From 6582e62fc6e10e7e8833c068652d5b176af6415a Mon Sep 17 00:00:00 2001
From: Sam
Date: Sun, 2 Mar 2025 23:06:16 +0000
Subject: [PATCH 1/5] update flake secrets
---
flake.lock | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/flake.lock b/flake.lock
index 9987979..a5e27cb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -559,11 +559,11 @@
 },
 "nix-secrets": {
 "locked": {
- "lastModified": 1739387047,
- "narHash": "sha256-KpogJP00vwuMIKkGJff3zp0YfV9GfOG//UzMK4nWWUw=",
+ "lastModified": 1740945438,
+ "narHash": "sha256-o4HM0SyrDh7PUjWJD+tVGDVB5sMQbA/jBgArFACnkrQ=",
 "ref": "refs/heads/master",
- "rev": "be51e237b5b3d441a194f3e516175f6a543aee35",
- "revCount": 280,
+ "rev": "3773ecaab796751389e21c38df6c234bcfbb7170",
+ "revCount": 285,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
From cce83b0c085d0667e7fbea3e24262f4f9072dc71 Mon Sep 17 00:00:00 2001
From: Sam
Date: Sun, 2 Mar 2025 23:07:58 +0000
Subject: [PATCH 2/5] fail2ban nginx-botsearch
---
hosts/common/optional/fail2ban.nix | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hosts/common/optional/fail2ban.nix b/hosts/common/optional/fail2ban.nix
index 5811fcc..f8048f0 100644
--- a/hosts/common/optional/fail2ban.nix
+++ b/hosts/common/optional/fail2ban.nix
@@ -13,6 +13,7 @@
 enable = true;
 maxretry = 5;
 ignoreIP = [
+ "86.173.148.116"
 ];
 bantime-increment = {
 enable = true;
@@ -29,6 +30,15 @@
 bantime = 600;
 maxretry = 10;
 };
+ nginx-botsearch.settings = {
+ filter = "nginx-botsearch";
+ action = "iptables-allports";
+ logpath = "/var/log/nginx/access.log";
+ backend = "auto";
+ findtime = 600;
+ bantime = 86400;
+ maxretry = 3;
+ };
 };
 };
 }
From 5c4e08fb46e02c6e36e8cc20f97450232d2ca935 Mon Sep 17 00:00:00 2001
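Review bot: The new `ignoreIP` entry `"86.173.148.116"` hard-codes one public address into `hosts/common/optional/fail2ban.nix`, a file that by its path is shared by every host importing it, and every jail in the block (including the new 24-hour all-ports ban) will silently exempt that address for as long as it stays in the list. If it is an operator's ISP-assigned address it will eventually be reassigned to someone else while still exempt, and committing it also publishes where the operator connects from. The rest of this tree reads addresses through `configVars` (e.g. `configVars.networking.addresses.cloudnix.ip` in the xmpp container), so the same indirection fits here: `ignoreIP = [ configVars.networking.adminIp ];` (name to taste) or a VPN/bastion CIDR, with a comment such as `# operator egress — re-check on ISP change`. Whether `configVars` is already among this file's arguments is outside the hunk.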
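Review bot: The `nginx-botsearch` jail pairs `action = "iptables-allports"` with `maxretry = 3` and `bantime = 86400`, so three matches in 600 s cost a client every port on the host for a day (SSH, the XMPP and TURN ports forwarded to the container, not just HTTP), and everyone behind the same NAT goes with it; the jail just above it in the context (name outside the hunk) bans for 600 s after 10 retries with whatever the default action is, so this one is an order of magnitude harsher on a noisier signal. Three 404s on the probe paths the botsearch filter matches is easy for a real browser or a misconfigured client to produce, and the same `/var/log/nginx/access.log` now also carries the proxied chat/BOSH/websocket traffic from the xmpp vhosts. I would start with the module's default multiport action limited to the web ports and a bantime in line with the other jail, e.g. `action = "iptables-multiport"; bantime = 3600;`, and widen only after the log shows the filter matching what you expect. The `maxretry = 3` / allports choice deserves a one-line comment stating the intent either way.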
From: Sam Date: Sun, 2 Mar 2025 23:09:58 +0000 Subject: [PATCH 3/5] enable xmpp container - start config of jitsi meet --- hosts/cloudnix/default.nix | 2 +- hosts/common/optional/nginx/xmpp.nix | 39 +++++++++++- .../common/optional/nixos-containers/xmpp.nix | 60 ++++++++++++++++--- 3 files changed, 90 insertions(+), 11 deletions(-) diff --git a/hosts/cloudnix/default.nix b/hosts/cloudnix/default.nix index 3772ec0..aa1d8df 100644 --- a/hosts/cloudnix/default.nix +++ b/hosts/cloudnix/default.nix @@ -32,7 +32,7 @@ in { ../common/optional/distributed-builds/local-machine.nix # ../common/optional/nixos-containers/semitamaps.nix # ../common/optional/nixos-containers/vaultwarden.nix - # ../common/optional/nixos-containers/xmpp.nix + ../common/optional/nixos-containers/xmpp.nix ../common/optional/fail2ban.nix ../common/optional/restic-backup.nix diff --git a/hosts/common/optional/nginx/xmpp.nix b/hosts/common/optional/nginx/xmpp.nix index beefc8f..c3d3a81 100644 --- a/hosts/common/optional/nginx/xmpp.nix +++ b/hosts/common/optional/nginx/xmpp.nix @@ -33,6 +33,7 @@ in { email = email; extraDomainNames = [ "chat.${xmppDomain}" + # "meet.${xmppDomain}" ]; group = "www-data"; }; 
@@ -43,8 +44,44 @@ in {
 enable = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
+ # virtualHosts."meet.${xmppDomain}" = {
+ # forceSSL = true;
+ # enableACME = false;
+ # sslCertificate = "/var/lib/acme/${xmppDomain}/fullchain.pem";
+ # sslCertificateKey = "/var/lib/acme/${xmppDomain}/key.pem";
+ # locations = {
+ # "/" = {
+ # proxyPass = "http://${xmppIp}";
+ # extraConfig = ''
+ # ssi on;
+ # proxy_set_header X-Forwarded-For $remote_addr;
+ # proxy_set_header Host $host;
+ # '';
+ # };
+ # "/http-bind" = {
+ # proxyPass = "http://${xmppIp}:${toString xmppPort}/http-bind";
+ # extraConfig = ''
+ # proxy_set_header X-Forwarded-For $remote_addr;
+ # proxy_set_header Host $host;
+ # '';
+ # };
+ # "/xmpp-websocket" = {
+ # proxyPass = "http://${xmppIp}:${toString xmppPort}/xmpp-websocket";
+ # extraConfig = ''
+ # proxy_http_version 1.1;
+ # proxy_set_header Connection "Upgrade";
+ # proxy_set_header Upgrade $http_upgrade;
+ #
+ # proxy_set_header Host "${xmppDomain}";
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Proto $scheme;
+ # proxy_read_timeout 900s;
+ # tcp_nodelay on;
+ # '';
+ # };
+ # };
+ # };
 virtualHosts."chat.${xmppDomain}" = {
- # enableACME = true;
 forceSSL = true;
 extraConfig = ''
 client_max_body_size 10G;
diff --git a/hosts/common/optional/nixos-containers/xmpp.nix b/hosts/common/optional/nixos-containers/xmpp.nix
index 3c450d6..533c950 100644
--- a/hosts/common/optional/nixos-containers/xmpp.nix
+++ b/hosts/common/optional/nixos-containers/xmpp.nix
@@ -7,7 +7,6 @@
 }: let
 containerName = "xmpp";
 xmppDomain = configVars.domains.xmpp;
- pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
 hostAddress = configVars.networking.addresses.xmpp.hostAddress;
 externalIp = configVars.networking.addresses.cloudnix.ip;
 localAddress = configVars.networking.addresses.xmpp.localAddress;
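Review bot: Thirty-seven of the 44 new lines are a commented-out `meet.${xmppDomain}` vhost, and the draft has two things to fix before it is ever uncommented: the `"/"` location sets `ssi on;` on content proxied from `http://${xmppIp}`, which makes nginx execute `<!--#include ... -->` directives found in whatever the upstream returns (a server-side-include injection path if any upstream page reflects user input), and `"/"` and `"/http-bind"` send `X-Forwarded-For $remote_addr` with `Host $host` while `"/xmpp-websocket"` sends `$proxy_add_x_forwarded_for` with `Host "${xmppDomain}"`, so the backend would see a different client identity and virtual host depending on path. If the block is only a placeholder, a one-line `# TODO: meet.${xmppDomain} vhost — see jitsi-meet draft in nixos-containers/xmpp.nix` keeps the intent without shipping dead config; if it is going in, drop `ssi on;` and use `$proxy_add_x_forwarded_for` on all three locations (`recommendedProxySettings = true;` is already set on this block and, on NixOS, supplies the usual forwarding headers, so most of the explicit `proxy_set_header` lines are presumably redundant). The `services.nginx` attrset this hunk edits starts before and ends after it.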
@@ -17,6 +16,7 @@ [ xmppPorts.coturn xmppPorts.coturn-tls + xmppPorts.jitsi-calls ] ++ lib.range xmppPorts.coturn-min-udp xmppPorts.coturn-max-udp; xmppTCPPorts = [ @@ -54,10 +54,6 @@ in { ]; }; - systemd.tmpfiles.rules = [ - "d /var/lib/prosody 0750" - ]; - containers."${containerName}" = { autoStart = true; privateNetwork = true; @@ -69,10 +65,6 @@ in { hostPath = "/etc/ssh/ssh_host_ed25519_key"; isReadOnly = true; }; - "/var/lib/prosody" = { - hostPath = "/var/lib/prosody"; - isReadOnly = false; - }; "/var/lib/acme/${xmppDomain}/" = { hostPath = "/var/lib/acme/${xmppDomain}/"; isReadOnly = false; @@ -104,6 +96,12 @@ in { gid = 33; }; + # users.users.nginx = { + # isSystemUser = true; + # uid = 60; + # extraGroups = ["www-data"]; + # }; + # users.users.prosody = { isSystemUser = true; uid = 149; @@ -181,9 +179,16 @@ in { "http" "websocket" "http_altconnect" + "invites" + "invites_adhoc" + "invites_page" + "invites_register" + "invites_register_web" ]; allowRegistration = true; extraConfig = '' + storage = "sql" + sql = { driver = "SQLite3", database = "prosody.sqlite" } Include "${config.sops.templates."prosody_secrets.lua".path}" registration_invite_only = true; allow_user_invites = true; @@ -246,6 +251,22 @@ in { ''; domain = "${xmppDomain}"; }; + + # virtualHosts."meet.${xmppDomain}" = { + # enabled = true; + # ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem"; + # ssl.key = "/var/lib/acme/${xmppDomain}/key.pem"; + # extraConfig = '' + # authentication = "internal_hashed" + # ''; + # virtualHosts."guest.meet.${xmppDomain}" = { + # enabled = true; + # extraConfig = '' + # authentication = "anonymous" + # c2s_require_encryption = false + # ''; + # }; + muc = [ { domain = "conference.${xmppDomain}"; 
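Review bot: Dropping the `/var/lib/prosody` bind mount here (and the `d /var/lib/prosody 0750` tmpfiles rule in the previous hunk) moves prosody's state from the host into the container's own filesystem, and a later hunk in this commit switches prosody to `storage = "sql"` with `database = "prosody.sqlite"`, a path prosody resolves relative to its data directory, so accounts and invite tokens now live in a SQLite file under `/var/lib/nixos-containers/xmpp/`. Nothing visible persists that path (the forgejo container deleted in patch 4 listed its container directory under `environment.persistence."/persist"`), so if this host runs the same impermanence setup a reboot would drop every registered user; worth confirming, and worth recording at the removal site, e.g. `# prosody state now lives inside the container; /var/lib/nixos-containers/xmpp must be on /persist`. The 0750 mode the dropped tmpfiles rule guaranteed is also gone, so check what mode the container's `prosody` user (uid 149, in the context below) ends up creating the directory and the `.sqlite` file with. The `containers."${containerName}"` definition this hunk edits starts before and ends after it.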
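Review bot: `allowRegistration = true;` stays in effect, and the only thing keeping in-band registration closed is `registration_invite_only = true;` in `extraConfig`, which is an option of the `invites_register` module this hunk adds to the module list alongside `invites`, `invites_adhoc`, `invites_page` and `invites_register_web`; those are prosody-modules (community) modules, and nothing visible shows the prosody package being built with them (`pkgs.prosody` is installed plain in the last patch). As far as I can tell, if one of them fails to load prosody logs the error and keeps serving with `allow_registration = true`, i.e. open registration on a public server. I would make the dependency hard so a missing module fails the build rather than opening registration, e.g. `package = pkgs.prosody.override { withCommunityModules = [ "http_altconnect" "invites" "invites_adhoc" "invites_page" "invites_register" "invites_register_web" ]; };`, and put a comment on the option: `# allowRegistration is required by mod_invites_register; registration_invite_only below gates it`. The new `storage`/`sql` lines sit before the `Include` of the sops template, which is fine only if that template does not also set storage; the `services.prosody` block starts before and ends after the hunk.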
@@ -275,6 +296,27 @@ in { ''; }; + # nixpkgs.config.permittedInsecurePackages = [ + # "jitsi-meet-1.0.8043" + # ]; + # + # services.jitsi-meet = { + # enable = true; + # hostName = "meet.${xmppDomain}"; + # secureDomain.enable = true; + # videobridge.enable = true; + # nginx = { + # enable = false; + # }; + # }; + + # services.nginx.virtualHosts."meet.${xmppDomain}" = { + # enableACME = false; + # # forceSSL = true; + # # sslCertificate = "/var/lib/acme/${xmppDomain}/fullchain.pem"; + # # sslCertificateKey = "/var/lib/acme/${xmppDomain}/key.pem"; + # }; + system.stateVersion = "24.05"; }; }; From 0fb07d155123c0d43ce58e246b9635c839385db6 Mon Sep 17 00:00:00 2001 From: Sam Date: Sun, 2 Mar 2025 23:24:52 +0000 Subject: [PATCH 4/5] delete forgejo nixos-container --- .../optional/nixos-containers/forgejo.nix | 119 ------------------ 1 file changed, 119 deletions(-) delete mode 100644 hosts/common/optional/nixos-containers/forgejo.nix diff --git a/hosts/common/optional/nixos-containers/forgejo.nix b/hosts/common/optional/nixos-containers/forgejo.nix deleted file mode 100644 index 3875a2c..0000000 --- a/hosts/common/optional/nixos-containers/forgejo.nix +++ /dev/null 
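Review bot: The staged `# nixpkgs.config.permittedInsecurePackages = [ "jitsi-meet-1.0.8043" ];` is the one line in this commented block I would not carry forward as-is: it waives nixpkgs' insecure-package guard for a pinned jitsi-meet build, and with `services.jitsi-meet`, the videobridge and the meet vhost all still disabled there is no reason to pre-approve it. If it stays, attach the reason nixpkgs gives for the marking and a date, e.g. `# jitsi-meet-1.0.8043 is marked insecure in nixpkgs (reason in the eval error) — re-evaluate before enabling meet.${xmppDomain}`, so it is not uncommented later without review. The `services.nginx.virtualHosts."meet..."` stub below it has `forceSSL` and both certificate paths commented twice over (`# #`), so enabled as written it would be a plain-HTTP vhost with `enableACME = false`; one `# TODO` describing the intended final shape would be more useful than two partial drafts. This hunk closes the container `config = { ... }` block whose opening is outside it.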
@@ -1,119 +0,0 @@
-{
- pkgs,
- lib,
- configVars,
- inputs,
- ...
- }: let
- containerName = "forgejo";
- pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
- hostAddress = configVars.networking.addresses.forgejo.hostAddress;
- localAddress = configVars.networking.addresses.forgejo.localAddress;
- forgejoPort = configVars.networking.addresses.forgejo.port;
- forgejoDomain = configVars.domains.forgejo;
- cloudnixIp = configVars.networking.addresses.cloudnix.ip;
- sops-nix = inputs.sops-nix;
-in {
- networking = {
- nat = {
- enable = true;
- internalInterfaces = ["ve-+"];
- externalInterface = "enp1s0";
- };
- };
-
- environment.persistence."/persist" = {
- hideMounts = true;
- directories = [
- "/var/lib/nixos-containers/${containerName}"
- ];
- };
- imports = [../nginx/forgejo.nix];
-
- containers."${containerName}" = {
- autoStart = true;
- privateNetwork = true;
- hostAddress = hostAddress;
- localAddress = localAddress;
- nixpkgs = pkgs.path;
- bindMounts = {
- "/etc/ssh/ssh_host_ed25519_key" = {
- hostPath = "/etc/ssh/ssh_host_ed25519_key";
- isReadOnly = true;
- };
- };
-
- config = {
- pkgs,
- lib,
- ...
- }: let
- secretsDirectory = builtins.toString inputs.nix-secrets;
- secretsFile = "${secretsDirectory}/secrets.yaml";
- in {
- networking = {
- defaultGateway = cloudnixIp;
- firewall = {
- enable = true;
- allowedTCPPorts = [
- forgejoPort
- ];
- };
- useHostResolvConf = lib.mkForce false;
- };
-
- services.resolved.enable = true;
-
- sops = {
- defaultSopsFile = "${secretsFile}";
- validateSopsFiles = false;
-
- age = {
- sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
- };
- };
-
- imports = [
- sops-nix.nixosModules.sops
- ];
-
- environment.systemPackages = [
- pkgs.vim
- pkgs.git
- pkgs.lsof
- ];
-
- services.forgejo = {
- enable = true;
- package = pkgs.forgejo;
- database.type = "sqlite3";
- lfs.enable = true;
- settings = {
- server = {
- DOMAIN = "git.${forgejoDomain}";
- ROOT_URL = "https://git.${forgejoDomain}/";
- HTTP_PORT = forgejoPort;
- };
- service.DISABLE_REGISTRATION = false;
- actions = {
- ENABLED = true;
- DEFAULT_ACTIONS_URL = "github";
- };
- };
- };
-
- services.openssh = {
- enable = true;
- settings.PasswordAuthentication = false;
- };
-
- users.users = {
- root = {
- openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
- };
- };
-
- system.stateVersion = "24.05";
- };
- };
-}
From 895028c9b5fc1d273bf958e88f3bc6559bbaecb6 Mon Sep 17 00:00:00 2001
From: Sam
Date: Mon, 3 Mar 2025 14:24:07 +0000
Subject: [PATCH 5/5] add inetutils to xmpp container
---
flake.lock | 8 ++++----
hosts/common/optional/nixos-containers/xmpp.nix | 3 ++-
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/flake.lock b/flake.lock
index a5e27cb..44d4aae 100644
--- a/flake.lock
+++ b/flake.lock
@@ -559,11 +559,11 @@ }, "nix-secrets": { "locked": { - "lastModified": 1740945438, - "narHash": "sha256-o4HM0SyrDh7PUjWJD+tVGDVB5sMQbA/jBgArFACnkrQ=", + "lastModified": 1741010621, + "narHash": "sha256-vKAZ6lq8q6zHS04eq7oJxcZ2X0dju90asKx2m3JVr9I=", "ref": "refs/heads/master", - "rev": "3773ecaab796751389e21c38df6c234bcfbb7170", - "revCount": 285, + "rev": "cb2c221bb583ff62ba97c094933fe64787a992ea", + "revCount": 286, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/hosts/common/optional/nixos-containers/xmpp.nix b/hosts/common/optional/nixos-containers/xmpp.nix index 533c950..b3221ff 100644 --- a/hosts/common/optional/nixos-containers/xmpp.nix +++ b/hosts/common/optional/nixos-containers/xmpp.nix @@ -8,8 +8,8 @@ containerName = "xmpp"; xmppDomain = configVars.domains.xmpp; hostAddress = configVars.networking.addresses.xmpp.hostAddress; - externalIp = configVars.networking.addresses.cloudnix.ip; localAddress = configVars.networking.addresses.xmpp.localAddress; + externalIp = configVars.networking.addresses.cloudnix.ip; sops-nix = inputs.sops-nix; xmppPorts = configVars.networking.addresses.xmpp.ports; xmppUDPPorts = @@ -149,6 +149,7 @@ in { pkgs.git pkgs.prosody pkgs.coturn + pkgs.inetutils ]; sops.templates."prosody_secrets.lua" = {
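Review bot: `pkgs.inetutils` brings more than the `ping`/`hostname`-style tools a debugging session usually needs; as packaged it also puts `telnet`, `ftp`, `rsh`/`rlogin`/`rcp` clients and the matching `*d` server binaries on the PATH of the container that terminates public XMPP and TURN traffic. This hunk enables none of them as a service, so the exposure is extra living-off-the-land tooling for a compromised process rather than a new listener, but it is still worth swapping for the single tool needed (`pkgs.iputils` for ping, `pkgs.dnsutils` for lookups) or running it ad hoc with `nix shell nixpkgs#inetutils` inside `nixos-container root-login xmpp` instead of baking it into the image. At minimum, say what it is for on the line, e.g. `pkgs.inetutils # connectivity debugging; remove once xmpp is stable`, so it does not become permanent by accident. The `environment.systemPackages` list this hunk extends starts before it.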