diff --git a/system/dev/dn-server/boot.nix b/system/dev/dn-server/boot.nix index 7c878e8..0d304f4 100644 --- a/system/dev/dn-server/boot.nix +++ b/system/dev/dn-server/boot.nix @@ -37,4 +37,21 @@ ARRAY /dev/md126 metadata=1.2 name=stuff:0 UUID=b75dc506-8f7c-4557-8b2f-adb5f1358dbc ''; + + fileSystems."/mnt/ssd" = { + device = "/dev/disk/by-uuid/4E21-0000"; + fsType = "exfat"; + options = [ + "x-systemd.automount" + "noauto" + "x-systemd.idle-timeout=600" + "nofail" + "user" + "x-gvfs-show" + "gid=1000" + "uid=1000" + "dmask=000" + "fmask=000" + ]; + }; } diff --git a/system/dev/dn-server/cerbot.nix b/system/dev/dn-server/cerbot.nix new file mode 100644 index 0000000..8556f8a --- /dev/null +++ b/system/dev/dn-server/cerbot.nix @@ -0,0 +1,29 @@ +{ pkgs, ... }: +{ + systemd.timers."certbot-renew" = { + enable = true; + description = "certbot renew"; + timerConfig = { + OnCalendar = "*-*-* 03:00:00"; + Persistent = true; + OnUnitActiveSec = "1d"; + Unit = "certbot-renew.service"; + }; + wantedBy = [ "timers.target" ]; + }; + + systemd.services."certbot-renew" = { + enable = true; + after = [ + "nginx.service" + "network.target" + ]; + wantedBy = [ "multi-user.target" ]; + environment = { + "REQUESTS_CA_BUNDLE" = "/var/lib/step-ca/certs/root_ca.crt"; + }; + serviceConfig = { + ExecStart = "${pkgs.certbot}/bin/certbot renew"; + }; + }; +} diff --git a/system/dev/dn-server/default.nix b/system/dev/dn-server/default.nix index 7acf7f1..469b711 100644 --- a/system/dev/dn-server/default.nix +++ b/system/dev/dn-server/default.nix @@ -18,7 +18,8 @@ ./services.nix ./nginx.nix ./nextcloud.nix - # ./step-ca.nix + ./step-ca.nix + ./cerbot.nix ../../modules/presets/minimal.nix ../../modules/bluetooth.nix ../../modules/cuda.nix diff --git a/system/dev/dn-server/nextcloud.nix b/system/dev/dn-server/nextcloud.nix index 69a197d..71c7b58 100644 --- a/system/dev/dn-server/nextcloud.nix +++ b/system/dev/dn-server/nextcloud.nix 
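Review bot: `dmask=000` and `fmask=000` on the new /mnt/ssd entry expose every directory and file on the drive as mode 0777, so any local account can read and rewrite its contents even though `uid=1000`/`gid=1000` already hand ownership to one user; exFAT stores no permissions of its own, so these masks are the only control. Unless this host really has no other accounts, tighten them to `"dmask=022" "fmask=133"` (0755/0644) or to `"umask=077"` if the drive should be private to uid 1000. Keep `user` in the list: it implies `noexec,nosuid,nodev`, which is what stops world-writable files on a removable disk from also being executable. `x-gvfs-show` is a desktop-session hint and only matters if a graphical session runs on this server.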
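Review bot: `certbot renew` in the new certbot-renew unit runs with no deploy hook, so a renewed lineage lands under /etc/letsencrypt/archive as a fresh root-owned 0600 privkey and nginx is never reloaded; nginx on NixOS runs as the `nginx` user (presumably why the issuance script in nextcloud.nix chowns the tree), so it keeps serving the old chain until expiry and the next reload then fails on the unreadable key. Add a deploy hook that re-owns the renewed files and reloads nginx, make the unit `Type = "oneshot"`, and drop `wantedBy = [ "multi-user.target" ]`, which also fires the service at every boot although the timer's `Persistent = true` already covers missed runs. If the ACME provisioner on ca.net.dn issues short-lived certificates (step-ca defaults to 24h), one run at 03:00 cuts it close; confirm the provisioner's duration or run the timer more often. The file name `cerbot.nix` drops the t from certbot.
```nix
{ pkgs, ... }:
let
  # Run by certbot once per renewed lineage; certbot exports RENEWED_LINEAGE.
  deployHook = pkgs.writeShellScript "certbot-deploy-hook" ''
    # chown follows the live/ symlinks, so this re-owns the new archive/ files
    chown nginx:nginx "$RENEWED_LINEAGE"/*.pem
    ${pkgs.systemd}/bin/systemctl reload nginx.service
  '';
in
{
  # … unchanged: systemd.timers."certbot-renew" …
  systemd.services."certbot-renew" = {
    # … unchanged: enable / after / environment …
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.certbot}/bin/certbot renew --deploy-hook ${deployHook}";
    };
  };
}
```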
@@ -4,6 +4,19 @@ lib, ... }: +let + acmeWebRoot = "/var/www/nextcloud.net.dn/html/"; + + certScript = pkgs.writeShellScriptBin "certbot-nextcloud" '' + ${pkgs.certbot}/bin/certbot certonly --webroot \ + --webroot-path ${acmeWebRoot} -v \ + -d nextcloud.net.dn \ + --server https://ca.net.dn:8443/acme/acme/directory \ + -m admin@mail.net.dn + + chown nginx:nginx -R /etc/letsencrypt + ''; +in { imports = [ "${ @@ -97,6 +110,41 @@ exiftool ]; + services.nginx = { + virtualHosts = { + ${config.services.nextcloud.hostName} = { + listen = lib.mkForce [ + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "0.0.0.0"; + port = 80; + } + ]; + + locations."^~ /.well-known/acme-challenge/" = { + root = "/var/www/nextcloud.net.dn/html"; + extraConfig = '' + default_type "text/plain"; + ''; + }; + + forceSSL = true; + sslCertificate = "/etc/letsencrypt/live/nextcloud.net.dn/fullchain.pem"; + sslCertificateKey = "/etc/letsencrypt/live/nextcloud.net.dn/privkey.pem"; + + extraConfig = '' + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384'; + ssl_prefer_server_ciphers on; + ''; + }; + }; + }; + systemd.timers."nextcloud-backup" = { enable = true; description = "Nextcloud backup"; @@ -148,4 +196,5 @@ "${script}/bin/backup"; }; }; + } diff --git a/system/dev/dn-server/nginx.nix b/system/dev/dn-server/nginx.nix index edd0905..5810372 100644 --- a/system/dev/dn-server/nginx.nix +++ b/system/dev/dn-server/nginx.nix 
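Review bot: `chown nginx:nginx -R /etc/letsencrypt` in certScript gives the nginx service account ownership, and therefore write access, of every private key and of the ACME account key under accounts/, when nginx only needs to read the live/ and archive/ material for this one lineage; a compromised worker could then re-issue or swap certificates. Keep root ownership and grant group read instead: `chgrp -R nginx /etc/letsencrypt/live /etc/letsencrypt/archive` followed by `chmod -R g+rX /etc/letsencrypt/live /etc/letsencrypt/archive`. The script also validates ca.net.dn with whatever bundle requests happens to pick up, while the renew unit in cerbot.nix pins `REQUESTS_CA_BUNDLE`; add `export REQUESTS_CA_BUNDLE=/var/lib/step-ca/certs/root_ca.crt` at the top so the manual and timed runs trust the CA the same way. certScript is defined here but not referenced in any visible line; if it is meant to be run by hand for the first issuance, a comment saying so would help.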
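Review bot: The `^~ /.well-known/acme-challenge/` location is added to a vhost with `forceSSL = true`, and as far as I recall the NixOS nginx module then moves the non-ssl listen entry into a separate redirect-only server block while custom `locations` go into the ssl block, so an HTTP-01 probe on port 80 is answered with a 301 to https and validation depends on ca.net.dn following the redirect and tolerating whatever certificate nginx presents. On first issuance that certificate does not exist, and because `sslCertificate`/`sslCertificateKey` point at /etc/letsencrypt/live/nextcloud.net.dn/, nginx will not start until certScript has succeeded; document the bootstrap (for example `certbot certonly --standalone` with nginx stopped) and verify with `curl -sI http://nextcloud.net.dn/.well-known/acme-challenge/probe` that the webroot is really served over plain HTTP. If it is not, `addSSL = true` keeps both listeners in one server block so the `^~` location is reachable on :80, at the cost of handling the HTTP-to-HTTPS redirect yourself. The `services.nginx` block is complete within this hunk.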
@@ -1,30 +1,8 @@
 {
- config,
- lib,
 ...
 }:
 {
 services.nginx = {
 enable = true;
- virtualHosts = {
- ${config.services.nextcloud.hostName} = {
- listen = lib.mkForce [
- {
- addr = "0.0.0.0";
- port = 443;
- ssl = true;
- }
- ];
- forceSSL = true;
- sslCertificate = "/var/lib/acme/net.dn.crt";
- sslCertificateKey = "/var/lib/acme/net.dn.key";
- sslTrustedCertificate = "/var/lib/acme/net.dn.crt";
- extraConfig = ''
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
- ssl_prefer_server_ciphers on;
- '';
- };
- };
 };
 }
diff --git a/system/dev/dn-server/step-ca.nix b/system/dev/dn-server/step-ca.nix
index 341abd9..46ed31e 100644
--- a/system/dev/dn-server/step-ca.nix
+++ b/system/dev/dn-server/step-ca.nix
@@ -28,8 +28,7 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB
 kty = "EC";
 use = "sig";
 x = "o-Srd0v3IY7zU9U2COE9BOsjyIPjBvNT2WKPTo8ePZI";
- y = "y5OFjciRMVg8ePaEsjSPWbKp_
-NjQ6U4CtbplRx7z3Bw";
+ y = "y5OFjciRMVg8ePaEsjSPWbKp_NjQ6U4CtbplRx7z3Bw";
 };
 name = "danny@smallstep.net.dn";
 type = "JWK";
@@ -46,8 +45,7 @@ NjQ6U4CtbplRx7z3Bw";
 }
 ];
 };
- crt = "/var/lib/s
-tep-ca/certs/intermediate_ca.crt";
+ crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
 db = {
 badgerFileLoadingMode = "";
 dataSource = "/var/lib/step-ca/db";
@@ -67,8 +65,7 @@ tep-ca/certs/intermediate_ca.crt";
 tls = {
 cipherSuites = [
 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
- "TLS_EC
-DHE_ECDSA_WITH_AES_128_GCM_SHA256"
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
 ];
 maxVersion = 1.3;
 minVersion = 1.2;
diff --git a/system/modules/ca.nix b/system/modules/ca.nix
index 37fd42c..b6aab16 100644
--- a/system/modules/ca.nix
+++ b/system/modules/ca.nix
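Review bot: The same hard-wrap corruption this hunk repairs for `y` appears to still affect the provisioner's `encryptedKey`: the hunk header's context line `Bq-3sY8n…idRpRJ9zB` is a column-0 fragment of that JWE, it sits above line 28, and no hunk touches it, so the stored value would still contain an embedded newline and the JWK provisioner would fail to decrypt its key. Re-join that string the same way as `y`, `crt` and the cipher suite. Because the whole provisioner block is rendered into a world-readable /nix/store config, the JWE is only as safe as its password; confirm the password is not committed anywhere in this repo and is handed to `step` clients out of band.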
@@ -1,23 +1,17 @@
 {
 security.pki.certificates = [
+ # Step CA Root
 ''
 -----BEGIN CERTIFICATE-----
- MIIC5TCCAc2gAwIBAgIUCxaWRHkKr2mQOW2cBzw+Ov9xJaQwDQYJKoZIhvcNAQEL
- BQAwGzEZMBcGA1UEAwwQbmV4dGNsb3VkLm5ldC5kbjAeFw0yNTA0MjAxMDQ2MTVa
- Fw0zNTA0MTgxMDQ2MTVaMBsxGTAXBgNVBAMMEG5leHRjbG91ZC5uZXQuZG4wggEi
- MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDY9TBCJoMJ0EREbiGdjLp2odJy
- bpKqOyET1J8T/6nBwkgMDpTuAi2Pzp9gJ5lDdzmhhIN2B7f0XWnCNPHsUaHWKfZQ
- gEX3LtDSOQrYt4ChMIuzioasJLhGqNyV+4XooIl6R/+2ycQ88I3FoamFDJ0sDkz9
- 2YtKM+UTKyEKSqThF3+W7SbFtHiohT79L5u6pRL2TE6zcqdcOOkqPTOnwbtuRP4+
- bDbFKowBhWTwFSZPpkf010ol6tr5RS8+MqdldmB7NTv9NmyRj2JTNDiQWv7Koq67
- UuDiL1ja+6TFNke47BwKEP1ykz6Ity59V364FljAol477urXNWgppRhOK/1tAgMB
- AAGjITAfMB0GA1UdDgQWBBSJtl7lnYwXpMOz6PHjIx7QR9ra6DANBgkqhkiG9w0B
- AQsFAAOCAQEAi6M16fhOWS3zi5SDV2KHxa9fJuZcqbgt7ITSr2ex7BpdbMQ17RDT
- PyVOQsCVQGF6zY3KqP/+fRYoZzLxnXwPmO/4OXYZoR5UQmoc0VZ9vMTaALIYooYS
- t5I/Q8xnH/CmVkt6cIRU4Ysjy4zp9+sobZM7u+Agl0yd2LExzMREjiNpK832hCyz
- RZmCrkyekEG3MREuRAqk0vxO7yNTzHMNOG0SzKh49t8WCWWXHyUdxbTzaqXic+R+
- E7dWCFQY5m8ExiqPrKusIMxeerPbs7cXew1mJDEtFqJxpSSa7Jz1XBaMPS3KfcbK
- Vhgysawxfe0gSPXwIuOcB+DF8vz6ZdhQYQ==
+ MIIBqDCCAU2gAwIBAgIQBnU3DLmknEy9zgvkjtIhEjAKBggqhkjOPQQDAjAyMRMw
+ EQYDVQQKEwpzdGVwLWNhLWRuMRswGQYDVQQDExJzdGVwLWNhLWRuIFJvb3QgQ0Ew
+ HhcNMjUwNDE4MTQ1NjU1WhcNMzUwNDE2MTQ1NjU1WjAyMRMwEQYDVQQKEwpzdGVw
+ LWNhLWRuMRswGQYDVQQDExJzdGVwLWNhLWRuIFJvb3QgQ0EwWTATBgcqhkjOPQIB
+ BggqhkjOPQMBBwNCAAQT0Q5Zt9yRE6LGDGzMqxyzxDHH6yMcpRHxeam5QWNyBLT2
+ TLhQvH/xJSFxeolKbf+kQGlE1armOqOxVUuy1kbho0UwQzAOBgNVHQ8BAf8EBAMC
+ AQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU2Cr1FiPu24tU5Asobi0Z
+ t3R9HvUwCgYIKoZIzj0EAwIDSQAwRgIhAINLdkW3wqMSzIZro3JbYbX+T7MYVQFM
+ Weu1hXe28LWsAiEA371C55I6Dooe2hRZ1KaUAdZ5jh4hk63o7m0/B2xgFSc=
 -----END CERTIFICATE-----
 ''
 ];
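Review bot: The new `# Step CA Root` comment should record what is being trusted and until when, because every host importing modules/ca.nix will now accept anything this CA signs for any name; decoding the DER, the certificate looks like `O=step-ca-dn, CN=step-ca-dn Root CA`, ECDSA P-256, CA:TRUE with pathlen 1, valid 2025-04-18 to 2035-04-16, so something like `# Step CA Root: CN=step-ca-dn Root CA (P-256), CA:TRUE pathlen:1, expires 2035-04-16 — rotate before then` (confirm with `step certificate inspect`). Note the change widens the system trust anchor from what appears to be a single self-signed nextcloud.net.dn leaf to a full CA whose signing key lives on this same host per step-ca.nix; that is the intended design, but importing clients get no name constraint on it. The certbot-renew unit in cerbot.nix trusts a second copy at /var/lib/step-ca/certs/root_ca.crt, so keep the two in sync when the root is rotated.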