feat: skynet user stuff is now segregated to a server that is untrusted

2023-09-16 00:04:39 +01:00 · 2023-09-16 00:04:39 +01:00 · ef6096e6e0
commit ef6096e6e0
parent 7d7f402b6d
2 changed files with 79 additions and 19 deletions
--- a/applications/skynet_users.nix
+++ b/applications/skynet_users.nix
@ -0,0 +1,72 @@
+{ config, pkgs, lib, inputs, ... }:
+  with lib;
+  let
+    cfg = config.services.skynet_users;
+  in {
+
+  imports = [
+    ./acme.nix
+    ./dns.nix
+    ./nginx.nix
+  ];
+
+  options.services.skynet_users = {
+    host = {
+      ip = mkOption {
+        type = types.str;
+      };
+      name = mkOption {
+        type = types.str;
+      };
+    };
+  };
+
+  config = {
+    # ssh access
+
+    # allow more than admins access
+    services.skynet_ldap_client = {
+      groups = [
+        "skynet-admins-linux"
+        "skynet-users-linux"
+      ];
+    };
+
+
+    # Website config
+    skynet_acme.domains = [
+        "users.skynet.ie"
+      "*.users.skynet.ie"
+    ];
+
+    skynet_dns.records = [
+      {record  ="users"; r_type="CNAME"; value=cfg.host.name;}
+      {record="*.users"; r_type="CNAME"; value=cfg.host.name;}
+    ];
+
+    networking.firewall.allowedTCPPorts = [80 443];
+
+    # normally services cannot read home dirs
+    systemd.services.nginx.serviceConfig.ProtectHome="read-only";
+
+    services.nginx.virtualHosts = {
+      # main site
+      "*.users.skynet.ie" = {
+        forceSSL = true;
+        useACMEHost = "skynet";
+        serverName = "~^(?<user>.+)\.users\.skynet\.ie";
+
+        # username.users.skynet.ie/
+        # user goes:
+        #   chmod 711 ~
+        #   chmod -R 755 ~/public_html
+
+        locations."/" = {
+          alias = "/home/$user/public_html/";
+          index = "index.html";
+          extraConfig = "autoindex on;";
+        };
+      };
+    };
+  };
+}
--- a/machines/skynet.nix
+++ b/machines/skynet.nix
@ -20,7 +20,7 @@ let

 in {
  imports = [
-    #../applications/skynet.ie.nix
+    ../applications/skynet_users.nix
  ];

  deployment = {
@ -31,7 +31,6 @@ in {
    tags = [ "active-core" ];
  };

-  # it has two network devices so two
  skynet_dns.records = [
    {record=name;   r_type="A";   value=ip_pub;  server=true;}
    {record=ip_pub; r_type="PTR"; value=hostname;}
@ -42,21 +41,12 @@ in {
    name = name;
  };

-  # allow more than admins access
-  services.skynet_ldap_client = {
-    groups = [
-      "skynet-admins-linux"
-      "skynet-users-linux"
-    ];
-  };
-
  proxmoxLXC.manageNetwork = true;
  networking = {
    hostName = name;
    # needed to use the dmz first
    defaultGateway = lib.mkForce "193.1.96.161";

-
    interfaces = {
      # need it for dns validation for letsencrypt
      eth0.ipv4 = {
@ -75,7 +65,6 @@ in {
        ];
      };

-
      # primary ip for logging in
      eth1.ipv4.addresses = [
        {
@ -86,11 +75,10 @@ in {
    };
  };

-#  services.skynet = {
-#    host = {
-#      # website is still hosted on the internal IP
-#      ip = ip_priv;
-#      name = name;
-#    };
-#  };
+  services.skynet_users = {
+    host = {
+      ip = ip_pub;
+      name = name;
+    };
+  };
 }