almost ready. now to harden

2025-11-04 11:30:34 +00:00 · 2025-11-04 11:30:34 +00:00 · e856c0dfb1
commit e856c0dfb1
parent 29cbf8b2d8
20 changed files with 539 additions and 58 deletions
--- a/services/akkoma.nix
+++ b/services/akkoma.nix
@ -5,6 +5,7 @@
  ...
 }: let
  fediPort = 8083;
+  onionUrl = "http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion";
  inherit ((pkgs.formats.elixirConf {}).lib) mkAtom;
 in {
  services.akkoma = {
@ -39,14 +40,11 @@ in {
    };
  };

-  services.caddy.virtualHosts."social.distrust.network".extraConfig = ''
+  services.caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = ''
    reverse_proxy localhost:${toString fediPort}
  '';

  services.tor.relay.onionServices."akkoma".map = [
-    {
-      port = 80;
-      target = {port = fediPort;};
-    }
+    80
  ];
 }
--- a/services/dante.nix
+++ b/services/dante.nix
@ -0,0 +1,14 @@
+{
+  services.dante = {
+    enable = true;
+    config = ''
+      internal: 0.0.0.0 port=1080
+      external: eth0
+      clientmethod: none
+      socksmethod: none
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [ 1080 ];
+  networking.firewall.allowedUDPPorts = [ 1080 ];
+}
--- a/services/default.nix
+++ b/services/default.nix
@ -1,12 +1,14 @@
 {
  imports = [
    ./caddy.nix
-    ./tor.nix
    ./site.nix
    ./nextcloud.nix
    ./forgejo.nix
    ./akkoma.nix
    ./prosody.nix
    ./lldap.nix
+    ./dante.nix
+    ./vaultwarden.nix
+    ./mailserver.nix
  ];
 }
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@ -1,5 +1,6 @@
 let
  forgejoPort = 8082;
+  onionUrl = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion";
 in {
  services.forgejo = {
    enable = true;
@ -8,17 +9,15 @@ in {
      DOMAIN = "git.distrust.network";
      HTTP_PORT = forgejoPort;
      ROOT_URL = "https://git.distrust.network/";
+      SSH_PORT = 292;
    };
  };

-  services.caddy.virtualHosts."git.distrust.network".extraConfig = ''
+  services.caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = ''
    reverse_proxy localhost:${toString forgejoPort}
  '';

  services.tor.relay.onionServices."forgejo".map = [
-    {
-      port = 80;
-      target = {port = forgejoPort;};
-    }
+    80
  ];
 }
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@ -0,0 +1,16 @@
+{ config, ... }:
+{
+  mailserver = {
+    enable = true;
+    fqdn = "distrust.network";
+    domains = [ "distrust.network" ];
+    certificateScheme = "acme";
+    ldap = {
+      enable = true;
+      bind.dn = "cn=bind,ou=people,dc=distrust,dc=network";
+      bind.passwordFile = config.age.secrets."bind_pw".path;
+      searchBase = "ou=people,dc=distrust,dc=network";
+      uris = [ "ldap://localhost:3890" ];
+    };
+  };
+}
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@ -1,17 +1,23 @@
 {
  pkgs,
  config,
+  lib,
  ...
 }: let
-  nextcloudPort = 8081;
+  onionUrl = "http://znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion";
 in {
-  environment.etc."nextcloud-admin-pass".text = "PWD";
+  age.secrets."nextcloud-admin-pass".file = ../secrets/nextcloud-admin-pass;
+  
  services.nextcloud = {
    enable = true;
    hostName = "cloud.distrust.network";
-    settings.trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"];
+    settings = {
+      trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"];
+      trusted_proxies = ["127.0.0.1"];
+      maintenance_window_start = 1;
+    };
    config = {
-      adminpassFile = "/etc/nextcloud-admin-pass";
+      adminpassFile = config.age.secrets."nextcloud-admin-pass".path;
      dbtype = "pgsql";
    };
    package = pkgs.nextcloud32;
@ -21,14 +27,77 @@ in {
    database.createLocally = true;
  };

-  services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [
-    {
-      addr = "127.0.0.1";
-      port = nextcloudPort;
-    }
-  ];
+  users.groups.nextcloud.members = [ "nextcloud" "caddy" ];
+  services.nginx.enable = lib.mkForce false;
+  services.phpfpm.pools.nextcloud.settings = {
+    "listen.owner" = "caddy";
+    "listen.group" = "caddy";
+  };
+  services.caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = ''
+    # encode zstd gzip
+    
+    root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root}

-  services.caddy.virtualHosts."https://cloud.distrust.network".extraConfig = ''
-    reverse_proxy localhost:${toString nextcloudPort}
+    redir /.well-known/carddav /remote.php/dav 301
+    redir /.well-known/caldav /remote.php/dav 301
+    redir /.well-known/* /index.php{uri} 301
+    redir /remote/* /remote.php{uri} 301
+
+
+    header {
+      Strict-Transport-Security max-age=31536000
+      Permissions-Policy interest-cohort=()
+      X-Content-Type-Options nosniff
+      X-Frame-Options SAMEORIGIN
+      Referrer-Policy no-referrer
+      X-XSS-Protection "1; mode=block"
+      X-Permitted-Cross-Domain-Policies none
+      X-Robots-Tag "noindex, nofollow"
+      -X-Powered-By
+      Host {host}
+      X-Real-IP {remote_host}
+      X-Forwarded-For {remote_host}
+      X-Forwarded-Proto {scheme}
+      X-Forwarded-Host {host}
+    }
+
+    
+    php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
+      root ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
+      env front_controller_active true
+      env modHeadersAvailable true
+    }
+
+    @forbidden {
+      path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+      path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+      not path /.well-known/*
+    }
+    error @forbidden 404
+
+    @immutable {
+      path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+      query v=*
+    }
+    header @immutable Cache-Control "max-age=15778463, immutable"
+
+    @static {
+      path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+      not query v=*
+    }
+    header @static Cache-Control "max-age=15778463"
+
+    @woff2 path *.woff2
+    header @woff2 Cache-Control "max-age=604800"
+
+    file_server
  '';
+
+  services.nextcloud.phpOptions = {
+    "opcache.interned_strings_buffer" = 64;
+  };
+
+  services.tor.relay.onionServices."nextcloud".map = [
+    80
+  ];
 }
--- a/services/prosody.nix
+++ b/services/prosody.nix
@ -1,8 +1,11 @@
 {
  pkgs,
  lib,
+  config,
  ...
 }: {
+  age.secrets."bind_pw".file = ../secrets/bind_pw;
+
  services.prosody = {
    package = pkgs.prosody.override {
      withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
@ -27,7 +30,7 @@
      ldap_base = "ou=people,dc=distrust,dc=network"
      ldap_server = "localhost:3890"
      ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
-      ldap_password = "bindpassword"
+      ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"
    '';
  };

--- a/services/site.nix
+++ b/services/site.nix
@ -4,29 +4,16 @@
  ...
 }: let
  sitePort = 8080;
+  onionUrl = "http://nzmkihvxjazbb3fgu7drbklpt6ibg4suff4glxpadhrd4pf5wd2od5yd.onion";
 in {
-  systemd.services.python-http-server = {
-    description = "Simple Python HTTP Server";
-    after = ["network.target"];
-    wantedBy = ["multi-user.target"];
-    serviceConfig = {
-      ExecStart = "${pkgs.python3}/bin/python3 -m http.server ${toString sitePort} --directory /var/www/distrust.network";
-      Restart = "on-failure";
-      User = "nobody";
-      WorkingDirectory = "/var/www/distrust.network";
-    };
-  };
-
-  services.caddy.virtualHosts."distrust.network" = {
-    extraConfig = ''
-      reverse_proxy localhost:${toString sitePort}
+  services.caddy.virtualHosts = {
+    "https://distrust.network ${onionUrl}".extraConfig = ''
+      root * /etc/nixos/site
+      file_server
    '';
  };

  services.tor.relay.onionServices."site".map = [
-    {
-      port = 80;
-      target = {port = sitePort;};
-    }
+    80
  ];
 }
--- a/services/tor.nix
+++ b/services/tor.nix
@ -1,9 +0,0 @@
-{lib, ...}: {
-  services.tor = {
-    settings.HiddenServiceNonAnonymousMode = false;
-    client = {
-      enable = true;
-      dns.enable = true;
-    };
-  };
-}
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@ -0,0 +1,25 @@
+{ config, ... }:
+let 
+  vaultPort = 8222;
+  onionUrl = "http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion";
+in
+{
+  age.secrets."vaultwarden.env".file = ../secrets/vaultwarden.env;
+ 
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      DOMAIN = "https://vault.distrust.network";
+      ROCKET_PORT = vaultPort;
+    };
+    environmentFile = config.age.secrets."vaultwarden.env".path;
+  };
+
+  services.caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = ''
+    reverse_proxy localhost:${toString vaultPort}
+  '';
+
+  services.tor.relay.onionServices."vaultwarden".map = [
+    80
+  ];
+}