plerome: use upstream package

Resolved null limit zone memory allocation size
Temporarily disabled CSP headers as they tend to break some of our applications
2021-12-23 11:51:15 +02:00 · 2021-12-21 11:57:03 +02:00 · 2021-12-21 08:18:38 +02:00 · 2021-12-20 19:18:58 +02:00 · 2021-12-17 19:17:23 +02:00 · 2021-12-16 16:58:26 +03:00
7 changed files with 89 additions and 222 deletions
--- a/files.nix
+++ b/files.nix
@ -24,11 +24,11 @@ in
    [
      (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
      (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
-      (if cfg.pleroma.enable then "d /var/lib/pleroma 0600 pleroma pleroma - -" else "")
+      (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
      "d /var/lib/restic 0600 restic - - -"
      "f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
      "f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
-      (if cfg.pleroma.enable then "f+ /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
+      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
      "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
      (if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}" else "")
      (if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}" else "")
--- a/mailserver/system/mailserver.nix
+++ b/mailserver/system/mailserver.nix
@ -13,11 +13,6 @@ in
    })
  ];

-  services.dovecot2 = {
-    enablePAM = lib.mkForce true;
-    showPAMFailure = lib.mkForce true;
-  };
-
  users.users = {
    virtualMail = {
      isNormalUser = false;
@ -34,7 +29,6 @@ in
    loginAccounts = {
      "${cfg.username}@${cfg.domain}" = {
        hashedPassword = cfg.hashedMasterPassword;
-        catchAll = [ cfg.domain ];
        sieveScript = ''
          require ["fileinto", "mailbox"];
          if header :contains "Chat-Version" "1.0"
@ -49,7 +43,6 @@ in
        name = "${user.username}@${cfg.domain}";
        value = {
          hashedPassword = user.hashedPassword;
-          catchAll = [ cfg.domain ];
          sieveScript = ''
            require ["fileinto", "mailbox"];
            if header :contains "Chat-Version" "1.0"
--- a/social/pleroma-module.nix
+++ b/social/pleroma-module.nix
@ -1,133 +0,0 @@
-{ config, options, lib, pkgs, stdenv, ... }:
-let
-  cfg = config.services.pleroma;
-in
-{
-  options = {
-    services.pleroma = with lib; {
-      enable = mkEnableOption "pleroma";
-
-      package = mkOption {
-        type = types.package;
-        default = pkgs.pleroma-otp;
-        description = "Pleroma package to use.";
-      };
-
-      user = mkOption {
-        type = types.str;
-        default = "pleroma";
-        description = "User account under which pleroma runs.";
-      };
-
-      group = mkOption {
-        type = types.str;
-        default = "pleroma";
-        description = "Group account under which pleroma runs.";
-      };
-
-      stateDir = mkOption {
-        type = types.str;
-        default = "/var/lib/pleroma";
-        readOnly = true;
-        description = "Directory where the pleroma service will save the uploads and static files.";
-      };
-
-      configs = mkOption {
-        type = with types; listOf str;
-        description = ''
-          Pleroma public configuration.
-          This list gets appended from left to
-          right into /etc/pleroma/config.exs. Elixir evaluates its
-          configuration imperatively, meaning you can override a
-          setting by appending a new str to this NixOS option list.
-          <emphasis>DO NOT STORE ANY PLEROMA SECRET
-          HERE</emphasis>, use
-          <link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link>
-          instead.
-          This setting is going to be stored in a file part of
-          the Nix store. The Nix store being world-readable, it's not
-          the right place to store any secret
-          Have a look to Pleroma section in the NixOS manual for more
-          informations.
-        '';
-      };
-
-      secretConfigFile = mkOption {
-        type = types.str;
-        default = "/var/lib/pleroma/secrets.exs";
-        description = ''
-          Path to the file containing your secret pleroma configuration.
-          <emphasis>DO NOT POINT THIS OPTION TO THE NIX
-          STORE</emphasis>, the store being world-readable, it'll
-          compromise all your secrets.
-        '';
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    users = {
-      users."${cfg.user}" = {
-        description = "Pleroma user";
-        home = cfg.stateDir;
-        extraGroups = [ cfg.group ];
-      };
-      groups."${cfg.group}" = { };
-    };
-
-    environment.systemPackages = [ cfg.package ];
-
-    environment.etc."/pleroma/config.exs".text = ''
-      ${lib.concatMapStrings (x: "${x}") cfg.configs}
-      # The lau/tzdata library is trying to download the latest
-      # timezone database in the OTP priv directory by default.
-      # This directory being in the store, it's read-only.
-      # Setting that up to a more appropriate location.
-      config :tzdata, :data_dir, "/var/lib/pleroma/elixir_tzdata_data"
-      import_config "${cfg.secretConfigFile}"
-    '';
-
-    systemd.services.pleroma = {
-      description = "Pleroma social network";
-      after = [ "network-online.target" "postgresql.service" ];
-      wantedBy = [ "multi-user.target" ];
-      restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
-      serviceConfig = {
-        User = cfg.user;
-        Group = cfg.group;
-        Type = "exec";
-        WorkingDirectory = "~";
-        StateDirectory = "pleroma pleroma/static pleroma/uploads";
-        StateDirectoryMode = "700";
-
-        # Checking the conf file is there then running the database
-        # migration before each service start, just in case there are
-        # some pending ones.
-        #
-        # It's sub-optimal as we'll always run this, even if pleroma
-        # has not been updated. But the no-op process is pretty fast.
-        # Better be safe than sorry migration-wise.
-        ExecStartPre =
-          let preScript = pkgs.writers.writeBashBin "pleromaStartPre"
-            "${cfg.package}/bin/pleroma_ctl migrate";
-          in "${preScript}/bin/pleromaStartPre";
-
-        ExecStart = "${cfg.package}/bin/pleroma start";
-        ExecStop = "${cfg.package}/bin/pleroma stop";
-        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-
-        # Systemd sandboxing directives.
-        # Taken from the upstream contrib systemd service at
-        # pleroma/installation/pleroma.service
-        PrivateTmp = true;
-        ProtectHome = true;
-        ProtectSystem = "full";
-        PrivateDevices = false;
-        NoNewPrivileges = true;
-        CapabilityBoundingSet = "~CAP_SYS_ADMIN";
-      };
-    };
-
-  };
-  meta.maintainers = with lib.maintainers; [ ninjatrappeur ];
-}
--- a/social/pleroma-package.nix
+++ b/social/pleroma-package.nix
@ -1,69 +0,0 @@
-{ lib
-, stdenv
-, autoPatchelfHook
-, fetchurl
-, file
-, makeWrapper
-, ncurses
-, nixosTests
-, openssl
-, unzip
-, zlib
-}:
-stdenv.mkDerivation {
-  pname = "pleroma-otp";
-  version = "2.3.0";
-
-  # To find the latest binary release stable link, have a look at
-  # the CI pipeline for the latest commit of the stable branch
-  # https://git.pleroma.social/pleroma/pleroma/-/tree/stable
-  src = {
-    aarch64-linux = fetchurl {
-      url = "https://git.pleroma.social/pleroma/pleroma/-/jobs/182392/artifacts/download";
-      sha256 = "1drpd6xh7m2damxi5impb8jwvjl6m3qv5yxynl12i8g66vi3rbwf";
-    };
-    x86_64-linux = fetchurl {
-      url = "https://git.pleroma.social/pleroma/pleroma/-/jobs/182388/artifacts/download";
-      sha256 = "1c6l04gga9iigm249ywwcrjg6wzy8iiid652mws3j9dnl71w2sim";
-    };
-  }."${stdenv.hostPlatform.system}";
-
-  nativeBuildInputs = [ unzip ];
-
-  buildInputs = [
-    autoPatchelfHook
-    file
-    makeWrapper
-    ncurses
-    openssl
-    zlib
-  ];
-
-  # mkDerivation fails to detect the zip nature of $src due to the
-  # missing .zip extension.
-  # Let's unpack the archive explicitely.
-  unpackCmd = "unzip $curSrc";
-
-  installPhase = ''
-    mkdir $out
-    cp -r * $out'';
-
-  # Pleroma is using the project's root path (here the store path)
-  # as its TMPDIR.
-  # Patching it to move the tmp dir to the actual tmpdir
-  postFixup = ''
-    wrapProgram $out/bin/pleroma --set-default RELEASE_TMP "/tmp"
-    wrapProgram $out/bin/pleroma_ctl --set-default RELEASE_TMP "/tmp"'';
-
-  passthru.tests = {
-    pleroma = nixosTests.pleroma;
-  };
-
-  meta = with lib; {
-    description = "ActivityPub microblogging server";
-    homepage = https://git.pleroma.social/pleroma/pleroma;
-    license = licenses.agpl3;
-    maintainers = with maintainers; [ ninjatrappeur ];
-    platforms = [ "x86_64-linux" "aarch64-linux" ];
-  };
-}
--- a/social/pleroma.nix
+++ b/social/pleroma.nix
@ -3,11 +3,6 @@ let
  cfg = config.services.userdata;
 in
 {
-  nixpkgs.overlays = [
-    (self: super: {
-      pleroma-otp = self.callPackage ./pleroma-package.nix { };
-    })
-  ];
  services = {
    pleroma = {
      enable = cfg.pleroma.enable;
--- a/users.nix
+++ b/users.nix
@ -17,7 +17,7 @@ in
        value = {
          isNormalUser = true;
          hashedPassword = user.hashedPassword;
-          openssh.authorizedKeys.keys = user.sshKeys;
+          openssh.authorizedKeys.keys = (if user ? sshKeys then user.sshKeys else []);
        };
      })
      cfg.users);
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@ -1,32 +1,68 @@
-{ pkgs, config, ... }:
+{ pkgs, config, lib, ... }:
 let
  domain = config.services.userdata.domain;
 in
 {
  services.nginx = {
    enable = true;
-    enableReload = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
+    sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3";
+    sslCiphers = lib.mkForce "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL";
    clientMaxBodySize = "1024m";
+    commonHttpConfig = ''
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+    '';

    virtualHosts = {
      "${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
      };
      "vpn.${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
      };
      "git.${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:3000";
@ -37,6 +73,16 @@ in
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:80/";
@ -50,6 +96,14 @@ in
        root = pkgs.jitsi-meet;
        extraConfig = ''
          ssi on;
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
        '';
        locations = {
          "@root_path" = {
@ -82,6 +136,16 @@ in
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:8222";
@ -92,6 +156,16 @@ in
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:5050";
@ -103,14 +177,21 @@ in
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        root = "/var/www/social.${domain}";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:4000";
          };
        };
-        extraConfig = ''
-          client_max_body_size 1024m;
-        '';
      };
    };
  };
Author	SHA1	Message	Date
Izorkin	0905a27cfd	plerome: use upstream package	2021-12-23 11:51:15 +02:00
Illia Chub	f5ec301441	Resolved null limit zone memory allocation size	2021-12-21 11:57:03 +02:00
Illia Chub	ae8e8b2c9b	Temporarily disabled CSP headers as they tend to break some of our applications	2021-12-21 08:18:38 +02:00
Illia Chub	b7f49e52c0	Merge pull request 'Added Qualys A+ rated SSL/TLS settings' (#8 ) from security-improvements into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#8	2021-12-20 19:18:58 +02:00
Illia Chub	b5011cdd65	Added Qualys A+ rated SSL/TLS settings	2021-12-17 19:17:23 +02:00
Inex Code	1b8bdb013a	Fix pleroma permissions	2021-12-16 16:58:26 +03:00
Inex Code	3f42ad5c68	Hotfix inability to build when custom user don't have ssh keys	2021-12-16 13:27:11 +03:00
Inex Code	63aaeec08c	Remove PAM from mailserver and remove catchall	2021-12-15 17:42:47 +03:00