diff --git a/nix/modules/nixos/services/nginx/default.nix b/nix/modules/nixos/services/nginx/default.nix
index 916ece9..b0ba971 100644
--- a/nix/modules/nixos/services/nginx/default.nix
+++ b/nix/modules/nixos/services/nginx/default.nix
@@ -226,7 +226,7 @@ in
 serviceConfig = {
 ExecStartPre = [
 ''${pkgs.uutils-coreutils-noprefix}/bin/touch /var/log/nginx/access.fail2ban.log''
- ''${pkgs.uutils-coreutils-noprefix}/bin/chmod 064 /var/log/nginx/access.fail2ban.log''
+ ''${pkgs.uutils-coreutils-noprefix}/bin/chmod 0640 /var/log/nginx/access.fail2ban.log''
 ];
 };
 };
@@ -352,7 +352,8 @@ in
 "=/robots.txt" = {
 alias = value.robotsTxt;
 };
- } // value.locations;
+ }
+ // value.locations;
 forceSSL = true;
 enableACME = value.acme == null && !dns01Enabled;
 useACMEHost =
diff --git a/nix/systems/aarch64-linux/kas.codes/default.nix b/nix/systems/aarch64-linux/kas.codes/default.nix
index c0082e9..13f7ea5 100644
--- a/nix/systems/aarch64-linux/kas.codes/default.nix
+++ b/nix/systems/aarch64-linux/kas.codes/default.nix
@@ -5,7 +5,6 @@
 {
 imports = [
 "${inputs.self}/nix/profiles/nixos/hetzner-server.nix"
- ./mailserver
 ./forgejo
 ];
 khscodes.infrastructure.hetzner-instance = {
diff --git a/nix/systems/aarch64-linux/kas.codes/forgejo/default.nix b/nix/systems/aarch64-linux/kas.codes/forgejo/default.nix
index 3395289..b1f257c 100644
--- a/nix/systems/aarch64-linux/kas.codes/forgejo/default.nix
+++ b/nix/systems/aarch64-linux/kas.codes/forgejo/default.nix
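Review bot: The corrected mode `0640` (the old `064` gave the owning user no access at all) still leaves it unspecified who is meant to read access.fail2ban.log: `touch` creates the file as whichever user the nginx unit's ExecStartPre runs as, and nothing in this hunk sets the group through which fail2ban would read it. If fail2ban runs as a different user than nginx, a `chgrp` in the same ExecStartPre list, or a single `systemd.tmpfiles.rules` entry that fixes mode and ownership together, would make the intent explicit; otherwise a comment such as `# 0640: nginx writes, fail2ban reads via the shared group` would record the assumption. Whether nginx and fail2ban share a group is not visible in this hunk, and the enclosing unit definition starts outside it.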
@@ -40,28 +40,10 @@ let
 '';
 in
 {
- imports = [ ./oauth.nix ];
- khscodes.services.vault-agent.templates = [
- {
- contents = ''
- {{- with secret "forgejo/data/mailserver/users/forgejo" -}}
- {{ .Data.data.password }}
- {{- end -}}
- '';
- destination = "/var/lib/vault-agent/forgejo/mailserver/forgejo.passwd";
- perms = "0600";
- owner = "git";
- group = "git";
- restartUnits = [
- "forgejo.service"
- ];
- }
+ imports = [
+ ./oauth.nix
+ ./smtp.nix
 ];
- systemd.services.forgejo = {
- unitConfig = {
- ConditionPathExists = [ "/var/lib/vault-agent/forgejo/mailserver/forgejo.passwd" ];
- };
- };
 services.forgejo = {
 enable = true;
 user = "git";
@@ -87,12 +69,6 @@ in
 repository = {
 DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues,repo.packages,repo.actions";
 };
- mailer = {
- ENABLED = true;
- SMTP_ADDR = "kas.codes";
- FROM = "forgejo@kas.codes";
- USER = "forgejo@kas.codes";
- };
 "ui.meta" = {
 AUTHOR = "Kaare Hoff Skovgaard ";
 DESCRIPTION = "A self-hosted software forge for KAS/KHS";
@@ -108,7 +84,6 @@ in
 REGISTER_EMAIL_CONFIRM = false;
 };
 };
- secrets.mailer.PASSWD = "/var/lib/vault-agent/forgejo/mailserver/forgejo.passwd";
 lfs = {
 enable = true;
 };
diff --git a/nix/systems/aarch64-linux/kas.codes/forgejo/smtp.nix b/nix/systems/aarch64-linux/kas.codes/forgejo/smtp.nix
new file mode 100644
index 0000000..17f7c2a
--- /dev/null
+++ b/nix/systems/aarch64-linux/kas.codes/forgejo/smtp.nix
@@ -0,0 +1,54 @@
+let
+ secretFile = "/run/secret/mx.kaareskovgaard.net/forgejo.passwd";
+in
+{
+ khscodes.infrastructure.vault-server-approle.policy = {
+ "mx.kaareskovgaard.net/data/users/forgejo" = {
+ capabilities = [ "read" ];
+ };
+ };
+ khscodes.services.vault-agent.templates = [
+ {
+ contents = ''
+ {{- with secret "mx.kaareskovgaard.net/data/users/forgejo" -}}
+ {{ .Data.data.password }}
+ {{- end -}}
+ '';
+ destination = secretFile;
+ perms = "0600";
+ owner = "git";
+ group = "git";
+ restartUnits = [
+ "forgejo.service"
+ ];
+ }
+ ];
+ khscodes.infrastructure.hetzner-instance.extraFirewallRules = [
+ {
+ direction = "out";
+ protocol = "tcp";
+ port = 465;
+ destination_ips = [
+ "0.0.0.0/0"
+ "::/0"
+ ];
+ description = "smtp";
+ }
+ ];
+ services.forgejo = {
+ settings.mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "mx.kaareskovgaard.net";
+ SMTP_PORT = 465;
+ PROTOCOL = "smtps";
+ FROM = "git@kas.codes";
+ USER = "forgejo";
+ };
+ secrets.mailer.PASSWD = secretFile;
+ };
+ systemd.services.forgejo = {
+ unitConfig = {
+ ConditionPathExists = [ secretFile ];
+ };
+ };
+}
diff --git a/nix/systems/aarch64-linux/kas.codes/mailserver/default.nix b/nix/systems/aarch64-linux/kas.codes/mailserver/default.nix
deleted file mode 100644
index 4298c40..0000000
--- a/nix/systems/aarch64-linux/kas.codes/mailserver/default.nix
+++ /dev/null
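Review bot: The egress rule in `extraFirewallRules` opens outbound TCP 465 to `0.0.0.0/0` and `::/0`, although the only peer this mailer ever contacts is `mx.kaareskovgaard.net` (`SMTP_ADDR`), so the allowed egress is much wider than the single destination the rule exists for. If the MX has stable addresses, narrowing it keeps the host's outbound policy minimal, e.g. `destination_ips = [ "<MX_IPV4>/32" "<MX_IPV6>/128" ]; # mx.kaareskovgaard.net` (placeholders); if they are not static, a comment stating why the wildcard is required would at least record the decision. The `description = "smtp"` would also be clearer as `"smtps to mx.kaareskovgaard.net"` so the rule's purpose is visible wherever it is listed. The Vault policy and the `/run/secret/...` template with `perms = "0600"` are scoped to exactly the one secret the mailer reads, which is a clear tightening compared with the removed `forgejo/data/mailserver/users/*` policy.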
@@ -1,39 +0,0 @@
-{ ... }:
-{
- imports = [
- ./forgejo-user.nix
- ];
- khscodes.infrastructure.provisioning.pre.modules = [
- {
- khscodes.vault = {
- enable = true;
- mount.forgejo = {
- path = "forgejo";
- type = "kv";
- options = {
- version = "2";
- };
- description = "Secrets used for forgejo";
- };
- };
- }
- ];
- khscodes.infrastructure.mailserver = {
- enable = true;
- domains = [ "kas.codes" ];
- dkim = {
- vault = {
- mount = "forgejo";
- prefixPath = "mailserver/dkim";
- };
- };
- };
- mailserver = {
- loginAccounts = {
- "forgejo@kas.codes" = {
- hashedPasswordFile = "/var/lib/vault-agent/mailserver/users/forgejo.passwd.hash";
- sendOnly = true;
- };
- };
- };
-}
diff --git a/nix/systems/aarch64-linux/kas.codes/mailserver/forgejo-user.nix b/nix/systems/aarch64-linux/kas.codes/mailserver/forgejo-user.nix
deleted file mode 100644
index c29ce51..0000000
--- a/nix/systems/aarch64-linux/kas.codes/mailserver/forgejo-user.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- khscodes.infrastructure.vault-server-approle.policy = {
- "forgejo/data/mailserver/users/*" = {
- capabilities = [ "read" ];
- };
- };
- khscodes.services.vault-agent.templates = [
- {
- contents = ''
- {{- with secret "forgejo/data/mailserver/users/forgejo" -}}
- {{ .Data.data.hashed_password }}
- {{- end -}}
- '';
- destination = "/var/lib/vault-agent/mailserver/users/forgejo.passwd.hash";
- perms = "0600";
- owner = "rspamd";
- group = "rspamd";
- restartUnits = [
- "rspamd.service"
- "postfix.service"
- ];
- }
- ];
- khscodes.infrastructure.provisioning.pre.modules = [
- (
- { config, ... }:
- {
- terraform.required_providers.random = {
- source = "hashicorp/random";
- version = "3.7.2";
- };
- provider.random = { };
-
- resource.random_password.forgejo_mail_passwd = {
- length = 48;
- numeric = true;
- lower = true;
- upper = true;
- special = false;
- };
-
- resource.vault_kv_secret_v2.forgejo_email_user_password = {
- mount = config.khscodes.vault.output.mount.forgejo.path;
- name = "mailserver/users/forgejo";
- data_json = ''
- {
- "hashed_password": ''${ jsonencode(resource.random_password.forgejo_mail_passwd.bcrypt_hash) },
- "password": ''${ jsonencode(resource.random_password.forgejo_mail_passwd.result) }
- }
- '';
- };
- }
- )
- ];
-}
diff --git a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
index 7f21f0f..509e557 100644
--- a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
+++ b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
@@ -41,6 +41,7 @@
 "agerlinskovgaard.dk"
 "k.agerlin-skovgaard.dk"
 "k.agerlinskovgaard.dk"
+ "kas.codes"
 ];
 accounts = import ./users.nix;
 };
diff --git a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/mailserver/accounts.nix b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/mailserver/accounts.nix
index eb7c1a2..9e7179a 100644
--- a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/mailserver/accounts.nix
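Review bot: Adding `"kas.codes"` to the domains hosted by mx.kaareskovgaard.net makes this host the sender for `git@kas.codes`, but nothing in the diff covers the DNS side of that move: the per-domain DKIM configuration that lived in the deleted `kas.codes/mailserver/default.nix` (`dkim.vault.prefixPath = "mailserver/dkim"`) goes away with no visible replacement, and the SPF/DMARC records for kas.codes would now need to authorise this host rather than the old one. If the mailserver module on this host derives DKIM keys for every entry in this list automatically, a comment next to the new entry saying so, e.g. `# kas.codes: outbound only (git@kas.codes); DKIM keyed by this host, SPF/DMARC point here`, would save the next reader the search; if it does not, mail from git@kas.codes may be rejected or flagged by receivers that check SPF/DKIM alignment. The domain list starts outside the hunk, so how it is consumed cannot be confirmed here.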
+++ b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/mailserver/accounts.nix
@@ -134,7 +134,7 @@ let
 lib.concatStringsSep "\n" (
 lib.lists.map (account: ''
 {{- with secret "mx.kaareskovgaard.net/data/users/${account}" -}}
- "${account}:{{ .Data.data.hashed_password }}::::::"
+ ${account}:{{ .Data.data.hashed_password }}::::::
 {{- end -}}
 '') systemAccounts
 )
@@ -205,6 +205,7 @@ in
 let
 tfName = lib.khscodes.sanitize-terraform-name account;
 in
+ { config, ... }:
 {
 resource.random_password."${tfName}" = {
 length = 48;
diff --git a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/users.nix b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/users.nix
index 44e0b70..e5ef876 100644
--- a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/users.nix
+++ b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/users.nix
@@ -10,4 +10,9 @@
 ];
 quota = "10G";
 };
+ "forgejo" = {
+ name = "KAS: Codes";
+ addresses = [ "git@kas.codes" ];
+ sendOnly = true;
+ };
 }
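Review bot: The unquoted record `${account}:{{ .Data.data.hashed_password }}::::::` is now the only hint of the file format being rendered (a colon-separated passwd-file style entry, judging by the seven trailing colons), and the quoting mistake this hunk fixes shows how easily that format is broken by a well-meaning edit. A Nix comment above the `lib.concatStringsSep "\n" (` line, e.g. `# One passwd-file entry per system account, "user:hash::::::"; the hash is read from Vault and the line must stay unquoted`, would document the contract for the next change. In the second hunk the new `{ config, ... }:` header presumably exists because the module body below references `config`, but that body lies outside the hunk and cannot be confirmed here. The enclosing let-binding in the first hunk also starts and ends outside the hunk.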