diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index aff95a3..a331fc7 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -33,7 +33,13 @@
 ];
 };
- networking.hostName = "${hostName}";
+ networking = {
+ hostName = "${hostName}";
+ firewall.interfaces."enp2s0".allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
 # hardened openssh
 services.openssh = {
diff --git a/modules/nixos/features/borgmatic.nix b/modules/nixos/features/borgmatic.nix
index bd45777..6628f8e 100644
--- a/modules/nixos/features/borgmatic.nix
+++ b/modules/nixos/features/borgmatic.nix
@@ -20,6 +20,8 @@
 ntfy = {
 topic = "backups";
 server = config.services.ntfy-sh.settings.base-url;
+ username = "borgmatic";
+ password = "{credential file ${config.age.secrets.borgmatic-ntfy.path}}";
 finish = {
 title = "Ping!";
 message = "Your backups have succeeded :)";
@@ -78,6 +80,7 @@
 # secrets
 age.secrets = {
 "borgmatic".file = ../../../secrets/borgmatic.age;
+ "borgmatic-ntfy".file = ../../../secrets/borgmatic-ntfy.age;
 "borgmatic-pg".file = ../../../secrets/borgmatic-pg.age;
 };
 }
diff --git a/modules/nixos/features/caddy.nix b/modules/nixos/features/caddy.nix
index ca45981..4c8978a 100644
--- a/modules/nixos/features/caddy.nix
+++ b/modules/nixos/features/caddy.nix
@@ -9,6 +9,7 @@
 globalConfig = ''
 auto_https disable_redirects
 '';
+ openFirewall = true;
 };
 security.acme = {
diff --git a/modules/nixos/features/copyparty.nix b/modules/nixos/features/copyparty.nix
index 73006f6..ac21d2c 100644
--- a/modules/nixos/features/copyparty.nix
+++ b/modules/nixos/features/copyparty.nix
@@ -25,12 +25,12 @@ in
 rproxy = 1;
 };
- accounts.will.passwordFile = config.age.secrets.copyparty-will.path;
+ accounts.Impatient7119.passwordFile = config.age.secrets.copyparty.path;
 volumes."/" = {
 path = "/srv/copyparty";
 access = {
- A = [ "will" ];
+ A = [ "Impatient7119" ];
 };
 };
 };
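Review bot: The interface-scoped rule `firewall.interfaces."enp2s0".allowedTCPPorts = [ 80 443 ];` is likely undone by `openFirewall = true;` in the caddy.nix hunk of this same commit: if that option behaves like the other NixOS `openFirewall` switches it appends 80/443 to the global `networking.firewall.allowedTCPPorts`, which applies to every interface and makes the `enp2s0` restriction ineffective. Keep only one of the two; if the interface rule is the intended policy, drop `openFirewall = true;` from caddy.nix and add a comment such as `# HTTP/HTTPS reachable only via enp2s0; do not open the firewall globally in caddy.nix` above the rule so the next edit does not reintroduce it. The `networking` block sits inside an attribute set that starts outside the hunk.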
@@ -44,8 +44,8 @@ in
 };
 # secrets
- age.secrets."copyparty-will" = {
- file = ../../../secrets/copyparty-will.age;
+ age.secrets."copyparty" = {
+ file = ../../../secrets/copyparty.age;
 owner = "copyparty";
 };
diff --git a/modules/nixos/features/ntfy-sh.nix b/modules/nixos/features/ntfy-sh.nix
index e53a792..b82a4f0 100644
--- a/modules/nixos/features/ntfy-sh.nix
+++ b/modules/nixos/features/ntfy-sh.nix
@@ -10,9 +10,21 @@ in
 base-url = "https://ntfy-sh.fi33.buzz";
 listen-http = ":${toString port}";
 behind-proxy = true;
+ auth-default-access = "deny-all";
+ auth-users = [
+ "Debit3885:$2a$12$ZeFimzdifNFSmf0W2oi.vuZfsqae75md9nhC/Q2BcKMyvDO8T.uEK:admin"
+ "borgmatic:$2a$12$ZeFimzdifNFSmf0W2oi.vuZfsqae75md9nhC/Q2BcKMyvDO8T.uEK:user"
+ ];
+ auth-access = [ "borgmatic:backups:wo" ];
 };
 };
+ borgmatic.settings = {
+ source_directories = [
+ "/var/lib/ntfy-sh/user.db"
+ ];
+ };
+
 caddy.virtualHosts."ntfy-sh.fi33.buzz".extraConfig = ''
 reverse_proxy localhost:${toString port}
 tls ${certloc}/cert.pem ${certloc}/key.pem {
diff --git a/secrets/borgmatic-ntfy.age b/secrets/borgmatic-ntfy.age
new file mode 100644
index 0000000..86e7ba8
--- /dev/null
+++ b/secrets/borgmatic-ntfy.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 qLT+DQ GTuLiTsgOVunKC+DyalVPV3gKm3WiKoSIQXg/0ElJF8
+UiOLJdTn4Q5oTkqAtZ6K0uxW+EsrpfA156uC1ncrIY0
+-> ssh-ed25519 7+xRyQ k2ta2Gl7zCvHiv4DwzgRK5REDYayIoTfC32BF5yHxgg
+n7sqfJ6fx/3VnQCD+H4n92ekGdoFCdk/SeXdSU8FZHc
+-> ssh-ed25519 LtK9yQ BQ9U3//Lzx7dX+iDyP2lqx6K860kFTu/iB5uMAskKhA
+xiV+QxL8ffx9n9gIUr5wwQ5zGvZlFsf2DclayQh8SJI
+--- k06SInBOn82DqWfIf4t62pjAZ1R0uWAyQTi5ELDD/6U
+fú _$®T5–6"T­Hô;4}ù
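Review bot: In the new `auth-users` list the `Debit3885` entry (role `admin`) and the `borgmatic` entry carry the identical bcrypt hash `$2a$12$ZeFi…`, so the password that borgmatic.nix feeds to the ntfy hook from `borgmatic-ntfy.age` is also the admin password, and the write-only `borgmatic:backups:wo` grant in `auth-access` no longer limits what a leak of that secret yields. Give `borgmatic` its own password and hash so the service credential carries only the `user` role it was scoped to. Separately, these hashes are committed to the repository and, as far as I can tell, rendered from `settings` into a world-readable file under /nix/store, which exposes them to offline guessing; ntfy reads the same option from the environment as `NTFY_AUTH_USERS`, so the hashes could instead come from an age secret through an environment file if the module provides one. The enclosing `settings` and `services` attribute sets start outside the hunk.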