOff";
 };
- auto-cpufreq = {
- enable = true;
- settings = {
- battery = {
- governor = "powersave";
- turbo = "auto";
- };
- charger = {
- governor = "performance";
- turbo = "auto";
- };
- };
- };
+ # auto-cpufreq = {
+ # enable = true;
+ # settings = {
+ # battery = {
+ # governor = "powersave";
+ # turbo = "auto";
+ # };
+ # charger = {
+ # governor = "performance";
+ # turbo = "auto";
+ # };
+ # };
+ # };
 };
 boot = {
diff --git a/modules/core/wireguard.nix b/modules/core/wireguard.nix
new file mode 100644
index 0000000..7ca3965
--- /dev/null
+++ b/modules/core/wireguard.nix
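Review bot: In the second hosts/violet/default.nix hunk the whole auto-cpufreq block is kept as fifteen commented lines instead of being removed, which leaves dead configuration to drift inside an attribute set whose header is outside the hunk. If the service is meant to be off temporarily, replacing the first line of the block with `auto-cpufreq.enable = false;` keeps the settings live and records the decision; otherwise delete the block, since git history retains it. A one-line comment stating why it was disabled would help the next reader more than the commented copy.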
@@ -0,0 +1,18 @@
+{ ... }:
+{
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ address = [ "10.7.0.2/24" "fddd:2c4:2c4:2c4::2/64" ];
+ dns = [ "9.9.9.9" "149.112.112.112" ];
+ privateKeyFile = "/root/wireguard-keys/privatekey";
+
+ peers = [{
+ publicKey = "GfrFhe2JV8FS/711WAdx6CLF/QIEj1KoOGP/ErxBHkg=";
+ presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key";
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ endpoint = "57.129.46.171:51820";
+ persistentKeepalive = 25;
+ }];
+ };
+ };
+}
diff --git a/modules/services/iceshrimp.nix b/modules/services/iceshrimp.nix
index edb3709..69dc2f7 100644
--- a/modules/services/iceshrimp.nix
+++ b/modules/services/iceshrimp.nix
@@ -2,12 +2,17 @@
 {
 services = {
- # redis.servers.iceshrimp = {
- # enable = true;
- # port = 6380;
- # bind = "0.0.0.0";
- # settings.protected-mode = "no";
- # };
+ postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
 iceshrimp = {
 enable = true;
diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix
index fdd6bbe..e717fc3 100644
--- a/modules/services/matrix/default.nix
+++ b/modules/services/matrix/default.nix
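Review bot: `privateKeyFile` and `presharedKeyFile` point at files under `/root/wireguard-keys/` that nothing in this flake creates or permission-checks, so the tunnel's key material sits outside the declarative config in the same commit that wires agenix into the host. Declaring them as age secrets and referencing `config.age.secrets.<name>.path` (placeholder name) would put them under the same encrypted, reviewable management as the rest of the configuration; the module would then need `config` in its argument list, which the current `{ ... }:` does not bind. `allowedIPs = [ "0.0.0.0/0" "::/0" ]` together with the `dns` list makes wg0 a full tunnel, and if `wg-quick-wg0` fails to come up the host presumably continues on its normal uplink, so a short header comment saying what wg0 is for and whether that fail-open behaviour is intended would help. I cannot tell from this diff whether modules/core imports the new file, since no hunk adds it to an import list.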
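Review bot: The `services.postgresql` block added here provisions the matrix-synapse role and database from inside the iceshrimp module, and the same block is added again in modules/services/matrix/default.nix in this commit; since violet.nix now imports both modules, `services.postgresql.initialScript` is defined twice and evaluation only succeeds while the two `writeText` derivations stay byte-identical. Keeping the block only in the matrix module removes that fragility and the misleading placement. The role password `'synapse'` is also written into the world-readable Nix store by `pkgs.writeText` (and again by the synapse settings in the matrix hunk), so depending on the generated pg_hba rules any local account could authenticate to the database with it; for a same-host PostgreSQL the usual remedy is socket peer authentication with no password, or an agenix-managed password file. Whether `pkgs` is bound in this module cannot be confirmed from the hunk, because the argument list on line 1 is outside it.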
@@ -1,18 +1,19 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, agenix, ... }:
 let
- fqdn = "quack.social";
+ fqdn = "liv.town";
 baseUrl = "https://${fqdn}";
 clientConfig."m.homeserver".base_url = baseUrl;
 serverConfig."m.server" = "${fqdn}:443";
 mkWellKnown = data: ''
 default_type application/json;
- add_header Access-Control-Allow-Origin *;
+ # add_header Access-Control-Allow-Origin *;
 return 200 '${builtins.toJSON data}';
 '';
 in {
- #age.secrets.matrix-synapse = {
- # file = "../../../secrets/matrix-synapse.age";
- #};
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "ahwx@ahwx.org";
+ };
 services = {
 # postgresql.enable = true;
@@ -30,6 +31,32 @@ in {
 recommendedOptimisation = true;
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
+
+ # Hardened TLS and HSTS preloading
+ appendHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Do not add HSTS header to HTTP requests.
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # This might create errors
+ # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+
 virtualHosts = {
 # If the A and AAAA DNS records on example.org do not point on the same host as the
 # records for myhostname.example.org, you can easily move the /.well-known
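Review bot: Commenting out `add_header Access-Control-Allow-Origin *;` inside `mkWellKnown` breaks browser-based Matrix clients, which fetch the client well-known document cross-origin and require that endpoint to allow any origin. If the header was disabled because a location-level `add_header` suppresses the http-level security headers added later in this file (nginx inherits `add_header` from the enclosing level only when the current level defines none), the fix is to restore the CORS line and repeat the needed headers inside that snippet rather than drop it. A short comment above `mkWellKnown` recording that trade-off would keep the next reader from re-disabling it. Note also that this hunk deletes the only visible declaration of `age.secrets.matrix-synapse` while a later hunk in this file starts referencing `config.age.secrets.matrix-synapse`.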
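Review bot: The `add_header` lines in `appendHttpConfig` omit the `always` flag, so nginx attaches Strict-Transport-Security, Referrer-Policy, X-Frame-Options and X-Content-Type-Options only to 2xx/3xx responses, and a 404 from a proxied route or a 502 while synapse restarts goes out without HSTS. Appending `always` to each directive, e.g. `add_header Strict-Transport-Security $hsts_header always;`, closes that gap; the commented CSP line already has it. These http-level headers are also silently dropped in any `server` or `location` block that declares its own `add_header`, so the well-known snippet and any future CORS headers have to repeat them. `preload` with `includeSubdomains` commits every subdomain of the host to HTTPS once the domain is submitted to the preload list, which is worth a comment stating that it is intended.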
@@ -67,18 +94,29 @@ in {
 };
 };
+ postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
 matrix-synapse = {
 enable = true;
 settings = {
- # database.name = "psycopg2";
- # database.args = {
- # user = "matrix-synapse";
- # password = "synapse";
- # };
+ database.name = "psycopg2";
+ database.args = {
+ user = "matrix-synapse";
+ password = "synapse";
+ };
 server_name = "${fqdn}";
 public_baseurl = "https://${fqdn}";
 enable_registration = false;
- #registration_shared_secret = config.age.secrets.matrix-synapse;
+ registration_shared_secret = config.age.secrets.matrix-synapse;
 #macaroon_secret_key = config.age.secrets.matrix-synapse;
 listeners = [ {
 port = 8008;
diff --git a/modules/services/violet.nix b/modules/services/violet.nix
index 74b86d7..21b656a 100644
--- a/modules/services/violet.nix
+++ b/modules/services/violet.nix
@@ -1,5 +1,6 @@
 { ...}: {
 imports =
- [(import ./iceshrimp.nix)];
+ [(import ./iceshrimp.nix)]
+ ++ [(import ./matrix/default.nix)];
 # ++ [(import ./tmux.nix)];
 }
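Review bot: `registration_shared_secret = config.age.secrets.matrix-synapse;` assigns the agenix secret's attribute set rather than its contents, and the only declaration of `age.secrets.matrix-synapse` visible in this diff is the commented block that the first hunk of this file deletes, so evaluation most likely fails on a missing attribute; even `config.age.secrets.matrix-synapse.path` would be wrong here, because `settings` is rendered into a world-readable store file and this option expects the secret string itself. The supported route is `services.matrix-synapse.extraConfigFiles = [ config.age.secrets.matrix-synapse.path ];` with the decrypted file holding the `registration_shared_secret:` YAML key (newer Synapse releases also accept a `registration_shared_secret_path` setting, to be confirmed against the packaged version). The same store exposure applies to `database.args.password = "synapse"`: with PostgreSQL on the same host, dropping the password and relying on socket peer authentication for the `matrix-synapse` user (which I read as the NixOS default for local connections) removes the credential entirely. The `services.postgresql` block duplicated from modules/services/iceshrimp.nix should live in one module only.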