diff --git a/hosts/cloudnix/default.nix b/hosts/cloudnix/default.nix
index 3772ec0..aa1d8df 100644
--- a/hosts/cloudnix/default.nix
+++ b/hosts/cloudnix/default.nix
@@ -32,7 +32,7 @@ in {
 ../common/optional/distributed-builds/local-machine.nix
 # ../common/optional/nixos-containers/semitamaps.nix
 # ../common/optional/nixos-containers/vaultwarden.nix
- # ../common/optional/nixos-containers/xmpp.nix
+ ../common/optional/nixos-containers/xmpp.nix
 ../common/optional/fail2ban.nix
 ../common/optional/restic-backup.nix
diff --git a/hosts/common/optional/fail2ban.nix b/hosts/common/optional/fail2ban.nix
index 5811fcc..f8048f0 100644
--- a/hosts/common/optional/fail2ban.nix
+++ b/hosts/common/optional/fail2ban.nix
@@ -13,6 +13,7 @@
 enable = true;
 maxretry = 5;
 ignoreIP = [
+ "86.173.148.116"
 ];
 bantime-increment = {
 enable = true;
@@ -29,6 +30,15 @@
 bantime = 600;
 maxretry = 10;
 };
+ nginx-botsearch.settings = {
+ filter = "nginx-botsearch";
+ action = "iptables-allports";
+ logpath = "/var/log/nginx/access.log";
+ backend = "auto";
+ findtime = 600;
+ bantime = 86400;
+ maxretry = 3;
+ };
 };
 };
 }
diff --git a/hosts/common/optional/nginx/xmpp.nix b/hosts/common/optional/nginx/xmpp.nix
index beefc8f..c3d3a81 100644
--- a/hosts/common/optional/nginx/xmpp.nix
+++ b/hosts/common/optional/nginx/xmpp.nix
@@ -33,6 +33,7 @@ in {
 email = email;
 extraDomainNames = [
 "chat.${xmppDomain}"
+ # "meet.${xmppDomain}"
 ];
 group = "www-data";
 };
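Review bot: The new `ignoreIP` entry hardcodes a public address as a literal in a shared `common/optional` module, while the rest of this diff reads addresses from `configVars` (e.g. `configVars.networking.addresses.cloudnix.ip` in the xmpp container), and because the NixOS option lands in fail2ban's `[DEFAULT]` section that address is exempt from every jail on every host importing this file, including the all-ports jail added in the next hunk. Move it behind a named variable so it is not forgotten when the address changes, e.g. `ignoreIP = [configVars.networking.addresses.adminIp];` (use whatever name the repo's `configVars` already has — it is not visible here), and say whose address it is and what it bypasses: `# admin's fixed IP — never banned by any jail`. If this is a residential address that rotates, a VPN or other fixed endpoint is the safer thing to whitelist.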
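Review bot: The `nginx-botsearch` jail pins `action = "iptables-allports"` instead of inheriting the ban action from the DEFAULT section; as far as I recall the NixOS fail2ban module switches its default `banaction`/`banaction-allports` to the `nftables-*` variants when `networking.nftables.enable` is set, so if this host ever moves to nftables this one jail would keep calling iptables and silently stop banning. Prefer `banaction = "%(banaction_allports)s";` in place of the explicit `action`, or leave a comment explaining why iptables must be forced. The thresholds also deserve a comment, since three matching 404s inside `findtime = 600` earn a 24h ban on every port (SSH included) and `bantime-increment` escalates repeats, e.g. `# aggressive on purpose: botsearch hits are never legitimate; allports so scanners lose SSH too`. Finally, confirm that nginx on this host really writes `/var/log/nginx/access.log` (its config is outside this hunk) — fail2ban refuses to start a jail whose `logpath` matches no file.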
@@ -43,8 +44,44 @@ in {
 enable = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
+ # virtualHosts."meet.${xmppDomain}" = {
+ # forceSSL = true;
+ # enableACME = false;
+ # sslCertificate = "/var/lib/acme/${xmppDomain}/fullchain.pem";
+ # sslCertificateKey = "/var/lib/acme/${xmppDomain}/key.pem";
+ # locations = {
+ # "/" = {
+ # proxyPass = "http://${xmppIp}";
+ # extraConfig = ''
+ # ssi on;
+ # proxy_set_header X-Forwarded-For $remote_addr;
+ # proxy_set_header Host $host;
+ # '';
+ # };
+ # "/http-bind" = {
+ # proxyPass = "http://${xmppIp}:${toString xmppPort}/http-bind";
+ # extraConfig = ''
+ # proxy_set_header X-Forwarded-For $remote_addr;
+ # proxy_set_header Host $host;
+ # '';
+ # };
+ # "/xmpp-websocket" = {
+ # proxyPass = "http://${xmppIp}:${toString xmppPort}/xmpp-websocket";
+ # extraConfig = ''
+ # proxy_http_version 1.1;
+ # proxy_set_header Connection "Upgrade";
+ # proxy_set_header Upgrade $http_upgrade;
+ #
+ proxy_set_header Host "${xmppDomain}";
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Proto $scheme;
+ # proxy_read_timeout 900s;
+ # tcp_nodelay on;
+ # '';
+ # };
+ # };
+ # };
 virtualHosts."chat.${xmppDomain}" = {
- # enableACME = true;
 forceSSL = true;
 extraConfig = ''
 client_max_body_size 10G;
diff --git a/hosts/common/optional/nixos-containers/forgejo.nix b/hosts/common/optional/nixos-containers/forgejo.nix
deleted file mode 100644
index 3875a2c..0000000
--- a/hosts/common/optional/nixos-containers/forgejo.nix
+++ /dev/null
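Review bot: Inside the commented-out `meet.${xmppDomain}` virtual host, the `/xmpp-websocket` line `proxy_set_header Host "${xmppDomain}";` appears without its leading `#` as this hunk is rendered; if the file really contains it that way the attrset will not parse and every host importing this module fails to evaluate, so please check that line before merging. Beyond that, the block is 37 lines of dead configuration which git history already keeps — delete it, or shrink it to `# TODO: meet.<domain> vhost for jitsi — see the commented block in nixos-containers/xmpp.nix`. When it is revived, drop `ssi on;` from the `/` location: with SSI enabled nginx processes `<!--#include virtual=... -->` directives found in responses proxied from the container, so whatever the container serves can make the host proxy fetch other locations, which a chat front-end does not need. The `chat.${xmppDomain}` virtual host that follows continues past the end of this hunk.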
@@ -1,119 +0,0 @@
-{
- pkgs,
- lib,
- configVars,
- inputs,
- ...
-}: let
- containerName = "forgejo";
- pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
- hostAddress = configVars.networking.addresses.forgejo.hostAddress;
- localAddress = configVars.networking.addresses.forgejo.localAddress;
- forgejoPort = configVars.networking.addresses.forgejo.port;
- forgejoDomain = configVars.domains.forgejo;
- cloudnixIp = configVars.networking.addresses.cloudnix.ip;
- sops-nix = inputs.sops-nix;
-in {
- networking = {
- nat = {
- enable = true;
- internalInterfaces = ["ve-+"];
- externalInterface = "enp1s0";
- };
- };
-
- environment.persistence."/persist" = {
- hideMounts = true;
- directories = [
- "/var/lib/nixos-containers/${containerName}"
- ];
- };
- imports = [../nginx/forgejo.nix];
-
- containers."${containerName}" = {
- autoStart = true;
- privateNetwork = true;
- hostAddress = hostAddress;
- localAddress = localAddress;
- nixpkgs = pkgs.path;
- bindMounts = {
- "/etc/ssh/ssh_host_ed25519_key" = {
- hostPath = "/etc/ssh/ssh_host_ed25519_key";
- isReadOnly = true;
- };
- };
-
- config = {
- pkgs,
- lib,
- ...
- }: let
- secretsDirectory = builtins.toString inputs.nix-secrets;
- secretsFile = "${secretsDirectory}/secrets.yaml";
- in {
- networking = {
- defaultGateway = cloudnixIp;
- firewall = {
- enable = true;
- allowedTCPPorts = [
- forgejoPort
- ];
- };
- useHostResolvConf = lib.mkForce false;
- };
-
- services.resolved.enable = true;
-
- sops = {
- defaultSopsFile = "${secretsFile}";
- validateSopsFiles = false;
-
- age = {
- sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
- };
- };
-
- imports = [
- sops-nix.nixosModules.sops
- ];
-
- environment.systemPackages = [
- pkgs.vim
- pkgs.git
- pkgs.lsof
- ];
-
- services.forgejo = {
- enable = true;
- package = pkgs.forgejo;
- database.type = "sqlite3";
- lfs.enable = true;
- settings = {
- server = {
- DOMAIN = "git.${forgejoDomain}";
- ROOT_URL = "https://git.${forgejoDomain}/";
- HTTP_PORT = forgejoPort;
- };
- service.DISABLE_REGISTRATION = false;
- actions = {
- ENABLED = true;
- DEFAULT_ACTIONS_URL = "github";
- };
- };
- };
-
- services.openssh = {
- enable = true;
- settings.PasswordAuthentication = false;
- };
-
- users.users = {
- root = {
- openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
- };
- };
-
- system.stateVersion = "24.05";
- };
- };
-}
diff --git a/hosts/common/optional/nixos-containers/xmpp.nix b/hosts/common/optional/nixos-containers/xmpp.nix
index 3c450d6..b3221ff 100644
--- a/hosts/common/optional/nixos-containers/xmpp.nix
+++ b/hosts/common/optional/nixos-containers/xmpp.nix
@@ -7,16 +7,16 @@
 }: let
 containerName = "xmpp";
 xmppDomain = configVars.domains.xmpp;
- pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
 hostAddress = configVars.networking.addresses.xmpp.hostAddress;
- externalIp = configVars.networking.addresses.cloudnix.ip;
 localAddress = configVars.networking.addresses.xmpp.localAddress;
+ externalIp = configVars.networking.addresses.cloudnix.ip;
 sops-nix = inputs.sops-nix;
 xmppPorts = configVars.networking.addresses.xmpp.ports;
 xmppUDPPorts = [
 xmppPorts.coturn
 xmppPorts.coturn-tls
+ xmppPorts.jitsi-calls
 ] ++ lib.range xmppPorts.coturn-min-udp xmppPorts.coturn-max-udp;
 xmppTCPPorts = [
@@ -54,10 +54,6 @@ in {
 ];
 };
- systemd.tmpfiles.rules = [
- "d /var/lib/prosody 0750"
- ];
-
 containers."${containerName}" = {
 autoStart = true;
 privateNetwork = true;
@@ -69,10 +65,6 @@ in {
 hostPath = "/etc/ssh/ssh_host_ed25519_key";
 isReadOnly = true;
 };
- "/var/lib/prosody" = {
- hostPath = "/var/lib/prosody";
- isReadOnly = false;
- };
 "/var/lib/acme/${xmppDomain}/" = {
 hostPath = "/var/lib/acme/${xmppDomain}/";
 isReadOnly = false;
@@ -104,6 +96,12 @@ in {
 gid = 33;
 };
+ # users.users.nginx = {
+ # isSystemUser = true;
+ # uid = 60;
+ # extraGroups = ["www-data"];
+ # };
+ #
 users.users.prosody = {
 isSystemUser = true;
 uid = 149;
@@ -151,6 +149,7 @@ in {
 pkgs.git
 pkgs.prosody
 pkgs.coturn
+ pkgs.inetutils
 ];
 sops.templates."prosody_secrets.lua" = {
@@ -181,9 +180,16 @@ in {
 "http"
 "websocket"
 "http_altconnect"
+ "invites"
+ "invites_adhoc"
+ "invites_page"
+ "invites_register"
+ "invites_register_web"
 ];
 allowRegistration = true;
 extraConfig = ''
+ storage = "sql"
+ sql = { driver = "SQLite3", database = "prosody.sqlite" }
 Include "${config.sops.templates."prosody_secrets.lua".path}"
 registration_invite_only = true;
 allow_user_invites = true;
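Review bot: `xmppPorts.jitsi-calls` is added to `xmppUDPPorts` while everything Jitsi-related in this diff (`services.jitsi-meet`, the `meet.` virtual hosts) stays commented out, so this opens a UDP port for a listener that does not exist. Assuming `xmppUDPPorts` feeds the firewall/NAT rules further down the file (outside this hunk), keep the port closed until the service is enabled, e.g. `# xmppPorts.jitsi-calls # open together with services.jitsi-meet`. The `externalIp` binding is only moved within the `let`, so nothing else changes here.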
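Review bot: Dropping the `/var/lib/prosody` bind mount (together with the tmpfiles rule removed in the hunk above) moves Prosody's data directory onto the container's own root, i.e. under `/var/lib/nixos-containers/xmpp/`, and the `storage = "sql"` / `prosody.sqlite` store added later in this diff lands there too — a relative database path is resolved against Prosody's data directory, which is `/var/lib/prosody` by default in the NixOS module. That data (accounts, rosters, invite tokens) is durable only if the host's persistence and restic configuration cover `/var/lib/nixos-containers/xmpp`; the `]; };` closing the previous hunk looks like the persistence block, but it is outside this hunk, so please confirm. A one-line comment at the removal site would spare the next reader the same check, e.g. `# prosody state lives on the container root, persisted via /var/lib/nixos-containers/xmpp`.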
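Review bot: Invite-only registration here depends on `mod_invites_register` actually loading: `allowRegistration = true` (context line above) switches on open registration in `mod_register`, and `registration_invite_only` is a `mod_invites_register` setting that nothing else enforces, so if that module fails to load the server fails open to public sign-ups. `invites`, `invites_adhoc` and `invites_register` ship with Prosody 0.12+, but `invites_page` and `invites_register_web` are community modules; unless `services.prosody.package` is built with `withCommunityModules` (not visible in this hunk), Prosody will log them as missing and carry on. Please verify with `prosodyctl check config` after deploy and record the dependency next to the list, e.g. `# invite-only is enforced by mod_invites_register — registration is open if that module is ever dropped`. The `sql = { driver = "SQLite3", ... }` line also needs LuaDBI in the Prosody package; worth checking in the same pass.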
@@ -246,6 +252,22 @@ in {
 '';
 domain = "${xmppDomain}";
 };
+
+ # virtualHosts."meet.${xmppDomain}" = {
+ # enabled = true;
+ # ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem";
+ # ssl.key = "/var/lib/acme/${xmppDomain}/key.pem";
+ # extraConfig = ''
+ # authentication = "internal_hashed"
+ # '';
+ # virtualHosts."guest.meet.${xmppDomain}" = {
+ # enabled = true;
+ # extraConfig = ''
+ # authentication = "anonymous"
+ # c2s_require_encryption = false
+ # '';
+ # };
+
 muc = [
 {
 domain = "conference.${xmppDomain}";
@@ -275,6 +297,27 @@ in {
 '';
 };
+ # nixpkgs.config.permittedInsecurePackages = [
+ # "jitsi-meet-1.0.8043"
+ # ];
+ #
+ # services.jitsi-meet = {
+ # enable = true;
+ # hostName = "meet.${xmppDomain}";
+ # secureDomain.enable = true;
+ # videobridge.enable = true;
+ # nginx = {
+ # enable = false;
+ # };
+ # };
+
+ # services.nginx.virtualHosts."meet.${xmppDomain}" = {
+ # enableACME = false;
+ # # forceSSL = true;
+ # # sslCertificate = "/var/lib/acme/${xmppDomain}/fullchain.pem";
+ # # sslCertificateKey = "/var/lib/acme/${xmppDomain}/key.pem";
+ # };
+
 system.stateVersion = "24.05";
 };
 };
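Review bot: The parked `guest.meet.${xmppDomain}` virtual host pairs `authentication = "anonymous"` with `c2s_require_encryption = false`, which, once uncommented, lets anonymous clients talk to Prosody in plaintext; if that is intentional (e.g. only ever reached from localhost by Jitsi components) the reason belongs next to it so it is not revived as-is, e.g. `# plaintext c2s only acceptable because this vhost is reached from localhost — confirm before enabling`. Also note the commented text is one `};` short: the `meet.` block opens, the nested `guest.` block opens and closes, and nothing closes `meet.`, so simply uncommenting it will not parse. Prefer deleting the block and keeping a one-line TODO — git history preserves the draft.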
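Review bot: `nixpkgs.config.permittedInsecurePackages = [ "jitsi-meet-1.0.8043" ]` is the line to watch when this block is revived: it overrides nixpkgs' refusal to build a package it flags with `meta.knownVulnerabilities`, and uncommenting it by habit together with the rest of the block silently accepts whatever that flag covers. If the block is kept as a parking lot, put the reason beside it and make the override a deliberate step, e.g. `# jitsi-meet is marked insecure in nixpkgs — check the package's knownVulnerabilities and re-evaluate before whitelisting`. Otherwise delete the 21 commented lines (the doubly-commented `# # forceSSL`/`# # sslCertificate` lines suggest this draft has already been edited in place rather than tracked) and leave a single TODO pointing at the branch or commit that holds the working attempt.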