soopy.moe / gensokyo
nixos config
fork atom

host(ryo): forget about dns-01, use http-01 instead

Cassie Cheung b5273e19 bd8d5aa8

options
unified split
Changed files
+29 -13
systems
ryo
certificates
default.nix
ryo.nix
configuration.nix
services
novnc.nix
-5
systems/ryo/certificates/default.nix 
···

       
1

       

       
-

       
{...}: {


     

       
2

       

       
-

       
  imports = [


     

       
3

       

       
-

       
    ./ryo.nix


     

       
4

       

       
-

       
  ];


     

       
5

       

       
-

       
}
-5
systems/ryo/certificates/ryo.nix 
···

       
1

       

       
-

       
{...}: {


     

       
2

       

       
-

       
  security.acme.certs."ryo.soopy.moe" = {


     

       
3

       

       
-

       
    group = "nginx";


     

       
4

       

       
-

       
  };


     

       
5

       

       
-

       
}
-1
systems/ryo/configuration.nix 
···

       
2

       
2

       
 

       
# DO NOT copy anything done on this host, it's insecure by design.


     

       
3

       
3

       
 

       
{...}: {


     

       
4

       
4

       
 

       
  imports = [


     

       
5

       

       
-

       
    ./certificates


     

       
6

       
5

       
 

       
    ./services


     

       
7

       
6

       
 

       
  ];


     

       
8

       
7
+29 -2
systems/ryo/services/novnc.nix 
···

       
1

       

       
-

       
{_utils, pkgs, lib, ...}: {


     

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  _utils,


     

       

       
3

       
+

       
  pkgs,


     

       

       
4

       
+

       
  lib,


     

       

       
5

       
+

       
  ...


     

       

       
6

       
+

       
}: {


     

       
2

       
7

       
 

       
  services.nginx.virtualHosts."ryo.soopy.moe" = _utils.mkSimpleProxy {


     

       
3

       
8

       
 

       
    port = 6080;


     

       
4

       
9

       
 

       
    websockets = true;


     

       
5

       
10

       
 

       
    extraConfig = {


     

       
6

       
11

       
 

       
      locations."= /".return = "303 /vnc_lite.html";


     

       
7

       

       
-

       
      useACMEHost = "ryo.soopy.moe";


     

       

       
12

       
+

       
      enableACME = true; # don't bother with DNS-01


     

       

       
13

       
+

       
      useACMEHost = null;


     

       
8

       
14

       
 

       
    };


     

       
9

       
15

       
 

       
  };


     

       
10

       
16

       
 

       



     

       
11

       
17

       
 

       
  systemd.services."novnc" = {


     

       

       
18

       
+

       
    enable = true;


     

       

       
19

       
+

       
    wantedBy = ["multi-user.target"];


     

       

       
20

       
+

       
    path = with pkgs; [procps];


     

       
12

       
21

       
 

       
    serviceConfig = {


     

       
13

       
22

       
 

       
      DynamicUser = true;


     

       
14

       
23

       
 

       
      ExecStart = "${lib.getExe pkgs.novnc} --file-only";


     

       

       
24

       
+

       



     

       

       
25

       
+

       
      # hardening


     

       

       
26

       
+

       
      PrivateUsers = true;


     

       

       
27

       
+

       
      LockPersonality = true;


     

       

       
28

       
+

       
      ProtectHostname = true;


     

       

       
29

       
+

       
      ProtectKernelTunables = true;


     

       

       
30

       
+

       
      ProtectDevices = true;


     

       

       
31

       
+

       
      ProtectClock = true;


     

       

       
32

       
+

       
      SystemCallArchitectures = "native";


     

       

       
33

       
+

       
      CapabilityBoundingSet = null;


     

       

       
34

       
+

       
      RestrictAddressFamilies = [


     

       

       
35

       
+

       
        "AF_INET"


     

       

       
36

       
+

       
        "AF_INET6"


     

       

       
37

       
+

       
      ];


     

       

       
38

       
+

       
      SystemCallFilter = [


     

       

       
39

       
+

       
        "@system-service"


     

       

       
40

       
+

       
        "~@privileged"


     

       

       
41

       
+

       
      ];


     

       
15

       
42

       
 

       
    };


     

       
16

       
43

       
 

       
  };


     

       
17

       
44

       
 

       
}