nixos/sing-box: fix exposed secrets

nixos: impermanence -> perservation
tyo0/redlib: block search indexing
2024-09-07 14:50:06 +08:00 · 2024-09-07 14:49:47 +08:00 · 2024-09-06 21:21:02 +08:00 · 2024-09-06 21:21:02 +08:00 · 2024-09-06 21:21:02 +08:00
17 changed files with 128 additions and 65 deletions
--- a/flake.lock
+++ b/flake.lock
@ -159,21 +159,6 @@
        "type": "github"
      }
    },
    "impermanence": {
      "locked": {
        "lastModified": 1724489415,
        "narHash": "sha256-ey8vhwY/6XCKoh7fyTn3aIQs7WeYSYtLbYEG87VCzX4=",
        "owner": "nix-community",
        "repo": "impermanence",
        "rev": "c7f5b394397398c023000cf843986ee2571a1fd7",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "impermanence",
        "type": "github"
      }
    },
    "lanzaboote": {
      "inputs": {
        "crane": [
@ -298,6 +283,21 @@
        "type": "github"
      }
    },
    "preservation": {
      "locked": {
        "lastModified": 1725460242,
        "narHash": "sha256-9n9Ygta1MCfpbF9D88tG2B4EL5nuSz4eIOAofGSlxoE=",
        "owner": "WilliButz",
        "repo": "preservation",
        "rev": "02e731a820d05107bc648460f8630d0d80a5ffd4",
        "type": "github"
      },
      "original": {
        "owner": "WilliButz",
        "repo": "preservation",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "colmena": "colmena",
@ -308,12 +308,12 @@
        "flake-utils": "flake-utils",
        "gitignore": "gitignore",
        "home-manager": "home-manager",
        "impermanence": "impermanence",
        "lanzaboote": "lanzaboote",
        "neovim": "neovim",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
        "preservation": "preservation",
        "rust-overlay": "rust-overlay",
        "sops-nix": "sops-nix",
        "systems": "systems",
--- a/flake.nix
+++ b/flake.nix
@ -28,9 +28,6 @@
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    impermanence = {
      url = "github:nix-community/impermanence";
    };
    lanzaboote = {
      url = "github:nix-community/lanzaboote";
      inputs.nixpkgs.follows = "nixpkgs";
@ -50,6 +47,9 @@
    nixos-hardware = {
      url = "github:NixOS/nixos-hardware";
    };
    preservation = {
      url = "github:WilliButz/preservation";
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
--- a/hosts/dust/default.nix
+++ b/hosts/dust/default.nix
@ -6,16 +6,23 @@
  ...
 }:
 {
-  imports = [
+  imports =
-    ../../nixos/profiles/sing-box
+    [
-    ../../nixos/profiles/wireless
+      ../../nixos/profiles/sing-box
      ../../nixos/profiles/wireless
-    ./anti-feature.nix
+      ./anti-feature.nix
-    ./disko.nix
+      ./disko.nix
-    ./hardware-configuration.nix
+      ./hardware-configuration.nix
-    ./impermanence.nix
+      ./lanzaboote.nix
-    ./lanzaboote.nix
+      ./preservation.nix
-  ];
+    ]
    ++ (with inputs; [
      disko.nixosModules.disko
      home-manager.nixosModules.home-manager
      lanzaboote.nixosModules.lanzaboote
      preservation.nixosModules.preservation
    ]);
  networking.hostName = "dust";
  time.timeZone = "Asia/Shanghai";
--- a/hosts/dust/preservation.nix
+++ b/hosts/dust/preservation.nix
@ -2,8 +2,8 @@
 {
  sops.age.sshKeyPaths = lib.mkForce [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
  fileSystems."/persist".neededForBoot = true;
-  environment.persistence."/persist" = {
+  preservation.enable = true;
-    hideMounts = true;
+  preservation.preserveAt."/persist" = {
    directories = [
      "/var/log"
      "/var/lib"
@ -15,6 +15,7 @@
      "/etc/ssh/ssh_host_rsa_key"
      "/etc/ssh/ssh_host_rsa_key.pub"
    ];
    users.guanranwang = {
      directories = [
        "Desktop"
@ -43,4 +44,19 @@
      ];
    };
  };
  systemd.tmpfiles.settings.preservation =
    let
      mkTmpfile = {
        user = "guanranwang";
        group = "users";
        mode = "0755";
      };
    in
    {
      "/home/guanranwang/.config".d = mkTmpfile;
      "/home/guanranwang/.mozilla".d = mkTmpfile;
      "/home/guanranwang/.local/share".d = mkTmpfile;
      "/home/guanranwang/.local/state".d = mkTmpfile;
    };
 }
--- a/hosts/tyo0/default.nix
+++ b/hosts/tyo0/default.nix
@ -9,6 +9,7 @@
  imports = [
    "${modulesPath}/virtualisation/amazon-image.nix"
    ./anti-feature.nix
    ./ports.nix
    ./services/forgejo.nix
    ./services/keycloak.nix
--- a/hosts/tyo0/ports.nix
+++ b/hosts/tyo0/ports.nix
@ -0,0 +1,13 @@
 {
  lib.ports = {
    keycloak = 8010;
    miniflux = 8020;
    redlib = 8030;
    vaultwarden = 8040;
    wastebin = 8050;
    prometheus = 9010;
    blackbox = 9020;
    alertmanager = 9030;
  };
 }
--- a/hosts/tyo0/secrets.yaml
+++ b/hosts/tyo0/secrets.yaml
@ -1,5 +1,5 @@
 sing-box:
-    auth: ENC[AES256_GCM,data:szsNEmPyKZZJXxZ/1CCVNNocNp2dkUNT8n/Evf61J8LnBZGiUNKZek7ecdvU6VVsszOYD4uv6F3WmulmUqSRff2fI8pn3/if5cNSMOT9KUQpJMwnYMVIWGI+Epmr76rQUuf766yMA3UEloSuwOvpWjUmfdonfr2jKocMJRDgDoI4tWRHpRmjcF7mRt5x12FFgAhDmlNZOSyRxx6R5opfL0ZEU3MPi6El+dokkUcq/frp/ZgjadTyVQMJc5E41QMYbAcqJmAIN8lCVnUbshwxDRGYcpkH66KLOf6NYo0Z4dbnK6bgUozHLpI=,iv:sgEAZOTk5zylOU1SeHCGIjMkmZ8KKhSRIW7UHXH4u/8=,tag:KwI5w2OSmhB3PjCKPgoSjQ==,type:str]
+    auth: ENC[AES256_GCM,data:gzoeMI/8A6e6HBbE2VofGJB1/sIq+b7MrkFoTp4zvRT1gLHVfP1B6XT+srJCOgUFNWL++JU1ShPYqgH61cl77WtJjzy+LJxb3oYnW3u/EzJJMpBHggstVQpaWfiGb16lhCq+Figsxk0G8BUFI/PPR/KmBZzLOw+/I/z8Dqf66dQh9BIhEOY0pJknZ4El2Ml5oGvYxdpjQ9rESfegwTz5wrha77V1mi733jrPFDuWLDkgNDf5nKRfCkpfLrdzyU7OX4qcj81qIpHsRBZ25Lib0IwDGurC7njKdbs8S0bprqZlK9sW34Dmx3s=,iv:XgXX2LaLgyyRuI04/RzgnfTAXUW3e9F0cdw6l6koVgc=,tag:9hDiGVADrBgpc0G+UFjM3g==,type:str]
 miniflux:
    environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str]
 vaultwarden:
@ -30,8 +30,8 @@ sops:
            UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
            n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-29T16:26:25Z"
+    lastmodified: "2024-09-07T05:32:46Z"
-    mac: ENC[AES256_GCM,data:jpm+TBCtdFcgfRvzg+mTgWtu20/rm6nF/OdxUGbufkC1Y0Z8+eb8nIBe1TJhodt6kT/NdPRVI0N1JLD5XOwduvqL/QoZGzGkBfEVqFvnTxQYVVXp4sWdqji26XPb1sn+gbmobR4qlZPxdmvKZWEQxO2VJpKA3Bfalwa9fy0ajHE=,iv:XDRDEP/+rs2DLLkrftSxlxDMbdz7W9nHBEs0QWIDK88=,tag:UVmyD5FOev9LPRBvMcmJyw==,type:str]
+    mac: ENC[AES256_GCM,data:K+J0o/hlOHociZO8Fd08/ixr21ZGCM9yK6M87ylSbRNb8rwwS+IAsumvMMa8/R79ay66T0VWlTjBY2ywlrNLiz11n1Qx2j97L1MrCy4VWy3LmJEFhbGuUBbZLIp53OK7brSC/6XN3lB6K5KsiZ4vLCyGu/6hRpxcHg5Iada5h+8=,iv:JT9Xl9JQWYpacWz+ymwoZfOSeMqtrsmxhNu6hCBxUEQ=,tag:wRPCTHyL2iupmvnMJOx30g==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/hosts/tyo0/services/keycloak.nix
+++ b/hosts/tyo0/services/keycloak.nix
@ -1,4 +1,12 @@
-{ lib, pkgs, ... }:
+{
  lib,
  config,
  pkgs,
  ...
 }:
 let
  port = config.lib.ports.keycloak;
 in
 {
  services.keycloak = {
    enable = true;
@ -6,7 +14,7 @@
      cache = "local";
      hostname = "id.ny4.dev";
      http-host = "127.0.0.1";
-      http-port = 8800;
+      http-port = port;
      proxy = "edge";
    };
    database.passwordFile = toString (pkgs.writeText "password" "keycloak");
@ -18,7 +26,7 @@
    };
    handle = lib.singleton {
      handler = "reverse_proxy";
-      upstreams = [ { dial = "localhost:8800"; } ];
+      upstreams = [ { dial = "localhost:${toString port}"; } ];
    };
  };
 }
--- a/hosts/tyo0/services/miniflux.nix
+++ b/hosts/tyo0/services/miniflux.nix
@ -1,10 +1,13 @@
 { lib, config, ... }:
 let
  port = config.lib.ports.miniflux;
 in
 {
  services.miniflux = {
    enable = true;
    adminCredentialsFile = config.sops.secrets."miniflux/environment".path;
    config = {
-      LISTEN_ADDR = "127.0.0.1:9300";
+      LISTEN_ADDR = "127.0.0.1:${toString port}";
      BASE_URL = "https://rss.ny4.dev";
      OAUTH2_PROVIDER = "oidc";
@ -21,7 +24,7 @@
    };
    handle = lib.singleton {
      handler = "reverse_proxy";
-      upstreams = [ { dial = "localhost:9300"; } ];
+      upstreams = [ { dial = "localhost:${toString port}"; } ];
    };
  };
 }
--- a/hosts/tyo0/services/prometheus.nix
+++ b/hosts/tyo0/services/prometheus.nix
@ -4,17 +4,20 @@
  config,
  ...
 }:
 let
  inherit (config.lib) ports;
 in
 {
  services.prometheus = {
    enable = true;
    listenAddress = "127.0.0.1";
-    port = 9090;
+    port = ports.prometheus;
    webExternalUrl = "https://prom.ny4.dev";
    exporters.blackbox = {
      enable = true;
      listenAddress = "127.0.0.1";
-      port = 9093;
+      port = ports.blackbox;
      configFile = (pkgs.formats.yaml { }).generate "config.yaml" {
        modules = {
          http_2xx = {
@ -73,7 +76,7 @@
          }
          {
            target_label = "__address__";
-            replacement = "127.0.0.1:9093";
+            replacement = "127.0.0.1:${toString ports.blackbox}";
          }
        ];
      }
@ -116,7 +119,7 @@
    alertmanagers = lib.singleton {
      static_configs = lib.singleton {
        targets = [
-          "127.0.0.1:9092"
+          "127.0.0.1:${toString ports.alertmanager}"
        ];
      };
    };
@ -124,7 +127,7 @@
    alertmanager = {
      enable = true;
      listenAddress = "127.0.0.1";
-      port = 9092;
+      port = ports.alertmanager;
      configuration = {
        receivers = lib.singleton {
@ -146,7 +149,7 @@
    };
    handle = lib.singleton {
      handler = "reverse_proxy";
-      upstreams = [ { dial = "127.0.0.1:9090"; } ];
+      upstreams = [ { dial = "127.0.0.1:${toString ports.prometheus}"; } ];
    };
  };
 }
--- a/hosts/tyo0/services/redlib.nix
+++ b/hosts/tyo0/services/redlib.nix
@ -1,18 +1,29 @@
-{ lib, ... }:
+{ lib, config, ... }:
 let
  port = config.lib.ports.redlib;
 in
 {
  services.redlib = {
    inherit port;
    enable = true;
    address = "127.0.0.1";
    port = 9400;
  };
  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
    match = lib.singleton {
      host = [ "reddit.ny4.dev" ];
    };
-    handle = lib.singleton {
+    handle = [
-      handler = "reverse_proxy";
+      {
-      upstreams = [ { dial = "localhost:9400"; } ];
+        # Google's indexing caused a DoS with 800k requests...
-    };
+        # https://developers.google.com/search/docs/crawling-indexing/block-indexing
        handler = "headers";
        response.set."X-Robots-Tag" = [ "noindex" ];
      }
      {
        handler = "reverse_proxy";
        upstreams = [ { dial = "localhost:${toString port}"; } ];
      }
    ];
  };
 }
--- a/hosts/tyo0/services/sing-box.nix
+++ b/hosts/tyo0/services/sing-box.nix
@ -18,7 +18,7 @@
          listen = "0.0.0.0";
          listen_port = 27253;
          users = {
-            _secret = "/run/credentials/sing-box.service/auth";
+            _secret = config.sops.secrets."sing-box/auth".path;
            quote = false;
          };
          tls = {
@ -47,7 +47,6 @@
      path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev";
    in
    [
      "auth:${config.sops.secrets."sing-box/auth".path}"
      "cert:${path}/tyo0.ny4.dev.crt"
      "key:${path}/tyo0.ny4.dev.key"
    ];
--- a/hosts/tyo0/services/vaultwarden.nix
+++ b/hosts/tyo0/services/vaultwarden.nix
@ -1,4 +1,7 @@
 { lib, config, ... }:
 let
  port = config.lib.ports.vaultwarden;
 in
 {
  services.vaultwarden = {
    enable = true;
@ -7,7 +10,7 @@
      DOMAIN = "https://vault.ny4.dev";
      IP_HEADER = "X-Forwarded-For";
      ROCKET_ADDRESS = "127.0.0.1";
-      ROCKET_PORT = 9500;
+      ROCKET_PORT = port;
      EMERGENCY_ACCESS_ALLOWED = false;
      SENDS_ALLOWED = false;
@ -22,7 +25,7 @@
    };
    handle = lib.singleton {
      handler = "reverse_proxy";
-      upstreams = [ { dial = "localhost:9500"; } ];
+      upstreams = [ { dial = "localhost:${toString port}"; } ];
    };
  };
 }
--- a/hosts/tyo0/services/wastebin.nix
+++ b/hosts/tyo0/services/wastebin.nix
@ -1,8 +1,11 @@
-{ lib, ... }:
+{ lib, config, ... }:
 let
  port = config.lib.ports.wastebin;
 in
 {
  services.wastebin = {
    enable = true;
-    settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
+    settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:${toString port}";
  };
  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
@ -11,7 +14,7 @@
    };
    handle = lib.singleton {
      handler = "reverse_proxy";
-      upstreams = [ { dial = "localhost:8200"; } ];
+      upstreams = [ { dial = "localhost:${toString port}"; } ];
    };
  };
 }
--- a/nixos/profiles/core/default.nix
+++ b/nixos/profiles/core/default.nix
@ -12,10 +12,6 @@
      ./zram.nix
    ]
    ++ (with inputs; [
      disko.nixosModules.disko
      home-manager.nixosModules.home-manager
      impermanence.nixosModules.impermanence
      lanzaboote.nixosModules.lanzaboote
      self.nixosModules.default
      sops-nix.nixosModules.sops
    ]);
--- a/nixos/profiles/sing-box/default.nix
+++ b/nixos/profiles/sing-box/default.nix
@ -27,7 +27,7 @@
          tag = "tyo0";
          server = "tyo0.ny4.dev";
          server_port = 27253;
-          uuid = "29e54ee5-43f5-4891-b750-ca73c7e3b2b3";
+          uuid._secret = config.sops.secrets."sing-box/tyo0".path;
          flow = "xtls-rprx-vision";
          tls.enabled = true;
        }
--- a/nixos/profiles/sing-box/secrets.yaml
+++ b/nixos/profiles/sing-box/secrets.yaml
@ -1,5 +1,5 @@
 sing-box:
-    tyo0: ENC[AES256_GCM,data:IIUqglE+FqlD1LlRkpCuRqaOysEe4BxUIlGBEhUwgw/dDGBK,iv:ojryKlJgA9R7dTlcqKZ9BmGSHdZQ4BDMYRYLlJwbCXc=,tag:MDhlfxgQQ84UUdZ+ZWvaWQ==,type:str]
+    tyo0: ENC[AES256_GCM,data:GDMc7U+e60UzGkkl2uvRfhyAdGKE4WCrcQSvwENXjV0yKhVa,iv:uobBavFcQZ/8JmJrZHtL11Tjhs2Aaq/ZBBhrW+o97JQ=,tag:/qME2YQCw6Lrt47gu7UAgg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -33,8 +33,8 @@ sops:
            NTdHRTVNeUxYUHYzQzIvMlZlTFhoVkEKcjzpxTP25gadACwH6g9SZCsw2KPoNiQ6
            JsMOOy+JUrIzGDftkDYzQhxg+fDWPMnRVzk5EMEw5AU2RghrrJzTWA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-27T20:29:35Z"
+    lastmodified: "2024-09-07T05:32:11Z"
-    mac: ENC[AES256_GCM,data:RA8pX6oMrKz4f7aX0UwTAa3P/QYt1IX8FO9yl/ViaUoPYQ5WD3o5Zh7FX40QDUdLZkfFJqO+P+gr5ZqRJ+lZRSNRXmO0vx9C7KMPEMweNz+0hmE15OKXcfEjTbEu+GW9vgoj6TyQ8OahJZ4pF7DNtg0+/B7LzmhgrRaKq7zLdng=,iv:x1zD7US6VmLfeY1tH3/+fHL4ECM4UyYCzv5qxD1ikEw=,tag:kA+AFntpC+sKpCa9/Q1Bjw==,type:str]
+    mac: ENC[AES256_GCM,data:wWWjkP5ADCStznOy+REs4ZqjTXVW6BW3Xl2o+OU8PtgBrZWHLJ2eVumVlf3aHZWXlCFOZQ7C8e/bmdSdHJh3vTeZ8tgT54+4d5aXgMc+stj2Cz3EHjAON0nnvO5EeFUsFvdSbQfTz871Wyl9BUlJsDnf+4m3Rl/kUanidOioqxM=,iv:L5vHKzWJ+MVNLsUiJsNh1d6X+It3MkIETi6gqyieYQE=,tag:wJqm4cr2G4j26BDlXnHOUg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
Author	SHA1	Message	Date
Guanran Wang	48a3c2cebe	nixos/sing-box: fix exposed secrets	2024-09-07 14:50:06 +08:00
Guanran Wang	54fdbc1f38	nixos: impermanence -> perservation	2024-09-07 14:49:47 +08:00
Guanran Wang	b3377dab48	tyo0/redlib: block search indexing	2024-09-06 21:21:02 +08:00
Guanran Wang	36288c8958	tyo0/sing-box: use sops path directly	2024-09-06 21:21:02 +08:00
Guanran Wang	b2cd2920d8	pek0: allocate ports centrally	2024-09-06 21:21:02 +08:00