Added hydra proxy

modules/nixos/security/acme/default.nix

@@ -23,6 +23,11 @@ in {
       type = str;
       description = "The domain to request a wildcard cert for.";
     };
+    isWildcard = mkOption {
+      type = bool;
+      default = true;
+      description = "Whether or not to request a wildcard cert.";
+    };
     dnsCredentialsFile = mkOption {
       type = path;
       description = "The path to the credentials file for the DNS provider.";
@@ -49,7 +54,7 @@ in {
         # own DNS to make `lego` happy (will resolve names to a public IP).
         dnsResolver = "1.1.1.1:53";
         credentialsFile = cfg.dnsCredentialsFile;
-        extraDomainNames = [("*." + cfg.domainName)];
+        extraDomainNames = mkIf cfg.isWildcard [("*." + cfg.domainName)];
       };
     };
   };

secrets/nextcloud_admin.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> piv-p256 UIEGzg AnK3fZAMaiuHUwPHAI0061l8KBzmjSgZBMjk3UIPJwHd
-1iwaFAOz0zIx6B41JtcG2DK2N069hYQ4Vnqg4fedpjo
--> ssh-ed25519 Yk7ehg IyyI4ryCFtm+chFhUKfwa4xolCvEvNhxNjkNZgK18X8
-VaSato0zX/b39z+Gg+7e249RUxNMHeEmRBs+42jIu0Q
--> ssh-ed25519 SYNSNQ fmj8P+lL02Yul83iYLBgUsEjGvqhmhY9cX9v/MNTORk
-WiwoKI9T6NJG7W5LvD+uyNuQMNRTDoCJ1G1SAEtv8Lo
---- miVPF2w5xzQgwPwqt66QSR/Cu8/yyZK2W+MJgd2VcMM
-%WŐŰHŐŕ<C590>‘h|_WçťIů7'|=J@ůPĚhŞ!ę;jĘVjđąóö„$cůś¶±v<08>«]d´|Ăô‰
+-> piv-p256 UIEGzg AlVgFIs0fcxvCxhQpvJy0zoxyDG/jjdH3tanlh6g03Hb
+h0BWlUFf6thkOhL7C7p4a+y6pcSyxNcaQRqJB+t5MPI
+-> ssh-ed25519 Yk7ehg FISeG4j0GnisFHqaKG3EQlHVwvyMgNaB/azd+K406mE
+Hls/fpeD7Y8ijA4i8PVkLOUKIe7G9TGaUegwVBTLV/c
+-> ssh-ed25519 SYNSNQ iNNqmZu6C7L5encU/oLYXQswn2DtuW/hvtSLGJft8gQ
+EjwJRLMuqezJ427LC9pfR0VibL+IL/idlAJE9WupD9k
+--- v3VGseXZtHJeTOxhRIp2fSGAJ8rr/dWQpJP1p12To/I
+¿T%yôFÒ½
ÿfÙ:_9
¤8zÚM{¨Me¶´˜þyºFLɵ×wüx¸gsþ¹zwÊÙ:òŒŽ§n(U>Bì

secrets/secrets.nix

@@ -6,9 +6,10 @@ let
     gospel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDzjXVoQEfO9JIcFbp56EvQ0oBdr9Cmhxp4z0ih+ZEZ";
     node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETLBnc8kJokmFiA28BaSYpeE7flY1W0SM5C1pWv/tOv";
     pi4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9fnNXzEmDdmtR+KWj/M9vQioFR0s/4jMnIkUFcj8As";
+    proxy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAf6Z7SZEOH3H51T/GPIc/B0OpbaydM5l2PP3nMnwpFl";
   };
 in {
-  "cf_dns_kilonull.age".publicKeys = [users.me machines.node machines.gospel machines.pi4];
+  "cf_dns_kilonull.age".publicKeys = [users.me machines.node machines.gospel machines.pi4 machines.proxy];
   "nextcloud_admin.age".publicKeys = [users.me machines.node machines.gospel];
   "theengs_ble_mqtt.age".publicKeys = [users.me machines.pi4 machines.gospel];
   "hass_mqtt.age".publicKeys = [users.me machines.pi4 machines.node machines.gospel];

secrets/teslamate_db.age

@@ -1,9 +1,10 @@
 age-encryption.org/v1
--> piv-p256 UIEGzg A8ilJuoE2n5sF0XF6PhErjsJ1/EttBm4tn5Sv51WATLr
-KtXedCvKhAyM7cNaHNqMsiNBgRDb6N1ZO/nj0+NFLQY
--> ssh-ed25519 Yk7ehg yA2ilbzpLOSs2D3pDXu3p6kpUwkdr7gK9et5mf5iuhs
-ON1C1BCQRwQTavOfqGq0byy5elO7EWTkuOi+h5BLa6Y
--> ssh-ed25519 SYNSNQ ywdfhuW5cs1aSDPo+JL2b6APhiTijZ892yQk0GA/hlI
-m3UBcMG6riihCV1ZNkn11nU+TOfMUyixbC3vnEpvLao
---- CiF9tD78NMgnvy788sBkFti4LdMPx8kQ9DKWphIW8Fo
-<EFBFBD>^9Íá¢À=]}ÉŽ—‘(önâGÎ<ó·¦C:$BeG©ÓXü
+-> piv-p256 UIEGzg A7y0aAtgUDLMypaXczhKrN0YTi82Ebmj3YTQ1WZTHU+U
+SsotYlcsVQN/O8DTUXIxFmeISElpTF5nxYzsrhVCABE
+-> ssh-ed25519 Yk7ehg epI85HdXuSYs7C/01CT7Y8XaTRrw+HkVo6wOa0fz2Bo
+mf5q0kcWeElyNAShdVY7MLGSun0cL0ixK5QzQu1NEOk
+-> ssh-ed25519 SYNSNQ YgAvuTGFh6hpkaAHIBda4uqmzFEJQkNj2HPenWRoz3o
+QjIZqvcqMo4rI+diLDgffrW65qWGnGqrhTR/5Gx8B+4
+--- 2co6b8q6Yg+J4SyPY56r9HGl/gfvEF5Ad010PaftIR0
+ｱLA!ｵｯxﾉ<78>
+]$Fｺﾑ<EFBDBA>ﾑZ<EFBE91>a|m<>ﾊiq&ﾗｻ:=ed撮
ﾈ

secrets/theengs_ble_mqtt.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> piv-p256 UIEGzg A+4ueAfFezO+SbFTU2WVj37mD4CccdnordVpwye7j+6g
-FMiMoUqfyNgw/uhhBxuKyx6yUPiZZ1pPt6iIxe0DZHM
--> ssh-ed25519 t5XIGA zRq/bzdlJZy9ll2MqKrFuoqSW4oeJ5UxhSkJ+3qlaG8
-y4EFhlpHL6zivpDZW35Fa3vNkbwTmcAOmtvE3HMtfIo
--> ssh-ed25519 SYNSNQ LAgvsPWPPz6cn1n3Ygu8HgT8NUyuhDn4xY9APX6T0D8
-sEX8cCiwf/poOeKEox279MCEGMyIUHnMHbiYZdwR/xU
---- nIO+s3lXRheBzqq9AZgNmg6rs8+HoF1sQOYzWy0wfds
-EÕ0¥ ™&åkß'/·<>9iÕÕg9F
FZ
4w1¥ D×<*IXq‹³?=ép"zÍ4hKþ	v·¶Ž
+-> piv-p256 UIEGzg Asl/n0iFj2Swc/Nf1bcMFxgFu64etnimDaw0oC74BbZT
+jHCir4VWyhxVGlLkdFYL/pH141ZczE9CRZ9ubWynaEQ
+-> ssh-ed25519 t5XIGA QiipiJkDoXn9Vsfwvs2bwvUDygdCaBbm2hPXCmSkpBA
+u6PipiF2jSvdt8ydx69UCEjYnMHGAkqOLqGNn78fo3I
+-> ssh-ed25519 SYNSNQ NMTuIYkgsxKEcwk7egjbzwlOmmKbrvvPOuUYtjUtjQM
+vpyVsReEuAPrcxqkXBWmyWFhx01o67fRznW3UG8R8qk
+--- zCzWtcgc8Cnu0XLFXZ9Rlk2u3h1ubZ2K+WqKl7qCaA8
+怳-f碙<66>誘|膫/.€>燉溪o}yW<07>O涒G圸牚摨磁鴶耨兢繦顼嬣旌蚡

systems/x86_64-do/proxy/README.md

@@ -0,0 +1,5 @@
+- Log in (SSH key should already be configured)
+- Change password with `passwd`
+- Set up tailscale with `sudo tailscale up --accept-routes --ssh`
+- Write cloudflare creds to `/var/acme/creds`
+  - Ensure permissions `sudo chmod -R 700 /var/acme/creds`

systems/x86_64-do/proxy/default.nix

@@ -0,0 +1,105 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  aa = {
+    nix.enable = true;
+    nix.useSelfhostedCache = true;
+
+    security.acme = {
+      enable = true;
+      domainName = "proxy.kilonull.com";
+      isWildcard = false;
+      # TODO: Use a different cert with more targetted permissions (this one
+      # can make wildcard certs)
+      # TODO: Add machine public key in secrets/secrets.nix
+      dnsCredentialsFile = "/var/acme/creds";
+    };
+
+    services = {
+      openssh.enable = true;
+      # NOTE: Need to run `tailscale login` on first boot
+      tailscale = {
+        enable = true;
+        configureClientRouting = true;
+      };
+    };
+
+    tools.zsh.enable = true;
+  };
+
+  services.nginx = {
+    enable = true;
+    appendHttpConfig = ''
+      log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time';
+      access_log  /var/log/nginx/access.log upstreamlog;
+    '';
+    virtualHosts."proxy.kilonull.com" = let
+      commonConfig = pkgs.writeText "common_config.conf" ''
+        proxy_redirect off;
+        proxy_set_header Host "hydra.kilonull.com";
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+
+        allow 127.0.0.1;
+        allow 100.0.0.0/8;
+        allow 192.168.113.0/24;
+      '';
+    in {
+      forceSSL = true;
+      useACMEHost = "proxy.kilonull.com";
+      locations = {
+        "/" = {
+          extraConfig = ''
+            deny all;
+          '';
+        };
+        "/hydra" = {
+          proxyPass = "https://hydra.kilonull.com";
+          extraConfig = ''
+            rewrite /hydra(.*) /$1 break;
+            include ${commonConfig};
+            deny all;
+          '';
+        };
+        "/hydra/api/push-github" = {
+          proxyPass = "https://hydra.kilonull.com/api/push-github";
+          extraConfig = ''
+            include ${commonConfig};
+            # GitHub webhook IPs
+            allow 192.30.252.0/22;
+            allow 185.199.108.0/22;
+            allow 140.82.112.0/20;
+            allow 143.55.64.0/20;
+            allow 2a0a:a440::/29;
+            allow 2606:50c0::/3;
+            deny all;
+          '';
+        };
+      };
+    };
+  };
+
+  users.users.${config.aa.user.name} = {
+    initialHashedPassword = "$y$j9T$/AuWXo5argOeEi1hwlu161$bvB.V5tfB.acWAvr6mV9lVucdGzQc16UVffMdPbqWD0";
+  };
+  networking.firewall.allowedTCPPorts = [
+    # SSH
+    22
+
+    # HTTP(S)
+    80
+    443
+  ];
+
+  virtualisation.digitalOcean = {
+    setRootPassword = true;
+    setSshKeys = true;
+  };
+
+  system.stateVersion = "24.05";
+}