feat: prepare for exposure to the internet

* open ports 80 and 443 * password-protect copyparty and ntfy-sh * randomise usernames for radicale and copyparty
2026-02-22 16:49:11 +11:00 · 2026-02-22 16:49:11 +11:00 · 3c46d9e066
commit 3c46d9e066
parent fbd4da91c0
9 changed files with 38 additions and 6 deletions
--- a/modules/nixos/features/borgmatic.nix
+++ b/modules/nixos/features/borgmatic.nix
@ -20,6 +20,8 @@
      ntfy = {
        topic = "backups";
        server = config.services.ntfy-sh.settings.base-url;
+        username = "borgmatic";
+        password = "{credential file ${config.age.secrets.borgmatic-ntfy.path}}";
        finish = {
          title = "Ping!";
          message = "Your backups have succeeded :)";
@ -78,6 +80,7 @@
  # secrets
  age.secrets = {
    "borgmatic".file = ../../../secrets/borgmatic.age;
+    "borgmatic-ntfy".file = ../../../secrets/borgmatic-ntfy.age;
    "borgmatic-pg".file = ../../../secrets/borgmatic-pg.age;
  };
 }
--- a/modules/nixos/features/caddy.nix
+++ b/modules/nixos/features/caddy.nix
@ -9,6 +9,7 @@
    globalConfig = ''
      auto_https disable_redirects
    '';
+    openFirewall = true;
  };

  security.acme = {
--- a/modules/nixos/features/copyparty.nix
+++ b/modules/nixos/features/copyparty.nix
@ -25,12 +25,12 @@ in
        rproxy = 1;
      };

-      accounts.will.passwordFile = config.age.secrets.copyparty-will.path;
+      accounts.Impatient7119.passwordFile = config.age.secrets.copyparty.path;

      volumes."/" = {
        path = "/srv/copyparty";
        access = {
-          A = [ "will" ];
+          A = [ "Impatient7119" ];
        };
      };
    };
@ -44,8 +44,8 @@ in
  };

  # secrets
-  age.secrets."copyparty-will" = {
-    file = ../../../secrets/copyparty-will.age;
+  age.secrets."copyparty" = {
+    file = ../../../secrets/copyparty.age;
    owner = "copyparty";
  };

--- a/modules/nixos/features/ntfy-sh.nix
+++ b/modules/nixos/features/ntfy-sh.nix
@ -10,9 +10,21 @@ in
        base-url = "https://ntfy-sh.fi33.buzz";
        listen-http = ":${toString port}";
        behind-proxy = true;
+        auth-default-access = "deny-all";
+        auth-users = [
+          "Debit3885:$2a$12$ZeFimzdifNFSmf0W2oi.vuZfsqae75md9nhC/Q2BcKMyvDO8T.uEK:admin"
+          "borgmatic:$2a$12$ZeFimzdifNFSmf0W2oi.vuZfsqae75md9nhC/Q2BcKMyvDO8T.uEK:user"
+        ];
+        auth-access = [ "borgmatic:backups:wo" ];
      };
    };

+    borgmatic.settings = {
+      source_directories = [
+        "/var/lib/ntfy-sh/user.db"
+      ];
+    };
+
    caddy.virtualHosts."ntfy-sh.fi33.buzz".extraConfig = ''
      reverse_proxy localhost:${toString port}
      tls ${certloc}/cert.pem ${certloc}/key.pem {