From 9f40a68eb49922694ce01f17a297dd021b093ac6 Mon Sep 17 00:00:00 2001 From: Administrator Date: Tue, 4 Nov 2025 12:48:38 +0000 Subject: [PATCH] tweaks --- flake.nix | 3 +- services/akkoma.nix | 70 ++++++------ services/default.nix | 3 +- services/forgejo.nix | 34 +++--- services/nextcloud.nix | 181 +++++++++++++++--------------- services/prosody.nix | 74 ++++++------ services/site.nix | 7 +- services/vaultwarden.nix | 30 ++--- site/index.html | 2 +- system/configuration.nix | 22 ++-- system/default.nix | 1 - system/hardware-configuration.nix | 10 +- 12 files changed, 222 insertions(+), 215 deletions(-) diff --git a/flake.nix b/flake.nix index 2128c0c..79bc84c 100644 --- a/flake.nix +++ b/flake.nix @@ -15,13 +15,12 @@ }; outputs = { - self, nixpkgs, nixos-mailserver, agenix, ... }: let - lib = nixpkgs.lib; + inherit (nixpkgs) lib; in { nixosConfigurations = { distrust = lib.nixosSystem { diff --git a/services/akkoma.nix b/services/akkoma.nix index 3bc99d8..f353c74 100644 --- a/services/akkoma.nix +++ b/services/akkoma.nix 
@@ -8,43 +8,45 @@ onionUrl = "http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion"; inherit ((pkgs.formats.elixirConf {}).lib) mkAtom; in { - services.akkoma = { - enable = true; - config = { - ":pleroma" = { - ":instance" = { - name = "social.distrust.network"; - description = "Akkoma instance for distrust.network users"; - email = "root@distrust.network"; - registration_open = false; - }; - ":ldap" = { - enabled = true; - host = "localhost"; - port = 3890; - ssl = false; - tls = false; - base = "ou=people,dc=distrust,dc=network"; - uid = "uid"; - }; - "Pleroma.Upload".base_url = "https://social.distrust.network/media/"; - "Pleroma.Web.Endpoint" = { - url.host = "social.distrust.network"; - http = { - ip = "0.0.0.0"; - port = fediPort; + services = { + akkoma = { + enable = true; + config = { + ":pleroma" = { + ":instance" = { + name = "social.distrust.network"; + description = "Akkoma instance for distrust.network users"; + email = "root@distrust.network"; + registration_open = false; }; + ":ldap" = { + enabled = true; + host = "localhost"; + port = 3890; + ssl = false; + tls = false; + base = "ou=people,dc=distrust,dc=network"; + uid = "uid"; + }; + "Pleroma.Upload".base_url = "https://social.distrust.network/media/"; + "Pleroma.Web.Endpoint" = { + url.host = "social.distrust.network"; + http = { + ip = "0.0.0.0"; + port = fediPort; + }; + }; + "Pleroma.Web.Auth.Authenticator" = mkAtom "Pleroma.Web.Auth.LDAPAuthenticator"; }; - "Pleroma.Web.Auth.Authenticator" = mkAtom "Pleroma.Web.Auth.LDAPAuthenticator"; }; }; + + caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = '' + reverse_proxy localhost:${toString fediPort} + ''; + + tor.relay.onionServices."akkoma".map = [ + 80 + ]; }; - - services.caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = '' - reverse_proxy localhost:${toString fediPort} - ''; - - services.tor.relay.onionServices."akkoma".map = [ - 80 - ]; } 
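Review bot: `ip = "0.0.0.0";` inside the new `"Pleroma.Web.Endpoint".http` block binds the Akkoma backend on every interface, although the Caddy vhost in the same hunk only proxies to `localhost:${toString fediPort}`; unless the host firewall closes that port the unproxied backend is reachable directly, so `ip = "127.0.0.1";` is the tighter setting. The Caddy site address `"http://social.distrust.network ${onionUrl}"` also differs from the `https://` prefix used for git and vault in this same patch: with an explicit `http://` scheme Caddy serves that clearnet name over plain HTTP without automatic TLS, which does not match `"Pleroma.Upload".base_url = "https://social.distrust.network/media/"`; if TLS is terminated elsewhere, a comment on the vhost line saying so would help. Both settings predate this commit, which only nests them under `services`.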
diff --git a/services/default.nix b/services/default.nix index 49cc03e..3d1955a 100644 --- a/services/default.nix +++ b/services/default.nix @@ -7,7 +7,8 @@ ./akkoma.nix ./prosody.nix ./lldap.nix - ./dante.nix + # Dante not working right now, possibly misconfigured. + #./dante.nix ./vaultwarden.nix ./mailserver.nix ]; diff --git a/services/forgejo.nix b/services/forgejo.nix index ff3c826..025b38f 100644 --- a/services/forgejo.nix +++ b/services/forgejo.nix @@ -2,22 +2,24 @@ let forgejoPort = 8082; onionUrl = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion"; in { - services.forgejo = { - enable = true; - lfs.enable = false; - settings.server = { - DOMAIN = "git.distrust.network"; - HTTP_PORT = forgejoPort; - ROOT_URL = "https://git.distrust.network/"; - SSH_PORT = 292; + services = { + forgejo = { + enable = true; + lfs.enable = false; + settings.server = { + DOMAIN = "git.distrust.network"; + HTTP_PORT = forgejoPort; + ROOT_URL = "https://git.distrust.network/"; + SSH_PORT = 292; + }; }; + + caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = '' + reverse_proxy localhost:${toString forgejoPort} + ''; + + tor.relay.onionServices."forgejo".map = [ + 80 + ]; }; - - services.caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = '' - reverse_proxy localhost:${toString forgejoPort} - ''; - - services.tor.relay.onionServices."forgejo".map = [ - 80 - ]; } diff --git a/services/nextcloud.nix b/services/nextcloud.nix index 4811d20..beb3ada 100644 --- a/services/nextcloud.nix +++ b/services/nextcloud.nix 
@@ -8,96 +8,97 @@ in { age.secrets."nextcloud-admin-pass".file = ../secrets/nextcloud-admin-pass; - services.nextcloud = { - enable = true; - hostName = "cloud.distrust.network"; - settings = { - trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"]; - trusted_proxies = ["127.0.0.1"]; - maintenance_window_start = 1; - }; - config = { - adminpassFile = config.age.secrets."nextcloud-admin-pass".path; - dbtype = "pgsql"; - }; - package = pkgs.nextcloud32; - https = true; - configureRedis = true; - caching.redis = true; - database.createLocally = true; - }; - users.groups.nextcloud.members = ["nextcloud" "caddy"]; - services.nginx.enable = lib.mkForce false; - services.phpfpm.pools.nextcloud.settings = { - "listen.owner" = "caddy"; - "listen.group" = "caddy"; + services = { + nextcloud = { + enable = true; + hostName = "cloud.distrust.network"; + settings = { + trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"]; + trusted_proxies = ["127.0.0.1"]; + maintenance_window_start = 1; + }; + config = { + adminpassFile = config.age.secrets."nextcloud-admin-pass".path; + dbtype = "pgsql"; + }; + package = pkgs.nextcloud32; + https = false; + configureRedis = true; + caching.redis = true; + database.createLocally = true; + phpOptions = { + "opcache.interned_strings_buffer" = 64; + }; + }; + + nginx.enable = lib.mkForce false; + phpfpm.pools.nextcloud.settings = { + "listen.owner" = "caddy"; + "listen.group" = "caddy"; + }; + caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = '' + # encode zstd gzip + + root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root} + + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + redir /.well-known/* /index.php{uri} 301 + redir /remote/* /remote.php{uri} 301 + + + header { + Strict-Transport-Security max-age=31536000 + Permissions-Policy interest-cohort=() + X-Content-Type-Options nosniff + 
X-Frame-Options SAMEORIGIN + Referrer-Policy no-referrer + X-XSS-Protection "1; mode=block" + X-Permitted-Cross-Domain-Policies none + X-Robots-Tag "noindex, nofollow" + -X-Powered-By + Host {host} + X-Real-IP {remote_host} + X-Forwarded-For {remote_host} + X-Forwarded-Proto {scheme} + X-Forwarded-Host {host} + } + + + php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} { + root ${config.services.nginx.virtualHosts."cloud.distrust.network".root} + env front_controller_active true + env modHeadersAvailable true + } + + @forbidden { + path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* + path /.* /autotest* /occ* /issue* /indie* /db_* /console* + not path /.well-known/* + } + error @forbidden 404 + + @immutable { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + query v=* + } + header @immutable Cache-Control "max-age=15778463, immutable" + + @static { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + not query v=* + } + header @static Cache-Control "max-age=15778463" + + @woff2 path *.woff2 + header @woff2 Cache-Control "max-age=604800" + + file_server + ''; + + tor.relay.onionServices."nextcloud".map = [ + 80 + ]; }; - services.caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = '' - # encode zstd gzip - - root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root} - - redir /.well-known/carddav /remote.php/dav 301 - redir /.well-known/caldav /remote.php/dav 301 - redir /.well-known/* /index.php{uri} 301 - redir /remote/* /remote.php{uri} 301 - - - header { - Strict-Transport-Security max-age=31536000 - Permissions-Policy interest-cohort=() - X-Content-Type-Options nosniff - X-Frame-Options SAMEORIGIN - Referrer-Policy no-referrer - X-XSS-Protection "1; mode=block" - X-Permitted-Cross-Domain-Policies none - X-Robots-Tag "noindex, nofollow" - -X-Powered-By - Host {host} - X-Real-IP {remote_host} - X-Forwarded-For {remote_host} - X-Forwarded-Proto 
{scheme} - X-Forwarded-Host {host} - } - - - php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} { - root ${config.services.nginx.virtualHosts."cloud.distrust.network".root} - env front_controller_active true - env modHeadersAvailable true - } - - @forbidden { - path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* - path /.* /autotest* /occ* /issue* /indie* /db_* /console* - not path /.well-known/* - } - error @forbidden 404 - - @immutable { - path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite - query v=* - } - header @immutable Cache-Control "max-age=15778463, immutable" - - @static { - path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite - not query v=* - } - header @static Cache-Control "max-age=15778463" - - @woff2 path *.woff2 - header @woff2 Cache-Control "max-age=604800" - - file_server - ''; - - services.nextcloud.phpOptions = { - "opcache.interned_strings_buffer" = 64; - }; - - services.tor.relay.onionServices."nextcloud".map = [ - 80 - ]; } diff --git a/services/prosody.nix b/services/prosody.nix index aa33eba..5981dad 100644 --- a/services/prosody.nix +++ b/services/prosody.nix 
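Review bot: `https = false;` (previously `true`) is the one semantic change in this otherwise structural hunk, and the commit message "tweaks" does not say why. In the NixOS module this option drives Nextcloud's `overwriteprotocol`; dropping it presumably lets the plain-HTTP onion vhost work, relying on `trusted_proxies = ["127.0.0.1"]` plus the `X-Forwarded-Proto {scheme}` header Caddy sets further down so that clearnet requests still produce `https://` URLs — confirm this against the clearnet login redirect. A comment on the line would save the next reader the same investigation, e.g. `# false: scheme comes per-request from X-Forwarded-Proto, so the HTTP onion vhost and the HTTPS clearnet vhost can share one instance`. The `Strict-Transport-Security` header is also emitted on the onion (HTTP) responses, which browsers ignore over plain HTTP; harmless, but worth knowing when reading the header block.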
@@ -1,36 +1,50 @@ { pkgs, - lib, config, ... }: { age.secrets."bind_pw".file = ../secrets/bind_pw; - services.prosody = { - package = pkgs.prosody.override { - withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap]; - }; - enable = true; - admins = ["root@distrust.network"]; - ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem"; - ssl.key = "/var/lib/acme/distrust.network/key.pem"; - virtualHosts."distrust.network" = { - enabled = true; - domain = "distrust.network"; + services = { + prosody = { + package = pkgs.prosody.override { + withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap]; + }; + enable = true; + admins = ["root@distrust.network"]; ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem"; ssl.key = "/var/lib/acme/distrust.network/key.pem"; + virtualHosts."distrust.network" = { + enabled = true; + domain = "distrust.network"; + ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem"; + ssl.key = "/var/lib/acme/distrust.network/key.pem"; + }; + muc = [{domain = "conference.distrust.network";}]; + httpFileShare = { + domain = "upload.distrust.network"; + path = "/var/lib/prosody"; + }; + extraConfig = '' + authentication = "ldap" + ldap_base = "ou=people,dc=distrust,dc=network" + ldap_server = "localhost:3890" + ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network" + ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}" + ''; }; - muc = [{domain = "conference.distrust.network";}]; - httpFileShare = { - domain = "upload.distrust.network"; - path = "/var/lib/prosody"; - }; - extraConfig = '' - authentication = "ldap" - ldap_base = "ou=people,dc=distrust,dc=network" - ldap_server = "localhost:3890" - ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network" - ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}" + caddy.virtualHosts."distrust.network".extraConfig = '' + handle /.well-known/* { + root * /var/lib/acme/ + file_server + } + ''; + + caddy.virtualHosts."conference.distrust.network 
upload.distrust.network".extraConfig = '' + handle /.well-known/* { + root * /var/lib/acme/ + file_server + } ''; }; @@ -63,18 +77,4 @@ # after = [ "acme-order-renew-chat.distrust.network.service" ]; serviceConfig.SupplementaryGroups = ["acme"]; }; - - services.caddy.virtualHosts."distrust.network".extraConfig = '' - handle /.well-known/* { - root * /var/lib/acme/ - file_server - } - ''; - - services.caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = '' - handle /.well-known/* { - root * /var/lib/acme/ - file_server - } - ''; } diff --git a/services/site.nix b/services/site.nix index de36ade..54bc239 100644 --- a/services/site.nix +++ b/services/site.nix @@ -1,9 +1,4 @@ -{ - pkgs, - lib, - ... -}: let - sitePort = 8080; +let onionUrl = "http://nzmkihvxjazbb3fgu7drbklpt6ibg4suff4glxpadhrd4pf5wd2od5yd.onion"; in { services.caddy.virtualHosts = { diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix index c876e22..b386a8c 100644 --- a/services/vaultwarden.nix +++ b/services/vaultwarden.nix @@ -4,20 +4,22 @@ in { age.secrets."vaultwarden.env".file = ../secrets/vaultwarden.env; - services.vaultwarden = { - enable = true; - config = { - DOMAIN = "https://vault.distrust.network"; - ROCKET_PORT = vaultPort; + services = { + vaultwarden = { + enable = true; + config = { + DOMAIN = "https://vault.distrust.network"; + ROCKET_PORT = vaultPort; + }; + environmentFile = config.age.secrets."vaultwarden.env".path; }; - environmentFile = config.age.secrets."vaultwarden.env".path; + + caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = '' + reverse_proxy localhost:${toString vaultPort} + ''; + + tor.relay.onionServices."vaultwarden".map = [ + 80 + ]; }; - - services.caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = '' - reverse_proxy localhost:${toString vaultPort} - ''; - - services.tor.relay.onionServices."vaultwarden".map = [ - 80 - ]; } 
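Review bot: `ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"` in the relocated `extraConfig` copies the LDAP bind password into the Nix store at evaluation time, because `extraConfig` is rendered into the Prosody config derivation; the store is world-readable, so the agenix protection of `bind_pw` is undone for every local user. Read it at runtime instead: keep the secret out of `extraConfig` and have Prosody pull it from a file outside the store (Prosody's `Include` directive on a config fragment that a preStart step generates from `config.age.secrets."bind_pw".path` is one option). With the repository being a flake, the `builtins.readFile` of an absolute path presumably also forces `--impure` evaluation, which is a second reason to move it. The same pattern existed before this commit, which only relocates it.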
diff --git a/site/index.html b/site/index.html index 660cd00..580e959 100755 --- a/site/index.html +++ b/site/index.html @@ -55,7 +55,7 @@
  • Vaultwarden [tor] [clearnet] [hover]
  • All services have a strict no-logs and no-metrics policy. Where it is difficult to configure this in a service, logs are directly piped and/or symlinked to /dev/null.

    -

    The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks.

    +

    The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks. This NixOS config is auditable and freely accessible over TOR and clearnet.

    If you are interested, email me with your desired username.


    ContactPrivacy Policy diff --git a/system/configuration.nix b/system/configuration.nix index 4c8656d..68bb0d3 100644 --- a/system/configuration.nix +++ b/system/configuration.nix @@ -12,16 +12,18 @@ in { zramSwap.enable = true; networking.hostName = "distrust"; - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - ports = [292]; - }; - services.fail2ban.enable = true; - services.endlessh = { - enable = true; - port = 22; - openFirewall = true; + services = { + openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + ports = [292]; + }; + fail2ban.enable = true; + endlessh = { + enable = true; + port = 22; + openFirewall = true; + }; }; users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk=P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno;16-179-196"]; diff --git a/system/default.nix b/system/default.nix index 24c1e94..165c2fa 100644 --- a/system/default.nix +++ b/system/default.nix @@ -3,6 +3,5 @@ ./configuration.nix ./hardware-configuration.nix ./networking.nix - ]; } diff --git a/system/hardware-configuration.nix b/system/hardware-configuration.nix index 329ed8a..8b01d5e 100644 --- a/system/hardware-configuration.nix +++ b/system/hardware-configuration.nix @@ -1,8 +1,12 @@ {modulesPath, ...}: { imports = [(modulesPath + "/profiles/qemu-guest.nix")]; - boot.loader.grub.device = "/dev/sda"; - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; - boot.initrd.kernelModules = ["nvme"]; + boot = { + loader.grub.device = "/dev/sda"; + initrd = { + availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; + kernelModules = ["nvme"]; + }; + }; fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4";
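Review bot: `settings.PermitRootLogin = "yes";` in the new `openssh` block accepts root password logins, and nothing in the hunk sets `settings.PasswordAuthentication = false`, whose NixOS default is `true`; since root already has an authorized key on the following context line, `settings.PermitRootLogin = "prohibit-password";` together with `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` would remove the brute-force surface that fail2ban and endlessh only slow down. The key on that context line also looks malformed (a `=` mid-base64 and `cardno;`), possibly a transcription artifact in this page; confirm a valid key is installed before switching off password auth. These settings predate the commit, which only nests them under `services`.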