| author | EuAndreh <eu@euandre.org> | 2020-08-10 17:16:22 -0300 |
|---|---|---|
| committer | EuAndreh <eu@euandre.org> | 2020-08-10 17:16:22 -0300 |
| commit | 1ec6471eb4dcb4671ee125113a529adbfb2e10a3 (patch) | |
| tree | cdf83293d6682a3f832cea71977d8fd7bc7005ba | |
| parent | Interactive Terraform plan -> apply cycle (diff) | |
| download | toph-1ec6471eb4dcb4671ee125113a529adbfb2e10a3.tar.gz toph-1ec6471eb4dcb4671ee125113a529adbfb2e10a3.tar.xz | |
Semi-working setup: Terraform and LetsEncrypt working
27 files changed, 110 insertions, 69 deletions
@@ -1,6 +1,7 @@ # VPS -## Re-creating everything from scratch +## Workflow +### Re-creating everything from scratch ```shell git crypt unlock @@ -10,10 +11,62 @@ direnv allow ./nixos-update.sh ``` -## After an update on `vps.tf` +### After an update on `vps.tf` Same as above. -## After editing `vps-configuration.nix` or other OS files +### After editing `vps-configuration.nix` or other OS files Just run the `./nixos-update.sh` script. + +## Base image +The basic `configuration.nix` file in the current snapshots looks just like this: + +```nix +{ config, pkgs, ... }: + +{ + imports = [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only + + networking.useDHCP = false; + networking.interfaces.ens3.useDHCP = true; + + environment.systemPackages = with pkgs; [ vim ]; + + services.openssh.enable = true; + services.openssh.permitRootLogin = "no"; + + users.extraUsers.andreh = { + uid = 1000; + isNormalUser = true; + extraGroups = [ "wheel" ]; + password = "...password..."; + openssh.authorizedKeys.keys = [ + "...ssh public key..." + ]; + }; + + system.stateVersion = "19.09"; +} +``` + +This basic setup allows it to boot, starts the OpenSSH server agent and allows +the listed `openssh.authorizedKeys.keys` to login. + +I've also changed the nix-channel to the `nixos-unstable` imperatively before +creating the image snapshot: + +```shell +sudo nix-channel --remove nixos +sudo nix-channel --add https://nixos.org/channels/nixos-unstable nixos +``` + +So the first run of `./nixos-update.sh` will already get the latest channel from +unstable, which makes this image not tied to the particular original 19.09 NixOS +distribution. 
@@ -1,15 +1,31 @@ * Tasks - v4 ** TODO nginx magic =sslCiphers= value Why not the default? What do those mean? -** TODO cron: borg and nixos update +** TODO cron: borg, postgresql backup and nixos update ** TODO Harden the server *** TODO [#C] [[https://www.reddit.com/r/selfhosted/comments/bw8hqq/top_3_measures_to_secure_your_virtual_private/][Top 3 measures to secure your Virtual Private Server? (VPS)]] *** TODO [#A] [[https://docs.nextcloud.com/server/stable/admin_manual/installation/harden_server.html][Nextcloud: Hardening and security guidance]] *** TODO [#A] [[https://ownyourbits.com/2017/03/25/nextcloud-a-security-analysis/][NextCloud, a security analysis]] *** TODO [#B] [[https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md][Check for HSTS header configuration]] *** TODO Move secrets outside the Nix store -** TODO Add volume to fstab -Can I use Terraform form this? +*** TODO Properly configure PostgreSQL +** TODO Add volume +And put in to fstab +Can I use Terraform to automate the mounting? +#+BEGIN_SRC hcl +variable "storage_name" { + type = string + description = "Name of the block storage volume, which will also be the name of it's mount point." +} + +resource "vultr_block_storage" "vps_storage" { + size_gb = 10 + region_id = 9 + attached_id = vultr_server.vps_server.id + label = var.storage_name + live = "yes" +} +#+END_SRC * Services - v2 ** TODO =cloud.$tld=: Nextcloud: storage, calendar, contacts, notes and talk ** TODO =chat.$tld=: Matrix Synapse server, or a XMPP server diff --git a/secrets/nix/c565f318e4aea-snapshot-configuration.nix b/secrets/nix/c565f318e4aea-snapshot-configuration.nix new file mode 120000 index 0000000..c59f37b --- /dev/null +++ b/secrets/nix/c565f318e4aea-snapshot-configuration.nix @@ -0,0 +1 @@ +e1d5f317b0f7a-snapshot-configuration.nix
\ No newline at end of file diff --git a/secrets/secret-envrc.sh b/secrets/secret-envrc.sh Binary files differindex 2a750f4..764a96c 100644 --- a/secrets/secret-envrc.sh +++ b/secrets/secret-envrc.sh diff --git a/secrets/terraform/plan-files/2020-08-10T14:53:00-03:00 b/secrets/terraform/plan-files/2020-08-10T14:53:00-03:00 Binary files differnew file mode 100644 index 0000000..4e3f0ea --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T14:53:00-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T14:53:48-03:00 b/secrets/terraform/plan-files/2020-08-10T14:53:48-03:00 Binary files differnew file mode 100644 index 0000000..ecea360 --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T14:53:48-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T15:07:47-03:00 b/secrets/terraform/plan-files/2020-08-10T15:07:47-03:00 Binary files differnew file mode 100644 index 0000000..3befdb0 --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T15:07:47-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T15:08:08-03:00 b/secrets/terraform/plan-files/2020-08-10T15:08:08-03:00 Binary files differnew file mode 100644 index 0000000..bc054b6 --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T15:08:08-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T15:20:37-03:00 b/secrets/terraform/plan-files/2020-08-10T15:20:37-03:00 Binary files differnew file mode 100644 index 0000000..7fb470e --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T15:20:37-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T15:20:57-03:00 b/secrets/terraform/plan-files/2020-08-10T15:20:57-03:00 Binary files differnew file mode 100644 index 0000000..02c9af0 --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T15:20:57-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T16:10:33-03:00 b/secrets/terraform/plan-files/2020-08-10T16:10:33-03:00 Binary files differnew file mode 100644 index 0000000..81da247 --- /dev/null 
+++ b/secrets/terraform/plan-files/2020-08-10T16:10:33-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T16:28:50-03:00 b/secrets/terraform/plan-files/2020-08-10T16:28:50-03:00 Binary files differnew file mode 100644 index 0000000..da70b18 --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T16:28:50-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T16:29:29-03:00 b/secrets/terraform/plan-files/2020-08-10T16:29:29-03:00 Binary files differnew file mode 100644 index 0000000..c810262 --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T16:29:29-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T16:30:57-03:00 b/secrets/terraform/plan-files/2020-08-10T16:30:57-03:00 Binary files differnew file mode 100644 index 0000000..b61020b --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T16:30:57-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T16:32:07-03:00 b/secrets/terraform/plan-files/2020-08-10T16:32:07-03:00 Binary files differnew file mode 100644 index 0000000..2f38acd --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T16:32:07-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T16:32:18-03:00 b/secrets/terraform/plan-files/2020-08-10T16:32:18-03:00 Binary files differnew file mode 100644 index 0000000..4cf1006 --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T16:32:18-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T16:33:49-03:00 b/secrets/terraform/plan-files/2020-08-10T16:33:49-03:00 Binary files differnew file mode 100644 index 0000000..fccff6b --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T16:33:49-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T16:34:02-03:00 b/secrets/terraform/plan-files/2020-08-10T16:34:02-03:00 Binary files differnew file mode 100644 index 0000000..4883378 --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T16:34:02-03:00 
diff --git a/secrets/terraform/plan-files/2020-08-10T16:34:45-03:00 b/secrets/terraform/plan-files/2020-08-10T16:34:45-03:00 Binary files differnew file mode 100644 index 0000000..01a4a50 --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T16:34:45-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T16:35:34-03:00 b/secrets/terraform/plan-files/2020-08-10T16:35:34-03:00 Binary files differnew file mode 100644 index 0000000..bf21f95 --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T16:35:34-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T16:37:08-03:00 b/secrets/terraform/plan-files/2020-08-10T16:37:08-03:00 Binary files differnew file mode 100644 index 0000000..d53ad12 --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T16:37:08-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T16:39:09-03:00 b/secrets/terraform/plan-files/2020-08-10T16:39:09-03:00 Binary files differnew file mode 100644 index 0000000..1e09744 --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T16:39:09-03:00 diff --git a/secrets/terraform/plan-files/2020-08-10T16:39:31-03:00 b/secrets/terraform/plan-files/2020-08-10T16:39:31-03:00 Binary files differnew file mode 100644 index 0000000..23ccfe1 --- /dev/null +++ b/secrets/terraform/plan-files/2020-08-10T16:39:31-03:00 diff --git a/secrets/terraform/terraform.tfstate b/secrets/terraform/terraform.tfstate Binary files differindex 230d339..0401d8d 100644 --- a/secrets/terraform/terraform.tfstate +++ b/secrets/terraform/terraform.tfstate diff --git a/secrets/terraform/terraform.tfstate.backup b/secrets/terraform/terraform.tfstate.backup Binary files differindex caf405f..ea83e36 100644 --- a/secrets/terraform/terraform.tfstate.backup +++ b/secrets/terraform/terraform.tfstate.backup diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix index 8afa57d..6ffd900 100644 --- a/vps-configuration.env.nix +++ b/vps-configuration.env.nix 
@@ -6,6 +6,10 @@ let gitTLD = "$GIT_TLD"; letsencryptEmail = "$LETSENCRYPT_EMAIL"; authorizedKey = "$AUTHORIZED_KEY"; + userPassword = "$USER_PASSWORD"; + nextcloudDatabasePassword = "$NEXTCLOUD_DATABASE_PASSWORD"; + nextcloudAdminPassword = "$NEXTCLOUD_ADMIN_PASSWORD"; + gitRoot = "$GIT_ROOT"; }; in { imports = [ ./hardware-configuration.nix ]; @@ -21,7 +25,10 @@ in { interfaces.ens3.useDHCP = true; }; - environment.systemPackages = with pkgs; [ vim ]; + environment.systemPackages = with pkgs; [ + vim + git + ]; networking.firewall.allowedTCPPorts = [ 80 443 22 ]; @@ -43,24 +50,20 @@ in { recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; - sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - virtualHosts = let - customConfigTLDs = { }; - defaultConfigTLDs = - [ envsubstConfiguration.nextcloudTLD envsubstConfiguration.gitTLD ]; - buildDefaultConfiguration = tld: { - "${tld}" = { - forceSSL = true; - enableACME = true; - }; + virtualHosts = { + "${envsubstConfiguration.nextcloudTLD}" = { + forceSSL = true; + enableACME = true; }; - in pkgs.lib.fold - (tldString: acc: acc // buildDefaultConfiguration tldString) - customConfigTLDs defaultConfigTLDs; + "${envsubstConfiguration.gitTLD}" = { + forceSSL = true; + enableACME = true; + }; + }; gitweb = { enable = true; - location = "/"; + location = ""; virtualHost = envsubstConfiguration.gitTLD; }; }; 
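Review bot: The three new bindings `userPassword`, `nextcloudDatabasePassword` and `nextcloudAdminPassword` added to the `let` block are consumed in the next hunk as plain-text `password =`, `dbpass =` and `adminpass =` values, so once the configuration is built they are rendered into the world-readable Nix store, whereas the `dbpassFile`/`adminpassFile` options that hunk removes kept the secrets in files outside the store. The "Move secrets outside the Nix store" entry in TODO.org, also touched by this commit, suggests this is known, but keeping the `*File` options (and `passwordFile` or `hashedPassword` rather than `password` for the `andreh` account) is cheaper now than re-introducing them later. If the inline values are meant to stay for the moment, a comment next to the bindings, `# NOTE: these are substituted into the Nix store in plain text; see TODO "Move secrets outside the Nix store"`, would warn anyone reusing this file. The attribute set that `in {` opens continues past the end of this hunk.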
@@ -68,37 +71,35 @@ in { nextcloud = { enable = true; hostName = envsubstConfiguration.nextcloudTLD; - nginx.enable = true; https = true; autoUpdateApps.enable = true; autoUpdateApps.startAt = "05:00:00"; config = { overwriteProtocol = "https"; - dbtype = "pgsql"; dbuser = "nextcloud"; - dbhost = - "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself + dbhost = "/run/postgresql"; dbname = "nextcloud"; - dbpassFile = "/var/nextcloud-db-pass"; - - adminpassFile = "/var/nextcloud-admin-pass"; + dbpass = envsubstConfiguration.nextcloudDatabasePassword; adminuser = "admin"; + adminpass = envsubstConfiguration.nextcloudAdminPassword; }; }; postgresql = { enable = true; ensureDatabases = [ "nextcloud" ]; - ensureUsers = [{ - name = "nextcloud"; - ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; - }]; + ensureUsers = [ + { + name = "nextcloud"; + ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + } + ]; }; gitweb = { gitwebTheme = true; - projectroot = "/srv/git"; + projectroot = envsubstConfiguration.gitRoot; }; }; @@ -107,12 +108,13 @@ in { after = [ "postgresql.service" ]; }; - users.users.nixos = { + users.extraUsers.andreh = { uid = 1000; + isNormalUser = true; extraGroups = [ "wheel" ]; - useDefaultShell = true; + password = envsubstConfiguration.userPassword; openssh.authorizedKeys.keys = [ envsubstConfiguration.authorizedKey ]; }; - system.stateVersion = "19.09"; + system.stateVersion = "20.03"; } @@ -10,21 +10,11 @@ variable "tld" { description = "Root Top-Level Domain. Subdomains will be derived from it." } -variable "nextcloud_tld_prefix" { - type = string - description = "DNS prefix used for the Nextcloud installation. Does not contain a dot at the end." -} - variable "hostname" { type = string description = "Human name of the host. This is a pet name, not cattle name :)" } -variable "storage_name" { - type = string - description = "Name of the block storage volume, which will also be the name of it's mount point." -} - # Vultr 
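Review bot: Dropping `dbtype = "pgsql";` from `services.nextcloud.config` while keeping `dbhost = "/run/postgresql"`, `dbuser = "nextcloud"` and the `postgresql` block below looks like it leaves Nextcloud on the module's default database type (sqlite, as far as I recall of the NixOS module), which would leave the provisioned PostgreSQL database unused; if that removal was not intentional, restoring `dbtype = "pgsql";` is a one-line fix. The removal of `nginx.enable = true;` in the same hunk deserves the same check, since in the 20.03 module (the `system.stateVersion` this commit moves to) that option is, as I understand it, what wires the nginx virtual host to the Nextcloud PHP pool, and the `virtualHosts` entry in the earlier hunk only sets `forceSSL` and `enableACME`. If both removals are deliberate, a short comment on the `nextcloud = {` line stating which module defaults are being relied on would spare the next reader the same question.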
@@ -46,39 +36,18 @@ resource "vultr_server" "vps_server" { # $ curl https://api.vultr.com/v1/plans/list?type=vc2 | jq '.["201"]' plan_id = 201 # $ curl -H "API-Key: $TF_VAR_vultr_api_key" https://api.vultr.com/v1/snapshot/list | jq - snapshot_id = "e1d5f317b0f7a" + snapshot_id = "c565f318e4aea" } output "public_ip" { value = vultr_server.vps_server.main_ip } -resource "vultr_block_storage" "vps_storage" { - size_gb = 10 - region_id = 9 - attached_id = vultr_server.vps_server.id - label = var.storage_name - live = "yes" -} - # DNS and IP configuration resource "vultr_dns_domain" "vps_tld" { + # The CNAME record is already generated by Vultr domain = var.tld server_ip = vultr_server.vps_server.main_ip } - -resource "vultr_dns_record" "at_sign" { - domain = var.tld - type = "A" - name = "@" - data = vultr_server.vps_server.main_ip -} - -resource "vultr_dns_record" "nextcloud" { - domain = var.tld - type = "CNAME" - name = var.nextcloud_tld_prefix - data = vultr_server.vps_server.main_ip -} |
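Review bot: After this hunk `vultr_dns_domain.vps_tld` is the only DNS definition left, and the new comment `# The CNAME record is already generated by Vultr` is the sole record of why the `at_sign` A record and the `nextcloud` CNAME were dropped; both `enableACME` virtual hosts in vps-configuration.env.nix depend on `nextcloudTLD` and `gitTLD` resolving to `main_ip` for the ACME HTTP-01 challenge, so it is worth stating exactly which records Vultr creates on domain creation and whether they cover both subdomains. Something like `# Vultr creates the apex A record and a CNAME for <which names?> when the domain is created, so no vultr_dns_record resources are needed for the nextcloud/git hosts` would make that assumption checkable. If the auto-created records do not cover a subdomain, the first `./nixos-update.sh` run will fail at certificate issuance rather than at plan time. The `resource "vultr_server" "vps_server"` block begins before this hunk.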
