diff --git a/nixos/systems/altra/default.nix b/nixos/systems/altra/default.nix index 58a6e22..d78ea94 100644 --- a/nixos/systems/altra/default.nix +++ b/nixos/systems/altra/default.nix @@ -38,6 +38,7 @@ in ./http-synapse-proxy.nix ../../common/remote_access.nix + inputs.serokell-nix.nixosModules.acme-sh config'.flake.nixosModules.hashicorp inputs.disko.nixosModules.disko ]; diff --git a/nixos/systems/altra/http-synapse-proxy.nix b/nixos/systems/altra/http-synapse-proxy.nix index 8ed46b2..60ebb9b 100644 --- a/nixos/systems/altra/http-synapse-proxy.nix +++ b/nixos/systems/altra/http-synapse-proxy.nix 
@@ -1,76 +1,160 @@ { pkgs, inputs', lib, config, ... }: let inherit (lib) - singleton; + singleton + mkForce; + certs = config.services.acme-sh.certs; in { - users.users.nginx = { - group = "nginx"; + users.users.wwwrun = { + group = "wwwrun"; isSystemUser = true; - uid = config.ids.uids.nginx; + uid = config.ids.uids.wwwrun; }; - users.groups.nginx = { - gid = config.ids.gids.nginx; + users.groups.wwwrun = { + gid = config.ids.gids.wwwrun; }; - systemd.services.nginx-proxy = + systemd.services.apache-proxy = let - nginxConfiguration = inputs'.nixng.nglib.generators.toNginx { - daemon = "off"; - worker_processes = 2; + apacheConfiguration = inputs'.nixng.nglib.generators.toApache [ + { + LoadModule = [ + [ "mpm_event_module" "modules/mod_mpm_event.so" ] + [ "log_config_module" "modules/mod_log_config.so" ] + [ "unixd_module" "modules/mod_unixd.so" ] + [ "authz_core_module" "modules/mod_authz_core.so" ] + [ "authn_core_module" "modules/mod_authn_core.so" ] + [ "dir_module" "modules/mod_dir.so" ] + [ "mime_module" "modules/mod_mime.so" ] + [ "proxy_module" "modules/mod_proxy.so" ] + [ "proxy_http_module" "modules/mod_proxy_http.so" ] + [ "access_compat_module" "modules/mod_access_compat.so" ] + [ "proxy_connect_module" "modules/mod_proxy_connect.so" ] + [ "authn_file_module" "modules/mod_authn_file.so" ] + [ "authz_user_module" "modules/mod_authz_user.so" ] + [ "authz_host_module" "modules/mod_authz_host.so" ] + [ "auth_basic_module" "modules/mod_auth_basic.so" ] + [ "ssl_module" "modules/mod_ssl.so" ] + ]; + } + { + Listen = "0.0.0.0:8883"; - events."" = { - use = "epoll"; - worker_connections = 128; - }; + ServerRoot = "/var/empty"; + ServerName = "altra"; + PidFile = "/run/apache/apache.pid"; - error_log = "/var/log/nginx/error.log warn"; + DocumentRoot = "/var/empty"; + } - http."" = { - server_tokens = "off"; - include = singleton [ "${pkgs.nginx}/conf/mime.types" ]; - charset = "utf-8"; + { + ErrorLog = "/var/log/apache/error.log"; + TransferLog = 
"/var/log/apache/access.log"; - access_log = "/var/log/nginx/access.log combined"; + LogLevel = "debug"; + } - server."" = { - listen = [ "8883" ]; + { + AddType = singleton [ + "image/svg+xml" + "svg" + "svgz" + ]; + AddEncoding = [ + "gzip" + "svgz" + ]; - location."/" = { - satisfy = "all"; + TypesConfig = "${pkgs.apacheHttpd}/conf/mime.types"; + } - allow = [ [ "10.64.2.1" ] [ "127.0.0.1" ] ]; - deny = "all"; - - rewrite_by_lua_file - - auth_basic = "\"Administrator’s Area\""; - auth_basic_user_file = "/var/secret/htpasswd"; - - resolver = "8.8.8.8"; - proxy_pass = "http://$http_host$uri$is_args$args"; - - }; + { + Directory."/" = { + Require = [ "all" "denied" ]; + Options = "SymlinksIfOwnerMatch"; }; - }; - }; + + VirtualHost."*:8883" = [ + { + ProxyRequests = "on"; + AddDefaultCharset = "off"; + AllowCONNECT = "443"; + } + { + ServerName = "synapse-proxy.in.redalder.org"; + SSLEngine = "on"; + SSLCertificateFile = certs.apache-proxy.certPath; + SSLCertificateKeyFile = certs.apache-proxy.keyPath; + SSLCipherSuite = "HIGH:!aNULL:!MD5"; + } + { + Proxy."*" = { + Require = [ "all" "denied" ]; + }; + } + { + ProxyMatch."^([a-zA-Z]+\.)+[a-zA-Z]*:(443|8443).*$" = { + AuthType = "Basic"; + AuthName = "\"Password Required\""; + AuthUserFile = "/var/secret/htpasswd"; + + + RequireAll."" = { + Require = [ + [ "user synapse" ] + [ "method CONNECT" ] + ]; + RequireAny."" = { + Require = [ + [ "ip 10.64.2.1" ] + [ "ip 127.0.0.1" ] + ]; + }; + }; + }; + } + { + ProxyMatch."^http:\/\/([a-zA-Z]+\.)+[a-zA-Z]*(|:(80))$" = { + AuthType = "Basic"; + AuthName = "\"Password Required\""; + AuthUserFile = "/var/secret/htpasswd"; + + + RequireAll."" = { + Require = [ + [ "user synapse" ] + [ "not method CONNECT"] + ]; + RequireAny."" = { + Require = [ + [ "ip 10.64.0.2" ] + ]; + }; + }; + }; + } + ]; + } + ]; in { serviceConfig = { + Type = "forking"; Restart = "always"; RestartSec = "10s"; # User and group - User = "nginx"; - Group = "nginx"; + User = "wwwrun"; + Group = "wwwrun"; # 
Runtime directory and mode - RuntimeDirectory = "nginx"; + RuntimeDirectory = "apache"; RuntimeDirectoryMode = "0750"; # Cache directory and mode - CacheDirectory = "nginx"; + CacheDirectory = "apache"; CacheDirectoryMode = "0750"; # Logs directory and mode - LogsDirectory = "nginx"; + LogsDirectory = "apache"; LogsDirectoryMode = "0750"; # Proc filesystem ProcSubset = "pid"; @@ -96,18 +180,31 @@ in RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; LockPersonality = true; - MemoryDenyWriteExecute = false; + MemoryDenyWriteExecute = true; RestrictRealtime = true; RestrictSUIDSGID = true; RemoveIPC = true; PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ]; + SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid ~@ipc" ]; }; + wantedBy = [ "multi-user.target" ]; script = '' ls /proc/self/fd /dev - ${pkgs.openresty}/bin/nginx -c ${pkgs.writeText "nginx.cfg" nginxConfiguration} + ${pkgs.apacheHttpd}/bin/httpd -f ${pkgs.writeText "apache.conf" apacheConfiguration} ''; - }; + }; + + services.acme-sh.certs.apache-proxy = { + production = true; + user = "wwwrun"; + domains."synapse-proxy.in.redalder.org" = "dns_hetzner"; + mainDomain = "synapse-proxy.in.redalder.org"; + postRun = "systemctl try-reload-or-restart --no-block apache-proxy.service"; + }; + + systemd.services."acme-sh-apache-proxy" = { + serviceConfig.EnvironmentFile = mkForce "/var/secret/hetzner.env"; + }; } diff --git a/nixos/systems/altra/networking.nix b/nixos/systems/altra/networking.nix index 683f40f..d8d0675 100644 --- a/nixos/systems/altra/networking.nix +++ b/nixos/systems/altra/networking.nix @@ -68,8 +68,9 @@ in # ]; # }; - # interfaces."wg0" = { - # allowedTCPPorts = [ + interfaces."wg0" = { + allowedTCPPorts = [ + 8883 # ## Consul # 8600 # DNS # 8500 # HTTP 
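Review bot: Both `ProxyMatch` keys lose their literal-dot escapes, because a Nix double-quoted string turns `\.` into `.` (and `\/` into `/`), so the regex httpd receives is `^([a-zA-Z]+.)+[a-zA-Z]*:(443|8443).*$`, where `.` matches any character and the host restriction is looser than written; use `\\.` in both keys, e.g. `ProxyMatch."^([a-zA-Z]+\\.)+[a-zA-Z]*:(443|8443).*$"`. The CONNECT rule also admits `:8443` while `AllowCONNECT = "443"` permits only 443, so one of the two should change (`AllowCONNECT = "443 8443";` if 8443 is really wanted, otherwise drop the alternative). The vhost sets `SSLCipherSuite` but no `SSLProtocol`, leaving protocol selection to the httpd/OpenSSL default, which may still admit TLS 1.0/1.1, and `LogLevel = "debug"` is unusually verbose for an authenticating proxy; consider `SSLProtocol = "-all +TLSv1.2 +TLSv1.3";` and `LogLevel = "warn";`. With `Type = "forking"` systemd has to guess the main PID unless it is told where httpd writes it; since the config already sets `PidFile = "/run/apache/apache.pid"` inside `RuntimeDirectory = "apache"`, add `PIDFile = "/run/apache/apache.pid";` to `serviceConfig`, which continues into the next hunk.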
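Review bot: The new `~@ipc` element in `SystemCallFilter` most likely has no effect: systemd honours `~` only as the first character of the whole list, so a later `~@ipc` is probably read as a literal system call name and, being unknown, skipped with a warning in the unit's journal. If `@ipc` is meant to be denied, put it inside the existing inverted list, `SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid @ipc" ];`, and then confirm httpd still starts, because `@ipc` also covers `pipe`/`pipe2`, which APR and piped logging may rely on. `systemd-analyze security apache-proxy.service` after the rebuild shows whether the filter applied as intended. The `acme-sh-apache-proxy` override only forces `EnvironmentFile`; the Hetzner API token it loads is a long-lived DNS credential, so `/var/secret/hetzner.env` should be root-owned with mode 0600, and a short comment above the override saying so would help the next reader.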
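Review bot: Opening 8883 only on `wg0` is consistent with the proxy's `Require ip` rules, but the new service listens on `0.0.0.0:8883` (http-synapse-proxy.nix), so exposure on other interfaces rests solely on the default firewall policy; binding the listener to the wg0 address would make the two agree. The port literal is now duplicated between the two files with no link between them; at minimum annotate it here, `8883 # apache-proxy (http-synapse-proxy.nix)`, so a later change to one side is noticed on the other. The `allowedTCPPorts` list this hunk opens is closed by the `];` uncommented in the following hunk.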
@@ -81,7 +82,7 @@ in
 # 4647
 # 4648
 # 10000
- # ];
+ ];
 # allowedTCPPortRanges = [
 # {
 # from = 21000;