From caa41d56a0af5b2d76486e3dc33a3742fc3717ce Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Mon, 14 Feb 2022 03:33:03 +0300
Subject: [PATCH] update container settings
---
 flake.nix | 8 +-
 machines/NixOS-CT/default.nix | 3 +
 profiles/servers/caddy.nix | 109 --------------
 profiles/servers/coturn.nix | 47 +++----
 profiles/servers/matrix-synapse.nix | 201 ----------------------------
 profiles/servers/nginx.nix | 100 ++++++++++++++
 roles/container.nix | 4 +-
 7 files changed, 126 insertions(+), 346 deletions(-)
 delete mode 100644 profiles/servers/caddy.nix
 delete mode 100644 profiles/servers/matrix-synapse.nix
 create mode 100644 profiles/servers/nginx.nix
diff --git a/flake.nix b/flake.nix
index 11a9141..67683fa 100644
--- a/flake.nix
+++ b/flake.nix
@@ -120,11 +120,11 @@
 specialArgs = { inherit inputs; };
 };
 in (genAttrs hosts mkHost) // {
- NixOS-CT = (name: nixpkgs-stable.lib.nixosSystem {
- system = builtins.readFile (./machines + "/${name}/system");
- modules = [ (import (./machines + "/${name}")) { device = name; } ];
+ NixOS-CT = nixpkgs-stable.lib.nixosSystem {
+ system = builtins.readFile (./machines/NixOS-CT/system);
+ modules = [ (import (./machines/NixOS-CT)) { device = "NixOS-CT"; } ];
 specialArgs = { inherit inputs; };
- } NixOS-CT);
+ };
 };
 legacyPackages.x86_64-linux =
diff --git a/machines/NixOS-CT/default.nix b/machines/NixOS-CT/default.nix
index d180d0c..5702d41 100644
--- a/machines/NixOS-CT/default.nix
+++ b/machines/NixOS-CT/default.nix
@@ -2,6 +2,9 @@
 imports = with inputs.self.nixosModules; with inputs.self.nixosProfiles; [
 ./hardware-configuration.nix
 inputs.self.nixosRoles.container
+
+ nginx
+ coturn
 ];
 deviceSpecific.devInfo = {
diff --git a/profiles/servers/caddy.nix b/profiles/servers/caddy.nix
deleted file mode 100644
index 8faf778..0000000
--- a/profiles/servers/caddy.nix
+++ /dev/null
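Review bot: `system = builtins.readFile (./machines/NixOS-CT/system)` hands nixosSystem the file's raw contents, so if `machines/NixOS-CT/system` ends with a newline the platform string carries a trailing `\n`; whether the file does is not visible here. The pre-change lambda had the same behaviour, but since the attribute is being rewritten anyway it is the moment to use `system = nixpkgs-stable.lib.fileContents ./machines/NixOS-CT/system;`, which strips the trailing newline. The same would apply to the `mkHost` path the hosts above use, which starts outside this hunk.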
@@ -1,109 +0,0 @@
-{ config, lib, pkgs, ...}: {
- services.caddy = {
- enable = true;
- # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
- acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
- globalConfig = ''
- email ataraxiadev@ataraxiadev.com
- '';
- virtualHosts = let
- # default = {
- # useACMEHost = "ataraxiadev.com";
- # };
- in {
- "ataraxiadev.com" = {
- serverAliases = [ "www.ataraxiadev.com" ];
- # listenAddresses = [ "0.0.0.0" ];
- extraConfig = ''
- templates
- encode gzip zstd
- root * /srv/www/ataraxiadev.com
- file_server
- '';
- };
- "matrix.ataraxiadev.com" = {
- extraConfig = ''
- @identity {
- path /_matrix/identity/*
- }
- @noidentity {
- not path /_matrix/identity/*
- }
- @search {
- path /_matrix/client/r0/user_directory/search/*
- }
- @nosearch {
- not path /_matrix/client/r0/user_directory/search/*
- }
- @static {
- path /matrix/static-files/*
- }
- @nostatic {
- not path /matrix/static-files/*
- }
- @wellknown {
- path /.well-known/matrix/*
- }
- header {
- # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
- # Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- # Enable cross-site filter (XSS) and tell browser to block detected attacks
- X-XSS-Protection "1; mode=block"
- # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
- X-Content-Type-Options "nosniff"
- # Disallow the site to be rendered within a frame (clickjacking protection)
- X-Frame-Options "DENY"
- # X-Robots-Tag
- X-Robots-Tag "noindex, noarchive, nofollow"
- }
- # Cache
- header @static {
- # Cache
- Cache-Control "public, max-age=31536000"
- defer
- }
- # identity
- handle @identity {
- reverse_proxy localhost:8090 {
- header_up X-Forwarded-Port {http.request.port}
- header_up X-Forwarded-Proto {http.request.scheme}
- header_up X-Forwarded-TlsProto {tls_protocol}
- header_up X-Forwarded-TlsCipher {tls_cipher}
- header_up X-Forwarded-HttpsProto 
{proto}
- }
- }
- # search
- handle @search {
- reverse_proxy localhost:8090 {
- header_up X-Forwarded-Port {http.request.port}
- header_up X-Forwarded-Proto {http.request.scheme}
- header_up X-Forwarded-TlsProto {tls_protocol}
- header_up X-Forwarded-TlsCipher {tls_cipher}
- header_up X-Forwarded-HttpsProto {proto}
- }
- }
- handle @wellknown {
- encode zstd gzip
- root * /matrix/static-files
- header Cache-Control max-age=14400
- header Content-Type application/json
- header Access-Control-Allow-Origin *
- file_server
- }
- handle {
- encode zstd gzip
- reverse_proxy localhost:8008 {
- header_up X-Forwarded-Port {http.request.port}
- header_up X-Forwarded-Proto {http.request.scheme}
- header_up X-Forwarded-TlsProto {tls_protocol}
- header_up X-Forwarded-TlsCipher {tls_cipher}
- header_up X-Forwarded-HttpsProto {proto}
- }
- }
- '';
- };
- };
- };
-
- users.users.caddy.extraGroups = [ "acme" ];
-}
\ No newline at end of file
diff --git a/profiles/servers/coturn.nix b/profiles/servers/coturn.nix
index 3c709e3..b77cc89 100644
--- a/profiles/servers/coturn.nix
+++ b/profiles/servers/coturn.nix
@@ -1,22 +1,8 @@
 { config, pkgs, lib, ... }: {
- secrets-envsubst.turn-shared-secret = {
- directory = "mautrix-telegram";
+ secrets.turn-shared-secret = {
 owner = "turnserver";
- secrets = [ "turn_shared_secret" ];
- template = "$turn_shared_secret";
 };
- # systemd.services.test_systemd_timers = {
- # serviceConfig.Type = "oneshot";
- # path = [
- # pkgs.curl
- # ];
- # script = ''
- # curl http://icanhazip.com
- # '';
- # };
-
- # enable coturn
 services.coturn = rec {
 enable = true;
 no-cli = true;
@@ -24,16 +10,15 @@
 min-port = 49152;
 max-port = 49172;
 use-auth-secret = true;
- static-auth-secret-file = config.secrets-envsubst.turn-shared-secret.substituted;
- realm = "turn.ataraxiadev.com";
- no-tls = true;
- no-dtls = true;
- # cert = config.secrets."ataraxiadev.com.pem".decrypted;
- # pkey = config.secrets."ataraxiadev.com.key".decrypted;
+ static-auth-secret-file = config.secrets.turn-shared-secret.decrypted;
+ realm = "turn.matrix.ataraxiadev.com";
+ cert = "${config.security.acme.certs."ataraxiadev.com".directory}/fullchain.pem";
+ pkey = "${config.security.acme.certs."ataraxiadev.com".directory}/privkey.pem";
 extraConfig = ''
+ external-ip=matrix.ataraxiadev.com
+ prod
 user-quota=20
- total-quota=600
- # external-ip=
+ total-quota=200
 #for debugging
 # verbose
 # allowed-peer-ip=10.0.0.1
@@ -64,18 +49,18 @@
 '';
 };
+ users.users.turnserver.extraGroups = [ "acme" ];
+
 networking.firewall = let
- # networking.firewall = {
- # interfaces.enp0s3 = let
- range = with config.services.coturn; [ {
- from = min-port;
- to = max-port;
- } ];
+ range = with config.services.coturn; [{
+ from = min-port;
+ to = max-port;
+ }];
 in {
- # allowedUDPPortRanges = range;
+ allowedUDPPortRanges = range;
 allowedUDPPorts = [ 3478 5349 ];
- # allowedTCPPortRanges = range;
+ allowedTCPPortRanges = range;
 allowedTCPPorts = [ 3478 5349 ];
 };
 }
\ No newline at end of file
diff --git a/profiles/servers/matrix-synapse.nix b/profiles/servers/matrix-synapse.nix
deleted file mode 100644
index e20a41a..0000000
--- a/profiles/servers/matrix-synapse.nix
+++ /dev/null
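Review bot: The new `cert`/`pkey` lines serve the `ataraxiadev.com` ACME certificate on 5349, but the SAN list declared for that certificate in `profiles/servers/nginx.nix` (`matrix.`, `cinny.`, `dimension.`, `element.`, `goneb.`, `jitsi.`, `stats.`) does not contain the new `realm = "turn.matrix.ataraxiadev.com"`, so any client handed a `turns:` URI built from the realm — which is how the deleted `matrix-synapse.nix` generated `turn_uris` — fails hostname verification once `no-tls`/`no-dtls` are gone. Add `"turn.matrix.ataraxiadev.com"` to that certificate's `extraDomainNames`, or set the realm to a name the certificate already covers. `external-ip=matrix.ataraxiadev.com` also wants a check: coturn documents the option as `external-ip=<public-ip>[/<private-ip>]`, and I am not certain the coturn build in nixpkgs-stable resolves a hostname there, so the relay may advertise no usable candidate. `users.users.turnserver.extraGroups = [ "acme" ]` in the third hunk is the minimal change needed for the cert paths to be readable and is fine as written.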
@@ -1,201 +0,0 @@
-{ pkgs, config, lib, options, ... }: {
- services.postgresql.enable = true;
- services.postgresqlBackup = {
- enable = true;
- location = config.users.users.alukard.home + "/matrix-backup";
- startAt = "*-*-* 07:00:00";
- };
-
- services.matrix-synapse = with config.services.coturn; {
- enable = true;
- allow_guest_access = true;
- # app_service_config_files = [ config.secrets-envsubst.mautrix-telegram-registration.substituted ];
- extraConfigFiles = [ config.secrets-envsubst.matrix-shared-secret.substituted ];
- logConfig = options.services.matrix-synapse.logConfig.default + ''
- loggers:
- shared_secret_authenticator:
- level: INFO
- '';
- listeners = [
- # {
- # bind_address = "::";
- # port = 8448;
- # type = "http";
- # tls = true;
- # x_forwarded = false;
- # resources = [{
- # compress = false;
- # names = [ "federation" ];
- # }];
- # }
- {
- bind_address = "::";
- port = 8008;
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [{
- compress = true;
- names = [ "client" ];
- }];
- }
- {
- bind_address = "::";
- port = 8048;
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [{
- compress = false;
- names = [ "federation" ];
- }];
- }
- ];
- plugins = with pkgs.matrix-synapse-plugins; [ matrix-synapse-shared-secret-auth ];
- public_baseurl = "https://matrix.ataraxiadev.com";
- server_name = "ataraxiadev.com";
- turn_uris = [
- "turns:${realm}?transport=udp" "turns:${realm}?transport=tcp"
- "turn:${realm}?transport=udp" "turn:${realm}?transport=tcp"
- ];
- turn_user_lifetime = "24h";
- };
-
- secrets-envsubst.matrix-shared-secret = {
- directory = "mautrix-telegram";
- owner = "matrix-synapse";
- secrets = [ "shared_secret" "reg_shared_secret" "turn_shared_secret" ];
- template = ''
- registration_shared_secret: $reg_shared_secret
- turn_allow_guests: False
- turn_shared_secret: $turn_shared_secret
- password_providers:
- - module: "shared_secret_authenticator.SharedSecretAuthenticator"
- config:
- 
sharedSecret: "$shared_secret"
- '';
- };
-
- # services.mautrix-telegram = {
- # enable = true;
- # environmentFile = toString config.secrets-envsubst.mautrix-telegram;
- # settings = {
- # appservice = {
- # address = "http://localhost:29317";
- # bot_avatar = "mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX";
- # database = "postgresql://mautrix-telegram:$MATRIX_PASS@localhost/mautrix-telegram";
- # id = "telegram";
- # max_body_size = 1;
- # port = 29317;
- # public = {
- # enabled = true;
- # prefix = "/mautrix-telegram";
- # external = "https://matrix.ataraxiadev.com/mautrix-telegram";
- # };
- # provisioning.enabled = false;
- # };
- # bridge = {
- # alias_template = "tg_{groupname}";
- # allow_matrix_login = false;
- # animated_sticker = {
- # target = "gif";
- # args = {
- # width = 128;
- # height = 128;
- # fps = 30;
- # background = "15191E";
- # };
- # };
- # bot_messages_as_notices = true;
- # catch_up = true;
- # command_prefix = "!tg";
- # encryption = {
- # allow = true;
- # default = false;
- # };
- # filter = {
- # mode = "whitelist";
- # list = [ ];
- # };
- # image_as_file_size = 10;
- # login_shared_secret_map."ataraxiadev.com" = "$SHARED_SECRET_AUTH";
- # max_document_size = 100;
- # max_initial_member_sync = -1;
- # max_telegram_delete = 10;
- # permissions = {
- # "*" = "relaybot";
- # "@ataraxiadev:ataraxiadev.com" = "admin";
- # "@kpoxa:ataraxiadev.com" = "full";
- # };
- # plaintext_highlights = true;
- # startup_sync = false;
- # sync_direct_chat_list = false;
- # sync_direct_chats = false;
- # username_template = "tg_{userid}";
- # };
- # homeserver = {
- # address = "https://matrix.ataraxiadev.com";
- # asmux = false;
- # domain = "ataraxiadev.com";
- # verify_ssl = true;
- # };
- # telegram = { bot_token = "disabled"; };
- # };
- # };
-
- # secrets-envsubst.mautrix-telegram = {
- # secrets = [ "as_token" "hs_token" "api_id" "api_hash" "matrix_pass" "shared_secret" ];
- # template = ''
- # MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=$as_token
- # 
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=$hs_token
- # MAUTRIX_TELEGRAM_TELEGRAM_API_ID=$api_id
- # MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=$api_hash
- # MATRIX_PASS=$matrix_pass
- # SHARED_SECRET_AUTH=$shared_secret
- # '';
- # };
-
- # secrets-envsubst.mautrix-telegram-registration = {
- # directory = "mautrix-telegram";
- # secrets = [ "as_token" "hs_token" "sender_localpart" ];
- # owner = "matrix-synapse";
- # template = builtins.toJSON {
- # as_token = "$as_token";
- # hs_token = "$hs_token";
- # id = "telegram";
- # namespaces = {
- # aliases = [{
- # exclusive = true;
- # regex = "#tg_.+:ataraxiadev.com";
- # }];
- # users = [{
- # exclusive = true;
- # regex = "@tg_.+:ataraxiadev.com";
- # } {
- # exclusive = true;
- # regex = "@telegrambot:ataraxiadev.com";
- # }];
- # };
- # rate_limited = false;
- # sender_localpart = "$sender_localpart";
- # url = "http://localhost:29317";
- # };
- # };
-
- # systemd.services.mautrix-telegram = {
- # path = with pkgs; [ lottieconverter ];
- # serviceConfig = {
- # DynamicUser = lib.mkForce false;
- # User = "mautrix-telegram";
- # };
- # };
-
- # users.users.mautrix-telegram = {
- # group = "mautrix-telegram";
- # isSystemUser = true;
- # };
-
- # users.groups.mautrix-telegram = {};
-
- users.users.matrix-synapse.name = lib.mkForce "matrix-synapse";
-}
\ No newline at end of file
diff --git a/profiles/servers/nginx.nix b/profiles/servers/nginx.nix
new file mode 100644
index 0000000..2f1fbc9
--- /dev/null
+++ b/profiles/servers/nginx.nix
@@ -0,0 +1,100 @@
+{ config, lib, pkgs, ... }: {
+ security.acme = {
+ acceptTerms = true;
+ email = "ataraxiadev@ataraxiadev.com";
+ certs = {
+ "ataraxiadev.com" = {
+ webroot = "/var/lib/acme/acme-challenge";
+ extraDomainNames = [
+ "matrix.ataraxiadev.com"
+ "cinny.ataraxiadev.com"
+ "dimension.ataraxiadev.com"
+ "element.ataraxiadev.com"
+ "goneb.ataraxiadev.com"
+ "jitsi.ataraxiadev.com"
+ "stats.ataraxiadev.com"
+ ];
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ group = "acme";
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = let
+ default = {
+ useACMEHost = "ataraxiadev.com";
+ forceSSL = true;
+ };
+ proxyPass = {
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+ '';
+ };
+ in {
+ "ataraxiadev.com" = {
+ locations."/.well-known/matrix" = {
+ proxyPass = "https://matrix.ataraxiadev.com/.well-known/matrix";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ # proxy_set_header Access-Control-Allow-Origin *;
+ # if ($request_method = 'POST') {
+ # add_header 'Access-Control-Allow-Origin' '*';
+ # add_header 'Access-Control-Allow-Credentials' 'true';
+ # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ # add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ # }
+ # if ($request_method = 'GET') {
+ # add_header 'Access-Control-Allow-Origin' '*';
+ # add_header 'Access-Control-Allow-Credentials' 'true';
+ # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ # add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ # }
+ # if ($request_method = 'OPTIONS') {
+ # add_header 'Access-Control-Allow-Origin' '*';
+ # add_header 'Access-Control-Allow-Credentials' 'true';
+ # add_header 
'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ # add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ # }
+ '';
+ };
+ } // default;
+ "matrix:443" = {
+ serverAliases = [
+ "matrix.ataraxiadev.com"
+ "cinny.ataraxiadev.com"
+ "dimension.ataraxiadev.com"
+ "element.ataraxiadev.com"
+ "goneb.ataraxiadev.com"
+ "jitsi.ataraxiadev.com"
+ "stats.ataraxiadev.com"
+ ];
+ listen = [{
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }];
+ locations."/" = {
+ proxyPass = "http://matrix-ct:81";
+ } // proxyPass;
+ } // default;
+ "matrix:8448" = {
+ serverAliases = [ "matrix.ataraxiadev.com" ];
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8448;
+ ssl = true;
+ }];
+ locations."/" = {
+ proxyPass = "http://matrix-ct:8449";
+ } // proxyPass;
+ } // default;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
+}
\ No newline at end of file
diff --git a/roles/container.nix b/roles/container.nix
index 4a01fb1..c03229e 100644
--- a/roles/container.nix
+++ b/roles/container.nix
@@ -18,7 +18,9 @@
 security
 ssh
 zsh
+
+ vscode-server
 ];
 environment.systemPackages = [ pkgs.kitty ];
-}
\ No newline at end of file
+}
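Review bot: The shared `proxyPass` snippet sets only `X-Forwarded-For` and `Host`, so the backends behind `matrix:443` and `matrix:8448` never receive `X-Forwarded-Proto`; a Synapse listener with `x_forwarded = true` (what the deleted `matrix-synapse.nix` configured) relies on that header to know the client connection was HTTPS, and without it the scheme is reported as plain `http`. Either add `proxy_set_header X-Forwarded-Proto $scheme;` to the snippet or set `recommendedProxySettings = true;` alongside the other `recommended*` options, which emits the standard `X-Forwarded-*`/`Host` headers for every proxied location and makes the hand-written snippet redundant. Both `listen` blocks bind `addr = "0.0.0.0"` only, so these vhosts are unreachable over IPv6 while the `ataraxiadev.com` vhost (which uses the module's default listeners) is not; a second entry with `addr = "[::]"` restores parity. The `/.well-known/matrix` location on `ataraxiadev.com` proxies to `https://matrix.ataraxiadev.com`, which is served by this same nginx and is then forwarded again to `matrix-ct:81`; that works, but a one-line comment saying the self-loop is intentional would save the next reader from treating it as a misconfiguration.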