diff --git a/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/config/common/data/pubkeys/despondos_host_ed25519.pub
similarity index 100%
rename from config/common/data/pubkeys/despondos_host_ed25519_key.pub
rename to config/common/data/pubkeys/despondos_host_ed25519.pub
diff --git a/config/common/data/pubkeys/vw-backup_host_ed25519.pub b/config/common/data/pubkeys/vw-backup_host_ed25519.pub
new file mode 100644
index 0000000..797d489
--- /dev/null
+++ b/config/common/data/pubkeys/vw-backup_host_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOxKGASvmnZ+1wZLnRShq3416gZkN8qK6YmHQANjxfk8 root@vw-backup
diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix
index e844887..fbed680 100644
--- a/config/common/services/nginx.nix
+++ b/config/common/services/nginx.nix
@@ -13,29 +13,6 @@ sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; commonHttpConfig = '' - # Add HSTS header with preloading to HTTPS requests. - # Adding this header to HTTP requests is discouraged - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - - # Enable CSP for your services. - add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - - # Minimize information leaked to other domains - add_header 'Referrer-Policy' 'same-origin'; - - # Disable embedding as a frame - add_header X-Frame-Options DENY; - - # Prevent injection of code in other mime types (XSS Attacks) - add_header X-Content-Type-Options nosniff; - - # Enable XSS protection of the browser. - # May be unnecessary when CSP is configured properly (see above) - add_header X-XSS-Protection "1; mode=block"; - # This might create errors proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; ''; diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix index 562cba6..f4414ea 100644 --- a/config/common/services/ssh.nix +++ b/config/common/services/ssh.nix @@ -16,7 +16,11 @@ programs.ssh.knownHosts = { despondos = { hostNames = [ "despondos.nao.sh" ]; - publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub; + publicKeyFile = ../data/pubkeys/despondos_host_ed25519.pub; + }; + vw-backup = { + hostNames = [ "vw-backup.dotsrc.org" ]; + publicKeyFile = ../data/pubkeys/vw-backup_host_ed25519.pub; }; }; diff --git a/config/hosts/capetillo/configuration.nix b/config/hosts/capetillo/configuration.nix index 8fcb8be..a976db7 100644 --- a/config/hosts/capetillo/configuration.nix +++ b/config/hosts/capetillo/configuration.nix 
@@ -10,7 +10,7 @@ ./services/mail.nix ./services/tor.nix ./services/vaultwarden.nix - ./services/duplicity.nix + ./services/restic.nix ./data/secrets/secrets.nix ]; @@ -52,7 +52,7 @@ ]; }; - users.groups.backup.members = [ "virtualMail" "vaultwarden" "duplicity" ]; + users.groups.backup.members = [ "virtualMail" "vaultwarden" ]; users.groups.nginx.members = [ "deploy-web" ]; security.sudo.wheelNeedsPassword = false; diff --git a/config/hosts/capetillo/data/secrets/restic_dotsrc_pass b/config/hosts/capetillo/data/secrets/restic_dotsrc_pass new file mode 100644 index 0000000..40fa5c2 Binary files /dev/null and b/config/hosts/capetillo/data/secrets/restic_dotsrc_pass differ diff --git a/config/hosts/capetillo/data/secrets/restic_pass b/config/hosts/capetillo/data/secrets/restic_nixaalborg_pass similarity index 100% rename from config/hosts/capetillo/data/secrets/restic_pass rename to config/hosts/capetillo/data/secrets/restic_nixaalborg_pass diff --git a/config/hosts/capetillo/data/secrets/secrets.nix b/config/hosts/capetillo/data/secrets/secrets.nix index 41404b4..0fd850d 100644 Binary files a/config/hosts/capetillo/data/secrets/secrets.nix and b/config/hosts/capetillo/data/secrets/secrets.nix differ diff --git a/config/hosts/capetillo/services/duplicity.nix b/config/hosts/capetillo/services/duplicity.nix deleted file mode 100644 index 1a7e684..0000000 --- a/config/hosts/capetillo/services/duplicity.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, ... }: -{ - - services.duplicity = { - enable = true; - include = [ "/var/lib/bitwarden_rs/backup" ]; - frequency = "hourly"; - targetUrl = "rsync://duplicity@2001:878:346::123/var/backups/vaultwarden"; - extraFlags = [ "--no-encryption" ]; - }; -} diff --git a/config/hosts/capetillo/services/mail.nix b/config/hosts/capetillo/services/mail.nix index 1674476..a955155 100644 --- a/config/hosts/capetillo/services/mail.nix +++ b/config/hosts/capetillo/services/mail.nix 
@@ -6,7 +6,7 @@ # Pick a commit from the branch you are interested in url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e3a7b2ea6f0d68b82027b988aa25d3423787303/nixos-mailserver-6e3a7b2ea6f0d68b82027b988aa25d3423787303.tar.gz"; # And set its hash - sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi"; + sha256 = "1i56llz037x416bw698v8j6arvv622qc0vsycd20lx3yx8n77n44"; }) ]; diff --git a/config/hosts/capetillo/services/nginx.nix b/config/hosts/capetillo/services/nginx.nix index 091cd62..d7ff070 100644 --- a/config/hosts/capetillo/services/nginx.nix +++ b/config/hosts/capetillo/services/nginx.nix @@ -12,6 +12,7 @@ add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; add_header Onion-Location http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri; ''; }; @@ -19,15 +20,15 @@ forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://localhost:8812"; + proxyPass = "http://127.0.0.1:8812"; proxyWebsockets = true; }; locations."/notifications/hub" = { - proxyPass = "http://localhost:3012"; + proxyPass = "http://127.0.0.1:3012"; proxyWebsockets = true; }; locations."/notifications/hub/negotiate" = { - proxyPass = "http://localhost:8812"; + proxyPass = "http://127.0.0.1:8812"; proxyWebsockets = true; }; }; 
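Review bot: The `sha256` of the nixos-mailserver tarball changes in this hunk while the `url` context line above it still pins the same commit 6e3a7b2ea6f0d68b82027b988aa25d3423787303, and nothing records why the hash of an unchanged pin moved. A new hash over the same pinned archive is exactly what a supply-chain reviewer needs explained: the earlier value may simply have been wrong, the forge may have regenerated the archive, or the fetcher's hashing (NAR versus raw tarball) may have changed — the fetch call that consumes this attrset is outside the hunk, so I cannot tell which from here. Please state the reason in the commit message and leave it in the file, e.g. extend the existing comment to `# And set its hash (re-verified against the same commit on <date>; reason: <reason>)`, so the next bump does not have to redo the investigation.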
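Review bot: The `add_header Strict-Transport-Security` line added to the first virtualHost's extraConfig is the only replacement this host gets for the HSTS block deleted from `config/common/services/nginx.nix`, and nothing in the hunk guards against nginx's add_header inheritance rule: a `location` that sets any `add_header` of its own discards every server-level `add_header`, so all of these security headers silently disappear for that path. The three proxyPass locations in the following hunk set no add_header in the visible lines, so the headers should still be delivered today, but a later `extraConfig` with an add_header inside a location would drop them without any warning; a comment on the extraConfig such as `# NOTE: nginx does not inherit add_header into a location that sets its own add_header; keep these at server level only` would document the trap. If other hosts also import the common module, they lose all six headers with no per-vhost replacement, which is worth confirming before merging. The virtualHost definition starts before the hunk.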
@@ -35,6 +36,14 @@ enableACME = true; forceSSL = true; root = "/var/www/mta-sts/public"; + extraConfig = '' + add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'same-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + ''; }; "ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion" = { # TODO: Do this with unix sockets instead @@ -43,6 +52,14 @@ port = 8080; } ]; root = "/var/www/nixaalb.org/public"; + extraConfig = '' + add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'same-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + ''; }; }; diff --git a/config/hosts/capetillo/services/restic.nix b/config/hosts/capetillo/services/restic.nix index b49af89..4640744 100644 --- a/config/hosts/capetillo/services/restic.nix +++ b/config/hosts/capetillo/services/restic.nix 
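Review bot: The `add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";` added to the `.onion` virtualHost's extraConfig in the second hunk is served from a plain-HTTP listener (`port = 8080;`, no forceSSL or enableACME in the visible lines), where browsers ignore the header by specification and where the deleted common config's own comment said "Adding this header to HTTP requests is discouraged". Drop that one line from the onion block; the other five headers remain useful there. The identical eight-line extraConfig is now pasted into the mta-sts vhost in the first hunk and again here, so a single `let securityHeaders = ''…'';` at the top of the file, referenced from each vhost, would keep the two copies from drifting — that `let` would sit outside both hunks.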
@@ -10,8 +10,18 @@ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; timerConfig = { "OnCalendar" = "02:15"; }; extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; - passwordFile = builtins.toString config.secrets.files.restic_pass.file; + passwordFile = builtins.toString config.secrets.files.restic_nixaalborg_pass.file; user = "virtualMail"; }; + "vaultwarden" = { + paths = [ "/var/lib/bitwarden_rs/backup" ]; + repository = "sftp:restic@vw-backup.dotsrc.org:/var/backups/vaultwarden"; + initialize = true; + pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; + timerConfig = { "OnCalendar" = "hourly"; }; + extraOptions = [ "sftp.command='ssh restic@vw-backup.dotsrc.org -i ${config.secrets.files.ssh_key.file} -s sftp'" ]; + passwordFile = builtins.toString config.secrets.files.restic_dotsrc_pass.file; + user = "vaultwarden"; + }; }; } diff --git a/config/hosts/capetillo/services/vaultwarden.nix b/config/hosts/capetillo/services/vaultwarden.nix index 957682f..f795671 100644 --- a/config/hosts/capetillo/services/vaultwarden.nix +++ b/config/hosts/capetillo/services/vaultwarden.nix @@ -12,16 +12,15 @@ websocketEnabled = true; websocketAddress = "127.0.0.1"; websocketPort = "3012"; - #dataDir = "/var/lib/vaultwarden"; - smtpHost = "127.0.0.1"; + smtpHost = "nixaalb.org"; smtpFrom = "noreply@dotsrc.org"; smtpFromName = "Vaultwarden"; smtpPort = 465; smtpSsl = true; smtpExplicitTls = true; - smtpAuthMechanism = "Login"; + smtpAuthMechanism = "Plain"; }; }; - systemd.timers.backup-vaultwarden.timerConfig = { OnCalendar = "hourly" }; + systemd.timers.backup-vaultwarden.timerConfig = { OnCalendar = "hourly"; }; } diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index 88375ac..8062daf 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json 
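Review bot: The new `"vaultwarden"` restic job fires on `"OnCalendar" = "hourly"`, the same calendar spec as `systemd.timers.backup-vaultwarden` in the vaultwarden.nix hunk below, so both timers trigger at minute :00 and the restic snapshot of `/var/lib/bitwarden_rs/backup` can race the job that presumably populates that directory, uploading a partial or stale dump without any error. Offset the restic timer, e.g. `timerConfig = { "OnCalendar" = "*-*-* *:30:00"; };`, or order the restic service after the backup service so the snapshot always sees a finished file; a comment such as `# runs at :30 so the vaultwarden dump (top of the hour) is complete` would record the dependency. The enclosing `backups` attrset starts before the hunk, so I cannot see whether other jobs share the same timing.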
@@ -5,10 +5,10 @@
 "homepage": "https://github.com/nmattia/niv",
 "owner": "nmattia",
 "repo": "niv",
- "rev": "5830a4dd348d77e39a0f3c4c762ff2663b602d4c",
- "sha256": "1d3lsrqvci4qz2hwjrcnd8h5vfkg8aypq3sjd4g3izbc8frwz5sm",
+ "rev": "9cb7ef336bb71fd1ca84fc7f2dff15ef4b033f2a",
+ "sha256": "1ajyqr8zka1zlb25jx1v4xys3zqmdy3prbm1vxlid6ah27a8qnzh",
 "type": "tarball",
- "url": "https://github.com/nmattia/niv/archive/5830a4dd348d77e39a0f3c4c762ff2663b602d4c.tar.gz",
+ "url": "https://github.com/nmattia/niv/archive/9cb7ef336bb71fd1ca84fc7f2dff15ef4b033f2a.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixos-hardware": {
@@ -17,22 +17,22 @@
 "homepage": "",
 "owner": "nixos",
 "repo": "nixos-hardware",
- "rev": "08cda8e3a5a4e685af525e5a589dfeb74267d505",
- "sha256": "0bf3mbss7c3lyf5h8g1vwjbs0cg4h0c8ixbaz1kv24ahyy8n61y3",
+ "rev": "10eab1c4cd8e715c0b41d32c28af2b89fc67bed0",
+ "sha256": "1ig5d807x99c7rsma3r23vfys1n05836y6rj5iy6ypbad7vw7cs4",
 "type": "tarball",
- "url": "https://github.com/nixos/nixos-hardware/archive/08cda8e3a5a4e685af525e5a589dfeb74267d505.tar.gz",
+ "url": "https://github.com/nixos/nixos-hardware/archive/10eab1c4cd8e715c0b41d32c28af2b89fc67bed0.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs": {
- "branch": "release-21.05",
+ "branch": "release-21.11",
 "description": "Nix Packages collection",
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "02ee434b10ef3e55b92ed2fbf0f1f9d0d20d2f6d",
- "sha256": "163xpxkav524pq7wbc6sbsl9fkzc4wshpjq0h7vq7csnsb8w6p77",
+ "rev": "6e23cb0fa9fd9edf8fdd75fd4d5111d571fc85ac",
+ "sha256": "0h0hjk48azjjz2xpwx5l0hvwk2g40minchqf077klii3zka35731",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/02ee434b10ef3e55b92ed2fbf0f1f9d0d20d2f6d.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/6e23cb0fa9fd9edf8fdd75fd4d5111d571fc85ac.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixus": {
@@ -41,10 +41,10 @@
 "homepage": "",
 "owner": "infinisil",
 "repo": "nixus",
- "rev": "851b6b7480815afd0032fd15ebcf23e80e1d7e57",
- "sha256": "1vr39sa7gldwkkhcq70ki878zgnj9z4gvwg85asi2mai0x47f3lb",
+ "rev": "60ea7eb5e18d58ac7742234855b7192112fd4049",
+ "sha256": "0c9jkhd6xmgaw2gzbcsf7k1p42sn8dyhla71x1bp902mnfdgjsxx",
 "type": "tarball",
- "url": "https://github.com/infinisil/nixus/archive/851b6b7480815afd0032fd15ebcf23e80e1d7e57.tar.gz",
+ "url": "https://github.com/infinisil/nixus/archive/60ea7eb5e18d58ac7742234855b7192112fd4049.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }