[perso/Immae/Config/Nix.git] / systems / eldiron / base.nix

{ config, pkgs, lib, ports, name, secrets, ... }:
{
  # ssh-keyscan eldiron | nix-shell -p ssh-to-age --run ssh-to-age
  secrets.ageKeys = [ "age1dxr5lhvtnjssfaqpnf6qx80h8gfwkxg3tdf35m6n9wljmk7wadfs3kmahj" ];
  boot = {
    kernelModules = [ "kvm-intel" ];
    blacklistedKernelModules = [ "nvidiafb" ];
    loader.timeout = 1;
    loader.grub.devices = [ "/dev/sda" "/dev/sdc" ];
    kernel.sysctl = {
      # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
      "net.ipv4.tcp_sack" = 0;
    };
    supportedFilesystems = [ "zfs" ];
    kernelParams = ["zfs.zfs_arc_max=6442450944"];
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    initrd.availableKernelModules = [ "ahci" "sd_mod" ];
    initrd.secrets = {
      "/boot/pass.key" = "/boot/pass.key";
    };
  };
  services.udev.extraRules = ''
    ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
  '';
  nix.settings.max-jobs = 8;
  nixpkgs.config.permittedInsecurePackages = [
    "python-2.7.18.6" # for nagios-cli
    "nodejs-16.20.2" # for landing page building
  ];

  nixpkgs.overlays = builtins.attrValues ports.overlays;
  powerManagement.cpuFreqGovernor = "powersave";

  security.acme.certs."${name}".postRun = builtins.concatStringsSep "\n" [
    (lib.optionalString config.services.websites.env.production.enable "/run/current-system/sw/bin/machinectl shell httpd-production /usr/bin/env systemctl reload httpd.service")
    (lib.optionalString config.services.websites.env.integration.enable "/run/current-system/sw/bin/machinectl shell httpd-integration /usr/bin/env systemctl reload httpd.service")
  ];

  fileSystems = {
    # pools:
    #     zpool: ashift=12
    #     zfast: ashift=12
    # zfs:
    #     zpool/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
    #     zpool/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
    #     zpool/root/var: atime=on
    #     zfast/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
    #     zfast/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
    #     zfast/root/etc: ø
    #     zfast/root/nix: ø
    #     zfast/root/tmp: async=disabled
    #     zfast/root/var: atime=on
    #     zfast/root/var/lib: ø
    #     zfast/root/var/lib/mysql: logbias=throughput ; atime=off ; primarycache=metadata
    #     zfast/root/var/lib/postgresql: recordsize=8K ; atime=off ; logbias=throughput
    #     zfast/root/var/lib/postgresql/11.0: ø
    #     zfast/root/var/lib/postgresql/11.0/pg_wal: ø
    "/"     = { fsType = "zfs"; device = "zpool/root"; };
    "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
    "/etc"  = { fsType = "zfs"; device = "zpool/root/etc"; };
    "/nix"  = { fsType = "zfs"; device = "zfast/root/nix"; };
    "/tmp"  = { fsType = "zfs"; device = "zfast/root/tmp"; };
    "/var"  = { fsType = "zfs"; device = "zpool/root/var"; };
    "/var/lib/mysql" = { fsType = "zfs"; device = "zfast/root/var/lib/mysql"; };
    "/var/lib/postgresql"             = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql"; };
    "/var/lib/postgresql/11.0"        = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0"; };
    "/var/lib/postgresql/11.0/pg_wal" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0/pg_wal"; };
  };
  swapDevices = [ { label = "swap1"; } { label = "swap2"; } ];
  hardware.enableRedistributableFirmware = true;

  services.zfs = {
    autoScrub = {
      enable = false;
    };
  };
  networking = {
    hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4
    firewall.enable = true;
    firewall.allowedTCPPorts = [ config.myEnv.ports.zrepl_flony ];
    # FIXME: on next reboot, remove the /27 and the localCommands
    interfaces."eth0".ipv4.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
      (n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
      (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips))
      ++ [ { address = lib.head config.hostEnv.ips.main.ip4; prefixLength = 27; } ];
    interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
      (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
      config.hostEnv.ips);
    defaultGateway = "176.9.151.65";
    localCommands = ''
      # FIXME: Those commands were added by nixops and may not be
      # actually needed
      ip -6 addr add '2a01:4f8:160:3445::/64' dev 'eth0' || true
      ip -4 route change '176.9.151.64/27' via '176.9.151.65' dev 'eth0' || true
      ip -6 route add default via 'fe80::1' dev eth0 || true
    '';
    nameservers = [
      "213.133.98.98"
      "213.133.99.99"
      "213.133.100.100"
      "2a01:4f8:0:a0a1::add:1010"
      "2a01:4f8:0:a102::add:9999"
      "2a01:4f8:0:a111::add:9898"
    ];
  };

  imports = [
    secrets.nixosModules.users-config-eldiron
    ./databases
    ./databases/mariadb.nix
    ./databases/openldap
    ./databases/postgresql.nix
    ./databases/redis.nix


    ./monitoring.nix
    ./ejabberd
    ./buildbot
    ./coturn.nix
    ./dns.nix
    ./borg_backup.nix
    ./duply_backup.nix
    ./gemini
    ./gitolite
    ./mail
    ./websites
    ./webstats
    ./irc.nix
    ./pub
    ./tasks
    ./ftp.nix
    ./mpd.nix
    ./vpn
  ];

  services.borgBackup.enable = true;
  services.borgBackup.profiles.global = {
    bucket = "global";
    hash = false;
    remotes = [ "attilax" ];
    ignoredPaths = [
      "udev"
      "portables"
      "machines"
      "nixos"
      "nixos-containers"
    ];
  };
  myServices.buildbot.enable = true;
  myServices.databases.enable = true;
  myServices.gitolite.enable = true;
  myServices.monitoring.enable = true;
  myServices.irc.enable = true;
  myServices.pub.enable = true;
  myServices.tasks.enable = true;
  myServices.mpd.enable = true;
  myServices.dns.enable = true;
  myServices.websites.enable = true;
  myServices.gemini.enable = true;
  myServices.mail.enable = true;
  myServices.ejabberd.enable = true;
  myServices.vpn.enable = true;
  myServices.ftp.enable = true;

  myServices.chatonsProperties.hostings.infogerance = {
    file.datetime = "2022-08-27T18:50:00";
    hosting = {
      name = "Infogérance";
      description = "Administration de serveurs";
      website = "https://www.immae.eu/";
      logo = "https://assets.immae.eu/logo.jpg";
      type = "HOSTEDSERVER";
      status.level = "OK";
      status.description = "OK";
      registration.load = "OPEN";
      install.type = "PACKAGE";
    };
  };

  secrets.keys = {
    "ldap/pam_pgsql" = {
      user = "root";
      group = "root";
      permissions = "0400";
      text = ''
        database = immae
        user = immae_auth_read
        password = {{ .postgresql.immae_auth_read }}
        table = ldap_users
        user_column = login
        pw_type = function
        auth_query = SELECT ((mechanism = 'SSHA' AND password = encode(digest( %p || salt, 'sha1'), 'hex')) OR (mechanism = 'PLAIN' AND password = %p)) FROM ldap_users WHERE login = %u OR login || '@' || realm = %u
        #pwd_query = WITH newsalt as (select gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( %p || (SELECT * FROM newsalt), 'sha1'), 'hex'), salt = (SELECT * FROM newsalt), mechanism = 'SSHA' WHERE login = %u OR login || '@' || realm = %u
      '';
    };

    "zrepl_backup/identity" = {
      user = "root";
      group = "root";
      permissions = "0400";
      text = config.myEnv.zrepl_backup.ssh_key.private;
    };
    "zrepl/${name}.key" = {
      permissions = "0400";
      text = config.myEnv.zrepl_backup.certs."${name}".key;
      user = "root";
      group = "root";
    };
  } // builtins.listToAttrs (map (x: lib.attrsets.nameValuePair "zrepl/certificates/${x}.crt" {
    permissions = "0400";
    text = config.myEnv.zrepl_backup.certs."${x}".certificate;
    user = "root";
    group = "root";
  }) (builtins.attrNames config.myEnv.zrepl_backup.certs));

  programs.ssh.knownHosts.dilion = {
    extraHostNames = ["dilion.immae.eu"];
    publicKey = config.myEnv.servers.dilion.hostKey;
  };

  services.cron = {
    enable = true;
    mailto = "cron@immae.eu";
    systemCronJobs = [
      ''
        0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "immae.eu.*Recipient address rejected"
        # Need a way to blacklist properly
        # 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "NOQUEUE:"
        0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtp -g "status=bounced"
      ''
    ];
  };

  environment.systemPackages = [ pkgs.bindfs ];

  environment.etc."mdadm.conf" = {
    enable = true;
    mode = "0644";
    user = "root";
    text = "MAILADDR ${config.myEnv.monitoring.email}";
  };

  systemd.services.zrepl.path = [ pkgs.openssh ];
  services.zrepl = {
    enable = true;
    settings = {
      jobs = [
        {
          type = "push";
          # must not change
          name = "backup-to-dilion";
          filesystems."zpool/root" = true;
          filesystems."zpool/root/etc" = true;
          filesystems."zpool/root/var<" = true;
          connect = {
            address = "dilion.immae.eu:19000";
            type = "tls";
            server_cn = "dilion";
            ca = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
            cert = config.secrets.fullPaths."zrepl/certificates/eldiron.crt";
            key = config.secrets.fullPaths."zrepl/eldiron.key";
          };
          snapshotting = {
            type = "periodic";
            prefix = "zrepl_";
            interval = "1h";
            # hooks = [
            #   {
            #     type = "mysql-lock-tables";
            #     dsn = "${config.myEnv.zrepl_backup.mysql.user}:${config.myEnv.zrepl_backup.mysql.password}@tcp(localhost)/";
            #     filesystems."zpool/root/var" = true;
            #   }
            #   {
            #     type = "command";
            #     path = pkgs.writeScript "redis-dump" ''
            #       #!${pkgs.stdenv.shell}
            #       ${pkgs.redis}/bin/redis-cli bgsave
            #     '';
            #     err_is_fatal = false;
            #     filesystems."zpool/root/var" = true;
            #   }
            # ];
          };
          send.encrypted = true;
          pruning.keep_sender = [
            { type = "regex"; regex = "^manual_.*"; }
            { type = "grid"; grid = "24x1h | 7x1d | 4x7d | 6x30d"; regex = "^zrepl_.*"; }
          ];
          pruning.keep_receiver = [
            { type = "regex"; regex = "^manual_.*"; }
            { type = "grid"; grid = "6x4h | 7x1d | 4x7d | 6x30d"; regex = "^zrepl_.*"; }
          ];
        }
        {
          type = "source";
          # must not change
          name = "backup-to-wd-zpool";
          serve.type = "tls";
          serve.listen = ":${builtins.toString config.myEnv.ports.zrepl_flony}";
          serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
          serve.cert = config.secrets.fullPaths."zrepl/certificates/eldiron.crt";
          serve.key = config.secrets.fullPaths."zrepl/eldiron.key";
          serve.client_cns = [ "flony" ];
          filesystems."zpool/root" = true;
          filesystems."zpool/root/etc" = true;
          filesystems."zpool/root/var<" = true;
          filesystems."zfast/root/var<" = true;
          send.encrypted = true;
          snapshotting.type = "manual";
        }
      ];
    };
  };

  environment.etc."fail2ban/filter.d/postgresql.conf".text = ''
    [Definition]
    failregex = <HOST> \S+ FATAL:  password authentication failed for user .+$
                <HOST> \S+ FATAL:  PAM authentication failed for user.+$
                <HOST> \S+ FATAL:  no pg_hba.conf entry for host.+$
  '';
  environment.etc."fail2ban/filter.d/mysqld-auth.local".text = ''
    [Definition]
    _daemon = mysql[-\w]*
  '';
  services.fail2ban.jails.dovecot = ''
    enabled = true
  '';
  services.fail2ban.jails.postfix-sasl = ''
    enabled = true
  '';
  services.fail2ban.jails.proftpd = ''
    enabled = true
  '';
  services.fail2ban.jails.postgresql = ''
    enabled = true
    port = 5432
    logpath  = %(syslog_daemon)s
    backend  = %(default_backend)s
    journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
  '';
  services.fail2ban.jails.mysqld-auth = ''
    enabled = true
    journalmatch = _SYSTEMD_UNIT=mysql.service + _COMM=mysqld
  '';
  # This value determines the NixOS release with which your system is
  # to be compatible, in order to avoid breaking some software such as
  # database servers. You should change this only after NixOS release
  # notes say you should.
  # https://nixos.org/nixos/manual/release-notes.html
  system.stateVersion = "23.05"; # Did you read the comment?

  security.pam.services.ldap.text = ''
    # Authentication from ldap for pgsql
    auth      required   ${pkgs.pam_pgsql}/lib/security/pam_pgsql.so config_file=/var/secrets/ldap/pam_pgsql
    account   required   ${pkgs.pam_pgsql}/lib/security/pam_pgsql.so config_file=/var/secrets/ldap/pam_pgsql
  '';
  services.saslauthd = {
    enable = true;
    mechanism = "pam";
  };
  environment.etc."sasl2/slapd.conf".text = ''
    mech_list: plain
    pwcheck_method: saslauthd
    saslauthd_path: /run/saslauthd/mux
  '';
}
Commit	Line	Data
b48bbe83	1	{ config, pkgs, lib, ports, name, secrets, ... }:
1a64deeb IB	2	{
	3	# ssh-keyscan eldiron \| nix-shell -p ssh-to-age --run ssh-to-age
	4	secrets.ageKeys = [ "age1dxr5lhvtnjssfaqpnf6qx80h8gfwkxg3tdf35m6n9wljmk7wadfs3kmahj" ];
	5	boot = {
	6	kernelModules = [ "kvm-intel" ];
	7	blacklistedKernelModules = [ "nvidiafb" ];
	8	loader.timeout = 1;
	9	loader.grub.devices = [ "/dev/sda" "/dev/sdc" ];
	10	kernel.sysctl = {
	11	# https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
	12	"net.ipv4.tcp_sack" = 0;
	13	};
	14	supportedFilesystems = [ "zfs" ];
	15	kernelParams = ["zfs.zfs_arc_max=6442450944"];
	16	kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
	17	initrd.availableKernelModules = [ "ahci" "sd_mod" ];
	18	initrd.secrets = {
	19	"/boot/pass.key" = "/boot/pass.key";
	20	};
	21	};
	22	services.udev.extraRules = ''
	23	ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
	24	'';
	25	nix.settings.max-jobs = 8;
	26	nixpkgs.config.permittedInsecurePackages = [
	27	"python-2.7.18.6" # for nagios-cli
	28	"nodejs-16.20.2" # for landing page building
	29	];
	30
b48bbe83	31	nixpkgs.overlays = builtins.attrValues ports.overlays;
1a64deeb IB	32	powerManagement.cpuFreqGovernor = "powersave";
	33
	34	security.acme.certs."${name}".postRun = builtins.concatStringsSep "\n" [
	35	(lib.optionalString config.services.websites.env.production.enable "/run/current-system/sw/bin/machinectl shell httpd-production /usr/bin/env systemctl reload httpd.service")
	36	(lib.optionalString config.services.websites.env.integration.enable "/run/current-system/sw/bin/machinectl shell httpd-integration /usr/bin/env systemctl reload httpd.service")
	37	];
	38
	39	fileSystems = {
	40	# pools:
	41	# zpool: ashift=12
	42	# zfast: ashift=12
	43	# zfs:
	44	# zpool/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
	45	# zpool/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
	46	# zpool/root/var: atime=on
	47	# zfast/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy
	48	# zfast/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key
	49	# zfast/root/etc: ø
	50	# zfast/root/nix: ø
	51	# zfast/root/tmp: async=disabled
	52	# zfast/root/var: atime=on
	53	# zfast/root/var/lib: ø
	54	# zfast/root/var/lib/mysql: logbias=throughput ; atime=off ; primarycache=metadata
	55	# zfast/root/var/lib/postgresql: recordsize=8K ; atime=off ; logbias=throughput
	56	# zfast/root/var/lib/postgresql/11.0: ø
	57	# zfast/root/var/lib/postgresql/11.0/pg_wal: ø
	58	"/" = { fsType = "zfs"; device = "zpool/root"; };
	59	"/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; };
	60	"/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
	61	"/nix" = { fsType = "zfs"; device = "zfast/root/nix"; };
	62	"/tmp" = { fsType = "zfs"; device = "zfast/root/tmp"; };
	63	"/var" = { fsType = "zfs"; device = "zpool/root/var"; };
	64	"/var/lib/mysql" = { fsType = "zfs"; device = "zfast/root/var/lib/mysql"; };
	65	"/var/lib/postgresql" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql"; };
	66	"/var/lib/postgresql/11.0" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0"; };
	67	"/var/lib/postgresql/11.0/pg_wal" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0/pg_wal"; };
	68	};
	69	swapDevices = [ { label = "swap1"; } { label = "swap2"; } ];
	70	hardware.enableRedistributableFirmware = true;
	71
	72	services.zfs = {
	73	autoScrub = {
	74	enable = false;
	75	};
	76	};
	77	networking = {
	78	hostId = "8262ca33"; # generated with head -c4 /dev/urandom \| od -A none -t x4
	79	firewall.enable = true;
	80	firewall.allowedTCPPorts = [ config.myEnv.ports.zrepl_flony ];
	81	# FIXME: on next reboot, remove the /27 and the localCommands
	82	interfaces."eth0".ipv4.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
	83	(n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
	84	(pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips))
	85	++ [ { address = lib.head config.hostEnv.ips.main.ip4; prefixLength = 27; } ];
	86	interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
	87	(n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
	88	config.hostEnv.ips);
	89	defaultGateway = "176.9.151.65";
	90	localCommands = ''
	91	# FIXME: Those commands were added by nixops and may not be
	92	# actually needed
	93	ip -6 addr add '2a01:4f8:160:3445::/64' dev 'eth0' \|\| true
	94	ip -4 route change '176.9.151.64/27' via '176.9.151.65' dev 'eth0' \|\| true
	95	ip -6 route add default via 'fe80::1' dev eth0 \|\| true
96	'';
97	nameservers = [
98	"213.133.98.98"
99	"213.133.99.99"
100	"213.133.100.100"
101	"2a01:4f8:0:a0a1::add:1010"
102	"2a01:4f8:0:a102::add:9999"
103	"2a01:4f8:0:a111::add:9898"
104	];
105	};
106
107	imports = [
108	secrets.nixosModules.users-config-eldiron
109	./databases
110	./databases/mariadb.nix
111	./databases/openldap
112	./databases/postgresql.nix
113	./databases/redis.nix
114
115
116	./monitoring.nix
117	./ejabberd
118	./buildbot
119	./coturn.nix
120	./dns.nix
1c90c0dd	121	./borg_backup.nix
1a64deeb IB	122	./duply_backup.nix
	123	./gemini
	124	./gitolite
	125	./mail
	126	./websites
	127	./webstats
	128	./irc.nix
	129	./pub
	130	./tasks
	131	./ftp.nix
	132	./mpd.nix
	133	./vpn
	134	];
	135
1c90c0dd IB	136	services.borgBackup.enable = true;
	137	services.borgBackup.profiles.global = {
	138	bucket = "global";
	139	hash = false;
	140	remotes = [ "attilax" ];
	141	ignoredPaths = [
	142	"udev"
	143	"portables"
	144	"machines"
	145	"nixos"
	146	"nixos-containers"
	147	];
	148	};
1a64deeb IB	149	myServices.buildbot.enable = true;
	150	myServices.databases.enable = true;
	151	myServices.gitolite.enable = true;
	152	myServices.monitoring.enable = true;
	153	myServices.irc.enable = true;
	154	myServices.pub.enable = true;
	155	myServices.tasks.enable = true;
	156	myServices.mpd.enable = true;
	157	myServices.dns.enable = true;
	158	myServices.websites.enable = true;
	159	myServices.gemini.enable = true;
	160	myServices.mail.enable = true;
	161	myServices.ejabberd.enable = true;
	162	myServices.vpn.enable = true;
	163	myServices.ftp.enable = true;
	164
	165	myServices.chatonsProperties.hostings.infogerance = {
	166	file.datetime = "2022-08-27T18:50:00";
	167	hosting = {
	168	name = "Infogérance";
	169	description = "Administration de serveurs";
	170	website = "https://www.immae.eu/";
	171	logo = "https://assets.immae.eu/logo.jpg";
	172	type = "HOSTEDSERVER";
	173	status.level = "OK";
	174	status.description = "OK";
	175	registration.load = "OPEN";
	176	install.type = "PACKAGE";
	177	};
	178	};
	179
1a64deeb IB	180	secrets.keys = {
	181	"ldap/pam_pgsql" = {
	182	user = "root";
	183	group = "root";
	184	permissions = "0400";
	185	text = ''
	186	database = immae
	187	user = immae_auth_read
	188	password = {{ .postgresql.immae_auth_read }}
	189	table = ldap_users
	190	user_column = login
	191	pw_type = function
ce983e8b	192	auth_query = SELECT ((mechanism = 'SSHA' AND password = encode(digest( %p \|\| salt, 'sha1'), 'hex')) OR (mechanism = 'PLAIN' AND password = %p)) FROM ldap_users WHERE login = %u OR login \|\| '@' \|\| realm = %u
1a64deeb IB	193	#pwd_query = WITH newsalt as (select gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( %p \|\| (SELECT * FROM newsalt), 'sha1'), 'hex'), salt = (SELECT * FROM newsalt), mechanism = 'SSHA' WHERE login = %u OR login \|\| '@' \|\| realm = %u
	194	'';
	195	};
	196
1a64deeb IB	197	"zrepl_backup/identity" = {
	198	user = "root";
	199	group = "root";
	200	permissions = "0400";
	201	text = config.myEnv.zrepl_backup.ssh_key.private;
	202	};
	203	"zrepl/${name}.key" = {
	204	permissions = "0400";
	205	text = config.myEnv.zrepl_backup.certs."${name}".key;
	206	user = "root";
	207	group = "root";
	208	};
	209	} // builtins.listToAttrs (map (x: lib.attrsets.nameValuePair "zrepl/certificates/${x}.crt" {
	210	permissions = "0400";
	211	text = config.myEnv.zrepl_backup.certs."${x}".certificate;
	212	user = "root";
	213	group = "root";
	214	}) (builtins.attrNames config.myEnv.zrepl_backup.certs));
	215
	216	programs.ssh.knownHosts.dilion = {
	217	extraHostNames = ["dilion.immae.eu"];
	218	publicKey = config.myEnv.servers.dilion.hostKey;
	219	};
	220
	221	services.cron = {
	222	enable = true;
	223	mailto = "cron@immae.eu";
	224	systemCronJobs = [
	225	''
	226	0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "immae.eu.*Recipient address rejected"
	227	# Need a way to blacklist properly
	228	# 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "NOQUEUE:"
	229	0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtp -g "status=bounced"
	230	''
	231	];
	232	};
	233
	234	environment.systemPackages = [ pkgs.bindfs ];
	235
	236	environment.etc."mdadm.conf" = {
	237	enable = true;
	238	mode = "0644";
	239	user = "root";
	240	text = "MAILADDR ${config.myEnv.monitoring.email}";
	241	};
	242
	243	systemd.services.zrepl.path = [ pkgs.openssh ];
	244	services.zrepl = {
	245	enable = true;
	246	settings = {
	247	jobs = [
	248	{
	249	type = "push";
	250	# must not change
	251	name = "backup-to-dilion";
	252	filesystems."zpool/root" = true;
	253	filesystems."zpool/root/etc" = true;
	254	filesystems."zpool/root/var<" = true;
	255	connect = {
	256	address = "dilion.immae.eu:19000";
	257	type = "tls";
	258	server_cn = "dilion";
	259	ca = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
	260	cert = config.secrets.fullPaths."zrepl/certificates/eldiron.crt";
261	key = config.secrets.fullPaths."zrepl/eldiron.key";
262	};
263	snapshotting = {
264	type = "periodic";
265	prefix = "zrepl_";
266	interval = "1h";
267	# hooks = [
268	# {
269	# type = "mysql-lock-tables";
270	# dsn = "${config.myEnv.zrepl_backup.mysql.user}:${config.myEnv.zrepl_backup.mysql.password}@tcp(localhost)/";
271	# filesystems."zpool/root/var" = true;
272	# }
273	# {
274	# type = "command";
275	# path = pkgs.writeScript "redis-dump" ''
276	# #!${pkgs.stdenv.shell}
277	# ${pkgs.redis}/bin/redis-cli bgsave
278	# '';
279	# err_is_fatal = false;
280	# filesystems."zpool/root/var" = true;
281	# }
282	# ];
283	};
284	send.encrypted = true;
285	pruning.keep_sender = [
286	{ type = "regex"; regex = "^manual_.*"; }
287	{ type = "grid"; grid = "24x1h \| 7x1d \| 4x7d \| 6x30d"; regex = "^zrepl_.*"; }
288	];
289	pruning.keep_receiver = [
290	{ type = "regex"; regex = "^manual_.*"; }
291	{ type = "grid"; grid = "6x4h \| 7x1d \| 4x7d \| 6x30d"; regex = "^zrepl_.*"; }
292	];
293	}
294	{
295	type = "source";
296	# must not change
297	name = "backup-to-wd-zpool";
298	serve.type = "tls";
299	serve.listen = ":${builtins.toString config.myEnv.ports.zrepl_flony}";
300	serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
301	serve.cert = config.secrets.fullPaths."zrepl/certificates/eldiron.crt";
302	serve.key = config.secrets.fullPaths."zrepl/eldiron.key";
303	serve.client_cns = [ "flony" ];
304	filesystems."zpool/root" = true;
305	filesystems."zpool/root/etc" = true;
306	filesystems."zpool/root/var<" = true;
307	filesystems."zfast/root/var<" = true;
308	send.encrypted = true;
309	snapshotting.type = "manual";
310	}
311	];
312	};
313	};
314
315	environment.etc."fail2ban/filter.d/postgresql.conf".text = ''
316	[Definition]
317	failregex = <HOST> \S+ FATAL: password authentication failed for user .+$
318	<HOST> \S+ FATAL: PAM authentication failed for user.+$
319	<HOST> \S+ FATAL: no pg_hba.conf entry for host.+$
320	'';
321	environment.etc."fail2ban/filter.d/mysqld-auth.local".text = ''
322	[Definition]
323	_daemon = mysql[-\w]*
324	'';
325	services.fail2ban.jails.dovecot = ''
326	enabled = true
327	'';
328	services.fail2ban.jails.postfix-sasl = ''
329	enabled = true
330	'';
331	services.fail2ban.jails.proftpd = ''
332	enabled = true
333	'';
334	services.fail2ban.jails.postgresql = ''
335	enabled = true
336	port = 5432
337	logpath = %(syslog_daemon)s
338	backend = %(default_backend)s
339	journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
340	'';
341	services.fail2ban.jails.mysqld-auth = ''
342	enabled = true
343	journalmatch = _SYSTEMD_UNIT=mysql.service + _COMM=mysqld
344	'';
345	# This value determines the NixOS release with which your system is
346	# to be compatible, in order to avoid breaking some software such as
347	# database servers. You should change this only after NixOS release
348	# notes say you should.
349	# https://nixos.org/nixos/manual/release-notes.html
350	system.stateVersion = "23.05"; # Did you read the comment?
351
352	security.pam.services.ldap.text = ''
353	# Authentication from ldap for pgsql
354	auth required ${pkgs.pam_pgsql}/lib/security/pam_pgsql.so config_file=/var/secrets/ldap/pam_pgsql
355	account required ${pkgs.pam_pgsql}/lib/security/pam_pgsql.so config_file=/var/secrets/ldap/pam_pgsql
356	'';
357	services.saslauthd = {
358	enable = true;
359	mechanism = "pam";
360	};
361	environment.etc."sasl2/slapd.conf".text = ''
362	mech_list: plain
363	pwcheck_method: saslauthd
364	saslauthd_path: /run/saslauthd/mux
365	'';
366	}