diff --git a/.sops.yaml b/.sops.yaml index fd76726..07b1f6b 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,38 +1,29 @@ -# SOPS configuration for StuRa HTW Dresden infrastructure -# -# This file defines which keys can decrypt which secrets. -# Add GPG public keys (.asc files) or age keys to keys/hosts/ and keys/users/ -# to grant decryption access to hosts and users respectively. - keys: - # Admin/user keys - add GPG public keys here - # Example: - # - &user_admin_key age1... or pgp fingerprint + - &goeranh age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra + - &mail age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr + - &auth age1njnkkr489hfmpn337zna2k3z66y9086t7cpcmz2vn68p4x43aujs6wh0g5 + - &v6proxy age1gl8zmw86jkrkr7kaqugdyhvdhdrnfd72smndz2kfh4a6ec6s9yxsyrecu6 + - &proxy age1g9fnxzalnqtse29xjdrvcsrnrknp8t2s7xrle73fce0jcg7r3czsj524p4 - # Host keys - add host-specific keys here - # Example: - # - &host_proxy_key age1... or pgp fingerprint - # - &host_git_key age1... or pgp fingerprint -# Define which keys can access which files creation_rules: - # Default rule: all secrets can be decrypted by admin keys - - path_regex: secrets/.*\.yaml$ - # key_groups: - # - pgp: - # - *user_admin_key - # - age: - # - *user_admin_key - - # Host-specific secrets (example) - # - path_regex: secrets/proxy/.*\.yaml$ - # key_groups: - # - pgp: - # - *user_admin_key - # - *host_proxy_key - - # - path_regex: secrets/git/.*\.yaml$ - # key_groups: - # - pgp: - # - *user_admin_key - # - *host_git_key + - path_regex: hosts/mail/secrets.sops.yml$ + key_groups: + - age: + - *mail + - *goeranh + - path_regex: hosts/auth/secrets.sops.yml$ + key_groups: + - age: + - *auth + - *goeranh + - path_regex: hosts/v6proxy/secrets.sops.yml$ + key_groups: + - age: + - *v6proxy + - *goeranh + - path_regex: hosts/proxy/secrets.sops.yml$ + key_groups: + - age: + - *proxy + - *goeranh diff --git a/flake.lock b/flake.lock index 4e0f8b8..9ed7807 100644 --- a/flake.lock +++ b/flake.lock @@ -15,11 +15,11 @@ "uv2nix": "uv2nix" }, "locked": { - "lastModified": 1776085803, - "narHash": "sha256-JvvWVbXJYSY8qOReMbAOD4lxcN2cjKV6lg/jLz8CEuY=", + "lastModified": 1772909021, + "narHash": "sha256-hcstQ1Z9aQSJM3AVCLb0/OPTicbME9nhP01GiPrOjZM=", "owner": "nix-community", "repo": "authentik-nix", - "rev": "4370b561c8bafb59773ce3a518506bcf1161dbdb", + "rev": "7e4730351fb6df479c46a1bf7e23d46a0b0c5d46", "type": "github" }, "original": { @@ -47,16 +47,16 @@ "authentik-src": { "flake": false, "locked": { - "lastModified": 1775573258, - "narHash": "sha256-Xq7JGI/8ppIydIuWd9KRJKUrh7UpeniwvZ4NAtXbYJ4=", + "lastModified": 1772567399, + "narHash": "sha256-0Vpf1hj9C8r+rhrCgwoNazpQ+mwgjdjDhuoKCxYQFWw=", "owner": "goauthentik", "repo": "authentik", - "rev": "5249546862986202b901c2afd860992ec48c6ef6", + "rev": "0dccbd4193c45c581e9fb7cd89df0c1487510f1f", "type": "github" }, "original": { "owner": "goauthentik", - "ref": "version/2026.2.2", + "ref": "version/2026.2.1", "repo": "authentik", "type": "github" } @@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1776613567, - "narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=", + "lastModified": 1773025010, + "narHash": "sha256-khlHllTsovXgT2GZ0WxT4+RvuMjNeR5OW0UYeEHPYQo=", "owner": "nix-community", "repo": "disko", - "rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d", + "rev": "7b9f7f88ab3b339f8142dc246445abb3c370d3d3", "type": "github" }, "original": { @@ -116,11 +116,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1767039857, - "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", "owner": "edolstra", "repo": "flake-compat", - "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", "type": "github" }, "original": { @@ -181,11 +181,11 @@ ] }, "locked": { - "lastModified": 1772893680, - "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=", + "lastModified": 1763319842, + "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9", + "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761", "type": "github" }, "original": { @@ -224,11 +224,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1773912645, - "narHash": "sha256-QHzRqq6gh+t3F/QU9DkP7X63dDDcuIQmaDz12p7ANTg=", + "lastModified": 1773313890, + "narHash": "sha256-NXm/kOAk7HLziH1uWaUbNb9MhDS8yxFfQ8fMK5eN8/A=", "ref": "nixos-25.11", - "rev": "25e6dbb8fca3b6e779c5a46fd03bd760b2165bb5", - "revCount": 843, + "rev": "9cdd6869e513df8153db4b920c8f15d394e150f7", + "revCount": 842, "type": "git", "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver" }, @@ -297,11 +297,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1773831496, - "narHash": "sha256-JW2/QPyCVzmouqEp1H9kNa8JXd7xEhlam9sy3TYfhDY=", + "lastModified": 1764020296, + "narHash": "sha256-6zddwDs2n+n01l+1TG6PlyokDdXzu/oBmEejcH5L5+A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "826430a188181a750ffa5948daff334039c5d741", + "rev": "a320ce8e6e2cc6b4397eef214d202a50a4583829", "type": "github" }, "original": { @@ -313,11 +313,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1776734388, - "narHash": "sha256-vl3dkhlE5gzsItuHoEMVe+DlonsK+0836LIRDnm6MXQ=", + "lastModified": 1773222311, + "narHash": "sha256-BHoB/XpbqoZkVYZCfXJXfkR+GXFqwb/4zbWnOr2cRcU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "10e7ad5bbcb421fe07e3a4ad53a634b0cd57ffac", + "rev": "0590cd39f728e129122770c029970378a79d076a", "type": "github" }, "original": { @@ -393,11 +393,11 @@ ] }, "locked": { - "lastModified": 1776771786, - "narHash": "sha256-DRFGPfFV6hbrfO9a1PH1FkCi7qR5FgjSqsQGGvk1rdI=", + "lastModified": 1773096132, + "narHash": "sha256-M3zEnq9OElB7zqc+mjgPlByPm1O5t2fbUrH3t/Hm5Ag=", "owner": "Mic92", "repo": "sops-nix", - "rev": "bef289e2248991f7afeb95965c82fbcd8ff72598", + "rev": "d1ff3b1034d5bab5d7d8086a7803c5a5968cd784", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f0f177e..53bdc81 100644 --- a/flake.nix +++ b/flake.nix @@ -193,10 +193,10 @@ [ ./hosts/${input} ./default.nix - ./modules/monitoring.nix disko.nixosModules.disko authentik.nixosModules.default mailserver.nixosModules.mailserver + sops.nixosModules.default { _module.args = { inherit self modulesPath; }; } diff --git a/hosts/auth/authentik.nix b/hosts/auth/authentik.nix new file mode 100644 index 0000000..4ae125b --- /dev/null +++ b/hosts/auth/authentik.nix @@ -0,0 +1,84 @@ +{ + config, + lib, + pkgs, + ... +}: +{ + users.groups.authentik = { }; + users.users.authentik = { + isSystemUser = true; + extraGroups = [ "docker" ]; + group = "authentik"; + }; + + virtualisation.docker.enable = true; + + systemd.services = { + authentik-secrets-setup = { + enable = true; + }; + }; + users.groups.authentik-ldap = {}; + users.users.authentik-ldap = { + isSystemUser = true; + group = "authentik-ldap"; + }; + systemd.services.authentik-ldap.serviceConfig = { + DynamicUser = lib.mkForce false; + User = "authentik-ldap"; + }; + services.authentik-ldap = { + enable = true; + environmentFile = config.sops.secrets."auth/ldap-env-file".path; + # environmentFile = "/var/lib/authentik-ldap-env"; + }; + services.authentik = { + enable = true; + # environmentFile = "/var/lib/authentik_secret"; + environmentFile = config.sops.secrets."auth/env-file".path; + settings = { + email = { + host = "mail.${config.networking.domain}"; + port = 25; + username = "authentik@${config.networking.domain}"; + use_tls = false; + use_ssl = false; + from = "authentik@${config.networking.domain}"; + }; + disable_startup_analytics = true; + avatars = "initials"; + }; + }; + + systemd.services.authentik-secrets-generator = { + enable = true; + requiredBy = [ + "authentik-secrets-setup.service" + "authentik-worker.service" + ]; + script = '' + echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret + ''; + }; + + services.nginx = { + enable = true; + virtualHosts = { + "auth.${config.networking.domain}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:9000"; + proxyWebsockets = true; + recommendedProxySettings = true; + extraConfig = '' + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; + }; + }; + }; +} + diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix new file mode 100644 index 0000000..0d135dc --- /dev/null +++ b/hosts/auth/default.nix @@ -0,0 +1,45 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: +{ + sops = { + defaultSopsFile = ./secrets.sops.yml; + secrets = { + "auth/env-file".owner = "authentik"; + "auth/ldap-env-file".owner = "authentik"; + }; + }; + imports = [ + "${modulesPath}/virtualisation/proxmox-lxc.nix" + ./authentik.nix + ]; + + networking = { + hostName = "auth"; + domain = lib.mkForce "test.htw.stura-dresden.de"; + useDHCP = false; + interfaces.eth0.ipv4.addresses = [ + { + address = "141.56.51.96"; + prefixLength = 24; + } + ]; + + defaultGateway = { + address = "141.56.51.254"; + interface = "eth0"; + }; + + firewall.allowedTCPPorts = [ + 80 + 443 + 3389 + ]; + }; + + system.stateVersion = "25.05"; +} diff --git a/hosts/auth/secrets.sops.yml b/hosts/auth/secrets.sops.yml new file mode 100644 index 0000000..45c456a --- /dev/null +++ b/hosts/auth/secrets.sops.yml @@ -0,0 +1,27 @@ +auth: + env-file: ENC[AES256_GCM,data:WDJ3daYCxybublm8VWO8W5HHmYYWKOcw81f+fQ0Vz78EOvbYI+SgEwnuAd/0/eeGkTPEJPSCfbymArs+YRTdibgO5y/34jdN0DOVQetZLPXrDbcZ/Sg=,iv:bykKdvkgmxwgptkGHKH4rnFknPA0PTrW+mEqIzIYERk=,tag:8UKhLz/VoPiXckcIEBfrLg==,type:str] + ldap-env-file: ENC[AES256_GCM,data:CpgiiUin3hj8+aykcSU2rasaCFt/CAC5lK3Ek7zxzw6hYCkhwxIc9a4Xfy9SxSQtASJ5dOOrOaa8gA1ahf4Z1g/1981fhxlQPeJd9PlJFgdL4CP5P6ZrPBKZKgygnreUo6HC7Rfc9x2CRmnDhQvMVUmQL9akZRNYasX+9IlRyKmLSFmi35IuryFhVLwfjfECmq51/Xo2WYzjWrayfFuOpS0jHWicQxXvXq6QcLvqmbk5euXiHDkFXOXcwMRr6mAompDAKa9BKXqcRDbxOWqzJ1gflEJvOJi249PeYFo+poTK1CUtBCTejFo=,iv:P1xN6wq5oeba1LSEn6UiArOka37alV/PhI5kOmpfDG0=,tag:Xisd5elHQ8mhvE6YEbCuLg==,type:str] +sops: + age: + - recipient: age1njnkkr489hfmpn337zna2k3z66y9086t7cpcmz2vn68p4x43aujs6wh0g5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRmV2dGt1UXZ3M2RKd24y + V0x4MzZyYUh0aDVwQ1NmOCtyOHR6Z1c0R1ZNCi80Nk9PZFVTcVFIQjlZVXJNeXBN + TC9td05ZeWVVTCtFSWhqazN6bFF3akkKLS0tIEV3YzdRUDA5Q2dBd2JWUWNqOTU4 + SnZtdVd4Q3lCaStJTnV4U2cvZUZEMlkK85XYSh6VbDFPKPIhKBKtkErGtgsHjXxy + kq14EXwfZnnBlR76JMQgPvSLrDLdj+4tDIVcuE4JplCoSvbGKckGww== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQm5nUHkzZExKOXNzNjk4 + Y1JURVJwNXhFUGZJak8vbEtCNnE2dHFuNVVNClJHQ3E2RGJkbUtlMDNwcy9Ib01Q + dG9nRTVJejkySTdlb2IrbHF4Z3ZMTmcKLS0tIHUwNndGdW9EaWwyNmRUb2NQU2Vs + MC9VSmVqVlVHRlJ4NXozUkQ4ZDVEVlkKbfVoBNsral3n7rG7ujUgdQXF68EVB+4G + MKMuOiY05QGBViLYyKh1jioHv6nds1hCuc2vpLNB3J0KT3I2q/a0VQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-21T16:42:34Z" + mac: ENC[AES256_GCM,data:i9hTUqbrmc2mD8PAbCe2gWern4ArMIkTQWN7eaJcsjZ9m6LZjOQFpnrpgPg6fj3hazgnFn86veNvQGe/J50NLnwj2FCyF3jKG3xkc7rKa9fyD0Yz0XnpbNKtDb2YGxwyBmLsnnyl6sdpyvPipZYCfwM+bhB8OERIXVXKwbZOn1A=,iv:dKI/NsMcVBNBOw0kYEQqrgfdvLKDg4NM/yRBYDqXIxU=,tag:xkg0z7IUy2m4ivosB925vQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.1 diff --git a/hosts/mail/default.nix b/hosts/mail/default.nix new file mode 100644 index 0000000..61b9766 --- /dev/null +++ b/hosts/mail/default.nix @@ -0,0 +1,233 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: +let + generatedAliases = pkgs.writeText "generated-aliases" ( + lib.concatStringsSep "\n" ( + lib.mapCartesianProduct + ({ aliases, domain }: "${aliases}@${domain} root@test.htw.stura-dresden.de") + { + aliases = [ + "abuse" + "hostmaster" + "noreply" + "postmaster" + "webmaster" + ]; + domain = config.mailserver.domains; + } + ) + ); + +in +{ + sops = { + defaultSopsFile = ./secrets.sops.yml; + secrets = { + "ldap_passwd".owner = "dovecot2"; + "wireguard-key".owner = "systemd-network"; + }; + }; + imports = [ + "${modulesPath}/virtualisation/proxmox-lxc.nix" + ]; + + security.pam.loginLimits = [ + { + domain = "*"; + type = "soft"; + item = "nofile"; + value = "8192"; + } + ]; + + networking = { + hostName = "mail"; + domain = lib.mkForce "test.htw.stura-dresden.de"; + useDHCP = false; + interfaces.ens18.ipv4.addresses = [ + { + address = "141.56.51.95"; + prefixLength = 24; + } + ]; + + defaultGateway = { + address = "141.56.51.254"; + interface = "eth0"; + }; + wireguard = { + enable = true; + interfaces = { + sturauplink = { + privateKeyFile = config.sops.secrets."wireguard-key".path; + ips = [ + "10.100.0.20/24" + "fd28:6691:1921:6299::20/64" + ]; + peers = [ + # mail.test.htw.stura-dresden.de + { + endpoint = "hetzner.test.htw.stura-dresden.de:51820"; + allowedIPs = [ + "10.100.0.1/24" + ]; + publicKey = "Tg/SNniezzF4DUnvUl1/JxQwS18POrUR20UmkQDt+X0="; + } + ]; + }; + }; + }; + }; + + services.nginx.virtualHosts = { + "lists.${config.networking.domain}" = { + enableACME = true; + forceSSL = true; + # locations."/" = { + # proxyPass = "http://127.0.0.1:18507"; + # }; + }; + }; + services.automx2 = { + enable = true; + domain = "${config.networking.domain}"; + settings = { + automx2 = { + db_uri = "sqlite:////var/lib/automx2/db.sqlite"; + proxy_count = 1; + }; + }; + }; + services.mailman = { + enable = true; + hyperkitty = { + enable = true; + }; + serve.enable = true; + webHosts = [ + "lists.${config.networking.domain}" + ]; + }; + + services.mailman.siteOwner = "mailman@${config.networking.domain}"; + mailserver = { + enable = true; + fqdn = "mail.${config.networking.domain}"; + domains = [ + "${config.networking.domain}" + "lists.${config.networking.domain}" + ]; + ldap = { + enable = true; + bind = { + # dn = "cn=dovecot,ou=users,DC=test,DC=htw,DC=stura-dresden,DC=de"; + dn = "cn=dovecot,ou=users,dc=mail,dc=htw,dc=stura-dresden,dc=de"; + # passwordFile = "/var/lib/dovecot_ldap_passwd"; + passwordFile = config.sops.secrets.ldap_passwd.path; + }; + dovecot = { + userFilter = "(&(objectClass=posixAccount)(mail=%u))"; + passFilter = "(&(objectClass=posixAccount)(mail=%u))"; + userAttrs = "cn"; + }; + postfix = { + filter = "(|(&(objectClass=posixAccount)(mail=%s))(&(objectClass=posixAccount)(cn=%s)))"; + mailAttribute = "mail"; + uidAttribute = "cn"; + }; + #searchBase = "DC=test,DC=htw,DC=stura-dresden,DC=de"; + searchBase = "dc=mail,dc=htw,dc=stura-dresden,dc=de"; + uris = [ + "ldap://auth.test.htw.stura-dresden.de:3389" + ]; + }; + + certificateScheme = "acme-nginx"; + enableImap = true; + enableImapSsl = true; + enableManageSieve = true; + enableSubmission = true; + enableSubmissionSsl = true; + extraVirtualAliases = { }; + lmtpSaveToDetailMailbox = "no"; # DOS potential + mailboxes = { + Drafts = { + auto = "subscribe"; + specialUse = "Drafts"; + }; + Sent = { + auto = "subscribe"; + specialUse = "Sent"; + }; + Spam = { + auto = "subscribe"; + specialUse = "Junk"; + }; + Trash = { + auto = "subscribe"; + specialUse = "Trash"; + }; + }; + maxConnectionsPerUser = 10; + messageSizeLimit = 10 * 1000 * 1024; # 10 MiB + + stateVersion = 3; + }; + + # services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n"; + services.postfix = + let + submissionOptions = { + # hash:/etc/postfix/virtual, + smtpd_sender_login_maps = lib.mkForce "ldap:/run/postfix/ldap-sender-login-map.cf"; + smtpd_client_restrictions = "permit_sasl_authenticated,reject"; + }; + in + { + masterConfig = { + submission = { + args = [ "-v" ]; + }; + submissions = { + args = [ "-v" ]; + }; + }; + settings.main = { + unknown_local_recipient_reject_code = 550; + relay_domains = [ + "hash:/var/lib/mailman/data/postfix_domains" + ]; + transport_maps = [ + "hash:/var/lib/mailman/data/postfix_lmtp" + ]; + local_recipient_maps = [ + "hash:/var/lib/mailman/data/postfix_lmtp" + ]; + }; + # mapFiles = { + # "valias" = lib.mkForce "/var/lib/postfix/valias"; + # "virtual" = lib.mkForce "/var/lib/postfix/virtual"; + # }; + submissionOptions = submissionOptions; + submissionsOptions = submissionOptions; + }; + + security.acme.acceptTerms = true; + security.acme.defaults.email = "cert@stura.htw-dresden.de"; + + networking.firewall.allowedTCPPorts = [ + 25 + 80 + 443 + 597 + ]; + + system.stateVersion = "24.11"; + +} + diff --git a/hosts/mail/secrets.sops.yml b/hosts/mail/secrets.sops.yml new file mode 100644 index 0000000..a90cdf0 --- /dev/null +++ b/hosts/mail/secrets.sops.yml @@ -0,0 +1,26 @@ +ldap_passwd: ENC[AES256_GCM,data:adUZCZcYfoxBQm3e4YeeXcQJSZjB3+v2zSNy7q0Ao39aDQMH5H0w4o9MXTREkPHW53JejC2ivo8Zl3yUhkeYRw==,iv:XB25CmtUGf+PeSsHtr+CA/HIfZq1IrOBPPQD3/r6Kc4=,tag:A/WGViM/Ix7n6mhjnbCtZg==,type:str] +wireguard-key: ENC[AES256_GCM,data:5EWg5yF1CDKIusFwONVSzxSMM0cfOzyUYcWQ0f8xTHZ7bViAw8HbjJpRI4o=,iv:UNTv+994Q5VscsjgWS4ppkHX0gPy7vc/qmRCYKvR8CE=,tag:i8ydlyJSfIUj81j78EX5Fg==,type:str] +sops: + age: + - recipient: age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsenVrS0tkTWZRY2xDZklO + WTcwaENIY2I1bTFGMEZZVzBoeUNrT2RESmhFCnZXU2M1SjlGQWo0OEp0TzI0c21u + UkNuNEdQQldQdy9uSzhveEM2eFZrRUkKLS0tIGV4S3lreHJPVS96VUZ6SXRaSklW + MUE4eXN0bkNkU0dCckppdldvV2V4dHcKdKh6ekq6hB5pCUAEPdASqsxqAKZDwzCv + NyS2jitHo9XBtMQVJg4PmNcoRs5XLdqy2tP8upnGelj0B/Q9D+dhag== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVlVrdXhGMDRxMjhPb3Nv + c3lBS25OKzJIaWhHWHpKQXo0N1dFTnZLaHdnClVFVTFPVE1rNFVEclFVc3VjQVhu + SjF6Nnp6dE9oRUJYUVVnOWVpVE11WVkKLS0tIEJ0aVJzejROMHFPK1JQbkJjbUdi + bGU3WWhVMGJ2LzI4N2E1Zy9RNnJ2V2MK4UQPwE5GUVTGvnuZ9knQ+BHmzmRLA1V5 + SinlJfHcs+9B7haHzAekDdNqZgEUh2tblabHqq/vNWzd0rWpK31Dww== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-21T18:05:57Z" + mac: ENC[AES256_GCM,data:NJM8uwSGIrjy4t+3AwNxp2e569ArH/cnRDipsHnTTQYV5NJLOTtwoFnTqVHBSREc2Sh38gXKye1ncwS3IG5CMsF1nsLOL/+Y9mUqQkLeWeld6Kal8c99yIr2oz8Hk4JTJt4j2C8/aNFhqu62VF7F6JNElWq2F3J5TPKPHRbE9yY=,iv:mj18t2s9hqNV4ore9T4R4jOgUGPuXGqwW91M9Uoh6aQ=,tag:v6T7LXjLQGoc9leFI5zY0g==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.1 diff --git a/hosts/monitoring/default.nix b/hosts/monitoring/default.nix deleted file mode 100644 index e30daba..0000000 --- a/hosts/monitoring/default.nix +++ /dev/null @@ -1,246 +0,0 @@ -{ - config, - lib, - pkgs, - modulesPath, - ... -}: -{ - imports = [ - "${modulesPath}/virtualisation/proxmox-lxc.nix" - ]; - - networking = { - hostName = "monitoring"; - fqdn = "monitoring.adm.htw.stura-dresden.de"; - interfaces.eth0.ipv4.addresses = [ - { - address = "141.56.51.20"; - prefixLength = 24; - } - ]; - defaultGateway = { - address = "141.56.51.254"; - interface = "eth0"; - }; - firewall = { - enable = true; - allowedTCPPorts = [ - 80 - 443 - 4317 # OTLP gRPC (Proxmox) - 4318 # OTLP HTTP (Proxmox) - ]; - }; - }; - - # Loki - Log aggregation system - services.loki = { - enable = true; - configuration = { - auth_enabled = false; - server = { - http_listen_port = 3100; - grpc_listen_port = 9096; - }; - common = { - path_prefix = "/var/lib/loki"; - storage.filesystem = { - chunks_directory = "/var/lib/loki/chunks"; - rules_directory = "/var/lib/loki/rules"; - }; - replication_factor = 1; - ring = { - instance_addr = "127.0.0.1"; - kvstore.store = "inmemory"; - }; - }; - limits_config = { - ingestion_rate_mb = 32; - ingestion_burst_size_mb = 64; - per_stream_rate_limit = "32MB"; - per_stream_rate_limit_burst = "64MB"; - max_query_series = 100000; - retention_period = "672h"; # 28 days - }; - compactor = { - retention_enabled = true; - working_directory = "/var/lib/loki/compactor"; - delete_request_store = "filesystem"; - }; - schema_config = { - configs = [ - { - from = "2024-01-01"; - store = "tsdb"; - object_store = "filesystem"; - schema = "v13"; - index = { - prefix = "index_"; - period = "24h"; - }; - } - ]; - }; - }; - }; - - # Mimir - Scalable metrics storage - services.mimir = { - enable = true; - configuration = { - multitenancy_enabled = false; - memberlist = { - bind_addr = [ "0.0.0.0" ]; - bind_port = 7946; - advertise_addr = "141.56.51.20"; - join_members = [ "141.56.51.20:7946" ]; - }; - blocks_storage = { - backend = "filesystem"; - filesystem = { - dir = "/var/lib/mimir/data"; - }; - }; - compactor = { - data_dir = "/var/lib/mimir/compactor"; - }; - distributor = { - ring = { - kvstore.store = "memberlist"; - }; - }; - ingester = { - ring = { - kvstore.store = "memberlist"; - replication_factor = 1; - }; - }; - ruler_storage = { - backend = "filesystem"; - filesystem = { - dir = "/var/lib/mimir/rules"; - }; - }; - server = { - http_listen_port = 9009; - grpc_listen_port = 9095; - }; - limits = { - ingestion_rate = 100000; - ingestion_burst_size = 200000; - max_global_series_per_user = 0; - compactor_blocks_retention_period = "672h"; # 28 days - }; - store_gateway = { - sharding_ring = { - replication_factor = 1; - kvstore.store = "memberlist"; - }; - }; - }; - }; - - # Grafana - Visualization and dashboarding - services.grafana = { - enable = true; - settings = { - server = { - http_addr = "127.0.0.1"; - http_port = 3000; - domain = "mon.adm.htw.stura-dresden.de"; - root_url = "https://mon.adm.htw.stura-dresden.de"; - }; - security = { - admin_user = "admin"; - admin_password = "$__file{/var/lib/grafana/admin_password}"; - }; - }; - provision = { - enable = true; - datasources.settings.datasources = [ - { - name = "Mimir"; - type = "prometheus"; - url = "http://localhost:9009/prometheus"; - isDefault = true; - } - { - name = "Loki"; - type = "loki"; - url = "http://localhost:3100"; - } - ]; - }; - }; - - # Nginx reverse proxy with ACME certificates - services.nginx = { - enable = true; - - virtualHosts."log.adm.htw.stura-dresden.de" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:3100"; - proxyWebsockets = true; - recommendedProxySettings = true; - }; - }; - - virtualHosts."met.adm.htw.stura-dresden.de" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:9009"; - recommendedProxySettings = true; - }; - }; - - virtualHosts."mon.adm.htw.stura-dresden.de" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:3000"; - proxyWebsockets = true; - recommendedProxySettings = true; - }; - }; - }; - - # Vector - receive OpenTelemetry data from Proxmox and forward to Loki/Mimir - services.vector.settings = { - sources.proxmox_otlp = { - type = "opentelemetry"; - grpc.address = "0.0.0.0:4317"; - http.address = "0.0.0.0:4318"; - }; - - transforms.proxmox_normalize_logs = { - type = "remap"; - inputs = [ "proxmox_otlp.logs" ]; - source = '' - .host = string(.resources."host.name") ?? "proxmox" - .unit = string(.attributes."service.name") ?? "proxmox" - ''; - }; - - transforms.proxmox_normalize_metrics = { - type = "remap"; - inputs = [ "proxmox_otlp.metrics" ]; - source = '' - .tags.host = string(.resources."host.name") ?? "proxmox" - ''; - }; - - }; - - stura.monitoring = { - extraMetricInputs = [ "proxmox_normalize_metrics" ]; - extraLogInputs = [ "proxmox_normalize_logs" ]; - }; - - services.openssh.enable = true; - - system.stateVersion = "25.11"; -} diff --git a/hosts/nextcloud/default.nix b/hosts/nextcloud/default.nix index 80c0bb3..304becf 100644 --- a/hosts/nextcloud/default.nix +++ b/hosts/nextcloud/default.nix @@ -87,11 +87,6 @@ recommendedProxySettings = true; recommendedTlsSettings = true; - commonHttpConfig = '' - real_ip_header proxy_protocol; - set_real_ip_from 141.56.51.1/32; - ''; - logError = '' /dev/null emerg ''; @@ -99,21 +94,9 @@ virtualHosts.${config.networking.fqdn} = { forceSSL = true; enableACME = true; - listen = [ - { - port = 80; - addr = "0.0.0.0"; - } - { - port = 443; - addr = "0.0.0.0"; - ssl = true; - proxyProtocol = true; - } - ]; - # extraConfig = '' - # access_log off; - # ''; + extraConfig = '' + access_log off; + ''; }; # virtualHosts."cloud.htw.stura-dresden.de" = { # forceSSL = true; diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index e688417..37d7951 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -6,6 +6,12 @@ ... }: { + sops = { + defaultSopsFile = ./secrets.sops.yml; + secrets = { + "wireguard-key".owner = "systemd-network"; + }; + }; imports = [ ./hardware-configuration.nix ./hetzner-disk.nix @@ -13,6 +19,7 @@ networking = { hostName = "proxy"; + nameservers = [ "141.56.51.1" ]; interfaces.ens18.ipv4.addresses = [ { address = "141.56.51.1"; @@ -20,99 +27,49 @@ } ]; defaultGateway.address = "141.56.51.254"; - firewall.enable = false; + firewall = { + allowedTCPPorts = [ + 22 + 53 # DNS + 80 + 443 + 1005 + 2142 + ]; + allowedUDPPorts = [ + 53 # DNS + 123 # NTP + ]; + }; nftables = { enable = true; - ruleset = '' - table inet filter { - set blacklist4 { - type ipv4_addr - flags interval - # manage: nft add element inet filter blacklist4 { 1.2.3.0/24 } - } - - set blacklist6 { - type ipv6_addr - flags interval - # manage: nft add element inet filter blacklist6 { 2001:db8::/32 } - } - - chain input { - type filter hook input priority filter; policy drop; - - iif "lo" accept - ct state established,related accept - - ip saddr 141.56.51.0/24 accept - ip saddr @blacklist4 drop - ip6 saddr @blacklist6 drop - - # public ports - tcp dport { 80, 443, 1005, 2142 } accept - - # lan-only: dns and ntp - ip saddr 141.56.51.0/24 tcp dport 53 accept - ip saddr 141.56.51.0/24 udp dport { 53, 123 } accept - } - - chain forward { - type filter hook forward priority filter; policy drop; - } - - chain output { - type filter hook output priority filter; policy accept; - } - } - ''; + }; + wireguard = { + enable = true; + interfaces = { + sturauplink = { + privateKeyFile = config.sops.secrets."wireguard-key".path; + ips = [ + "10.100.0.2/24" + "fd28:6691:1921:6299::2/64" + ]; + listenPort = 51820; + peers = [ + # mail.test.htw.stura-dresden.de + { + endpoint = "hetzner.test.htw.stura-dresden.de:51820"; + allowedIPs = [ + "10.100.0.0/24" + ]; + persistentKeepalive = 30; + publicKey = "Tg/SNniezzF4DUnvUl1/JxQwS18POrUR20UmkQDt+X0="; + } + ]; + }; + }; }; }; - # Phase 1: Kernel-Level TCP Tuning - boot.kernel.sysctl = { - # Connection tracking - prevents "table full" errors - "net.netfilter.nf_conntrack_max" = 262144; # Conservative limit matching current kernel - "net.netfilter.nf_conntrack_buckets" = 65536; # 4:1 ratio - - # Reduce connection tracking timeouts (defaults are excessive) - "net.netfilter.nf_conntrack_tcp_timeout_established" = 600; # 10 min (down from 5 days) - "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 30; # 30s - "net.netfilter.nf_conntrack_tcp_timeout_close_wait" = 15; # 15s - "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" = 30; # 30s - - # TCP connection handling - "net.core.somaxconn" = 65535; # Must be >= HAProxy maxconn - "net.core.netdev_max_backlog" = 16384; - "net.ipv4.tcp_max_syn_backlog" = 8192; - - # TCP buffer auto-tuning (16MB max) - "net.ipv4.tcp_rmem" = "4096 87380 16777216"; - "net.ipv4.tcp_wmem" = "4096 65536 16777216"; - "net.core.rmem_max" = 16777216; - "net.core.wmem_max" = 16777216; - - # TCP optimization - "net.ipv4.tcp_fin_timeout" = 15; - "net.ipv4.tcp_keepalive_time" = 300; # 5 min - "net.ipv4.tcp_keepalive_probes" = 3; - "net.ipv4.tcp_keepalive_intvl" = 15; - - # TCP Fast Open - "net.ipv4.tcp_fastopen" = 3; - - # BBR congestion control for better throughput - "net.ipv4.tcp_congestion_control" = "bbr"; - "net.core.default_qdisc" = "fq"; - - # Ephemeral port range - "net.ipv4.ip_local_port_range" = "10000 65535"; - - # TIME_WAIT socket reuse - "net.ipv4.tcp_tw_reuse" = 1; - }; - - # Enable BBR kernel module - boot.kernelModules = [ "tcp_bbr" ]; - # wenn instanzen in die flake migriert sind könnte man das autogenerierien services = let @@ -126,112 +83,108 @@ domain = "docs.adm.htw.stura-dresden.de"; httpPort = 8080; httpsPort = 8443; - sendProxy = false; }; plone = { dest = "141.56.51.3"; domain = "stura.htw-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = true; }; plone_alt = { dest = "141.56.51.3"; domain = "www.stura.htw-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = true; }; plone_neu = { dest = "141.56.51.3"; domain = "www.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = true; }; plone_neu2 = { dest = "141.56.51.3"; domain = "htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = true; }; tix = { dest = "141.56.51.220"; domain = "tix.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = false; }; post = { dest = "141.56.51.56"; domain = "post.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = false; }; vot = { dest = "141.56.51.57"; domain = "vot.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = false; }; mail = { dest = "141.56.51.14"; domain = "mail.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = false; }; lists = { dest = "141.56.51.14"; domain = "lists.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = false; }; dat = { dest = "141.56.51.17"; domain = "dat.stu.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = false; + }; + pro = { + dest = "141.56.51.15"; + domain = "pro.htw.stura-dresden.de"; + httpPort = 80; + httpsPort = 443; + }; + cloud = { + dest = "141.56.51.16"; + domain = "cloud.htw.stura-dresden.de"; + httpPort = 80; + httpsPort = 443; }; wiki = { dest = "141.56.51.13"; domain = "wiki.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = true; }; beach = { dest = "141.56.51.51"; domain = "beach.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = false; }; studicloud = { dest = "141.56.51.17"; domain = "dat.stu.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = false; }; bbb = { dest = "141.56.51.94"; domain = "bbb.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = false; }; bbb-test = { dest = "141.56.51.94"; domain = "bbb.test.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = false; }; } # zusätzlich zu den oben definierten wird hier noch ein redirect für jeden nginx virtualhost in diese flake generiert @@ -250,15 +203,6 @@ prev // (builtins.foldl' ( val: vhost: - let - proxyProtocol = - if - self.nixosConfigurations.${name}.config.services.nginx.virtualHosts.${vhost}.listen == [ ] - then - false - else - true; - in val // { "${vhost}" = { @@ -266,7 +210,6 @@ domain = vhost; httpsPort = 443; httpPort = 80; - sendProxy = proxyProtocol; }; } ) { } vhosts) @@ -323,43 +266,44 @@ "127.0.0.1" ]; listenOnIpv6 = [ ]; - # zones = { - # "htw.stura-dresden.de" = { - # master = true; - # file = pkgs.writeText "htw.stura-dresden.de.zone" '' - # $TTL 3600 - # @ IN SOA proxy.htw.stura-dresden.de. hostmaster.htw.stura-dresden.de. ( - # 2026031301 ; Serial (YYYYMMDDNN) - # 3600 ; Refresh (1 hour) - # 1800 ; Retry (30 minutes) - # 604800 ; Expire (1 week) - # 86400 ) ; Minimum TTL (1 day) - # - # ; Name servers - # @ IN NS proxy.htw.stura-dresden.de. - # - # ; Proxy host - main IPv4 gateway - # proxy IN A 141.56.51.1 - # proxy IN AAAA 2a01:4f8:1c19:96f8::1 - # - # ; Auto-generated CNAME records for all subdomains pointing to proxy - # ${lib.foldlAttrs ( - # prev: name: value: - # let - # zoneSuffix = ".htw.stura-dresden.de"; - # # Check if this domain belongs to our zone - # isInZone = lib.hasSuffix zoneSuffix value.domain; - # # Extract subdomain by removing the zone suffix - # subdomain = lib.removeSuffix zoneSuffix value.domain; - # in - # if isInZone && subdomain != "" && subdomain != "htw.stura-dresden.de" then - # prev + "${subdomain}${" "}IN${" "}CNAME${" "}proxy.htw.stura-dresden.de.\n" - # else - # prev - # ) "" forwards} - # ''; - # }; - # }; + zones = { + "htw.stura-dresden.de" = { + master = true; + file = pkgs.writeText "htw.stura-dresden.de.zone" '' + $TTL 3600 + @ IN SOA proxy.htw.stura-dresden.de. hostmaster.htw.stura-dresden.de. ( + 2026031301 ; Serial (YYYYMMDDNN) + 3600 ; Refresh (1 hour) + 1800 ; Retry (30 minutes) + 604800 ; Expire (1 week) + 86400 ) ; Minimum TTL (1 day) + + ; Name servers + @ IN NS proxy.htw.stura-dresden.de. + + ; Proxy host - main IPv4 gateway + proxy IN A 141.56.51.1 + proxy IN AAAA 2a01:4f8:1c19:96f8::1 + + ; Auto-generated CNAME records for all subdomains pointing to proxy + hetzner.test IN A 178.104.18.93 + ${lib.foldlAttrs ( + prev: name: value: + let + zoneSuffix = ".htw.stura-dresden.de"; + # Check if this domain belongs to our zone + isInZone = lib.hasSuffix zoneSuffix value.domain; + # Extract subdomain by removing the zone suffix + subdomain = lib.removeSuffix zoneSuffix value.domain; + in + if isInZone && subdomain != "" && subdomain != "htw.stura-dresden.de" then + prev + "${subdomain}${" "}IN${" "}CNAME${" "}proxy.htw.stura-dresden.de.\n" + else + prev + ) "" forwards} + ''; + }; + }; }; # Chrony NTP server for the internal network @@ -433,37 +377,20 @@ enable = true; config = '' global - # schreibe globalen log ins journal ip -> app + # schreibe globalen log ins journal ip -> app log /dev/log format raw local0 - maxconn 60000 # Safe limit below kernel conntrack (262144) - - # Buffer optimizations (Phase 2) - tune.bufsize 32768 # Power of 2 (was 32762) - tune.maxrewrite 8192 - - # Connection handling - tune.maxaccept 500 # Prevent accept starvation - tune.maxpollevents 300 - - # TCP buffer sizes (64KB) - tune.rcvbuf.client 65536 - tune.rcvbuf.server 65536 - tune.sndbuf.client 65536 - tune.sndbuf.server 65536 + maxconn 50000 + # man könnte metriken über einen socket file statt einen lokalen port machen für user permission control + # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + tune.bufsize 32762 defaults log global mode tcp option tcplog - - # Optimized timeouts (Phase 5) - timeout connect 3s # Reduce from 5s - timeout client 60s # Increase from 30s - timeout server 60s # Increase from 30s - timeout queue 5s # Prevent indefinite queueing - - # Performance - option splice-auto # Zero-copy kernel splicing + timeout connect 5s + timeout client 30s + timeout server 30s # stats seite zeigt backend connection status, wenn check gesetzt ist frontend stats @@ -471,21 +398,13 @@ mode http stats enable stats uri /stats - stats refresh 5s # Reduce from 10s for real-time monitoring + stats refresh 10s stats show-legends stats show-node stats show-modules - stats admin if TRUE # Enable admin operations - http-request use-service prometheus-exporter if { path /metrics } frontend http-in bind *:80 - mode http - tcp-request connection expect-proxy layer4 if { src 178.104.18.93 } - maxconn 60000 - backlog 8192 - option dontlognull - option http-keep-alive # Reuse connections for redirects # hier wird eine regel pro domain aus der forwarder liste generiert ${lib.foldlAttrs ( @@ -504,8 +423,8 @@ prev: name: value: prev + '' - http-request redirect scheme https code 301 if !is_acme is_${name} use_backend ${name}_80 if is_${name} + http-request redirect scheme https code 301 if !is_acme is_${name} '' ) "" forwards} @@ -526,18 +445,10 @@ frontend sni_router bind *:443 mode tcp - tcp-request connection expect-proxy layer4 if { src 178.104.18.93 } - - # Reduce inspection delay - SNI is in first packet (Phase 3) - tcp-request inspect-delay 500ms # Was 1s + # mehrere pakete puffern und connection beenden wenn es kein ssl handshake sieht + tcp-request inspect-delay 1s tcp-request content accept if { req_ssl_hello_type 1 } - # Connection handling - option clitcpka # Enable client TCP keep-alive - maxconn 60000 - backlog 16384 # Increase from default 1024 - option dontlognull # Skip logging of monitoring probes - # tcp redirect der anwendung basierend auf ssl_sni handshake parameter ${lib.foldlAttrs ( prev: name: value: @@ -568,118 +479,14 @@ server ${name} ${value.dest}:${builtins.toString value.httpPort} backend ${name}_443 mode tcp - option tcpka # Enable server TCP keep-alive (Phase 4) - timeout server 60s # Increase from 30s for long-lived HTTPS - timeout connect 3s # Reduce from 5s (local network) - server ${name} ${value.dest}:${builtins.toString value.httpsPort} ${ - if value.sendProxy == true then "send-proxy-v2" else "" - } check inter 3000 rise 2 fall 3 maxconn 5000 + server ${name} ${value.dest}:${builtins.toString value.httpsPort} check '' ) "" forwards} ''; }; - vector.settings = { - enrichment_tables.geoip_table = { - type = "mmdb"; - path = "/var/lib/GeoIP/GeoLite2-City.mmdb"; - }; - sources.haproxy_metrics = { - type = "prometheus_scrape"; - endpoints = [ "http://127.0.0.1:8404/metrics" ]; - scrape_interval_secs = 15; - }; - transforms = { - add_host_label_haproxy = { - type = "remap"; - inputs = [ "haproxy_metrics" ]; - source = '' - .tags.host = get_hostname!() - ''; - }; - haproxy_logs_filter = { - type = "filter"; - inputs = [ "journald_logs" ]; - condition = ''."_SYSTEMD_UNIT" == "haproxy.service"''; - }; - haproxy_logs_parse = { - type = "remap"; - inputs = [ "haproxy_logs_filter" ]; - source = '' - .host = get_hostname!() - .unit = "haproxy" - # IPv4: "1.2.3.4:port" IPv6: "[2001:db8::1]:port" - parsed, err = parse_regex(.message, r'^(?:\[(?P[0-9a-fA-F:]+)\]|(?P[\d.]+)):\d+') - if err == null { - if is_null(parsed.ipv6) { - .client_ip = parsed.ipv4 - } else { - .client_ip = parsed.ipv6 - } - } - ''; - }; - haproxy_geoip = { - type = "remap"; - inputs = [ "haproxy_logs_parse" ]; - source = '' - if exists(.client_ip) && !is_null(.client_ip) { - .geoip = get_enrichment_table_record("geoip_table", {"ip": string!(.client_ip)}) ?? {} - } - ''; - }; - }; - sinks.mimir.inputs = lib.mkForce [ - "add_host_label_metrics" - "add_host_label_haproxy" - ]; - }; }; - - stura.monitoring.extraLogInputs = [ "haproxy_geoip" ]; - - users.users.root.packages = [ - (pkgs.writeShellScriptBin "nft-blacklist" '' - set -euo pipefail - - usage() { - echo "Usage: nft-blacklist " - echo " add - add entry to blacklist set" - echo " del - remove entry from blacklist set" - exit 1 - } - - [[ $# -ne 2 ]] && usage - - ACTION="$1" - ADDR="$2" - - if [[ "$ADDR" == *:* ]]; then - SET="blacklist6" - elif [[ "$ADDR" == *.* ]]; then - SET="blacklist4" - else - echo "Error: cannot determine address family for '$ADDR'" >&2 - exit 1 - fi - - case "$ACTION" in - add) - ${pkgs.nftables}/bin/nft add element inet filter "$SET" "{ $ADDR }" - echo "Added $ADDR to $SET" - ;; - del) - ${pkgs.nftables}/bin/nft delete element inet filter "$SET" "{ $ADDR }" - echo "Removed $ADDR from $SET" - ;; - *) - usage - ;; - esac - '') - ]; - environment.systemPackages = with pkgs; [ ]; diff --git a/hosts/proxy/secrets.sops.yml b/hosts/proxy/secrets.sops.yml new file mode 100644 index 0000000..207a35b --- /dev/null +++ b/hosts/proxy/secrets.sops.yml @@ -0,0 +1,25 @@ +wireguard-key: ENC[AES256_GCM,data:tEKd+iwfyabTj/spqh08Um3FX4grLeffTxCvBivkXrNqIzOymBdcgQL4IJ4=,iv:Z2sr5yzxTKXgBgfcd3LWB9jT2fX3uRpX07r4yMplSNY=,tag:IWgiEjjbHbIUORhwKjTM6g==,type:str] +sops: + age: + - recipient: age1g9fnxzalnqtse29xjdrvcsrnrknp8t2s7xrle73fce0jcg7r3czsj524p4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcUhhSlVQcHgvUEtDa0E2 + UU1ON3NiUUlHTXFUOEdNeUdGVWNVTWRRNW0wCmhTVnJONlZSMmt2OVJiMys5bnM2 + TDZPMExYaWlKSVFPVERnS1QvVTJlNXMKLS0tIElTYmxHNTFPSmNXYnkrY2RtRUVL + WHBCYWhtSWt1QW9hbEFwVmdqWUxjUmMKpqfV/bJVfyDI2Wa+jlwsXMx3tNV9G0S2 + VhmmpDnEJn6UDWAMYxNv0g3rtfhBkb2HyCtANNVQ7QROua9WHzJjlg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVVUVkdDljcForNEJ2WmNm + N0QvTWhQWXQ1VHh5b0pCZFQ3aGxXSGY2bXprCmpEV2l6bkxnUDByNVZaVVR6N2lE + OG1sYkJrQmFVWW1vWXRZL1A2S29MejQKLS0tIEFKbkRmdWM0QW9vVlJWZElXSUcw + b1pCMjNIN1padE5JNVpZNFYwMnZGd00KM415cr6nuN6zfhDcfXFN2lMDWogLwDSE + Kq/ykUSuN9IU6AhslgBNRCmJRVHIzCmu5dU5NVZeqN1YT/EyAbEcyw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-21T18:56:03Z" + mac: ENC[AES256_GCM,data:v1RkpxjvgLHS3OOA2aEG+uJ3yWpOvJLwFA5jRBRtMoMvrBD8O8sikzWJUczQnpw85F/ieFqK6RdT8SBA9lIuPXYMRRS8icHI2a8P+zwySsWsnzc9UaJjjvKtkYo9nnPNCM36HAFOKHiAzBm7FWMt1Tl+WQMyVCWLXCN7ao0MjIo=,iv:8xCrY7QOhW5Mc/AWWXFocqwTUD9qvH4dLYYtnsU6PHw=,tag:09Nw7qFfjefrv0jBwaFINA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.1 diff --git a/hosts/redmine/default.nix b/hosts/redmine/default.nix index 2bbd398..d327168 100644 --- a/hosts/redmine/default.nix +++ b/hosts/redmine/default.nix @@ -90,9 +90,7 @@ services.redmine.settings.production.email_delivery = { delivery_method = ":smtp"; smtp_settings = { - # @tan 27-03-2026: muss an "alten" mailserver senden - #address = "mail.${config.networking.domain}"; - address = "mail.stura.htw-dresden.de"; + address = "mail.${config.networking.domain}"; port = 25; }; #### Alternativ waere vielleicht auch das Versand von Mails durch das Programm sendmail (als lokale Installation) moeglich. @@ -134,29 +132,13 @@ #### Der StuRa speichert nicht! services.nginx.logError = ''/dev/null emerg''; - # services.nginx.appendHttpConfig = '' - # access_log off; - # ''; - services.nginx.commonHttpConfig = '' - real_ip_header proxy_protocol; - set_real_ip_from 141.56.51.1/32; + services.nginx.appendHttpConfig = '' + access_log off; ''; #### Anscheinend kann mit nix nur die Konfiguration fuer eine konkrete (manuelle) Konfiguration fuer den Dienst web server. services.nginx.virtualHosts."${config.networking.fqdn}" = { #### https://search.nixos.org/options?show=services.nginx.virtualHosts..default - listen = [ - { - port = 80; - addr = "0.0.0.0"; - } - { - port = 443; - addr = "0.0.0.0"; - ssl = true; - proxyProtocol = true; - } - ]; default = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.redmine.port}"; diff --git a/hosts/v6proxy/default.nix b/hosts/v6proxy/default.nix index 39e2521..a87195b 100644 --- a/hosts/v6proxy/default.nix +++ b/hosts/v6proxy/default.nix @@ -6,6 +6,12 @@ ... }: { + sops = { + defaultSopsFile = ./secrets.sops.yml; + secrets = { + "wireguard-key".owner = "systemd-network"; + }; + }; imports = [ ./hardware-configuration.nix ./hetzner-disk.nix @@ -38,44 +44,46 @@ "9.9.9.9" "1.1.1.1" ]; - firewall.enable = false; + firewall = { + allowedTCPPorts = [ + 22 + 80 + 443 + ]; + }; nftables = { enable = true; - ruleset = '' - table inet filter { - set blacklist4 { - type ipv4_addr - flags interval - # manage at runtime: nft add element inet filter blacklist4 { 1.2.3.0/24 } - } - - set blacklist6 { - type ipv6_addr - flags interval - # manage at runtime: nft add element inet filter blacklist6 { 2001:db8::/32 } - } - - chain input { - type filter hook input priority filter; policy drop; - - iif "lo" accept - ct state established,related accept - - ip saddr @blacklist4 drop - ip6 saddr @blacklist6 drop - - tcp dport { 22, 80, 443 } accept - } - - chain forward { - type filter hook forward priority filter; policy drop; - } - - chain output { - type filter hook output priority filter; policy accept; - } - } - ''; + }; + wireguard = { + enable = true; + interfaces = { + sturauplink = { + listenPort = 51820; + privateKeyFile = config.sops.secrets."wireguard-key".path; + ips = [ + "10.100.0.1/24" + "fd28:6691:1921:6299::1/64" + ]; + peers = [ + # mail.test.htw.stura-dresden.de + { + allowedIPs = [ + "10.100.0.20/32" + ]; + publicKey = "9Ep/YZLbnGEVWHgVmmwq2Sv/8awwGaHdwiSuIUkWtnk="; + } + # proxy.htw.stura-dresden.de + { + allowedIPs = [ + "10.100.0.2/32" + "fd28:6691:1921:6299::2/64" + ]; + endpoint = "141.56.51.1:51820"; + publicKey = "pUHtAHCDHVQBnqtlIgTkEMHbxXpQmVA0HhxiFUrUb0U="; + } + ]; + }; + }; }; }; @@ -125,50 +133,13 @@ server proxy 141.56.51.1:80 backend http_443 mode tcp - server proxy 141.56.51.1:443 send-proxy-v2 + server proxy 141.56.51.1:443 ''; }; }; - users.users.root.packages = [ - (pkgs.writeShellScriptBin "nft-blacklist" '' - set -euo pipefail - - usage() { - echo "Usage: nft-blacklist " - echo " add - add entry to blacklist set" - echo " del - remove entry from blacklist set" - exit 1 - } - - [[ $# -ne 2 ]] && usage - - ACTION="$1" - ADDR="$2" - - if [[ "$ADDR" == *:* ]]; then - SET="blacklist6" - elif [[ "$ADDR" == *.* ]]; then - SET="blacklist4" - else - echo "Error: cannot determine address family for '$ADDR'" >&2 - exit 1 - fi - - case "$ACTION" in - add) - ${pkgs.nftables}/bin/nft add element inet filter "$SET" "{ $ADDR }" - echo "Added $ADDR to $SET" - ;; - del) - ${pkgs.nftables}/bin/nft delete element inet filter "$SET" "{ $ADDR }" - echo "Removed $ADDR from $SET" - ;; - *) - usage - ;; - esac - '') + environment.systemPackages = with pkgs; [ + wireguard-tools ]; system.stateVersion = "25.11"; diff --git a/hosts/v6proxy/secrets.sops.yml b/hosts/v6proxy/secrets.sops.yml new file mode 100644 index 0000000..46628d1 --- /dev/null +++ b/hosts/v6proxy/secrets.sops.yml @@ -0,0 +1,25 @@ +wireguard-key: ENC[AES256_GCM,data:K3UoCWtF2rL8uCzmu8yn4sHKHOrcKmnNBvRQdC9Ph3fWMdDqNqh0jwSByjQ=,iv:feFxNykRK1RJ6EPPVXqXtEVmXeGez4PwJ9h7m1KYUIE=,tag:hSTf/gAUVSjI1GburqRDVA==,type:str] +sops: + age: + - recipient: age1gl8zmw86jkrkr7kaqugdyhvdhdrnfd72smndz2kfh4a6ec6s9yxsyrecu6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsbVd3OUNCMUI3eUI2QlVa + WFNjVUpXYVlLdUxiSzhQdHhhRWRpWEhzV1IwCkdYMG5DOXBxTnMwNFpYM1FweDNp + ZXd2aXJaNWxOYXRnaW1nSjdNQVpQOU0KLS0tIEY4Q1JqV1FSekVwc0prNjRCUDdm + cmpLdW1abFR5SlhxZnpJdnBlNjJQOGMK+JcLyiSCfhVPnhqpqTzB7flFWTff3GcK + 9779AvKVnhsDb5LDPOi4Ah5gAJfq+JZ/+IiTUqk0a4AWuN9PiyTMGA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncnVRVi91OWsxejJiS0Y0 + L2licWRJQ1pGTlZOMEM0VHdyOWlFbEgyRENVCmwxSndQamRZM2NKbW14TTI4aFBV + MHQ3YkJwNUhkWlJNSTB2RFBpZEswT28KLS0tIC9EVUxvYk04ek5xc1d4TXl5RFVD + MkFyQkxCWDdWQjUxQ0QwcjlScGxPWWMKtzYvXoSSPGhVFlwzdtZylu3eTE5EKxqO + OIq9IOOujV3K1dzj5uwmCI+EoEasOMLy7Sa4++1WZmRVmVxFa91/gw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-21T17:41:20Z" + mac: ENC[AES256_GCM,data:f94ubkkhUDMkvEPEYYGVg1mahaMmXqAdMcF9Vl16jj7FQTvJy9GCg+1F7eBOu0endpcTQo2a/apd2u7tnzA0IE3CfXo2U8d8aun6yTxxn9qopnxypP2v6mGDHsGbaUI3r+/ZgLXtGDDN+gS/zyu06CPFq/TdLnmcO9zuXAeBmWc=,iv:5VEsRV20A56FKNRQlgojY5TQLhW+kgotQBPgElZY+uQ=,tag:K13Owxl3MDwf5n9soXxiXA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.1 diff --git a/hosts/wiki/default.nix b/hosts/wiki/default.nix index 179780d..bd8bbb6 100644 --- a/hosts/wiki/default.nix +++ b/hosts/wiki/default.nix @@ -99,17 +99,6 @@ services.mediawiki.database.passwordFile = "/var/lib/mediawiki/mediawiki-dbpassword"; - services.httpd = { - extraModules = [ "remoteip" ]; - - extraConfig = '' - # Trust HAProxy's address (adjust to your HAProxy IP/subnet) - RemoteIPProxyProtocol On - # RemoteIPProxyProtocolExceptions 127.0.0.1 ::1 - - RemoteIPTrustedProxy 141.56.51.1/32 - ''; - }; #### 2024-02-17 vater: #### trace: warning: The option `services.mediawiki.virtualHost' defined in `/etc/nixos/configuration.nix' has been renamed to `services.mediawiki.httpd.virtualHost'. # services.mediawiki.virtualHost.hostName = "wiki.stura.htw-dresden.de"; @@ -161,8 +150,8 @@ Lockdown = pkgs.fetchzip { # url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_43-7ac8966.tar.gz"; # url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_44-af1f4df.tar.gz"; - url = "https://extdist.wmflabs.org/dist/extensions/CategoryLockdown-REL1_45-a715472.tar.gz"; - sha256 = "sha256-1gl5m9xkmLrdjoR0M13gcQHLtZt4Bt0PUXDiDEqjpvk="; + url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_45-a46dbea.tar.gz"; + sha256 = "sha256-zTTpbQiqudLILPSzmKGjKr6wZjh0YUttGmqwjPpAToc="; }; #### Hinzufuegen der Erweiterung ConfirmEdit fuer eine zusaetzliche Bestaetigung bei Bearbeitungen, etwa um Herausforderungen (aka CAPTCHA) zu stellen @@ -179,8 +168,8 @@ #### Hinzufuegen der Erweiterung ContributionScores fuer eine Statistik von Beitraegen nach Beitragenden #### https://www.mediawiki.org/wiki/Extension:ContributionScores ContributionScores = pkgs.fetchzip { - url = "https://extdist.wmflabs.org/dist/extensions/ContributionCredits-REL1_45-22c28de.tar.gz"; - sha256 = "sha256-9T67jCEYQyU7P9sN7tYbnevU5+FX6Y1nydXGEdzQS9k="; + url = "https://extdist.wmflabs.org/dist/extensions/ContributionScores-REL1_45-cd4c94b.tar.gz"; + sha256 = "sha256-8ClNtEQ66deKM1DsRYaaZ3KlRl4yCt6UhpXcozRQzQ8="; }; #### Hinzufuegen der Erweiterung Interwiki fuer das Verwenden von Verweisen als eine Art Namensraum, wie beispielweise auf Wikipedia oder selbst festgelegte Verweise @@ -201,8 +190,8 @@ #### https://www.mediawiki.org/wiki/Extension:UserMerge UserMerge = pkgs.fetchzip { # url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_43-ed4a689.tar.gz"; - url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_45-433f6c2.tar.gz"; - sha256 = "sha256-JyY4pJNBKQ9bOKrilPWCheZ5ihWwPM6ZJ0qHsZ3coPk="; + url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_45-446566b.tar.gz"; + sha256 = "sha256-DTDKlzet3lThh/sRLucyb8b9lhK5FYZ+dMgwrThFFBM="; }; }; diff --git a/modules/monitoring.nix b/modules/monitoring.nix deleted file mode 100644 index 30cba16..0000000 --- a/modules/monitoring.nix +++ /dev/null @@ -1,123 +0,0 @@ -{ pkgs, lib, config, ... }: -let - cfg = config.stura.monitoring; -in { - options.stura.monitoring = { - extraLogFiles = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - description = "Additional log file paths for vector to scrape and forward to Loki."; - example = [ "/var/log/nginx/access.log" "/var/log/nginx/error.log" ]; - }; - - extraGroups = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - description = "Supplementary groups added to the vector systemd service to allow reading protected log files."; - example = [ "nginx" "postfix" ]; - }; - - extraMetricInputs = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - description = "Additional vector component IDs to feed into the mimir sink alongside host_metrics."; - example = [ "proxmox_normalize_metrics" ]; - }; - - extraLogInputs = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - description = "Additional vector component IDs to feed into the loki sink alongside journald_logs."; - example = [ "proxmox_normalize_logs" ]; - }; - }; - - config = { - networking.hosts = { - # rewrite these host entries on each system, this does not go through proxy - "141.56.51.20" = [ - "mon.adm.htw.stura-dresden.de" - "log.adm.htw.stura-dresden.de" - "met.adm.htw.stura-dresden.de" - ]; - }; - services.vector = { - enable = true; - settings = { - sources = { - host_metrics = { - type = "host_metrics"; - collectors = [ - "cpu" - "disk" - "filesystem" - "load" - "host" - "memory" - "network" - "process" - ]; - }; - - journald_logs = { - type = "journald"; - include_units = []; # empty = collect all units - }; - } // lib.optionalAttrs (cfg.extraLogFiles != [] || config.services.nginx.enable) { - extra_log_files = { - type = "file"; - include = lib.optional config.services.nginx.enable "/var/log/nginx/access.log" - ++ cfg.extraLogFiles; - }; - }; - - transforms = { - add_host_label_metrics = { - type = "remap"; - inputs = [ "host_metrics" ]; - source = '' - .tags.host = get_hostname!() - del(.tags.command) - ''; - }; - - add_host_label_logs = { - type = "remap"; - inputs = [ "journald_logs" ] ++ lib.optional (cfg.extraLogFiles != [] || config.services.nginx.enable) "extra_log_files"; - source = '' - .host = get_hostname!() - .unit = string(."_SYSTEMD_UNIT") ?? "file" - ''; - }; - }; - - sinks = { - mimir = { - type = "prometheus_remote_write"; - inputs = [ "add_host_label_metrics" ] ++ cfg.extraMetricInputs; - endpoint = "https://met.adm.htw.stura-dresden.de/api/v1/push"; - tls.verify_certificate = false; - healthcheck.enabled = false; - }; - - loki = { - type = "loki"; - inputs = [ "add_host_label_logs" ] ++ cfg.extraLogInputs; - endpoint = "https://log.adm.htw.stura-dresden.de"; - labels = { - host = "{{ host }}"; - unit = "{{ unit }}"; - }; - tls.verify_certificate = false; - encoding.codec = "json"; - }; - }; - }; - }; - - systemd.services.vector.serviceConfig.SupplementaryGroups = - [ "systemd-journal" ] - ++ lib.optional config.services.nginx.enable "nginx" - ++ cfg.extraGroups; - }; -}