-rw-r--r--README.md59
-rw-r--r--TODOs.org22
l---------secrets/nix/c565f318e4aea-snapshot-configuration.nix1
-rw-r--r--secrets/secret-envrc.shbin2896 -> 3975 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T14:53:00-03:00bin0 -> 3642 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T14:53:48-03:00bin0 -> 2276 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T15:07:47-03:00bin0 -> 3643 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T15:08:08-03:00bin0 -> 2277 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T15:20:37-03:00bin0 -> 3653 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T15:20:57-03:00bin0 -> 2277 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T16:10:33-03:00bin0 -> 3827 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T16:28:50-03:00bin0 -> 3879 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T16:29:29-03:00bin0 -> 3807 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T16:30:57-03:00bin0 -> 3881 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T16:32:07-03:00bin0 -> 3888 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T16:32:18-03:00bin0 -> 3889 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T16:33:49-03:00bin0 -> 3886 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T16:34:02-03:00bin0 -> 3889 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T16:34:45-03:00bin0 -> 3798 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T16:35:34-03:00bin0 -> 3899 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T16:37:08-03:00bin0 -> 3724 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T16:39:09-03:00bin0 -> 3714 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-10T16:39:31-03:00bin0 -> 2255 bytes
-rw-r--r--secrets/terraform/terraform.tfstatebin2575 -> 3052 bytes
-rw-r--r--secrets/terraform/terraform.tfstate.backupbin2493 -> 180 bytes
-rw-r--r--vps-configuration.env.nix62
-rw-r--r--vps.tf35
27 files changed, 110 insertions, 69 deletions
diff --git a/README.md b/README.md
index 897dce3..06c4933 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,7 @@
# VPS
-## Re-creating everything from scratch
+## Workflow
+### Re-creating everything from scratch
```shell
git crypt unlock
@@ -10,10 +11,62 @@ direnv allow
./nixos-update.sh
```
-## After an update on `vps.tf`
+### After an update on `vps.tf`
Same as above.
-## After editing `vps-configuration.nix` or other OS files
+### After editing `vps-configuration.nix` or other OS files
Just run the `./nixos-update.sh` script.
+
+## Base image
+The basic `configuration.nix` file in the current snapshots looks just like this:
+
+```nix
+{ config, pkgs, ... }:
+
+{
+ imports = [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
+
+ networking.useDHCP = false;
+ networking.interfaces.ens3.useDHCP = true;
+
+ environment.systemPackages = with pkgs; [ vim ];
+
+ services.openssh.enable = true;
+ services.openssh.permitRootLogin = "no";
+
+ users.extraUsers.andreh = {
+ uid = 1000;
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ password = "...password...";
+ openssh.authorizedKeys.keys = [
+ "...ssh public key..."
+ ];
+ };
+
+ system.stateVersion = "19.09";
+}
+```
+
+This basic setup allows it to boot, starts the OpenSSH server agent and allows
+the listed `openssh.authorizedKeys.keys` to login.
+
+I've also changed the nix-channel to the `nixos-unstable` imperatively before
+creating the image snapshot:
+
+```shell
+sudo nix-channel --remove nixos
+sudo nix-channel --add https://nixos.org/channels/nixos-unstable nixos
+```
+
+So the first run of `./nixos-update.sh` will already get the latest channel from
+unstable, which makes this image not tied to the particular original 19.09 NixOS
+distribution.
diff --git a/TODOs.org b/TODOs.org
index bd38b22..655a294 100644
--- a/TODOs.org
+++ b/TODOs.org
@@ -1,15 +1,31 @@
* Tasks - v4
** TODO nginx magic =sslCiphers= value
Why not the default? What do those mean?
-** TODO cron: borg and nixos update
+** TODO cron: borg, postgresql backup and nixos update
** TODO Harden the server
*** TODO [#C] [[https://www.reddit.com/r/selfhosted/comments/bw8hqq/top_3_measures_to_secure_your_virtual_private/][Top 3 measures to secure your Virtual Private Server? (VPS)]]
*** TODO [#A] [[https://docs.nextcloud.com/server/stable/admin_manual/installation/harden_server.html][Nextcloud: Hardening and security guidance]]
*** TODO [#A] [[https://ownyourbits.com/2017/03/25/nextcloud-a-security-analysis/][NextCloud, a security analysis]]
*** TODO [#B] [[https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md][Check for HSTS header configuration]]
*** TODO Move secrets outside the Nix store
-** TODO Add volume to fstab
-Can I use Terraform form this?
+*** TODO Properly configure PostgreSQL
+** TODO Add volume
+And put in to fstab
+Can I use Terraform to automate the mounting?
+#+BEGIN_SRC hcl
+variable "storage_name" {
+ type = string
+ description = "Name of the block storage volume, which will also be the name of it's mount point."
+}
+
+resource "vultr_block_storage" "vps_storage" {
+ size_gb = 10
+ region_id = 9
+ attached_id = vultr_server.vps_server.id
+ label = var.storage_name
+ live = "yes"
+}
+#+END_SRC
* Services - v2
** TODO =cloud.$tld=: Nextcloud: storage, calendar, contacts, notes and talk
** TODO =chat.$tld=: Matrix Synapse server, or a XMPP server
diff --git a/secrets/nix/c565f318e4aea-snapshot-configuration.nix b/secrets/nix/c565f318e4aea-snapshot-configuration.nix
new file mode 120000
index 0000000..c59f37b
--- /dev/null
+++ b/secrets/nix/c565f318e4aea-snapshot-configuration.nix
@@ -0,0 +1 @@
+e1d5f317b0f7a-snapshot-configuration.nix \ No newline at end of file
diff --git a/secrets/secret-envrc.sh b/secrets/secret-envrc.sh
index 2a750f4..764a96c 100644
--- a/secrets/secret-envrc.sh
+++ b/secrets/secret-envrc.sh
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T14:53:00-03:00 b/secrets/terraform/plan-files/2020-08-10T14:53:00-03:00
new file mode 100644
index 0000000..4e3f0ea
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T14:53:00-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T14:53:48-03:00 b/secrets/terraform/plan-files/2020-08-10T14:53:48-03:00
new file mode 100644
index 0000000..ecea360
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T14:53:48-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T15:07:47-03:00 b/secrets/terraform/plan-files/2020-08-10T15:07:47-03:00
new file mode 100644
index 0000000..3befdb0
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T15:07:47-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T15:08:08-03:00 b/secrets/terraform/plan-files/2020-08-10T15:08:08-03:00
new file mode 100644
index 0000000..bc054b6
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T15:08:08-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T15:20:37-03:00 b/secrets/terraform/plan-files/2020-08-10T15:20:37-03:00
new file mode 100644
index 0000000..7fb470e
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T15:20:37-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T15:20:57-03:00 b/secrets/terraform/plan-files/2020-08-10T15:20:57-03:00
new file mode 100644
index 0000000..02c9af0
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T15:20:57-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T16:10:33-03:00 b/secrets/terraform/plan-files/2020-08-10T16:10:33-03:00
new file mode 100644
index 0000000..81da247
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T16:10:33-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T16:28:50-03:00 b/secrets/terraform/plan-files/2020-08-10T16:28:50-03:00
new file mode 100644
index 0000000..da70b18
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T16:28:50-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T16:29:29-03:00 b/secrets/terraform/plan-files/2020-08-10T16:29:29-03:00
new file mode 100644
index 0000000..c810262
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T16:29:29-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T16:30:57-03:00 b/secrets/terraform/plan-files/2020-08-10T16:30:57-03:00
new file mode 100644
index 0000000..b61020b
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T16:30:57-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T16:32:07-03:00 b/secrets/terraform/plan-files/2020-08-10T16:32:07-03:00
new file mode 100644
index 0000000..2f38acd
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T16:32:07-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T16:32:18-03:00 b/secrets/terraform/plan-files/2020-08-10T16:32:18-03:00
new file mode 100644
index 0000000..4cf1006
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T16:32:18-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T16:33:49-03:00 b/secrets/terraform/plan-files/2020-08-10T16:33:49-03:00
new file mode 100644
index 0000000..fccff6b
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T16:33:49-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T16:34:02-03:00 b/secrets/terraform/plan-files/2020-08-10T16:34:02-03:00
new file mode 100644
index 0000000..4883378
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T16:34:02-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T16:34:45-03:00 b/secrets/terraform/plan-files/2020-08-10T16:34:45-03:00
new file mode 100644
index 0000000..01a4a50
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T16:34:45-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T16:35:34-03:00 b/secrets/terraform/plan-files/2020-08-10T16:35:34-03:00
new file mode 100644
index 0000000..bf21f95
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T16:35:34-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T16:37:08-03:00 b/secrets/terraform/plan-files/2020-08-10T16:37:08-03:00
new file mode 100644
index 0000000..d53ad12
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T16:37:08-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T16:39:09-03:00 b/secrets/terraform/plan-files/2020-08-10T16:39:09-03:00
new file mode 100644
index 0000000..1e09744
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T16:39:09-03:00
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-10T16:39:31-03:00 b/secrets/terraform/plan-files/2020-08-10T16:39:31-03:00
new file mode 100644
index 0000000..23ccfe1
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-10T16:39:31-03:00
Binary files differ
diff --git a/secrets/terraform/terraform.tfstate b/secrets/terraform/terraform.tfstate
index 230d339..0401d8d 100644
--- a/secrets/terraform/terraform.tfstate
+++ b/secrets/terraform/terraform.tfstate
Binary files differ
diff --git a/secrets/terraform/terraform.tfstate.backup b/secrets/terraform/terraform.tfstate.backup
index caf405f..ea83e36 100644
--- a/secrets/terraform/terraform.tfstate.backup
+++ b/secrets/terraform/terraform.tfstate.backup
Binary files differ
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index 8afa57d..6ffd900 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
@@ -6,6 +6,10 @@ let
gitTLD = "$GIT_TLD";
letsencryptEmail = "$LETSENCRYPT_EMAIL";
authorizedKey = "$AUTHORIZED_KEY";
+ userPassword = "$USER_PASSWORD";
+ nextcloudDatabasePassword = "$NEXTCLOUD_DATABASE_PASSWORD";
+ nextcloudAdminPassword = "$NEXTCLOUD_ADMIN_PASSWORD";
+ gitRoot = "$GIT_ROOT";
};
in {
imports = [ ./hardware-configuration.nix ];
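Review bot: The three new password bindings (`userPassword`, `nextcloudDatabasePassword`, `nextcloudAdminPassword`) are substituted into the evaluated Nix expression, and the later hunks of this file use them as literal option values (`dbpass`/`adminpass` in the nextcloud block, `password` on `users.extraUsers.andreh`), so the cleartext secrets land in the world-readable Nix store — exactly what the removed `dbpassFile`/`adminpassFile` lines avoided, and what TODOs.org's "Move secrets outside the Nix store" item already flags. Keeping `dbpassFile = "/var/nextcloud-db-pass";` and `adminpassFile = "/var/nextcloud-admin-pass";` and provisioning those files outside the store keeps the database and admin credentials out of `/nix/store`. For the user account, `hashedPassword` (or a file-based password option, if the deployed NixOS release has one) avoids storing the login password in cleartext; `$USER_PASSWORD` would then carry the hash rather than the password. This hunk only introduces the bindings; the consuming lines are in the nextcloud and users hunks below.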
@@ -21,7 +25,10 @@ in {
interfaces.ens3.useDHCP = true;
};
- environment.systemPackages = with pkgs; [ vim ];
+ environment.systemPackages = with pkgs; [
+ vim
+ git
+ ];
networking.firewall.allowedTCPPorts = [ 80 443 22 ];
@@ -43,24 +50,20 @@ in {
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
- virtualHosts = let
- customConfigTLDs = { };
- defaultConfigTLDs =
- [ envsubstConfiguration.nextcloudTLD envsubstConfiguration.gitTLD ];
- buildDefaultConfiguration = tld: {
- "${tld}" = {
- forceSSL = true;
- enableACME = true;
- };
+ virtualHosts = {
+ "${envsubstConfiguration.nextcloudTLD}" = {
+ forceSSL = true;
+ enableACME = true;
};
- in pkgs.lib.fold
- (tldString: acc: acc // buildDefaultConfiguration tldString)
- customConfigTLDs defaultConfigTLDs;
+ "${envsubstConfiguration.gitTLD}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
gitweb = {
enable = true;
- location = "/";
+ location = "";
virtualHost = envsubstConfiguration.gitTLD;
};
};
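Review bot: Dropping the hard-coded `sslCiphers` line means the cipher list now comes from `recommendedTlsSettings = true` alone, which resolves the `nginx magic =sslCiphers= value` item that TODOs.org still carries after this commit; either drop that item or add a comment such as `# cipher list is supplied by recommendedTlsSettings` next to the `recommendedTlsSettings` line so the next reader does not re-add an override. The replacement `virtualHosts` attrset repeats the same `forceSSL`/`enableACME` pair for both TLDs; that is readable, but a short comment noting that both hosts intentionally share identical settings would keep the two entries from drifting apart. The enclosing `services.nginx` block starts before this hunk.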
@@ -68,37 +71,35 @@ in {
nextcloud = {
enable = true;
hostName = envsubstConfiguration.nextcloudTLD;
- nginx.enable = true;
https = true;
autoUpdateApps.enable = true;
autoUpdateApps.startAt = "05:00:00";
config = {
overwriteProtocol = "https";
-
dbtype = "pgsql";
dbuser = "nextcloud";
- dbhost =
- "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbhost = "/run/postgresql";
dbname = "nextcloud";
- dbpassFile = "/var/nextcloud-db-pass";
-
- adminpassFile = "/var/nextcloud-admin-pass";
+ dbpass = envsubstConfiguration.nextcloudDatabasePassword;
adminuser = "admin";
+ adminpass = envsubstConfiguration.nextcloudAdminPassword;
};
};
postgresql = {
enable = true;
ensureDatabases = [ "nextcloud" ];
- ensureUsers = [{
- name = "nextcloud";
- ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
- }];
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
};
gitweb = {
gitwebTheme = true;
- projectroot = "/srv/git";
+ projectroot = envsubstConfiguration.gitRoot;
};
};
@@ -107,12 +108,13 @@ in {
after = [ "postgresql.service" ];
};
- users.users.nixos = {
+ users.extraUsers.andreh = {
uid = 1000;
+ isNormalUser = true;
extraGroups = [ "wheel" ];
- useDefaultShell = true;
+ password = envsubstConfiguration.userPassword;
openssh.authorizedKeys.keys = [ envsubstConfiguration.authorizedKey ];
};
- system.stateVersion = "19.09";
+ system.stateVersion = "20.03";
}
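Review bot: Bumping `system.stateVersion` from "19.09" to "20.03" on a host that already has PostgreSQL data is risky: as far as I recall, `services.postgresql.package` defaults to a different major version for stateVersion >= 20.03, so an existing data directory initialised under the old default would no longer start. If this config is only ever applied to a freshly recreated instance (the README workflow suggests that), say so in a comment, e.g. `# stateVersion matches the release this host was first provisioned with; do not bump on an existing deployment`; otherwise keep "19.09" and set the PostgreSQL package explicitly. Separately, the rename switches from `users.users` (the canonical option, used by the removed line) to `users.extraUsers`, which is only an alias of `users.users`; `users.users.andreh = {` keeps the file on the non-aliased name.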
diff --git a/vps.tf b/vps.tf
index 5c03529..3fa9e12 100644
--- a/vps.tf
+++ b/vps.tf
@@ -10,21 +10,11 @@ variable "tld" {
description = "Root Top-Level Domain. Subdomains will be derived from it."
}
-variable "nextcloud_tld_prefix" {
- type = string
- description = "DNS prefix used for the Nextcloud installation. Does not contain a dot at the end."
-}
-
variable "hostname" {
type = string
description = "Human name of the host. This is a pet name, not cattle name :)"
}
-variable "storage_name" {
- type = string
- description = "Name of the block storage volume, which will also be the name of it's mount point."
-}
-
# Vultr
@@ -46,39 +36,18 @@ resource "vultr_server" "vps_server" {
# $ curl https://api.vultr.com/v1/plans/list?type=vc2 | jq '.["201"]'
plan_id = 201
# $ curl -H "API-Key: $TF_VAR_vultr_api_key" https://api.vultr.com/v1/snapshot/list | jq
- snapshot_id = "e1d5f317b0f7a"
+ snapshot_id = "c565f318e4aea"
}
output "public_ip" {
value = vultr_server.vps_server.main_ip
}
-resource "vultr_block_storage" "vps_storage" {
- size_gb = 10
- region_id = 9
- attached_id = vultr_server.vps_server.id
- label = var.storage_name
- live = "yes"
-}
-
# DNS and IP configuration
resource "vultr_dns_domain" "vps_tld" {
+ # The CNAME record is already generated by Vultr
domain = var.tld
server_ip = vultr_server.vps_server.main_ip
}
-
-resource "vultr_dns_record" "at_sign" {
- domain = var.tld
- type = "A"
- name = "@"
- data = vultr_server.vps_server.main_ip
-}
-
-resource "vultr_dns_record" "nextcloud" {
- domain = var.tld
- type = "CNAME"
- name = var.nextcloud_tld_prefix
- data = vultr_server.vps_server.main_ip
-}
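Review bot: The new comment `# The CNAME record is already generated by Vultr` is placed inside `vultr_dns_domain` but the records removed by this commit are an A record for "@" and a CNAME for the Nextcloud prefix, so it does not explain why both deletions are safe; if setting `server_ip` makes the provider create the default records, state that, e.g. `# Setting server_ip makes Vultr create the default records (A for "@" and the CNAME), so no explicit vultr_dns_record resources are needed`. The `snapshot_id` change to "c565f318e4aea" is paired in this commit with a symlink `secrets/nix/c565f318e4aea-snapshot-configuration.nix` pointing at the previous snapshot's configuration; a comment next to `snapshot_id` naming that `secrets/nix/<snapshot_id>-snapshot-configuration.nix` convention would keep the snapshot and its baked-in configuration traceable to each other. The `vultr_server` resource begins before this hunk.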