From f200026bd09de7c727d777ec1cfbcf61dd008f60 Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Wed, 15 Oct 2025 23:21:19 +0000
Subject: [PATCH] feat(pm): block missing nginx host connections
Change-Id: lppnnvqpmowyzpslvqtklqswqmypwryw
We previously returned One Of The Websites when nginx was accessed from a host that we didn't know about. That included direct IP address access as well as things which have been CNAMEd to us (either through a starred record or due to past services) but which aren't actually hosted by us. This leads to a number of undesireable effects:
- User confusion ("why does the aux docs website have Stalwart?")
- Incorrect SSL certificates ("your blog seems to have an invalid certificate")
- SSL being offered via direct IPs, which isn't possible to sign on the public internet
We can block this by making a default server to take control whenever nothing matches, and setting that default server to block all connections and reject all SSL handshakes
We need to have a certificate for this, but it needn't actually be valid for anything so let's self sign stuff...
---
packetmix/systems/common/nginx.nix | 31 ++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 packetmix/systems/common/nginx.nix
diff --git a/packetmix/systems/common/nginx.nix b/packetmix/systems/common/nginx.nix
new file mode 100644
index 00000000..47bef52b
--- /dev/null
+++ b/packetmix/systems/common/nginx.nix
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{ lib, ... }:
+{
+ # By default, nginx will serve a "best-effort" site even if there is no matching vhost
+ # We can disable this by making a matching vhost and returning 444...
+ # Notice how we don't enable nginx here: that makes this safe to deploy even on places that don't currently run nginx. We're effectively changing the default behavior
+ services.nginx.virtualHosts."missinghost.invalid" = {
+ default = true;
+
+ addSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+
+ locations."/".return = "444";
+
+ extraConfig = ''
+ ssl_reject_handshake on;
+ '';
+ };
+
+ systemd.services."acme-missinghost.invalid".enable = false;
+ systemd.timers."acme-missinghost.invalid".enable = false;
+
+ systemd.targets."acme-finished-missinghost.invalid" = {
+ requires = lib.mkForce [ "acme-selfsigned-missinghost.invalid.service" ];
+ after = lib.mkForce [ "acme-selfsigned-missinghost.invalid.service" ];
+ };
+}
-- 
2.43.0
From 4f9eb850f7e352be8a5661bedff05011125bd678 Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Wed, 15 Oct 2025 23:21:19 +0000
Subject: [PATCH] feat(pm/umber): clean up silverbullet SSL
Change-Id: ukuomtnrpmmqlmvmxktwtuwqmmpsxvyw
There's no need for us to be listening for silverbullet on our clicks.domains host, nor should we be listening for plain HTTP anymore
---
packetmix/systems/umber/silverbullet.nix | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/packetmix/systems/umber/silverbullet.nix b/packetmix/systems/umber/silverbullet.nix
index 6c4849f2..72edf7be 100644
--- a/packetmix/systems/umber/silverbullet.nix
+++ b/packetmix/systems/umber/silverbullet.nix
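Review bot: `default = true` only makes this vhost the `default_server` for the addresses and ports it itself listens on (the module's default listen addresses), so a request arriving on a socket that only other vhosts bind — for example the `listenAddresses = [ "localhost.tailscale" ]` vhosts elsewhere in this series — is still handed to nginx's implicit first-defined server on that socket rather than refused. If the catch-all is meant to cover every listener, mirror those addresses here with `listenAddresses = [ ... ];`, otherwise state in the header comment that only the public listeners are covered. Two facts the code leaves to the commit message would help the next reader as comments: `ssl_reject_handshake` needs nginx ≥ 1.19.4 and means the certificate that is still wired up is never presented, and the `acme-finished-*` target is re-pointed at the self-signed unit because a reserved `.invalid` name can never complete ACME, e.g. `# ACME can never succeed for a reserved .invalid name, so satisfy the "finished" target with the self-signed cert the module already generates`.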
@@ -28,12 +28,10 @@ services.nginx.virtualHosts."silverbullet.starrysky.fyi" = {
 listenAddresses = [ "localhost.tailscale" ];
- addSSL = true;
+ onlySSL = true;
 enableACME = true;
 acmeRoot = null;
- serverAliases = [ "umber.clicks.domains" ];
-
 locations."/" = {
 proxyPass = "http://$silverbullet_upstream_minion_only";
 recommendedProxySettings = true;
-- 
2.43.0
From e1a85f08d2db98e7e30fdd9e64a93c06ade67e10 Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Wed, 15 Oct 2025 23:21:19 +0000
Subject: [PATCH] feat(pm/umber): init grocy
Change-Id: zoqyltwplryxqptuulosrpxplxlpzssk
Grocy is a stock tracking application for groceries. I'd like to use it to keep track of some of my stuff, so let's host it on umber!
---
packetmix/systems/umber/grocy.nix | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 packetmix/systems/umber/grocy.nix
diff --git a/packetmix/systems/umber/grocy.nix b/packetmix/systems/umber/grocy.nix
new file mode 100644
index 00000000..cbf534a2
--- /dev/null
+++ b/packetmix/systems/umber/grocy.nix
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{ lib, ... }:
+{
+ services.grocy = {
+ enable = true;
+ hostName = "grocy.starrysky.fyi";
+
+ settings.currency = "GBP";
+ };
+
+ services.nginx.virtualHosts."grocy.starrysky.fyi" = {
+ acmeRoot = null;
+ forceSSL = lib.mkForce false;
+ onlySSL = true;
+ };
+
+ clicks.storage.impermanence.persist.directories = [ "/var/lib/grocy" ];
+}
-- 
2.43.0
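Review bot: Replacing `addSSL` with `onlySSL` drops this vhost's port-80 listener on `localhost.tailscale` without a redirect, so a plain-HTTP request to that address is no longer answered by this server block but by whatever nginx treats as the default on that socket, which for a non-wildcard `listenAddresses` is the first vhost defined there rather than the `default_server` catch-all bound to the public addresses. If refusing HTTP is the intent that is fine but worth a one-line comment such as `# tailscale-only and TLS-only: no port-80 listener on purpose`; if a redirect is wanted, `forceSSL = true;` keeps the port-80 listener. The virtualHost attrset continues below the hunk.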
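Review bot: Unlike the silverbullet vhost in this series, the grocy vhost sets no `listenAddresses`, so with the module's default listen addresses it is reachable on every interface, and the `forceSSL = lib.mkForce false` plus `onlySSL = true` pair also removes the HTTP-to-HTTPS redirect the grocy module appears to configure (the `mkForce` implies the module sets `forceSSL`). If the instance is meant to be private, add `listenAddresses = [ "localhost.tailscale" ];` as silverbullet does; if it is intentionally public, a comment saying so next to the vhost would stop the next reader from wondering. The `mkForce` itself deserves a why-comment, e.g. `# the grocy module sets forceSSL; we want TLS-only without a port-80 redirect`.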