invoiceplane: make publicly available

flake.lock

@@ -423,11 +423,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1711485334,
-        "narHash": "sha256-qOHrFSfo6W5J5RkkJy7xLSECKaK/NITQXfeh715fD7s=",
+        "lastModified": 1711717242,
+        "narHash": "sha256-PW9J9sFw5DA4Fo3Cq4Soc+an6tjTS4VV2NxG6G0UMqw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e19e9bceda53148e8dd6e8f54bf19375e5e60af9",
+        "rev": "824952ff6b32b0019465b139b5c76d915ec074ea",
         "type": "github"
       },
       "original": {
@@ -439,11 +439,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1711333969,
-        "narHash": "sha256-5PiWGn10DQjMZee5NXzeA6ccsv60iLu+Xtw+mfvkUAs=",
+        "lastModified": 1711523803,
+        "narHash": "sha256-UKcYiHWHQynzj6CN/vTcix4yd1eCu1uFdsuarupdCQQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "57e6b3a9e4ebec5aa121188301f04a6b8c354c9b",
+        "rev": "2726f127c15a4cc9810843b96cad73c7eb39e443",
         "type": "github"
       },
       "original": {
@@ -487,11 +487,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1711124224,
-        "narHash": "sha256-l0zlN/3CiodvWDtfBOVxeTwYSRz93muVbXWSpaMjXxM=",
+        "lastModified": 1711460390,
+        "narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "56528ee42526794d413d6f244648aaee4a7b56c0",
+        "rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
         "type": "github"
       },
       "original": {

hosts/droppie/networking.nix

@@ -15,7 +15,6 @@
 
   # Allow pub.solar restic backups
   services.openssh.allowSFTP = true;
-  services.openssh.openFirewall = true;
 
   age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age";
 

hosts/frikandel/configuration.nix

@@ -44,7 +44,6 @@ in {
   };
 
   boot.supportedFilesystems = [ "zfs" ];
-  boot.kernelPackages = pkgs.linuxPackages_6_1;
 
   # Copy the NixOS configuration file and link it from the resulting system
   # (/run/current-system/configuration.nix). This is useful in case you

hosts/frikandel/default.nix

@@ -6,6 +6,7 @@
     ./networking.nix
     ./unbound.nix
     ./nginx.nix
+    ./invoiceplane-proxy.nix
     ./wireguard.nix
     ./email.nix
     ./website.nix

hosts/frikandel/invoiceplane-proxy.nix

@@ -0,0 +1,20 @@
+{
+  flake,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  security.acme.certs = {
+    "invoicing.b12f.io" = {};
+  };
+
+  services.nginx.virtualHosts = {
+    "invoicing.b12f.io" = {
+      forceSSL = true;
+      useACMEHost = "invoicing.b12f.io";
+      # This redirects to invoiceplane on pie
+      locations."/".proxyPass = "https://invoicing.b12f.io";
+    };
+  };
+}

hosts/frikandel/networking.nix

@@ -14,8 +14,6 @@
     "2a0f:fc81::" #dns0.eu
   ];
 
-  services.openssh.openFirewall = true;
-
   # Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)
   networking.useDHCP = false;
   networking.interfaces.enp1s0 = {

hosts/frikandel/unbound.nix

@@ -58,6 +58,9 @@
           "\"b12f.io\" transparent"
         ];
         local-data = [
+          "\"droppie.b12f.io. 10800 IN A 10.13.12.3\""
+          "\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
+
           "\"droppie.b12f.io. 10800 IN A 10.13.12.3\""
           "\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
           "\"backup.b12f.io. 10800 IN A 10.13.12.3\""

hosts/pie/configuration.nix

@@ -21,7 +21,7 @@ in {
   boot.loader.generic-extlinux-compatible.enable = false;
 
   boot.supportedFilesystems = [ "zfs" ];
-  boot.kernelPackages = pkgs.linuxPackages_6_1;
+  boot.kernelPackages = pkgs.linuxPackages_6_1_hardened;
 
   boot.kernelParams = [
     "boot.shell_on_fail=1"

hosts/pie/invoiceplane.nix

@@ -33,7 +33,6 @@ in {
 
   services.invoiceplane.webserver = "nginx";
   services.invoiceplane.sites."invoicing.b12f.io" = {
-    # nginx is not supported
     enable = true;
 
     database = {

hosts/pie/networking.nix

@@ -27,7 +27,6 @@
     "192.168.178.3" = [ "droppie-initrd.b12f.io" ];
   };
 
-  services.openssh.openFirewall = true;
   services.openssh.allowSFTP = true;
 
   age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-pie.age";

modules/acme/default.nix

@@ -19,6 +19,8 @@
       # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
       dnsProvider = "hostingde";
       dnsPropagationCheck = true;
+      # We check via dns0 directly or unbound will be in our way
+      dnsResolver = "193.110.81.0";
       credentialsFile = config.age.secrets."hosting-de-acme-secrets".path;
       group = "nginx";
       webroot = null;

modules/core/boot.nix

@@ -12,7 +12,7 @@ in {
       loader.systemd-boot.enable = lib.mkDefault true;
 
       # Use latest LTS linux kernel by default
-      kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+      kernelPackages = lib.mkDefault pkgs.linuxPackages_6_7_hardened;
 
       # Support ntfs drives
       supportedFilesystems = ["ntfs"];

modules/core/default.nix

@@ -13,26 +13,9 @@ in {
     ./i18n.nix
     ./networking.nix
     ./packages.nix
+    ./hardening.nix
   ];
 
   # Service that makes Out of Memory Killer more effective
   services.earlyoom.enable = true;
-
-  services.logind.lidSwitch = "hibernate";
-
-  services.tor.settings = {
-    UseBridges = true;
-  };
-
-  # The options below are directly taken from or inspired by
-  # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
-
-  # Limit the use of sudo to the group wheel
-  security.sudo.execWheelOnly = true;
-
-  # Remove the complete default environment of packages like
-  # nano, perl and rsync
-  environment.defaultPackages = lib.mkForce [];
-
-  # fileSystems."/".options = [ "noexec" ];
 }

modules/core/hardening.nix

@@ -0,0 +1,46 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.pub-solar.core;
+  psCfg = config.pub-solar;
+in {
+  services.tor.settings = {
+    UseBridges = true;
+  };
+
+  # Always go to encrypted hibernation instead of sleep
+  services.logind.lidSwitch = "hibernate";
+
+  # The options below are directly taken from or inspired by
+  # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
+
+  # Limit the use of sudo to the group wheel
+  security.sudo.execWheelOnly = true;
+
+  # Remove the complete default environment of packages like
+  # nano, perl and rsync
+  environment.defaultPackages = lib.mkForce [];
+
+  # fileSystems."/".options = [ "noexec" ];
+
+  # disable coredump that could be exploited later
+  # and also slow down the system when something crash
+  systemd.coredump.enable = false;
+
+  # required to run chromium
+  security.chromiumSuidSandbox.enable = true;
+
+  # create system-wide executables firefox and chromium
+  # that will wrap the real binaries so everything
+  # work out of the box.
+  programs.firejail.enable = true;
+
+  # enable antivirus clamav and
+  # keep the signatures' database updated
+  services.clamav.daemon.enable = true;
+  services.clamav.updater.enable = true;
+}

modules/core/networking.nix

@@ -37,6 +37,9 @@
     '';
   };
 
+  # Don't expose SSH via public interfaces
+  networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 22 ];
+
   # For rage encryption, all hosts need a ssh key pair
   services.openssh = {
     enable = true;

modules/desktop-extended/default.nix

@@ -11,14 +11,12 @@ in {
   hardware.logitech.wireless.enable = true;
 
   users.users."${psCfg.user.name}".packages = with pkgs; [
-    ungoogled-chromium
     wine
 
     gimp
     present-md
     inkscape
     gpxsee
-    digikam
     nix-output-monitor
     tigervnc
     nodejs
@@ -28,8 +26,6 @@ in {
     signal-desktop
     tdesktop
     element-desktop
-    cinny-desktop
-    irssi
 
     # Nix specific utilities
     alejandra
@@ -39,6 +35,25 @@ in {
     nvd
   ];
 
+  programs.firejail.wrappedBinaries = {
+    chromium = {
+      executable = "${pkgs.lib.getBin pkgs.ungoogled-chromium}/bin/chromium";
+      profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
+    };
+    # signal-desktop = {
+    #   executable = "${pkgs.lib.getBin pkgs.signal-desktop}/bin/signal-desktop";
+    #   profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
+    # };
+    # telegram-desktop = {
+    #   executable = "${pkgs.lib.getBin pkgs.tdesktop}/bin/telegram-desktop";
+    #   profile = "${pkgs.firejail}/etc/firejail/telegram-desktop.profile";
+    # };
+    # element-desktop = {
+    #   executable = "${pkgs.lib.getBin pkgs.element-desktop}/bin/element-desktop";
+    #   profile = "${pkgs.firejail}/etc/firejail/element-desktop.profile";
+    # };
+  };
+
   fonts = {
     packages = with pkgs; [
       dejavu_fonts

modules/graphical/default.nix

@@ -88,7 +88,6 @@ in {
 
     users.users."${psCfg.user.name}".packages = with pkgs; [
       alacritty
-      firefox-wayland
       flameshot
       gnome.adwaita-icon-theme
       gnome.eog
@@ -103,6 +102,13 @@ in {
       wcwd
     ];
 
+    programs.firejail.wrappedBinaries = {
+      firefox = {
+        executable = "${pkgs.lib.getBin pkgs.firefox-wayland}/bin/firefox";
+        profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+      };
+    };
+
     home-manager.users."${psCfg.user.name}" = {
       home.file."xinitrc".source = ./.xinitrc;
       xdg.configFile."alacritty/alacritty.yml".source = yamlFormat.generate "alacritty.yml" (import ./alacritty.nix);

terraform/b12f.io.tf

@@ -160,7 +160,7 @@ resource "hostingde_record" "b12f-invoicing" {
   zone_id = hostingde_zone.b12f.id
   name = "invoicing.b12f.io"
   type = "CNAME"
-  content = "pie.b12f.io"
+  content = "frikandel.b12f.io"
   ttl = 300
 }