From c9d0d3c8346ac5a576f4de4af8739796584222ee Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Wed, 15 Oct 2025 23:21:19 +0000
Subject: [PATCH] feat(pm): block missing nginx host connections
Change-Id: lppnnvqpmowyzpslvqtklqswqmypwryw
We previously returned One Of The Websites when nginx was accessed from a host that we didn't know about. That included direct IP address access as well as things which have been CNAMEd to us (either through a starred record or due to past services) but which aren't actually hosted by us. This leads to a number of undesireable effects:
- User confusion ("why does the aux docs website have Stalwart?")
- Incorrect SSL certificates ("your blog seems to have an invalid certificate")
- SSL being offered via direct IPs, which isn't possible to sign on the public internet
We can block this by making a default server to take control whenever nothing matches, and setting that default server to block all connections and reject all SSL handshakes
We need to have a certificate for this, but it needn't actually be valid for anything so let's self sign stuff...
---
 packetmix/systems/common/nginx.nix | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 packetmix/systems/common/nginx.nix
diff --git a/packetmix/systems/common/nginx.nix b/packetmix/systems/common/nginx.nix
new file mode 100644
index 00000000..3d467259
--- /dev/null
+++ b/packetmix/systems/common/nginx.nix
@@ -0,0 +1,30 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{ lib, ... }: {
+ # By default, nginx will serve a "best-effort" site even if there is no matching vhost
+ # We can disable this by making a matching vhost and returning 444...
+ # Notice how we don't enable nginx here: that makes this safe to deploy even on places that don't currently run nginx. We're effectively changing the default behavior
+ services.nginx.virtualHosts."missinghost.invalid" = {
+ default = true;
+
+ addSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+
+ locations."/".return = "444";
+
+ extraConfig = ''
+ ssl_reject_handshake on;
+ '';
+ };
+
+ systemd.services."acme-missinghost.invalid".enable = false;
+ systemd.timers."acme-missinghost.invalid".enable = false;
+
+ systemd.targets."acme-finished-missinghost.invalid" = {
+ requires = lib.mkForce [ "acme-selfsigned-missinghost.invalid.service" ];
+ after = lib.mkForce [ "acme-selfsigned-missinghost.invalid.service" ];
+ };
+}
-- 2.43.0
From 3ffaa6a06fc174312698b8695c2cf723bc8f3751 Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Wed, 15 Oct 2025 23:21:19 +0000
Subject: [PATCH] feat(pm/umber): clean up silverbullet SSL
Change-Id: ukuomtnrpmmqlmvmxktwtuwqmmpsxvyw
There's no need for us to be listening for silverbullet on our clicks.domains host, nor should we be listening for plain HTTP anymore
---
 packetmix/systems/umber/silverbullet.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/packetmix/systems/umber/silverbullet.nix b/packetmix/systems/umber/silverbullet.nix
index 6c4849f2..72edf7be 100644
--- a/packetmix/systems/umber/silverbullet.nix
+++ b/packetmix/systems/umber/silverbullet.nix
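Review bot: The `default = true` vhost only captures traffic on the listen sockets it binds, and as far as I can tell nginx chooses `default_server` per address:port, so a vhost with its own `listenAddresses` (the silverbullet one in the following patch binds `localhost.tailscale`) gets a separate socket whose implicit default is that vhost itself, and an unmatched Host/SNI arriving on that address is never rejected here. Either give this catch-all the same `listenAddresses` wherever such bindings exist, or state the limitation in the header comment so the "whenever nothing matches" guarantee is not overstated. The `enableACME`/disabled-units/`mkForce` target sequence is also unexplained; a comment above `systemd.services."acme-missinghost.invalid".enable = false;` such as `# enableACME only satisfies the module's certificate requirement: .invalid can never be issued, so the ACME units are disabled and the finished target is pointed at the self-signed certificate instead` would let the next reader see why. The unit and target names are NixOS acme-module internals inferred from the hunk; confirm they still exist in the deployed release.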
@@ -28,12 +28,10 @@ services.nginx.virtualHosts."silverbullet.starrysky.fyi" = {
 listenAddresses = [ "localhost.tailscale" ];
- addSSL = true;
+ onlySSL = true;
 enableACME = true;
 acmeRoot = null;
- serverAliases = [ "umber.clicks.domains" ];
-
 locations."/" = {
 proxyPass = "http://$silverbullet_upstream_minion_only";
 recommendedProxySettings = true;
-- 2.43.0
From c0b59f561f1bb3dc718d821ed6cd09044342f22e Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Wed, 15 Oct 2025 23:21:19 +0000
Subject: [PATCH] feat(pm/umber): init grocy
Change-Id: zoqyltwplryxqptuulosrpxplxlpzssk
Grocy is a stock tracking application for groceries. I'd like to use it to keep track of some of my stuff, so let's host it on umber!
---
 packetmix/systems/umber/grocy.nix | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 packetmix/systems/umber/grocy.nix
diff --git a/packetmix/systems/umber/grocy.nix b/packetmix/systems/umber/grocy.nix
new file mode 100644
index 00000000..755af22c
--- /dev/null
+++ b/packetmix/systems/umber/grocy.nix
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{ lib, ... }: {
+ services.grocy = {
+ enable = true;
+ hostName = "grocy.starrysky.fyi";
+
+ settings.currency = "GBP";
+ };
+
+ services.nginx.virtualHosts."grocy.starrysky.fyi" = {
+ acmeRoot = null;
+ forceSSL = lib.mkForce false;
+ onlySSL = true;
+ };
+
+ clicks.storage.impermanence.persist.directories = [ "/var/lib/grocy" ];
+}
-- 2.43.0
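Review bot: `services.nginx.virtualHosts."grocy.starrysky.fyi"` sets no `listenAddresses`, so unlike the Tailscale-bound silverbullet vhost it binds every interface and is publicly reachable as soon as the deploy finishes; if that is intended it deserves a comment, since Grocy, as far as I recall, ships with a default administrator login that has to be changed on first use. The `forceSSL = lib.mkForce false; onlySSL = true;` pair is also unexplained — `# services.grocy enables forceSSL; we want HTTPS only with no plain-HTTP redirect listener, like the other vhosts` above `acmeRoot = null;` would make the override self-describing. That the grocy module sets `forceSSL` is inferred from the need for `mkForce`; verify against the module in the deployed nixpkgs.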