From ffac1727b92167ca6847b7ae3adc71f091d8048f Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 10 Jul 2022 11:51:34 +0200 Subject: ... --- _sources/generated.json | 24 +++++- _sources/generated.nix | 18 +++- accounts/gkleen@sif/xmonad/xmonad.hs | 2 + flake.lock | 79 +++++------------ flake.nix | 5 +- gup/Gupfile | 2 + gup/cabal2nix.gup | 4 + hosts/sif/default.nix | 9 ++ hosts/surtr/default.nix | 2 +- hosts/surtr/dns/default.nix | 2 +- .../surtr/dns/keys/mta-sts.bouncy.email_acme.yaml | 26 ++++++ hosts/surtr/dns/zones/email.bouncy.soa | 10 ++- hosts/surtr/email/default.nix | 20 ++++- hosts/surtr/http.nix | 99 ---------------------- hosts/surtr/http/default.nix | 67 +++++++++++++++ hosts/surtr/http/webdav/default.nix | 96 +++++++++++++++++++++ hosts/surtr/http/webdav/py-webdav/.gitignore | 1 + hosts/surtr/http/webdav/py-webdav/VERSION | 1 + hosts/surtr/http/webdav/py-webdav/setup.py | 17 ++++ .../surtr/http/webdav/py-webdav/webdav/__init__.py | 1 + hosts/surtr/http/webdav/py-webdav/webdav/webdav.py | 5 ++ hosts/surtr/matrix/default.nix | 8 +- hosts/surtr/tls/tsig_keys/mta-sts.bouncy.email | 26 ++++++ nvfetcher.toml | 6 +- 24 files changed, 355 insertions(+), 175 deletions(-) create mode 100644 gup/Gupfile create mode 100644 gup/cabal2nix.gup create mode 100644 hosts/surtr/dns/keys/mta-sts.bouncy.email_acme.yaml delete mode 100644 hosts/surtr/http.nix create mode 100644 hosts/surtr/http/default.nix create mode 100644 hosts/surtr/http/webdav/default.nix create mode 100644 hosts/surtr/http/webdav/py-webdav/.gitignore create mode 100644 hosts/surtr/http/webdav/py-webdav/VERSION create mode 100644 hosts/surtr/http/webdav/py-webdav/setup.py create mode 100644 hosts/surtr/http/webdav/py-webdav/webdav/__init__.py create mode 100644 hosts/surtr/http/webdav/py-webdav/webdav/webdav.py create mode 100644 hosts/surtr/tls/tsig_keys/mta-sts.bouncy.email diff --git a/_sources/generated.json b/_sources/generated.json index 9e718609..c65147bb 100644 --- a/_sources/generated.json 
+++ b/_sources/generated.json @@ -56,6 +56,24 @@ }, "version": "v0.2.10" }, + "freerdp": { + "cargoLocks": null, + "extract": null, + "name": "freerdp", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "rev": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0", + "sha256": "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw=", + "type": "git", + "url": "https://github.com/FreeRDP/FreeRDP" + }, + "version": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0" + }, "lesspipe": { "cargoLocks": null, "extract": null, @@ -209,11 +227,11 @@ "name": null, "owner": "umlaeute", "repo": "v4l2loopback", - "rev": "56cca901dcf0a5cb11cc613155cfbe863d5d8421", - "sha256": "sha256-NY9elPsoGQVGGDIe2US/HT0ES8NSmb0ohlABc0HEIP0=", + "rev": "4aadc417254bfa3b875bf0b69278ce400ce659b2", + "sha256": "sha256-nHxIW5BmaZC6g7SElxboTcwtMDF4SCqi11MjYWsUZpo=", "type": "github" }, - "version": "56cca901dcf0a5cb11cc613155cfbe863d5d8421" + "version": "4aadc417254bfa3b875bf0b69278ce400ce659b2" }, "xcompose": { "cargoLocks": null, diff --git a/_sources/generated.nix b/_sources/generated.nix index def59267..b077edf5 100644 --- a/_sources/generated.nix +++ b/_sources/generated.nix @@ -36,6 +36,18 @@ sha256 = "sha256-j7/3Llc3jTeJGpOH3Aexm9qcNscuk0mbi4ZCCyzC3+s="; }); }; + freerdp = { + pname = "freerdp"; + version = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0"; + src = fetchgit { + url = "https://github.com/FreeRDP/FreeRDP"; + rev = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0"; + fetchSubmodules = false; + deepClone = false; + leaveDotGit = false; + sha256 = "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw="; + }; + }; lesspipe = { pname = "lesspipe"; version = "2.05"; 
@@ -122,13 +134,13 @@ }; v4l2loopback = { pname = "v4l2loopback"; - version = "56cca901dcf0a5cb11cc613155cfbe863d5d8421"; + version = "4aadc417254bfa3b875bf0b69278ce400ce659b2"; src = fetchFromGitHub ({ owner = "umlaeute"; repo = "v4l2loopback"; - rev = "56cca901dcf0a5cb11cc613155cfbe863d5d8421"; + rev = "4aadc417254bfa3b875bf0b69278ce400ce659b2"; fetchSubmodules = true; - sha256 = "sha256-NY9elPsoGQVGGDIe2US/HT0ES8NSmb0ohlABc0HEIP0="; + sha256 = "sha256-nHxIW5BmaZC6g7SElxboTcwtMDF4SCqi11MjYWsUZpo="; }); }; xcompose = { diff --git a/accounts/gkleen@sif/xmonad/xmonad.hs b/accounts/gkleen@sif/xmonad/xmonad.hs index c12c590d..f96d659b 100644 --- a/accounts/gkleen@sif/xmonad/xmonad.hs +++ b/accounts/gkleen@sif/xmonad/xmonad.hs @@ -194,12 +194,14 @@ hostFromName h , assign "comm" $ className =? "Element" , assign "comm" $ className =? "Rocket.Chat" , assign "comm" $ className =? "Discord" + , assign "comm" $ className =? "Rainbow" , assign "media" $ (className =? "Alacritty" <&&> resource =? "media") , assign "monitor" $ className =? "Grafana" , assign "monitor" $ className =? "Virt-viewer" , assign "monitor" $ (className =? "Alacritty" <&&> resource =? "htop") , assign "monitor" $ (className =? "Alacritty" <&&> resource =? "monitor") , assign "monitor" $ className =? "xfreerdp" + , assign "monitor" $ className =? "org.remmina.Remmina" , Just $ (className =? "Alacritty" <&&> resource =? "htop") -?> centerFloat , Just $ (className =? "Scp-dbus-service.py") -?> centerFloat , Just $ (className =? "Alacritty" <&&> resource =? "log") -?> centerFloat diff --git a/flake.lock b/flake.lock index 48609f3c..c5bd114c 100644 --- a/flake.lock +++ b/flake.lock 
@@ -74,22 +74,17 @@ }, "home-manager": { "inputs": { - "flake-compat": [ - "flake-compat" - ], "nixpkgs": [ "nixpkgs" ], - "nmd": "nmd", - "nmt": "nmt", "utils": "utils_2" }, "locked": { - "lastModified": 1655594877, - "narHash": "sha256-AQ39Vlb6zhsJqIRz2cN923+ESBxHmeHMHoPqA80xOCE=", + "lastModified": 1656367977, + "narHash": "sha256-0hV17V9Up9pnAtPJ+787FhrsPnawxoTPA/VxgjRMrjc=", "owner": "nix-community", "repo": "home-manager", - "rev": "5197e5df7d3a148b1ad080235f70800987bc3549", + "rev": "3bf16c0fd141c28312be52945d1543f9ce557bb1", "type": "github" }, "original": { @@ -110,11 +105,11 @@ ] }, "locked": { - "lastModified": 1655849525, - "narHash": "sha256-j/XrVVistvM+Ua+0tNFvO5z83isL+LBgmBi9XppxuKA=", + "lastModified": 1656360098, + "narHash": "sha256-QfuZz3RK7oPPIZFC7l72BVIct/NH24hHKqcF0U1LJok=", "owner": "DavHau", "repo": "mach-nix", - "rev": "552d4caa73722b262204319526f9e77f9370f702", + "rev": "288338000307fdd23a1fc230a6dd1d5bd4fdde53", "type": "github" }, "original": { @@ -126,11 +121,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1655630673, - "narHash": "sha256-kYhka8nZ7hp3Pg6f21SDEcyt7aYfjIIbLlcDKRj2jhk=", + "lastModified": 1656875529, + "narHash": "sha256-LngTxPQozuYs/FdIoFhm9a1IoL4EqAJIgVcGRhSxtMY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "baac374635d18c960df37658b0f0b59d0767d468", + "rev": "f09a9cdbd3afc01ac03573959560d24bf9ec607b", "type": "github" }, "original": { @@ -142,11 +137,11 @@ }, "nixpkgs-21_11": { "locked": { - "lastModified": 1655562720, - "narHash": "sha256-OrN8DkBRZqZMzMuECuQNvSQ5gWoFBCxDvxYXjIQ/pH0=", + "lastModified": 1656782578, + "narHash": "sha256-1eMCBEqJplPotTo/SZ/t5HU6Sf2I8qKlZi9MX7jv9fw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "27dffce7eaa9648b4a13a461e786f169a17c0889", + "rev": "573603b7fdb9feb0eb8efc16ee18a015c667ab1b", "type": "github" }, "original": { 
@@ -158,11 +153,11 @@ }, "nixpkgs-22_05": { "locked": { - "lastModified": 1655584987, - "narHash": "sha256-YmWxPm6ctu+9nV80DtYtMfOBosNymeTpj8+Z0JTDfhU=", + "lastModified": 1656782561, + "narHash": "sha256-sZVLNNKIcELllTHqydsckz8HBfVqxeAt51acaaQWLCw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "57622cb817210146b379adbbd036d3da0d1f367c", + "rev": "18038cee44aa0c3c99a2319c3c1c4d16d6612d81", "type": "github" }, "original": { @@ -172,38 +167,6 @@ "type": "github" } }, - "nmd": { - "flake": false, - "locked": { - "lastModified": 1653339422, - "narHash": "sha256-8nc7lcYOgih3YEmRMlBwZaLLJYpLPYKBlewqHqx8ieg=", - "owner": "rycee", - "repo": "nmd", - "rev": "9e7a20e6ee3f6751f699f79c0b299390f81f7bcd", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmd", - "type": "gitlab" - } - }, - "nmt": { - "flake": false, - "locked": { - "lastModified": 1648075362, - "narHash": "sha256-u36WgzoA84dMVsGXzml4wZ5ckGgfnvS0ryzo/3zn/Pc=", - "owner": "rycee", - "repo": "nmt", - "rev": "d83601002c99b78c89ea80e5e6ba21addcfe12ae", - "type": "gitlab" - }, - "original": { - "owner": "rycee", - "repo": "nmt", - "type": "gitlab" - } - }, "nvfetcher": { "inputs": { "flake-compat": [ @@ -232,11 +195,11 @@ "pypi-deps-db": { "flake": false, "locked": { - "lastModified": 1656230916, - "narHash": "sha256-ySccLr2XgC9kiLwt/g+tjGyf03iwnAh1Odj3EZ+mZ/o=", + "lastModified": 1656835523, + "narHash": "sha256-FrhbCP17ewooEw9HKpvPPLHvpeMIjR/JYBvX1pl8bvM=", "owner": "DavHau", "repo": "pypi-deps-db", - "rev": "76e139c4fc7d8201dd1c437ba15761c982d6d4dd", + "rev": "d94f2eb44cb6dd5cf2ce4c50ee6dee7207edebc2", "type": "github" }, "original": { 
@@ -266,11 +229,11 @@ "nixpkgs-22_05": "nixpkgs-22_05" }, "locked": { - "lastModified": 1655611128, - "narHash": "sha256-+Rfr9i0UvQL0hK1npP7X1sf0Zb2C1YDff0acj0lhyWA=", + "lastModified": 1656820546, + "narHash": "sha256-g+1URmRH75RDAzVUtVb4Ls7X8n1iocAGULtSE7JUdwU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "6692484ba5339b77c7e62eafcfff2263a5488fb7", + "rev": "85907ae7384477e447499f6e942d822d6f2998d8", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 97fb4204..72c93162 100644 --- a/flake.nix +++ b/flake.nix @@ -176,10 +176,11 @@ }; installerConfig = if pathExists ./installer.nix then "installer.nix" else (if pathExists ./installer then "installer" else null); + mkInstallerForSystem = system: (lib.systems.elaborate system).isLinux; installers = let mkInstallers = system: mapAttrs (mkInstaller system) (installerProfiles system); mkInstaller = system: name: {profile, output}: let mkOutput = output; in rec { config = mkNixosConfiguration [profile { config = { nixpkgs.system = system; }; }] ./. installerConfig "installer"; output = mkOutput config; }; - in forAllSystems (system: _systemPkgs: optionalAttrs (!(isNull installerConfig)) (mkInstallers system)); + in forAllSystems (system: _systemPkgs: optionalAttrs (!(isNull installerConfig) && mkInstallerForSystem system) (mkInstallers system)); installerNixosConfigurations = listToAttrs (concatLists (mapAttrsToList (system: mapAttrsToList (profile: { config, ... }: nameValuePair ("installer-${system}-${profile}") config)) installers)); # packages = forAllSystems (system: systemPkgs: composeManyExtensions (attrValues self.overlays) self.legacyPackages.${system} systemPkgs); 
@@ -240,5 +241,7 @@ in mapAttrs (_n: v: if v ? "profiles" then v // { profiles = filterEnabled v.profiles; } else v) (filterEnabled (recursiveUpdate defaults overrides)); checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + + expr = self.nixosConfigurations.surtr.config.systemd.services.uwsgi.serviceConfig.ExecStart; }; } diff --git a/gup/Gupfile b/gup/Gupfile new file mode 100644 index 00000000..0c9b6b80 --- /dev/null +++ b/gup/Gupfile @@ -0,0 +1,2 @@ +cabal2nix.gup: + hosts/surtr/email/spm/spm.nix \ No newline at end of file diff --git a/gup/cabal2nix.gup b/gup/cabal2nix.gup new file mode 100644 index 00000000..ce623eee --- /dev/null +++ b/gup/cabal2nix.gup @@ -0,0 +1,4 @@ +#!/usr/bin/env zsh + +gup -u ${2:h}/package.yaml ${2:r}.cabal +env -C ${2:h} -- nix run nixos#cabal2nix -- . > $1 \ No newline at end of file diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 3b5ef6fc..257743fd 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix @@ -54,6 +54,15 @@ in { kernelParams = [ "i915.fastboot=1" "intel_pstate=no_hwp" "acpi_backlight=vendor" "thinkpad-acpi.brightness_enable=1" "quiet" ]; extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; kernelModules = ["v4l2loopback"]; + kernelPatches = [ + { name = "edac-config"; + patch = null; + extraConfig = '' + EDAC y + EDAC_IE31200 y + ''; + } + ]; tmpOnTmpfs = true; diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index c9ecc945..87dd27b0 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix @@ -2,7 +2,7 @@ { imports = with flake.nixosModules.systemProfiles; [ qemu-guest openssh rebuild-machines zfs - ./zfs.nix ./dns ./tls ./http.nix ./bifrost ./matrix ./postgresql.nix ./prometheus ./email + ./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql.nix ./prometheus ./email ]; config = { diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 5b439a8f..808c56da 100644 
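Review bot: The `expr = self.nixosConfigurations.surtr.config.systemd.services.uwsgi.serviceConfig.ExecStart;` output added at the bottom of the outputs set reads as a leftover debugging probe rather than a deliberate interface: it exposes one host's unit command line under a generic name, and nothing else in this commit consumes it. A committed output becomes part of the flake's public surface and will appear in `nix flake show`, so either drop it before merge or, if it is meant to stay, give it a descriptive name under an existing output group with a comment saying what it is for. The enclosing outputs attribute set starts outside the hunk.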
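Review bot: `gup/cabal2nix.gup` has no `set -e`, so a failure of `gup -u ${2:h}/package.yaml ${2:r}.cabal` is ignored and cabal2nix runs against a stale `.cabal` file, and a failing `nix run` still leaves a truncated `$1` behind; add `set -euo pipefail` below the shebang (zsh supports all three). The parameters are unquoted, so a target path containing whitespace would word-split; `"${2:h}"`, `"${2:r}.cabal"` and `"$1"` are the safe forms. `nixos#cabal2nix` is resolved through the flake registry of whoever runs gup, so the cabal2nix version, and therefore the generated `spm.nix`, depends on the machine rather than on this repository's locked inputs; pointing it at the flake's own locked nixpkgs would make the output reproducible.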
--- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix @@ -184,7 +184,7 @@ in { addACLs = { "rheperire.org" = ["ymir_acme_acl"]; }; } { domain = "bouncy.email"; - acmeDomains = ["mailin.bouncy.email" "mailsub.bouncy.email" "imap.bouncy.email" "spm.bouncy.email" "bouncy.email"]; + acmeDomains = ["mailin.bouncy.email" "mailsub.bouncy.email" "imap.bouncy.email" "spm.bouncy.email" "mta-sts.bouncy.email" "bouncy.email"]; } ]} ''; diff --git a/hosts/surtr/dns/keys/mta-sts.bouncy.email_acme.yaml b/hosts/surtr/dns/keys/mta-sts.bouncy.email_acme.yaml new file mode 100644 index 00000000..ee78810d --- /dev/null +++ b/hosts/surtr/dns/keys/mta-sts.bouncy.email_acme.yaml 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:MKHoCzI9odlwPov5Ci9r2IaFCCT7DhOB8EJIFNdgG8xLwdk67SkTQ3kMGXM52EDPWdZ6a90HyKVDgL3O2vl8wbRu49jAIxCYr4t3QhLserNpMikxvAqItivtJKvBL0ah8B4mbjEH1KLou8DZgpDPdL8s+MxTOuYuLBvu/LPGRyabhKVSXmSRIL1iYx7RShe6r2PxiHN6wPmISj9YcwuuWygQRxkEqpybjUQzJe8tYFzuJ19rIUCZ26hI+k3khtFVET4TnouQAdTYXx6I/t/8Q8P7oILPFq4c,iv:w85RawhDWoLtTpWcbHo8W7bXCMa6apQNa4pQLd/whZc=,tag:z3WELFieEDeP9Zrna5brfQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-07-10T09:38:55Z", + "mac": "ENC[AES256_GCM,data:w2Ir2YQgkH0+5jNFW7mHyFVW2VEh98ADI99v6e55U7jKdEn70oF8cv787kMHNqpbwYamO9pSAz14is5Po+n11MH0UxESuU0cE7tfvoaUDIDgHNFVENB9dlKrKmnzXyEbN0+p33EP+/QmKYu4yLGc8t33NqoeD7Mc2McnmXJUvm0=,iv:7N480RaBLjIBXWJZG76VzIEyxm2eIxOi9GoZbGm2H50=,tag:JceWZoMQMwqxTYBRMPRnzA==,type:str]", + "pgp": [ + { + "created_at": "2022-07-10T09:38:54Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAYwPoDNsPVr3pUAih0sMWoebzWi8KQk6nthYKrBvc5mAw\nnuAjBhLc6Tzr8/vf5JbYcPiopd4qgIbPwqW8KAK28EdAz1+VrfM/mpI3wy0lO2YT\n0l4BQBjlvteoUfgV3nYDVbma7hh78Ip7vn0ebzeYCXbGqfCmhZXuZVG9k9rQ+v5t\nenIL1aLxLOBZSbcuDF415MZvKndU5LoQdciVfsFrex8TVzrYKQ62dBr00uysEgTz\n=TPo8\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-07-10T09:38:54Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAxFqsAJsqWvEmwQiLdSmcVP29dwQF9uLgGCwQCTtjuQYw\njFRrmwCYoCAMM0J7jExm6h7bVwy3pyGeIuya8X1sf6ZRJczGXvGwByK16kVdfgN2\n0l4BAlEaxS/5F6pMNJ0TMdYBMMGJWEa4H0xSE8DkF4Ep5bdxjaY3Pz09m8HWzJRA\nelshtXB8QcFLRG9BQRcPYd4ZEM+HqUCWF1C+7hBJ2SytDSHNZlXtxfd7ey3Jxg8+\n=oqf0\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa index 77acee8b..271a061e 100644 
--- a/hosts/surtr/dns/zones/email.bouncy.soa +++ b/hosts/surtr/dns/zones/email.bouncy.soa @@ -1,7 +1,7 @@ $ORIGIN bouncy.email. $TTL 3600 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( - 2022051500 ; serial + 2022071000 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire @@ -63,3 +63,11 @@ spm IN AAAA 2a03:4000:52:ada:: spm IN MX 0 mailin.bouncy.email. spm IN TXT "v=spf1 redirect=bouncy.email" _acme-challenge.spm IN NS ns.yggdrasil.li. + +_mta-sts IN TXT "v=STSv1; id=2022071000" +_smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@bouncy.email" +mta-sts IN A 202.61.241.61 +mta-sts IN AAAA 2a03:4000:52:ada:: +mta-sts IN MX 0 mailin.bouncy.email. +mta-sts IN TXT "v=spf1 redirect=bouncy.email" +_acme-challenge.mta-sts IN NS ns.yggdrasil.li. diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index b952070b..e3437a6b 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix @@ -580,6 +580,7 @@ in { "mailin.bouncy.email" = {}; "mailsub.bouncy.email" = {}; "imap.bouncy.email" = {}; + "mta-sts.bouncy.email" = {}; "surtr.yggdrasil.li" = {}; } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains); 
@@ -637,13 +638,28 @@ in { proxy_set_header SPM-DOMAIN "${domain}"; ''; }; - }) spmDomains); + }) spmDomains) // { + "mta-sts.bouncy.email" = { + locations."/".root = pkgs.runCommand "mta-sts" {} '' + mkdir -p $out/.well-known + cp ${pkgs.writeText "mta-sts.txt" '' + version: STSv1 + mode: testing + mx: mailin.bouncy.email + max_age: 604800 + ''} $out/.well-known/mta-sts.txt + ''; + }; + }; }; systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [ "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem" "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem" - ]) spmDomains; + ]) spmDomains ++ [ + "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem" + "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem" + ]; systemd.services.spm = { serviceConfig = { diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix deleted file mode 100644 index af27f178..00000000 --- a/hosts/surtr/http.nix +++ /dev/null 
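Review bot: The `"mta-sts.bouncy.email"` virtualHost introduced after `// {` only sets `locations."/".root`; unless TLS settings are applied to every vhost somewhere else in this file (outside the hunk), it serves the policy over plain HTTP, and RFC 8461 has MTAs fetch `/.well-known/mta-sts.txt` over HTTPS with a certificate valid for the `mta-sts` host, so the policy would be treated as unavailable. The certificate is already wired into `LoadCredential` below, so add `forceSSL = true; sslCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.pem"; sslCertificateKey = "/run/credentials/nginx.service/mta-sts.bouncy.email.key.pem";` to that vhost, in the same style as the webdav vhost elsewhere in this commit. The policy is published with `mode: testing`, which asks senders only to report TLSRPT failures rather than refuse delivery; a comment above `mode: testing` stating when it is intended to move to `enforce` would help. Whenever the policy text changes (for instance that switch), the `_mta-sts` TXT `id` in `email.bouncy.soa` must be bumped as well, otherwise senders keep their cached copy for up to `max_age`.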
@@ -1,99 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - config = { - security.pam.services."webdav".text = '' - auth requisite pam_succeed_if.so user ingroup webdav quiet_success - auth required pam_unix.so likeauth nullok nodelay quiet - account sufficient pam_unix.so quiet - ''; - users.groups."webdav" = {}; - - services.nginx = { - enable = true; - # package = pkgs.nginxQuic; - recommendedGzipSettings = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - sslDhparam = config.security.dhparams.params.nginx.path; - commonHttpConfig = '' - ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1; - - log_format main - '$remote_addr "$remote_user" ' - '"$host" "$request" $status $bytes_sent ' - '"$http_referer" "$http_user_agent" ' - '$gzip_ratio'; - - access_log syslog:server=unix:/dev/log main; - error_log syslog:server=unix:/dev/log info; - - client_body_temp_path /run/nginx-client-bodies; - ''; - additionalModules = with pkgs.nginxModules; [ dav pam ]; - virtualHosts = { - "webdav.141.li" = { - forceSSL = true; - sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem"; - sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem"; - sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem"; - locations."/".extraConfig = '' - root /srv/files/$remote_user; - - auth_pam "WebDAV"; - auth_pam_service_name "webdav"; - ''; - extraConfig = '' - dav_methods PUT DELETE MKCOL COPY MOVE; - dav_ext_methods PROPFIND OPTIONS; - dav_access user:rw; - autoindex on; - - client_max_body_size 0; - create_full_put_path on; - - add_header Strict-Transport-Security "max-age=63072000" always; - ''; - }; - }; - }; - security.acme.domains."webdav.141.li" = { - zone = "141.li"; - certCfg = { - postRun = '' - ${pkgs.systemd}/bin/systemctl try-restart nginx.service - ''; - }; - }; - systemd.services.nginx = { - preStart = lib.mkForce config.services.nginx.preStart; - serviceConfig = { - SupplementaryGroups = [ "shadow" ]; - 
ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - LoadCredential = [ - "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem" - "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem" - "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem" - ]; - RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ]; - RuntimeDirectoryMode = "0750"; - - NoNewPrivileges = lib.mkForce false; - PrivateDevices = lib.mkForce false; - ProtectHostname = lib.mkForce false; - ProtectKernelTunables = lib.mkForce false; - ProtectKernelModules = lib.mkForce false; - RestrictAddressFamilies = lib.mkForce [ ]; - LockPersonality = lib.mkForce false; - MemoryDenyWriteExecute = lib.mkForce false; - RestrictRealtime = lib.mkForce false; - RestrictSUIDSGID = lib.mkForce false; - SystemCallArchitectures = lib.mkForce ""; - ProtectClock = lib.mkForce false; - ProtectKernelLogs = lib.mkForce false; - RestrictNamespaces = lib.mkForce false; - SystemCallFilter = lib.mkForce ""; - ReadWritePaths = [ "/srv/files" ]; - }; - }; - }; -} diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix new file mode 100644 index 00000000..a77252ff --- /dev/null +++ b/hosts/surtr/http/default.nix 
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, ... }:
+{
+ imports = [
+ ./webdav
+ ];
+
+ config = {
+ services.nginx = {
+ enable = true;
+ # package = pkgs.nginxQuic;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ sslDhparam = config.security.dhparams.params.nginx.path;
+ commonHttpConfig = ''
+ ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
+
+ log_format main
+ '$remote_addr "$remote_user" '
+ '"$host" "$request" $status $bytes_sent '
+ '"$http_referer" "$http_user_agent" '
+ '$gzip_ratio';
+
+ access_log syslog:server=unix:/dev/log main;
+ error_log syslog:server=unix:/dev/log info;
+
+ client_body_temp_path /run/nginx-client-bodies;
+ '';
+ additionalModules = with pkgs.nginxModules; [ dav pam ];
+ };
+ systemd.services.nginx = {
+ preStart = lib.mkForce config.services.nginx.preStart;
+ serviceConfig = {
+ SupplementaryGroups = [ "shadow" ];
+ ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
+ RuntimeDirectoryMode = "0750";
+
+ NoNewPrivileges = lib.mkForce false;
+ PrivateDevices = lib.mkForce false;
+ ProtectHostname = lib.mkForce false;
+ ProtectKernelTunables = lib.mkForce false;
+ ProtectKernelModules = lib.mkForce false;
+ RestrictAddressFamilies = lib.mkForce [ ];
+ LockPersonality = lib.mkForce false;
+ MemoryDenyWriteExecute = lib.mkForce false;
+ RestrictRealtime = lib.mkForce false;
+ RestrictSUIDSGID = lib.mkForce false;
+ SystemCallArchitectures = lib.mkForce "";
+ ProtectClock = lib.mkForce false;
+ ProtectKernelLogs = lib.mkForce false;
+ RestrictNamespaces = lib.mkForce false;
+ SystemCallFilter = lib.mkForce "";
+ ReadWritePaths = [ "/srv/files" ];
+ };
+ };
+
+ services.uwsgi = {
+ enable = true;
+ plugins = ["python3"];
+ instance = {
+ type = "emperor";
+ vassals = {};
+ };
+ };
+ };
+}
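Review bot: The generic HTTP module keeps WebDAV-specific pieces that the rest of the commit moves into `hosts/surtr/http/webdav/default.nix`: `additionalModules = with pkgs.nginxModules; [ dav pam ];`, `SupplementaryGroups = [ "shadow" ];` and `ReadWritePaths = [ "/srv/files" ];` exist only for the PAM-authenticated DAV share, and the long run of `lib.mkForce false` hardening overrides is presumably there only because `pam_unix` needs to read the shadow database. Moving those lines next to the `security.pam.services."webdav"` definition would keep this layer hardened for vhosts that do not need PAM and make the relaxation reviewable where it is justified; list-typed options such as `additionalModules` and `ReadWritePaths` merge across modules, so no `mkForce` is needed there. Even if the split is deferred, a one-line comment above `NoNewPrivileges = lib.mkForce false;` naming the reason (PAM/shadow access) would spare the next reader from re-deriving it.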
diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix new file mode 100644 index 00000000..f0aec1e9 --- /dev/null +++ b/hosts/surtr/http/webdav/default.nix 
@@ -0,0 +1,96 @@
+{ config, libs, pkgs, flakeInputs, ... }:
+let
+ webdavSocket = config.services.uwsgi.runDir + "/webdav.sock";
+
+ webdavApp = flakeInputs.mach-nix.lib.${config.nixpkgs.system}.buildPythonPackage {
+ ignoreDataOutdated = true;
+ pname = "py-webdav";
+ version = builtins.readFile ./py-webdav/VERSION;
+ src = ./py-webdav;
+ python = "python3";
+ requirements = ''
+ PyNaCl ==1.5.*
+ psycopg ==3.0.*
+ WsgiDAV ==4.0.*
+ '';
+ };
+in {
+ config = {
+ security.pam.services."webdav".text = ''
+ auth requisite pam_succeed_if.so user ingroup webdav quiet_success
+ auth required pam_unix.so likeauth nullok nodelay quiet
+ account sufficient pam_unix.so quiet
+ '';
+ users.groups."webdav" = {};
+
+ services.nginx = {
+ upstreams."py-webdav" = {
+ servers = {
+ "unix://${webdavSocket}" = {};
+ };
+ };
+
+ virtualHosts."webdav.141.li" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";
+ locations = {
+ "/".extraConfig = ''
+ root /srv/files/$remote_user;
+
+ auth_pam "WebDAV";
+ auth_pam_service_name "webdav";
+ '';
+
+ "/py/".extraConfig = ''
+ rewrite ^/py(.*) $1 break;
+
+ include ${config.services.nginx.package}/conf/uwsgi_params;
+ uwsgi_param SCRIPT_NAME /py;
+ uwsgi_pass py-webdav;
+ '';
+ };
+ extraConfig = ''
+ dav_methods PUT DELETE MKCOL COPY MOVE;
+ dav_ext_methods PROPFIND OPTIONS;
+ dav_access user:rw;
+ autoindex on;
+
+ client_max_body_size 0;
+ create_full_put_path on;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ '';
+ };
+ };
+ security.acme.domains."webdav.141.li" = {
+ certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+ '';
+ };
+ };
+
+ systemd.services.nginx.serviceConfig.LoadCredential = [
+ "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
+ "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
+ "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
+ ];
+
+
+ services.uwsgi.instance.vassals.webdav = {
+ type = "normal";
+ socket = webdavSocket;
+ listen = 1024;
+ master = true;
+ vacuum = true;
+ chown-socket = "${config.services.nginx.user}:${config.services.uwsgi.group}";
+
+ plugins = ["python3"];
+ pythonPackages = self: [webdavApp];
+ module = "webdav";
+ callable = "app";
+ };
+ };
+}
diff --git a/hosts/surtr/http/webdav/py-webdav/.gitignore b/hosts/surtr/http/webdav/py-webdav/.gitignore
new file mode 100644
index 00000000..ed8ebf58
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/.gitignore
@@ -0,0 +1 @@
+__pycache__
\ No newline at end of file
diff --git a/hosts/surtr/http/webdav/py-webdav/VERSION b/hosts/surtr/http/webdav/py-webdav/VERSION
new file mode 100644
index 00000000..6e8bf73a
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/VERSION
@@ -0,0 +1 @@
+0.1.0
diff --git a/hosts/surtr/http/webdav/py-webdav/setup.py b/hosts/surtr/http/webdav/py-webdav/setup.py
new file mode 100644
index 00000000..dbe345c1
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/setup.py
@@ -0,0 +1,17 @@
+import setuptools
+
+with open('VERSION', 'r', encoding='utf-8') as version_file:
+ version = version_file.read().strip()
+
+setuptools.setup(
+ name="py-webdav",
+ version=version,
+ package_dir={"": "."},
+ packages=setuptools.find_packages(),
+ python_requires=">=3.8",
+ install_requires=[
+ "PyNaCl ==1.5.*",
+ "psycopg ==3.0.*",
+ "WsgiDAV ==4.0.*",
+ ],
+)
diff --git a/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py b/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py
new file mode 100644
index 00000000..398378e2
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py
@@ -0,0 +1 @@
+from .webdav import app
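Review bot: The new `"/py/"` location that proxies to the uwsgi vassal carries no `auth_pam` directives, so unlike `"/"` it is reachable without credentials on the public `webdav.141.li` vhost, and the vassal's `webdav.app` currently answers every request with a dump of the whole WSGI environ (request headers such as `HTTP_COOKIE` or `HTTP_AUTHORIZATION` if a client sends them, socket paths, server layout); add `auth_pam "WebDAV"; auth_pam_service_name "webdav";` to the `/py/` block as well, or keep the location out of the config until the real application lands. `security.acme.domains."webdav.141.li"` lost the `zone = "141.li";` setting that the deleted `hosts/surtr/http.nix` had, which will break issuance for that certificate if the site's acme module requires it (its definition is outside this commit). `version = builtins.readFile ./py-webdav/VERSION;` keeps the trailing newline of the VERSION file (the VERSION hunk ends with a newline, unlike `.gitignore`) while `setup.py` strips it, so the Nix-side version string differs from the package's own; `lib.fileContents ./py-webdav/VERSION` returns it stripped, which also means fixing the module signature from `libs` to the `lib` every other module on this host takes. The pinned requirements are duplicated between this file's `requirements` string and `setup.py`'s `install_requires`, so a bump in one place will silently drift from the other.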
diff --git a/hosts/surtr/http/webdav/py-webdav/webdav/webdav.py b/hosts/surtr/http/webdav/py-webdav/webdav/webdav.py new file mode 100644 index 00000000..783f5d82 --- /dev/null +++ b/hosts/surtr/http/webdav/py-webdav/webdav/webdav.py @@ -0,0 +1,5 @@ +def app(env, start_response): + start_response('200 Success', [('Content-Type', 'text/plain; charset=utf-8')]) + return [ bytes(f'{key}: {value}\n', 'utf8') + for key, value in env.items() + ] diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index 9c9c3565..a469be69 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix @@ -140,11 +140,9 @@ with lib; services.nginx = { recommendedProxySettings = true; - upstreams = { - "matrix-synapse" = { - servers = { - "127.0.0.1:8008" = {}; - }; + upstreams."matrix-synapse" = { + servers = { + "127.0.0.1:8008" = {}; }; }; diff --git a/hosts/surtr/tls/tsig_keys/mta-sts.bouncy.email b/hosts/surtr/tls/tsig_keys/mta-sts.bouncy.email new file mode 100644 index 00000000..ce10db57 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/mta-sts.bouncy.email 
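Review bot: `start_response('200 Success', ...)` uses a non-standard reason phrase; the conventional status line is `'200 OK'`, and some intermediaries normalise or log the phrase. The function also has no docstring saying that it is a placeholder that echoes the WSGI environ; a one-liner such as `"""Placeholder WSGI app: echoes every environ entry; replace before exposing publicly."""` makes the intent explicit for whoever wires the real application in.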
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:v0QhyJhcbR+ouKYAxvTYWltoA7vmltvb8oTYs0vecTVMx2j2+UkAjw8xJ4qD,iv:007nDkrj4kvYJMa+W3YysDOXws9UZspC3w5vaTGI/II=,tag:Gzpj7bubRknVBNOfQYvoYg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-07-10T09:39:02Z", + "mac": "ENC[AES256_GCM,data:7dvWXtZd++BwWH6Qaw0WzRhxVVT9U8PFyE9MJ1E/NssSfkAZHaxDpV1kgRaHJav4lIjvUq83oWxBkEcnasfg6zF12xawxbCckf597r3ctndGtyyHLk0b0xBciiJRR8rFKeB81nKTiDzEA7ydfgbkPIktB/4xgi4vke5WHWPQ2Xs=,iv:NTTWRPUFvhDL5KndTwPEB4c3NCw6X9nDdWVPcowVN+Y=,tag:BO+TEaTY0RvptmlF9yhQfQ==,type:str]", + "pgp": [ + { + "created_at": "2022-07-10T09:39:02Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA1eY+DFYwuexG+2C53SzO1qsn60d1UOeBgeBojLbKwSQw\n55k9cM4vYE50bRrnqEfEXn45u2qYj4NIl2WhfJ4luwvNcmLmqvQCKDOKblOEe6Qi\n0l4B6zMGpHNTSkbaKB/Y2zRpczJxRBJz/cEuimbHs57nMQKpFGst5tMvsGilq4tq\nE8iC77K6S+OFJmJulJ/Rw4Yrg+raZ0KkpVKo+hOOKEi2QaWdBLf6dL+NdH2Qpxqu\n=iJRT\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-07-10T09:39:02Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAMl+sivtfp0HDutQ2ENSGsoqeIG1//4F0TrmX3GlFVysw\nSA3Env4jdFAtHplG9/6J6PTtnRZNvnqlwoq3Gz1kEIdf8DhQP7/8uPzi2mJz916n\n0l4BOuQfwtJn/M6a7T4xWW4fPh/CgTD8e0TNV4lYboW/YwAhCgOSaRKnObMzGquR\nJ6Fx6q7+y2Be3zpHdOMHpQ1OmEVmysLRo4DeuV6WYDqSOqSklNMVi6D9b+KIQAJo\n=jbRk\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file diff --git a/nvfetcher.toml b/nvfetcher.toml index bc3095ca..c723654e 100644 --- a/nvfetcher.toml +++ b/nvfetcher.toml 
@@ -53,4 +53,8 @@ fetch.github = "po5/chapterskip"
 [lesspipe]
 src.github = "wofr06/lesspipe"
 src.prefix = "v"
-fetch.url = "https://github.com/wofr06/lesspipe/archive/refs/tags/v$ver.tar.gz"
\ No newline at end of file
+fetch.url = "https://github.com/wofr06/lesspipe/archive/refs/tags/v$ver.tar.gz"
+
+[freerdp]
+src.git = "https://github.com/FreeRDP/FreeRDP"
+fetch.git = "https://github.com/FreeRDP/FreeRDP"
\ No newline at end of file
-- 
cgit v1.2.3
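Review bot: `src.git = "https://github.com/FreeRDP/FreeRDP"` follows the head of the upstream default branch, so every `nvfetcher` run re-pins freerdp to whatever untagged commit is current (the generated entry in `_sources/generated.json` already records `7f0efb0e…` with `"pinned": false`), which makes rebuilds drift over time and pulls unreviewed development commits into the build. If releases are what is wanted, a tag-based source such as the `src.github` form used for `lesspipe` above pins to upstream release tags; if a development snapshot is really intended, add a comment naming why and consider tracking a specific branch so updates are deliberate.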