diff --git a/configurations/host/valkyrie/default.nix b/configurations/host/valkyrie/default.nix index 85f2262..fb20448 100644 --- a/configurations/host/valkyrie/default.nix +++ b/configurations/host/valkyrie/default.nix @@ -144,7 +144,8 @@ security.acme.acceptTerms = true; security.acme.defaults.email = "materus+acme@podkos.pl"; - security.acme.defaults.credentialsFile = config.sops.secrets.certs.path ; + security.acme.defaults.credentialsFile = config.sops.secrets.certs.path; + security.acme.defaults.dnsResolver = "9.9.9.9:53"; security.acme.certs."materus.pl" = { domain = "materus.pl"; group = "nginx"; @@ -166,5 +167,14 @@ dnsProvider = "ovh"; }; + + security.acme.certs."${materusArg.waffentrager.samba.domain}" = { + domain = materusArg.waffentrager.samba.domain; + extraDomainNames = [ + "${materusArg.waffentrager.samba.netbiosName}.${materusArg.waffentrager.samba.domain}" + ]; + dnsProvider = "ovh"; + }; + } diff --git a/configurations/host/waffentrager/secrets/default.nix b/configurations/host/waffentrager/secrets/default.nix index 774f324..54862ee 100644 --- a/configurations/host/waffentrager/secrets/default.nix +++ b/configurations/host/waffentrager/secrets/default.nix @@ -23,6 +23,7 @@ ]; sops.secrets.wireguard = { }; sops.secrets."users/materus" = { neededForUsers = true; }; + sops.secrets.certs = { }; sops.secrets.elements = { }; sops.secrets.nextcloud-adminpass = { }; } diff --git a/configurations/host/waffentrager/secrets/private/default.nix b/configurations/host/waffentrager/secrets/private/default.nix index 94402b1..b369ccd 100644 Binary files a/configurations/host/waffentrager/secrets/private/default.nix and b/configurations/host/waffentrager/secrets/private/default.nix differ diff --git a/configurations/host/waffentrager/secrets/secrets.yaml b/configurations/host/waffentrager/secrets/secrets.yaml index ed6c7fe..0ac38f1 100644 --- a/configurations/host/waffentrager/secrets/secrets.yaml +++ b/configurations/host/waffentrager/secrets/secrets.yaml 
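Review bot: The new `security.acme.defaults.dnsResolver = "9.9.9.9:53";` line carries no comment saying why ACME propagation checks are pinned to an external resolver instead of the host's own; presumably it is so lego's DNS-01 checks for the samba domain added further down in this file query a public resolver rather than whatever the local resolver returns for that zone. A one-line comment such as `# lego checks DNS-01 propagation through Quad9, not the local resolver` keeps the next reader from removing it as redundant. The spacing fix on the credentialsFile line is cosmetic.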
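Review bot: The new cert block for the samba domain has no consumer on this host, and nothing in the hunk says where the issued files go; the only reader visible in this commit is waffentrager's rsync-acme unit, which copies from `/var/lib/mnt_acme/<domain>/`, presumably this host's ACME directory exposed over a mount. A comment above the block, e.g. `# consumed by waffentrager (rsync-acme.service) via the mnt_acme mount; no local service uses it`, would spare the next reader the cross-host search and make clear why no `group` or reload hook is set here. Unlike the materus.pl block above, this one relies on the module's default group and permissions for the key, which is fine only as long as the mount-side reader runs as root, as the rsync unit does.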
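Review bot: `sops.secrets.certs = { };` makes the DNS-provider credentials available on waffentrager, yet the only consumer in this commit is `security.acme.defaults.credentialsFile = config.sops.secrets.certs.path;` in `services/auth/default.nix`, and no `security.acme.certs` entry is declared for this host — the samba-domain certificate is issued on valkyrie in the same commit. If nothing on waffentrager requests a certificate itself, this secret and that credentialsFile line can both be dropped so the API credentials stay on the issuing host only; if something does, a comment on the secret naming that cert definition would justify its presence here.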
@@ -3,6 +3,7 @@ nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdP elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str] users: materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str] +certs: ENC[AES256_GCM,data:3Wzl23y3CDXRe6SlWKXcKBrYz/l3Y0fuif4HTs2UzjnqQ1z36IataIV11vnXbrERtGPtr6NOS66ebTLrVpsCyGTt0Lmucxmirleetqw2JI9/2Z0Y4M32FmQDHFjMltcOqNNT0q3QlSwU7rAeFzkgdayhbSIhxA5Hr/pn236KiSGHlauOniATIs9sBKjWhaa/facH5I4N1Vx5SMlurlefzaLFOQ==,iv:VFgbpyLsbalOnOA/7IgB8pUZ/U7JAswiCNeWEpjscMo=,tag:BIDj655QorEwPez7trCzkw==,type:str] sops: kms: [] gcp_kms: [] @@ -18,8 +19,8 @@ sops: eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-28T18:40:01Z" - mac: ENC[AES256_GCM,data:gHZRjD8y8u90S9yKgeI8zD0mIOd75tecNoXwVgykJ1XlkQyNJQRQJ9D1mWcwl88lQBtud/7AVp5Lv3mibiw6GfqFdIIm8elNHKAVo32l2qFAaBUJ3NHwoYbtmC83YPhuSS3cvCEkmsuBW4Os8UARgbOtR0EvG+GzA4Z+DB4PPLQ=,iv:vMfSCZHDvV2z7ccbV4RqU1HF1oqDU2G/9xKqG7tbdGs=,tag:LTu9jZPYcUNJaPn8wkd4lg==,type:str] + lastmodified: "2024-04-12T06:59:28Z" + mac: ENC[AES256_GCM,data:JA2hcgsXvmhmF4pUv7pk7zaDwqza7e3zVbHNnWGcoRb/rrgJgsDlJL76RWuSGciAolmmJ6flou6IrGGoV9tq9A/tceepPyw3+CJ8+8zfFBltrDKnclzz4mhuw14rec1wFYziuqf719XTut0IY0hCTPd27W74irMJVP9hQ3YZtC0=,iv:NIn8abwLqhkY1eMkEGxCVdcXc+Ick1up4vuQZ/IfdA0=,tag:MWnmAPVclrUg6IXtRoD7vg==,type:str] pgp: - created_at: "2024-03-21T18:15:00Z" enc: |- diff --git a/configurations/host/waffentrager/services/auth/default.nix b/configurations/host/waffentrager/services/auth/default.nix new file mode 100644 index 0000000..616a9a2 --- /dev/null 
+++ b/configurations/host/waffentrager/services/auth/default.nix @@ -0,0 +1,63 @@ +{ config, materusArg, lib, pkgs, ... }: +let + cfg = config.waffentragerService.auth; +in +{ + options.waffentragerService.auth.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable auth"; + imports = + [ + ./samba.nix + ]; + config = lib.mkIf cfg.enable + { + waffentragerService.elements.enable = true; + waffentragerService.nginx.enable = true; + + + security.acme.defaults.credentialsFile = config.sops.secrets.certs.path; + + systemd.services.resolvconf.enable = false; + networking.hosts = { + "${materusArg.ips.wireguard.waffentrager}" = [ + materusArg.waffentrager.samba.domain + "${materusArg.waffentrager.samba.netbiosName}.${materusArg.waffentrager.samba.domain}" + materusArg.waffentrager.samba.netbiosName + ]; + }; + environment.etc = { + resolvconf = { + text = '' + search ${materusArg.waffentrager.samba.domain} + nameserver ${materusArg.waffentrager.samba.dnsIp} + nameserver 9.9.9.9 + ''; + }; + }; + + systemd.timers.rsync-acme = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1min"; + OnUnitActiveSec = "1h"; + Unit = "rsync-acme.service"; + }; + }; + + systemd.services.rsync-acme = { + description = "Sync acme for samba"; + path = [ pkgs.rsync ]; + requires = [ "var-lib-mnt_acme.mount" ]; + after = [ "var-lib-mnt_acme.mount" ]; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = false; + script = '' + rsync -avzr --chmod=0600 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/key.pem ${materusArg.waffentrager.samba.servicePath}/tls/ + rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/chain.pem ${materusArg.waffentrager.samba.servicePath}/tls/ + rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/fullchain.pem ${materusArg.waffentrager.samba.servicePath}/tls/ + ''; + }; + + + + }; +} 
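Review bot: `environment.etc.resolvconf` installs `/etc/resolvconf`, not `/etc/resolv.conf`; with `systemd.services.resolvconf` disabled just above it, nothing in this file appears to put the samba-first nameserver list where the libc resolver reads it, so the key should presumably be `"resolv.conf"` (the block is carried over from the old auth.nix, so this predates the commit). A second gap is renewal: rsync-acme refreshes key.pem, chain.pem and fullchain.pem hourly, but samba only orders itself after the first run, so a renewed certificate is not used until samba happens to restart. Having the script itemize what rsync actually transferred and run `systemctl try-restart samba.service` only when a file changed closes that; rsync's `-i` output marks received files with `>f`, and NixOS puts systemd and grep on every service's default PATH. The hunk covers the whole new file.
```nix
    systemd.services.rsync-acme = {
      # … unchanged: description, path, requires/after, serviceConfig …
      script = ''
        src=/var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}
        dst=${materusArg.waffentrager.samba.servicePath}/tls/
        changed=""
        changed="$changed$(rsync -avzri --chmod=0600 --chown=root:root "$src/key.pem" "$dst" | grep '^>f' || true)"
        changed="$changed$(rsync -avzri --chmod=0640 --chown=root:root "$src/chain.pem" "$dst" | grep '^>f' || true)"
        changed="$changed$(rsync -avzri --chmod=0640 --chown=root:root "$src/fullchain.pem" "$dst" | grep '^>f' || true)"
        # restart samba only when a certificate file was actually replaced
        if [ -n "$changed" ]; then systemctl try-restart samba.service; fi
      '';
    };
```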
diff --git a/configurations/host/waffentrager/services/auth.nix b/configurations/host/waffentrager/services/auth/samba.nix similarity index 79% rename from configurations/host/waffentrager/services/auth.nix rename to configurations/host/waffentrager/services/auth/samba.nix index 3774145..6c4bf43 100644 --- a/configurations/host/waffentrager/services/auth.nix +++ b/configurations/host/waffentrager/services/auth/samba.nix @@ -1,12 +1,12 @@ { materusArg, config, lib, pkgs, ... }: { - options.waffentragerService.auth.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable auth"; + config = let cfg = config.waffentragerService.auth; sambaCfg = config.services.samba; - servicePath = "/var/lib/elements/services/samba"; + servicePath = materusArg.waffentrager.samba.servicePath; smbToString = x: if builtins.typeOf x == "bool" then lib.boolToString x @@ -20,25 +20,12 @@ )); in lib.mkIf cfg.enable { - waffentragerService.elements.enable = true; - waffentragerService.nginx.enable = true; - - - - systemd.services.resolvconf.enable = false; - environment.etc = { - resolvconf = { - text = '' - search ${materusArg.waffentrager.samba.domain} - nameserver ${materusArg.waffentrager.samba.dnsIp} - nameserver 9.9.9.9 - ''; - }; - }; + systemd.services.samba-smbd.enable = false; systemd.services.samba = { description = "Samba Service Daemon"; - + requires = [ "rsync-acme.service" ]; + after = [ "rsync-acme.service" ]; requiredBy = [ "samba.target" ]; partOf = [ "samba.target" ]; @@ -55,7 +42,9 @@ # https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage networking.firewall.allowedTCPPorts = [ 139 445 389 88 53 464 636 3268]; networking.firewall.allowedUDPPorts = [ 135 137 138 389 88 53 123 464]; - + systemd.tmpfiles.rules = [ + "d ${servicePath}/tls/ 0600 root 3000000 -" + ]; services.samba = { enable = true; enableNmbd = false; 
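Review bot: `requires = [ "rsync-acme.service" ];` on the samba unit makes the domain controller's start conditional on `var-lib-mnt_acme.mount` succeeding, because rsync-acme itself requires that mount in `services/auth/default.nix`; when the remote share is unavailable at boot the DC — and with it the AD DNS that this host's own resolver text lists first — does not come up at all. If that is the intended fail-closed behaviour, a comment saying so next to the line is enough; otherwise `wants = [ "rsync-acme.service" ];` with the same `after` lets samba start on the files from the previous sync while still attempting a refresh first. The samba unit definition continues past the end of this hunk.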
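Review bot: The tmpfiles rule `"d ${servicePath}/tls/ 0600 root 3000000 -"` gives the directory mode 0600, which has no search (x) bit, so the group 3000000 it assigns cannot enter it; the only effect of the group is an inconsistency with the files rsync-acme drops in, which are `--chown=root:root`. If only root (the AD DC process) needs the private key, `"d ${servicePath}/tls/ 0700 root root -"` states that directly; if some gid is meant to read the certificates, use 0750 and chown the cert files to that group in the rsync unit as well. 3000000 looks like a samba idmap gid — a comment naming it would help either way.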
@@ -70,7 +59,11 @@ server role = active directory domain controller workgroup = ${materusArg.waffentrager.samba.workgroup} idmap_ldb:use rfc2307 = yes - ldap server require strong auth = no + ldap server require strong auth = yes + tls enabled = yes + tls keyfile = ${servicePath}/tls/key.pem + tls certfile = ${servicePath}/tls/fullchain.pem + tls cafile = ${servicePath}/tls/chain.pem [sysvol] path = ${servicePath}/sysvol diff --git a/configurations/host/waffentrager/services/default.nix b/configurations/host/waffentrager/services/default.nix index cd7372e..e1e5fa7 100644 --- a/configurations/host/waffentrager/services/default.nix +++ b/configurations/host/waffentrager/services/default.nix @@ -8,7 +8,7 @@ ./gitea.nix ./nginx.nix ./nextcloud.nix - ./auth.nix + ./auth ]; waffentragerService.elements.enable = true; waffentragerService.postgresql.enable = true; diff --git a/configurations/profile/common/private/default.nix b/configurations/profile/common/private/default.nix index ac48154..405e240 100644 Binary files a/configurations/profile/common/private/default.nix and b/configurations/profile/common/private/default.nix differ
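Review bot: `ldap server require strong auth = yes` changes client-visible behaviour — simple binds and unsigned SASL binds over cleartext port 389 are now refused, so clients must use LDAPS on 636 (still opened in the firewall above) or STARTTLS/signing — and the hunk does not record that; a comment such as `# refuse unprotected LDAP binds; clients need LDAPS/STARTTLS or SASL signing` above the line would make the operational impact explicit. `tls cafile` pointing at `chain.pem`, the intermediate chain rsynced from the ACME output, appears to be the right file for samba to send alongside the leaf; `tls enabled = yes` is samba's default, so that line is documentation only. The smb.conf text this hunk edits begins before the hunk.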