From 2f108e708ffa99e1e210cc7ac2566554a144465a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sun, 16 Feb 2025 18:46:25 +0800
Subject: [PATCH 1/3] WIP: chore(coturn): Switch to letsencrypt certificate
Fixes #107
---
configuration/nginx.nix | 8 ++++++-
configuration/services/conduit/default.nix | 11 +++++----
configuration/services/metrics/exporters.nix | 10 ++++++++
.../services/metrics/victoriametrics.nix | 24 +++++++++++++++++++
4 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/configuration/nginx.nix b/configuration/nginx.nix
index 0b72cc1..3ec3bd9 100644
--- a/configuration/nginx.nix
+++ b/configuration/nginx.nix
@@ -53,7 +53,7 @@
"*.tlater.com"
];
dnsProvider = "porkbun";
- group = "nginx";
+ group = "ssl-cert";
credentialFiles = {
PORKBUN_API_KEY_FILE = config.sops.secrets."porkbun/api-key".path;
PORKBUN_SECRET_API_KEY_FILE = config.sops.secrets."porkbun/secret-api-key".path;
@@ -61,6 +61,12 @@
};
};
+ users.groups.ssl-cert = { };
+
+ systemd.services.nginx.serviceConfig.SupplementaryGroups = [
+ config.security.acme.certs."tlater.net".group
+ ];
+
services.backups.acme = {
user = "acme";
paths = lib.mapAttrsToList (
diff --git a/configuration/services/conduit/default.nix b/configuration/services/conduit/default.nix
index c3803f4..c7e4ab4 100644
--- a/configuration/services/conduit/default.nix
+++ b/configuration/services/conduit/default.nix
@@ -50,6 +50,10 @@ in
# See also https://gitlab.com/famedly/conduit/-/issues/314
systemd.services.conduit.serviceConfig.EnvironmentFile = config.sops.secrets."turn/env".path;
+ systemd.services.coturn.serviceConfig.SupplementaryGroups = [
+ config.security.acme.certs."tlater.net".group
+ ];
+
services.coturn = {
enable = true;
no-cli = true;
@@ -59,11 +63,8 @@ in
relay-ips = [ "116.202.158.55" ];
# SSL config
- #
- # TODO(tlater): Switch to letsencrypt once google fix:
- # https://github.com/vector-im/element-android/issues/1533
- pkey = config.sops.secrets."turn/ssl-key".path;
- cert = config.sops.secrets."turn/ssl-cert".path;
+ pkey = "${config.security.acme.certs."tlater.net".directory}/key.pem";
+ cert = "${config.security.acme.certs."tlater.net".directory}/fullchain.pem";
# Based on suggestions from
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
diff --git a/configuration/services/metrics/exporters.nix b/configuration/services/metrics/exporters.nix
index a47a701..78ba684 100644
--- a/configuration/services/metrics/exporters.nix
+++ b/configuration/services/metrics/exporters.nix
@@ -20,6 +20,16 @@ in
timeout = "5s";
http.preferred_ip_protocol = "ip4";
};
+
+ turn_server = {
+ prober = "tcp";
+ timeout = "5s";
+ tcp = {
+ preferred_ip_protocol = "ip4";
+ source_ip_address = "116.202.158.55";
+ tls = true;
+ };
+ };
};
};
};
diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix
index eca65d0..4a78d46 100644
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@@ -40,6 +40,30 @@ in
};
};
+ blackbox_turn = {
+ targets = [ "turn.tlater.net:${toString config.services.coturn.tls-listening-port}" ];
+
+ extraSettings = {
+ metrics_path = "/probe";
+ params.module = [ "turn_server" ];
+
+ relabel_configs = [
+ {
+ source_labels = [ "__address__" ];
+ target_label = "__param_target";
+ }
+ {
+ source_labels = [ "__param_target" ];
+ target_label = "instance";
+ }
+ {
+ target_label = "__address__";
+ replacement = "${blackbox_host}:${toString blackbox_port}";
+ }
+ ];
+ };
+ };
+
blackbox_exporter.targets = [ "${blackbox_host}:${toString blackbox_port}" ];
coturn.targets = [ "127.0.0.1:9641" ];
From 778818a359237dbaa0e5270167e0b64dd3fc93f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sun, 23 Feb 2025 00:42:13 +0800
Subject: [PATCH 2/3] WIP: fix(crowdsec): Make the whitelists actually work
---
configuration/services/crowdsec.nix | 44 +++++++----------------
modules/crowdsec/default.nix | 56 +++++++++++++++--------------
2 files changed, 41 insertions(+), 59 deletions(-)
diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
index 6e0f367..6860354 100644
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@@ -12,6 +12,18 @@
"10.45.249.2"
];
+ extraConfig."postoverflows/s01-whitelist/matrix-whitelist.yaml" = {
+ name = "tetsumaki/matrix";
+ description = "custom matrix whitelist";
+ whitelist = {
+ reason = "whitelist false positive for matrix";
+ expression = [
+ "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
+ "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
+ ];
+ };
+ };
+
extraGroups = [
"systemd-journal"
"nginx"
@@ -55,36 +67,4 @@
};
};
};
-
- # Add whitelists for matrix
- systemd.tmpfiles.settings."10-matrix" =
- let
- stateDir = config.security.crowdsec.stateDirectory;
- in
- {
- "${stateDir}/config/postoverflows".d = {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${stateDir}/config/postoverflows/s01-whitelist".d = {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument =
- ((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" {
- name = "tetsumaki/matrix";
- description = "custom matrix whitelist";
- whitelist = {
- reason = "whitelist false positive for matrix";
- expression = [
- "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'"
- "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']"
- ];
- };
- }).outPath;
- };
}
diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix
index c0003a5..cc14939 100644
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@@ -31,6 +31,22 @@ let
${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions}
---
'';
+
+ extraConfigs = pkgs.symlinkJoin {
+ name = "crowdsec-extra-configs";
+ paths = lib.mapAttrsToList (
+ path: settings:
+ (settingsFormat.generate path settings).overrideAttrs (old: {
+ patchPhase = ''
+ mkdir -p "$out/${dirOf path}/"
+ out="$out/${dirOf path}/"
+
+ echo $out
+ exit 1
+ '';
+ })
+ ) cfg.extraConfig;
+ };
in
{
imports = [ ./remediations ];
@@ -38,6 +54,7 @@ in
options.security.crowdsec =
let
inherit (lib.types)
+ attrsOf
nullOr
listOf
package
@@ -85,6 +102,16 @@ in
'';
};
+ extraConfig = lib.mkOption {
+ type = attrsOf (settingsFormat.type);
+ default = {
+ "parsers/s02-enrich/nixos-whitelist.yaml" = cfg.parserWhitelist;
+ };
+ description = ''
+ Set of additional configurations to install.
+ '';
+ };
+
acquisitions = lib.mkOption {
type = listOf settingsFormat.type;
default = [ ];
@@ -300,33 +327,6 @@ in
group = "crowdsec";
mode = "0700";
};
-
- "${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
- user = "crowdsec";
- group = "crowdsec";
- mode = "0700";
- };
-
- "${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
- lib.mkIf (cfg.parserWhitelist != [ ])
- {
- "L+".argument =
- (settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
- name = "nixos/parser-whitelist";
- description = "Parser whitelist generated by the crowdsec NixOS module";
- whitelist = {
- reason = "Filtered by NixOS whitelist";
- ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
- cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
- };
- }).outPath;
- };
};
services = {
@@ -336,6 +336,8 @@ in
description = "Crowdsec database and config preparation";
script = ''
+ cp --copy-contents --recursive ${extraConfigs}/. ${cfg.stateDirectory}/config
+
if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
fi
From 664c87adadc44bfb00fe071bcf7e63dced590cdd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Thu, 7 Nov 2024 20:26:43 +0100
Subject: [PATCH 3/3] WIP: feat: Add minecraft server
---
configuration/default.nix | 6 +-
configuration/services/minecraft.nix | 83 ++++++++++++++++++++++++++++
2 files changed, 84 insertions(+), 5 deletions(-)
create mode 100644 configuration/services/minecraft.nix
diff --git a/configuration/default.nix b/configuration/default.nix
index 239f9f6..f874733 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -22,6 +22,7 @@
./services/foundryvtt.nix
./services/gitea.nix
./services/metrics
+ ./services/minecraft.nix
./services/nextcloud.nix
./services/webserver.nix
./services/wireguard.nix
@@ -70,8 +71,6 @@
8448
# starbound
21025
- # Minecraft
- 25565
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
@@ -80,9 +79,6 @@
];
allowedUDPPorts = [
- # More minecraft
- 25565
-
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
diff --git a/configuration/services/minecraft.nix b/configuration/services/minecraft.nix
new file mode 100644
index 0000000..0477f44
--- /dev/null
+++ b/configuration/services/minecraft.nix
@@ -0,0 +1,83 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+{
+ services.minecraft-server = {
+ enable = true;
+ eula = true;
+ # jvmOpts are set using a file for forge
+ # jvmOpts = "-Xmx8G -Xms8G";
+ openFirewall = true;
+
+ declarative = true;
+
+ whitelist = {
+ tlater = "140d177a-966f-41b8-a4c0-e305babd291b";
+ romino25 = "59cd1648-14a4-4bcf-8f5a-2e1bde678f2c";
+ lasi25 = "0ab6e3d1-544a-47e7-8538-2e6c248e49a4";
+ };
+
+ serverProperties = {
+ allow-flight = true;
+ difficulty = "hard";
+ motd = "tlater.net";
+ spawn-protection = 1;
+ white-list = true;
+ enable-query = true;
+ enable-status = true;
+
+ # Allows the server to write chunks without hogging the main
+ # thread...
+ sync-chunk-writes = false;
+ # Disables chat reporting, because we don't need any of that
+ # drama on a lil' friends-only server.
+ enforce-secure-profile = false;
+ };
+
+ package = pkgs.writeShellApplication {
+ name = "minecraft-server";
+ runtimeInputs = with pkgs; [ jdk17_headless ];
+
+ text = ''
+ exec /var/lib/minecraft/run.sh $@
+ '';
+ };
+ };
+
+ systemd.services.minecraft-server = {
+ path = with pkgs; [ jdk17_headless ];
+
+ # Since we read from our own HTTP server, we need to wait for it
+ # to be up
+ after = [ "nginx.service" ];
+
+ serviceConfig = {
+ # Use packwiz to install mods
+ ExecStartPre = [
+ "${pkgs.jdk17_headless}/bin/java -jar ${config.services.minecraft-server.dataDir}/packwiz-installer-bootstrap.jar -g -s server 'https://minecraft.${config.services.nginx.domain}/cobblemon-pack/pack.toml'"
+ ];
+ # Forge requires some bonus JVM options, which they include in a
+ # little `run.sh` script
+ ExecStart = lib.mkForce "${config.services.minecraft-server.dataDir}/run.sh --nogui";
+ };
+ };
+
+ systemd.tmpfiles.settings."10-minecraft" = {
+ "/srv/minecraft".d = {
+ user = "nginx";
+ group = "minecraft";
+ mode = "0775";
+ };
+ };
+
+ services.nginx.virtualHosts."minecraft.${config.services.nginx.domain}" = {
+ forceSSL = true;
+ useACMEHost = "tlater.net";
+ enableHSTS = true;
+
+ root = "/srv/minecraft";
+ };
+}