rolling update in 20240205

Signed-off-by: iosmanthus <[email protected]>
iosmanthus · Feb 5, 2024 · 998be00 · 998be00
1 parent ad2df6f
commit 998be00
Show file tree

Hide file tree

Showing 17 changed files with 200 additions and 98 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -20,11 +20,6 @@
     };
 
     jetbrains.url = "github:NixOS/nixpkgs/master";
-
-    nix-ld = {
-      url = "github:Mic92/nix-ld";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
   };
   outputs =
     { self
@@ -34,7 +29,6 @@
     , home-manager
     , sops-nix
     , berberman
-    , nix-ld
     , ...
     }@inputs:
     let
@@ -50,7 +44,6 @@
 
           sops-nix.nixosModules.sops
           home-manager.nixosModules.home-manager
-          nix-ld.nixosModules.nix-ld
 
           ({ config, ... }: {
             home-manager = {

diff --git a/infra/terraform.tfvars b/infra/terraform.tfvars
@@ -7,5 +7,13 @@ websites = [
   {
     name = "www"
     zone = "72d18453e5277555259d8fee6c65b016"
+  },
+  {
+    name = "vault"
+    zone = "72d18453e5277555259d8fee6c65b016"
+  },
+  {
+    name = "atuin"
+    zone = "72d18453e5277555259d8fee6c65b016"
   }
 ]
diff --git a/modules/atuin/default.nix b/modules/atuin/default.nix
@@ -0,0 +1,74 @@
+{ config, pkgs, lib, ... }:
+let
+  inherit (lib) mkOption types mdDoc mkIf;
+  cfg = config.iosmanthus.atuin;
+in
+{
+  options = {
+    iosmanthus.atuin = {
+      enable = lib.mkEnableOption (mdDoc "Atuin server for shell history sync");
+
+      environmentFile = mkOption {
+        type = types.path;
+        description = "Path to a file containing environment variables to be loaded by the atuin service";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.atuin = {
+      description = "atuin server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        ExecStart = "${pkgs.atuin}/bin/atuin server start";
+        RuntimeDirectory = "atuin";
+        RuntimeDirectoryMode = "0700";
+        DynamicUser = true;
+
+        # Hardening
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        MemoryDenyWriteExecute = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "full";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          # Required for connecting to database sockets,
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+        UMask = "0077";
+
+        EnvironmentFile = cfg.environmentFile;
+      };
+
+      environment = {
+        ATUIN_CONFIG_DIR = "/run/atuin"; # required to start, but not used as configuration is via environment variables
+      };
+    };
+  };
+}
diff --git a/modules/default.nix b/modules/default.nix
@@ -4,6 +4,7 @@
       ./gtk-theme
       ./wallpaper
       ./sing-box
+      ./caddy
 
       ./monitors.nix
     ];
@@ -26,6 +27,7 @@
       ./sing-box
       ./caddy
       ./subgen
+      ./atuin
     ];
   };
 }
diff --git a/nixos/aws-lightsail-0/atuin/default.nix b/nixos/aws-lightsail-0/atuin/default.nix
@@ -0,0 +1,24 @@
+{ config
+, ...
+}:
+{
+  sops.templates."atuin.env".content = ''
+    ATUIN_HOST="127.0.0.1"
+    ATUIN_MAX_HISTORY_LENGTH=131072
+    ATUIN_OPEN_REGISTRATION=false
+    ATUIN_PAGE_SIZE=2048
+    ATUIN_PORT=8888
+    RUST_LOG="info,atuin_server=debug"
+
+    ATUIN_DB_URI="${config.sops.placeholder."atuin/db-uri"}"
+  '';
+
+  systemd.services.atuin.restartTriggers = [
+    config.sops.templates."atuin.env".content
+  ];
+
+  iosmanthus.atuin = {
+    enable = true;
+    environmentFile = config.sops.templates."atuin.env".path;
+  };
+}
diff --git a/nixos/aws-lightsail-0/caddy/default.nix b/nixos/aws-lightsail-0/caddy/default.nix
@@ -15,7 +15,7 @@
   sops.templates."Caddyfile" = {
     owner = config.iosmanthus.caddy.user;
     content = ''
-      ${config.sops.placeholder."caddy/virtual-host-a"} {
+      www.iosmanthus.com {
         tls {
           dns cloudflare ${config.sops.placeholder."cloudflare/api-token"}
         }
@@ -24,43 +24,45 @@
         }
         reverse_proxy 127.0.0.1:8080
       }
-      ${config.sops.placeholder."caddy/virtual-host-b"} {
+      vault.iosmanthus.com {
         tls {
           dns cloudflare ${config.sops.placeholder."cloudflare/api-token"}
         }
         log {
           level INFO
         }
-        reverse_proxy 127.0.0.1:8080
+        header / {
+        	-Last-Modified
+        	-Server
+        	-X-Powered-By
+        	Strict-Transport-Security "max-age=31536000;"
+        	X-Content-Type-Options "nosniff"
+        	X-Frame-Options "DENY"
+        	X-Robots-Tag "noindex, nofollow"
+        	X-XSS-Protection "0"
+        }
+        reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT} {
+          header_up X-Real-IP {http.request.header.Cf-Connecting-Ip}
+        }
       }
-      ${config.sops.placeholder."caddy/virtual-host-c"} {
+      atuin.iosmanthus.com {
         tls {
           dns cloudflare ${config.sops.placeholder."cloudflare/api-token"}
         }
         log {
           level INFO
         }
-        # Uncomment to improve security (WARNING: only use if you understand the implications!)
-        # If you want to use FIDO2 WebAuthn, set X-Frame-Options to "SAMEORIGIN" or the Browser will block those requests
         header / {
-        	# Enable HTTP Strict Transport Security (HSTS)
+        	-Last-Modified
+        	-Server
+        	-X-Powered-By
         	Strict-Transport-Security "max-age=31536000;"
-        	# Disable cross-site filter (XSS)
-        	X-XSS-Protection "0"
-        	# Disallow the site to be rendered within a frame (clickjacking protection)
+        	X-Content-Type-Options "nosniff"
         	X-Frame-Options "DENY"
-        	# Prevent search engines from indexing (optional)
         	X-Robots-Tag "noindex, nofollow"
-        	# Disallow sniffing of X-Content-Type-Options
-        	X-Content-Type-Options "nosniff"
-        	# Server name removing
-        	-Server
-        	# Remove X-Powered-By though this shouldn't be an issue, better opsec to remove
-        	-X-Powered-By
-        	# Remove Last-Modified because etag is the same and is as effective
-        	-Last-Modified
+        	X-XSS-Protection "0"
         }
-        reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT} {
+        reverse_proxy 127.0.0.1:8888 {
           header_up X-Real-IP {http.request.header.Cf-Connecting-Ip}
         }
       }

diff --git a/nixos/aws-lightsail-0/default.nix b/nixos/aws-lightsail-0/default.nix
@@ -14,6 +14,7 @@
     ./promtail
     ./prometheus
     ./vaultwarden
+    ./atuin
   ];
 
   boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";