-rw-r--r--.env6
-rw-r--r--.envrc26
-rw-r--r--.gitattributes1
-rw-r--r--.gitignore4
-rw-r--r--TODOs.md8
l---------opt/secrets/mail-user-password-hash.txt1
-rwxr-xr-xscripts/deploy30
-rw-r--r--servers/active/nixvps/.terraform.lock.hclbin0 -> 1127 bytes
-rw-r--r--servers/active/nixvps/configuration.nix229
-rw-r--r--servers/active/nixvps/infrastructure.tf46
l---------servers/active/nixvps/opt/secrets1
-rw-r--r--servers/active/nixvps/terraform.tfstatebin0 -> 178 bytes
-rw-r--r--servers/active/nixvps/terraform.tfstate.backupbin0 -> 9255 bytes
-rw-r--r--servers/active/nixvps/tf-env.sh7
-rw-r--r--servers/active/nixvps/tld.txt2
15 files changed, 296 insertions, 65 deletions
diff --git a/.env b/.env
new file mode 100644
index 0000000..213d791
--- /dev/null
+++ b/.env
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+TF_VAR_vultr_api_key="$(cat ./secrets/terraform/vultr-api-key.txt ||:)"
+if [ -n "$TF_VAR_vultr_api_key" ]; then
+ export TF_VAR_vultr_api_key
+fi
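Review bot: The `cat ... ||:` on the TF_VAR_vultr_api_key line hides a missing or unreadable key file, and the `[ -n ]` guard then quietly skips the export, so a run from the wrong directory (the path is relative to the CWD) proceeds until terraform complains about an unset variable much later; and if the git-crypt vault is still locked the working-tree file is non-empty ciphertext rather than empty, so it passes the `-n` test and a garbage key gets exported. Consider an explicit `else printf 'warning: ./secrets/terraform/vultr-api-key.txt unreadable, TF_VAR_vultr_api_key not set\n' >&2` branch, and a sanity check that the value does not start with the git-crypt magic header. Nothing in this commit loads `.env` (scripts/deploy only sources tf-env.sh and the old `.envrc` is deleted), so the `#!/bin/sh` line is misleading for a file that is presumably sourced; a one-line comment saying who sources it and from which directory would help the next reader.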
diff --git a/.envrc b/.envrc
deleted file mode 100644
index 7e350d1..0000000
--- a/.envrc
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh -eu
-
-#
-# shared
-#
-VPS_HOSTNAME="$(cat servers/vps/hostname.txt)"
-VPS_TLD="$(cat servers/vps/tld.txt)"
-export TLD
-
-#
-# Terraform
-#
-export TF_VAR_vps_tld="$VPS_TLD"
-export TF_VAR_vps_hostname="$VPS_HOSTNAME"
-export TF_VAR_vps_storage_name="$VPS_HOSTNAME-storage"
-
-TF_VAR_vultr_api_key="$(cat ./secrets/terraform/vultr-api-key.txt ||:)"
-if [ -n "$TF_VAR_vultr_api_key" ]; then
- export TF_VAR_vultr_api_key
-fi
-
-TF_VAR_vps_dkim_public_key="$(head -n -1 < ./secrets/vps/mail/dkim/tld.pub | tail -n +2 | tr -d '\n')"
-export TF_VAR_vps_dkim_public_key
-
-# Selector: date when it was created
-export TF_VAR_vps_dkim_selector='20201126'
diff --git a/.gitattributes b/.gitattributes
index 4239af9..a500efa 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,2 @@
secrets/**/* filter=git-crypt diff=git-crypt
+servers/**/*terraform* filter=git-crypt diff=git-crypt
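Review bot: The new `servers/**/*terraform*` pattern also matches `.terraform.lock.hcl` (the diffstat shows it committed as a 1127-byte binary), which hides the provider version and hash pins from plain-text `git diff` and review; the lock file is exactly the supply-chain pin you want readable, while only `terraform.tfstate` and `terraform.tfstate.backup` carry secrets such as provider-returned credentials. Narrow the rule to the state files, e.g. `servers/**/terraform.tfstate* filter=git-crypt diff=git-crypt`, and commit the lock file in the clear. Keep in mind that git-crypt protects the state only at rest; it provides no locking, so concurrent applies from two checkouts can still clobber each other.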
diff --git a/.gitignore b/.gitignore
index 3998dad..e688346 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,8 @@
# Terraform
-/.terraform/
+.terraform/
# HTML
/tasks-and-bugs.html
/tasks-and-bugs.html~
/tasks-and-bugs.org
-/public/ \ No newline at end of file
+/public/
diff --git a/TODOs.md b/TODOs.md
index e4bd036..98bd7a9 100644
--- a/TODOs.md
+++ b/TODOs.md
@@ -273,3 +273,11 @@ client to talk with Telegram and WhatsApp chats.
https://news.ycombinator.com/item?id=26005038
https://news.ycombinator.com/item?id=27450364
+
+TURN STUN server
+
+parameterize SSH port
+
+public key is, at the same time, being generated by mailserver and via openssl
+
+Make VPS run on home server?
diff --git a/opt/secrets/mail-user-password-hash.txt b/opt/secrets/mail-user-password-hash.txt
deleted file mode 120000
index c739151..0000000
--- a/opt/secrets/mail-user-password-hash.txt
+++ /dev/null
@@ -1 +0,0 @@
-../../secrets/nixvps/mail-user-password-hash.txt \ No newline at end of file
diff --git a/scripts/deploy b/scripts/deploy
index 1b37888..d4a0128 100755
--- a/scripts/deploy
+++ b/scripts/deploy
@@ -1,9 +1,20 @@
#!/bin/sh
set -eu
+usage() {
+ cat <<EOF
+Usage:
+ $0 HOSTNAME
+
+Examples:
+ $0 kuvira
+EOF
+}
+
NAME="${1:-}"
if [ -z "$NAME" ]; then
- printf 'Missing hostname\n' >&2
+ printf 'Missing HOSTNAME\n' >&2
+ usage >&2
exit 2
fi
@@ -15,17 +26,22 @@ fi
DIR="$(dirname "$FILE")"
-terraform apply "$DIR"
+cd "$DIR"
+. ./tf-env.sh
+terraform init
+terraform apply
+cd - > /dev/null
TLD="$(cat "$DIR"/tld.txt)"
DIRS='/opt /srv'
# shellcheck disable=2029
ssh "$TLD" "\
-sudo mkdir -p $DIRS && \
-sudo chown $USER:users -R $DIRS && \
-chmod -R 755 $DIRS"
+ sudo mkdir -p $DIRS && \
+ sudo chown $USER:users -R $DIRS && \
+ chmod -R 755 $DIRS
+"
-rsync -avzPL opt "$TLD":/
+rsync -avzPL opt "$DIR/opt" "$TLD":/
if [ -f "$DIR"/machines.scm ]; then
guix deploy "$DIR"/machines.scm
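Review bot: The re-indented remote command still invokes `sudo mkdir` and `sudo chown`, but configuration.nix in this same commit sets `security.sudo.enable = false` and enables doas, so once the host has been switched to that configuration every later deploy fails at this step (and at the `sudo nixos-rebuild switch` below the hunk); use `doas` there, or keep sudo enabled. Separately, `chmod -R 755 $DIRS` runs before the rsync and `-aL` then copies the dereferenced `$DIR/opt/secrets` with the checkout's file modes, so the mail password hash and envsubst-configuration.nix presumably land as 0644 under a world-traversable /opt, readable by every local account including the guixbuilder users and the web-service users defined in configuration.nix; add a step such as `ssh "$TLD" doas chmod -R go-rwx /opt/secrets` after the rsync. None of the ssh/scp/rsync calls pass the non-default sshd port 23841 that configuration.nix sets, so the script depends on an `~/.ssh/config` entry for `$TLD` (the TODO hunk already lists parameterizing the port). The rest of the script lies outside this hunk.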
@@ -33,6 +49,6 @@ elif [ -f "$DIR"/configuration.nix ]; then
scp "$DIR"/configuration.nix "$TLD":/etc/nixos/
ssh "$TLD" sudo nixos-rebuild switch
else
- printf 'Uknown OS type of "%s"\n' "$NAME" >&2
+ printf 'Uknown deploy type for "%s"\n' "$NAME" >&2
exit 2
fi
diff --git a/servers/active/nixvps/.terraform.lock.hcl b/servers/active/nixvps/.terraform.lock.hcl
new file mode 100644
index 0000000..62406b0
--- /dev/null
+++ b/servers/active/nixvps/.terraform.lock.hcl
Binary files differ
diff --git a/servers/active/nixvps/configuration.nix b/servers/active/nixvps/configuration.nix
new file mode 100644
index 0000000..4d793db
--- /dev/null
+++ b/servers/active/nixvps/configuration.nix
@@ -0,0 +1,229 @@
+{ config, pkgs, ... }:
+
+let
+ envsubstConfiguration =
+ pkgs.callPackage /opt/secrets/envsubst-configuration.nix { };
+ config = rec {
+ TLD = envsubstConfiguration.TLD;
+ cgitPort = "81";
+ openSSHPort = 23841;
+ };
+in {
+ imports = [
+ ./hardware-configuration.nix
+ (builtins.fetchTarball {
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/master/nixos-mailserver-master.tar.gz";
+ })
+ ];
+
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ interfaces.ens3.useDHCP = true;
+ };
+
+ nix = {
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 7d";
+ };
+ # min-free 1G
+ extraOptions = ''
+ min-free = ${toString (1024 * 1024 * 1024)}
+ '';
+ };
+
+ environment = {
+ systemPackages = let
+ c99 = pkgs.tinycc.overrideAttrs (oldAttrs: {
+ postInstall = ''
+ ln -s $out/bin/tcc $out/bin/c99
+ '';
+ });
+ in with pkgs; [ vim git gitAndTools.git-annex gnumake gnum4 c99 bpytop ];
+ shellAliases = { l = "ls -lahF"; };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ # SSH: OpenSSH
+ config.openSSHPort
+
+ # HTTP and HTPPS: NGINX
+ 80
+ 443
+
+ # Git daemon
+ 9418
+ ];
+
+ security = {
+ acme = {
+ acceptTerms = true;
+ email = "eu@euandre.org";
+ };
+ sudo.enable = false;
+ doas = {
+ enable = true;
+ extraConfig = ''
+ permit nopass setenv { NIX_PATH } :wheel
+ '';
+ };
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ ports = [ config.openSSHPort ];
+ };
+
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "${config.TLD}" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/srv/http/";
+ extraConfig = ''
+ # Allow <script type="module" src="..."> 3rd-party HTML pages
+ add_header 'Access-Control-Allow-Origin' '*';
+ autoindex on;
+ '';
+ };
+ "git.${config.TLD}" = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ location = /favicon.ico {
+ alias ${pkgs.cgit}/cgit/favicon.ico;
+ }
+ location / {
+ # Allow <script type="module" src="..."> 3rd-party HTML pages
+ add_header 'Access-Control-Allow-Origin' '*';
+ proxy_pass http://localhost:${config.cgitPort};
+ }
+ '';
+ };
+ };
+ };
+
+ lighttpd = {
+ enable = true;
+ port = pkgs.lib.toInt config.cgitPort;
+ cgit = {
+ enable = true;
+ subdir = "";
+ configText = ''
+ enable-blame=1
+ enable-commit-graph=1
+ enable-follow-links=1
+ enable-index-owner=0
+ enable-log-filecount=1
+ enable-log-linecount=1
+ enable-html-serving=1
+ root-desc=Patches welcome!
+ readme=:README.en.md
+ readme=:README.md
+ readme=:README
+ max-repodesc-length=120
+ max-repo-count=999
+ remove-suffix=1
+ root-title=EuAndreh's repositories
+ snapshots=tar.xz
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+ scan-path=/srv/http
+ mimetype.mjs=text/javascript
+ '';
+ };
+ };
+
+ gitDaemon = {
+ enable = true;
+ basePath = "/srv/http";
+ exportAll = true;
+ };
+
+ cron = {
+ enable = true;
+ systemCronJobs = [
+ "30 1 * * 1 root /opt/bin/gc.sh"
+ "30 0 * * * root /opt/bin/backup.sh"
+ ];
+ };
+ };
+
+ users = {
+ # Improve: make mutable
+ mutableUsers = false;
+ extraUsers = let
+ andrehUser = {
+ andreh = {
+ uid = 1000;
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ hashedPassword = envsubstConfiguration.hashedPassword;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 eu@euandre.org"
+ ];
+ };
+ };
+ buildUser = (i: {
+ "guixbuilder${i}" = {
+ group = "guixbuild";
+ extraGroups = [ "guixbuild" ];
+ home = "/var/empty";
+ shell = pkgs.nologin;
+ description = "Guix build user ${i}";
+ isSystemUser = true;
+ };
+ });
+ in pkgs.lib.fold (str: acc: acc // buildUser str) andrehUser
+ (map (pkgs.lib.fixedWidthNumber 2) (builtins.genList (n: n + 1) 10));
+ extraGroups.guixbuild = { name = "guixbuild"; };
+ };
+
+ mailserver = {
+ enable = true;
+ fqdn = "mail.${config.TLD}";
+ domains = [ config.TLD ];
+ loginAccounts = {
+ "eu@${config.TLD}" = {
+ hashedPasswordFile = "/opt/secrets/mail-user-password-hash.txt";
+ aliases = [ "@${config.TLD}" ];
+ };
+ };
+ certificateScheme = 3;
+ };
+
+ systemd = {
+ services = {
+ guix-daemon = {
+ enable = true;
+ description = "Build daemon for GNU Guix";
+ serviceConfig = {
+ ExecStart =
+ "/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ };
+ };
+
+ system = {
+ stateVersion = "20.09";
+ autoUpgrade = {
+ enable = true;
+ allowReboot = true;
+ };
+ };
+}
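Review bot: The `builtins.fetchTarball` import of the mailserver pulls `master` with no `sha256`, so every evaluation — including the unattended `system.autoUpgrade` with `allowReboot = true` — builds whatever that branch holds at that moment, as root and with no integrity check; pin it to a release tag and add the hash, e.g. `url = ".../-/archive/<tag>/nixos-mailserver-<tag>.tar.gz"; sha256 = "<hash>";`. The doas rule `permit nopass setenv { NIX_PATH } :wheel` gives the `andreh` account passwordless root, so the single `ssh-rsa` key in `authorizedKeys` is effectively the root credential; if that is intended, say so in a comment next to the rule, otherwise drop `nopass`. `hashedPassword = envsubstConfiguration.hashedPassword` ends up in the world-readable Nix store with `mutableUsers = false`, unlike the mail account which uses `hashedPasswordFile`; the user-level `passwordFile` option, if available on this release, keeps the hash out of the store. Also `let config = rec { ... }` shadows the module's `config` argument, which is confusing in a NixOS module — renaming it `cfg` avoids a future mix-up.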
diff --git a/servers/active/nixvps/infrastructure.tf b/servers/active/nixvps/infrastructure.tf
index 2721c56..ae37080 100644
--- a/servers/active/nixvps/infrastructure.tf
+++ b/servers/active/nixvps/infrastructure.tf
@@ -15,26 +15,16 @@ variable "vultr_api_key" {
description = "Vultr API key."
}
-variable "vps_tld" {
+variable "tld" {
type = string
description = "Root Top-Level Domain. Subdomains will be derived from it."
}
-variable "vps_hostname" {
+variable "hostname" {
type = string
description = "Human name of the host. This is a pet name, not cattle name :)"
}
-variable "vps_dkim_public_key" {
- type = string
- description = "Public key for the DNS TXT DKIM record."
-}
-
-variable "vps_dkim_selector" {
- type = string
- description = "The DKIM selector that prefixes the domain in the TXT record."
-}
-
# Vultr
provider "vultr" {
@@ -46,9 +36,9 @@ provider "vultr" {
resource "vultr_instance" "vps_server" {
enable_ipv6 = true
backups = "enabled"
- hostname = var.vps_hostname
+ hostname = var.hostname
activation_email = true
- label = var.vps_hostname
+ label = var.hostname
region = "cdg"
plan = "vc2-1c-1gb"
# $ curl -H "Authorization: Bearer $TF_VAR_vultr_api_key" https://api.vultr.com/v2/snapshots | jq
@@ -66,17 +56,17 @@ output "vps_public_ipv6" {
# DNS and IP configuration
locals {
- mail_domain = "mail.${var.vps_tld}"
+ mail_domain = "mail.${var.tld}"
}
-resource "vultr_dns_domain" "vps_tld" {
+resource "vultr_dns_domain" "tld" {
# The CNAME record is already generated by Vultr
- domain = var.vps_tld
+ domain = var.tld
ip = vultr_instance.vps_server.main_ip
}
resource "vultr_dns_record" "vps_mail_a_record" {
- domain = vultr_dns_domain.vps_tld.id
+ domain = vultr_dns_domain.tld.id
name = "mail"
data = vultr_instance.vps_server.main_ip
type = "A"
@@ -89,7 +79,7 @@ resource "vultr_reverse_ipv4" "vps_mail_reverse_ipv4" {
}
resource "vultr_dns_record" "vps_mail_aaaa_record" {
- domain = vultr_dns_domain.vps_tld.id
+ domain = vultr_dns_domain.tld.id
name = "mail"
data = vultr_instance.vps_server.v6_main_ip
type = "AAAA"
@@ -102,38 +92,38 @@ resource "vultr_reverse_ipv6" "vps_mail_reverse_ipv6" {
}
resource "vultr_dns_record" "vps_mx_record" {
- domain = vultr_dns_domain.vps_tld.id
+ domain = vultr_dns_domain.tld.id
name = ""
data = local.mail_domain
type = "MX"
}
resource "vultr_dns_record" "vps_spf_txt" {
- domain = vultr_dns_domain.vps_tld.id
+ domain = vultr_dns_domain.tld.id
name = ""
data = "\"v=spf1 mx -all\""
type = "TXT"
}
resource "vultr_dns_record" "vps_dkim_txt" {
- domain = vultr_dns_domain.vps_tld.id
- name = "${var.vps_dkim_selector}._domainkey"
- data = "\"v=DKIM1;k=rsa;p=${var.vps_dkim_public_key}\""
+ domain = vultr_dns_domain.tld.id
+ name = "mail._domainkey"
+ data = "\"v=DKIM1; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgxJoKIUUzm1/4b507UQnO2gzJU5haFUhjLK2Vsx3eEGZ83XNj1NkI40IstWsR1VXNUkYcnuCGYwwoDwu397PBRK3qi62MV85rtLQ3ZbUoCkEtPgdoLome/87TU1sziMgadGVwK5QeV4bfFQYCY8dinM9QzIpfUo3UyB6s9mrCbQIDAQAB\""
type = "TXT"
}
resource "vultr_dns_record" "vps_dmarc_txt" {
- domain = vultr_dns_domain.vps_tld.id
+ domain = vultr_dns_domain.tld.id
name = "_dmarc"
- data = "\"v=DMARC1;p=none;pct=100;rua=mailto:postmaster@${var.vps_tld};\""
+ data = "\"v=DMARC1; p=quarantine\""
type = "TXT"
}
# I think this DNS is configured by default
# resource "vultr_dns_record" "vps_cname_start_alias" {
-# domain = vultr_dns_domain.vps_tld.id
+# domain = vultr_dns_domain.tld.id
# name = "*"
-# data = var.vps_tld
+# data = var.tld
# type = "CNAME"
# }
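Review bot: The DKIM record now hardcodes a public key under selector `mail`, but the key that actually signs outgoing mail is whatever nixos-mailserver generates on the host (the TODO hunk in this commit notes the key is being produced both by the mailserver and via openssl), and with `tld.txt` switching to a new domain in the same commit the server-side key will presumably be (re)generated, so the `p=` value and the signing key can drift and every message fails DKIM verification. Either feed the server-generated key into this record (read it back from the host after deploy, or pass it through a variable as the removed `vps_dkim_public_key` did) or install the private half of this key on the server, and add a comment stating which side is the source of truth. The `MIGf…` prefix suggests a 1024-bit RSA key; RFC 8301 recommends 2048 bits for new keys. The DMARC rewrite to `p=quarantine` also dropped the `rua=` tag the old record carried, so failures are now enforced but never reported; keep `rua=mailto:postmaster@${var.tld}` in the data string.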
diff --git a/servers/active/nixvps/opt/secrets b/servers/active/nixvps/opt/secrets
new file mode 120000
index 0000000..54184b4
--- /dev/null
+++ b/servers/active/nixvps/opt/secrets
@@ -0,0 +1 @@
+../../../../secrets/nixvps \ No newline at end of file
diff --git a/servers/active/nixvps/terraform.tfstate b/servers/active/nixvps/terraform.tfstate
new file mode 100644
index 0000000..69d33a2
--- /dev/null
+++ b/servers/active/nixvps/terraform.tfstate
Binary files differ
diff --git a/servers/active/nixvps/terraform.tfstate.backup b/servers/active/nixvps/terraform.tfstate.backup
new file mode 100644
index 0000000..409f268
--- /dev/null
+++ b/servers/active/nixvps/terraform.tfstate.backup
Binary files differ
diff --git a/servers/active/nixvps/tf-env.sh b/servers/active/nixvps/tf-env.sh
new file mode 100644
index 0000000..1ad643e
--- /dev/null
+++ b/servers/active/nixvps/tf-env.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+TF_VAR_hostname="$(cat hostname.txt)"
+export TF_VAR_hostname
+
+TF_VAR_tld="$(cat tld.txt)"
+export TF_VAR_tld
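Review bot: The file reads `hostname.txt` and `tld.txt` by relative path and is only sourced (`. ./tf-env.sh` after `cd "$DIR"` in scripts/deploy; mode -rw-r--r--), so the `#!/bin/sh` line is misleading and the CWD dependency is undocumented. Replace the shebang with a header comment such as `# Sourced by scripts/deploy with this directory as CWD; hostname.txt and tld.txt are required.`. Unlike `.env`, a missing file here should abort the caller via its `set -e`, which is the right behaviour for required inputs — worth stating in that comment so nobody adds a `||:` later.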
diff --git a/servers/active/nixvps/tld.txt b/servers/active/nixvps/tld.txt
index 0cb8b8b..1aaed8d 100644
--- a/servers/active/nixvps/tld.txt
+++ b/servers/active/nixvps/tld.txt
@@ -1 +1 @@
-euandreh.xyz
+arrobaponto.org