add wiki-js

roll back the roll back
Merge pull request 'jitsi-fixes' (#15 ) from jitsi-fixes into master
2022-02-23 19:46:13 +02:00 · 2022-02-16 11:06:51 +03:00 · 2022-02-16 08:30:24 +02:00 · 2022-02-16 07:01:12 +02:00 · 2022-02-16 06:59:59 +02:00 · 2022-02-15 15:48:42 +03:00
10 changed files with 169 additions and 53 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -27,6 +27,7 @@ in
    ./resources/limits.nix
    ./videomeet/jitsi.nix
    ./git/gitea.nix
+    ./local/services/wiki-js.nix
  ];

  nixpkgs.overlays = [ (nix-overlay) ];
@ -35,8 +36,8 @@ in
  networking = {
    hostName = config.services.userdata.hostname;
    firewall = {
-      allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 8443 ];
-      allowedUDPPorts = lib.mkForce [ 8443 ];
+      allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
+      allowedUDPPorts = lib.mkForce [ 8443 10000 ];
    };
    nameservers = [ "1.1.1.1" "1.0.0.1" ];
  };
--- a/files.nix
+++ b/files.nix
@ -24,11 +24,11 @@ in
    [
      (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
      (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
-      (if cfg.pleroma.enable then "d /var/lib/pleroma 0600 pleroma pleroma - -" else "")
+      (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
      "d /var/lib/restic 0600 restic - - -"
      "f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
      "f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
-      (if cfg.pleroma.enable then "f+ /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
+      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
      "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
      (if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}" else "")
      (if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}" else "")
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
  cfg = config.services.userdata;
 in
@ -9,7 +9,7 @@ in
  security.acme = {
    acceptTerms = true;
    email = "${cfg.username}@${cfg.domain}";
-    certs = {
+    certs = lib.mkForce {
      "${cfg.domain}" = {
        domain = "*.${cfg.domain}";
        extraDomainNames = [ "${cfg.domain}" ];
@ -17,6 +17,12 @@ in
        dnsProvider = "cloudflare";
        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
      };
+      "meet.${cfg.domain}" = {
+        domain = "meet.${cfg.domain}";
+        group = "acmerecievers";
+        dnsProvider = "cloudflare";
+        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
+      };
    };
  };
 }
--- a/local/services/wiki-js.nix
+++ b/local/services/wiki-js.nix
@ -0,0 +1,30 @@
+{ lib, ... }:
+{
+  systemd.services.wiki-js = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+
+  services.postgresql = {
+    enable = lib.mkOverride 1100 true;
+    ensureDatabases = [ "wiki" ];
+    ensureUsers = [
+      { name = "wiki-js";
+        ensurePermissions."DATABASE wiki" = "ALL PRIVILEGES";
+      }
+    ];
+  };
+
+  services.wiki-js = {
+    enable = true;
+    settings = {
+      bindIP = "127.0.0.1";
+      port = 3010;
+      db = {
+        host = "/run/postgresql";
+        user = "wiki-js";
+      };
+    };
+    stateDirectoryName = "wiki-js";
+  };
+}
--- a/mailserver/system/mailserver.nix
+++ b/mailserver/system/mailserver.nix
@ -13,11 +13,6 @@ in
    })
  ];

-  services.dovecot2 = {
-    enablePAM = lib.mkForce true;
-    showPAMFailure = lib.mkForce true;
-  };
-
  users.users = {
    virtualMail = {
      isNormalUser = false;
@ -34,7 +29,6 @@ in
    loginAccounts = {
      "${cfg.username}@${cfg.domain}" = {
        hashedPassword = cfg.hashedMasterPassword;
-        catchAll = [ cfg.domain ];
        sieveScript = ''
          require ["fileinto", "mailbox"];
          if header :contains "Chat-Version" "1.0"
@ -49,7 +43,6 @@ in
        name = "${user.username}@${cfg.domain}";
        value = {
          hashedPassword = user.hashedPassword;
-          catchAll = [ cfg.domain ];
          sieveScript = ''
            require ["fileinto", "mailbox"];
            if header :contains "Chat-Version" "1.0"
--- a/userdata/schema.json
+++ b/userdata/schema.json
@ -43,6 +43,12 @@
                },
                "enableSwagger": {
                    "type": "boolean"
+                },
+                "skippedMigrations": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                }
            }
        },
--- a/users.nix
+++ b/users.nix
@ -17,7 +17,7 @@ in
        value = {
          isNormalUser = true;
          hashedPassword = user.hashedPassword;
-          openssh.authorizedKeys.keys = user.sshKeys;
+          openssh.authorizedKeys.keys = (if user ? sshKeys then user.sshKeys else []);
        };
      })
      cfg.users);
--- a/variables-module.nix
+++ b/variables-module.nix
@ -84,6 +84,13 @@ in
        '';
        type = types.bool;
      };
+      skippedMigrations = mkOption {
+        default = [ ];
+        description = ''
+          List of migrations that should be skipped
+        '';
+        type = types.listOf types.str;
+      };
    };
    #############
    #  Secrets  #
--- a/videomeet/jitsi.nix
+++ b/videomeet/jitsi.nix
@ -6,7 +6,7 @@ in
  services.jitsi-meet = {
    enable = config.services.userdata.jitsi.enable;
    hostName = "meet.${domain}";
-    nginx.enable = false;
+    nginx.enable = true;
    interfaceConfig = {
      SHOW_JITSI_WATERMARK = false;
      SHOW_WATERMARK_FOR_GUESTS = false;
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@ -1,32 +1,68 @@
-{ pkgs, config, ... }:
+{ pkgs, config, lib, ... }:
 let
  domain = config.services.userdata.domain;
 in
 {
  services.nginx = {
    enable = true;
-    enableReload = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
+    sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3";
+    sslCiphers = lib.mkForce "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL";
    clientMaxBodySize = "1024m";
+    commonHttpConfig = ''
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+    '';

    virtualHosts = {
      "${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
      };
      "vpn.${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
      };
      "git.${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:3000";
@ -37,51 +73,36 @@ in
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:80/";
          };
        };
      };
-      "meet.${domain}" = {
-        forceSSL = true;
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
-        root = pkgs.jitsi-meet;
-        extraConfig = ''
-          ssi on;
-        '';
-        locations = {
-          "@root_path" = {
-            extraConfig = ''
-              rewrite ^/(.*)$ / break;
-            '';
-          };
-          "~ ^/([^/\\?&:'\"]+)$" = {
-            tryFiles = "$uri @root_path";
-          };
-          "=/http-bind" = {
-            proxyPass = "http://localhost:5280/http-bind";
-            extraConfig = ''
-              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-              proxy_set_header Host $host;
-            '';
-          };
-          "=/external_api.js" = {
-            alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
-          };
-          "=/config.js" = {
-            alias = "${pkgs.jitsi-meet}/config.js";
-          };
-          "=/interface_config.js" = {
-            alias = "${pkgs.jitsi-meet}/interface_config.js";
-          };
-        };
-      };
      "password.${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:8222";
@ -92,6 +113,16 @@ in
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:5050";
@ -103,14 +134,56 @@ in
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        root = "/var/www/social.${domain}";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:4000";
          };
        };
+      };
+      "wiki.${domain}" = {
+        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        root = "/var/empty";
+        forceSSL = true;
        extraConfig = ''
-          client_max_body_size 1024m;
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
        '';
+        locations = {
+          "/_assets/" = {
+            extraConfig = ''
+              alias ${pkgs.wiki-js}/assets/;
+              try_files $uri =404;
+              expires 7d;
+              access_log off;
+              log_not_found off;
+            '';
+          };
+          "/" = {
+            proxyPass = "http://127.0.0.1:3010";
+            extraConfig = ''
+              proxy_http_version 1.1;
+              proxy_set_header   Upgrade $http_upgrade;
+              proxy_set_header   Connection "upgrade";
+            '';
+          };
+        };
      };
    };
  };
Author	SHA1	Message	Date
Izorkin	3f726cdf60	add wiki-js	2022-02-23 19:46:13 +02:00
Inex Code	a0a6c99fe8	roll back the roll back	2022-02-16 11:06:51 +03:00
Inex Code	8cb55168eb	Merge pull request 'jitsi-fixes' (#15 ) from jitsi-fixes into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#15	2022-02-16 08:30:24 +02:00
Illia Chub	896600bf52	Added missing dependencies	2022-02-16 07:01:12 +02:00
Illia Chub	c03fd25959	Resolved build issues with DNS-01 nad webroot enabled	2022-02-16 06:59:59 +02:00
Inex Code	b583340e1d	Revert "Merge pull request 'Fixed Jitsi functionality and Jitsi certificate resolution' (#14 ) from jitsi-fixes into master" This reverts commit `dc767677d8`, reversing changes made to `d4bb381693`.	2022-02-15 15:48:42 +03:00
Inex Code	dc767677d8	Merge pull request 'Fixed Jitsi functionality and Jitsi certificate resolution' (#14 ) from jitsi-fixes into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#14	2022-02-15 14:09:45 +02:00
Illia Chub	163afde7cf	Fixed Jitsi functionality and Jitsi certificate resolution	2022-02-08 08:44:54 +02:00
Inex Code	d4bb381693	Merge pull request 'Add ability to skip migrations in API' (#11 ) from skipped-migrations into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#11	2022-01-14 02:58:58 +02:00
Inex Code	c3ee4d00fc	Add ability to skip migrations in API	2022-01-14 03:43:26 +03:00
Illia Chub	f5ec301441	Resolved null limit zone memory allocation size	2021-12-21 11:57:03 +02:00
Illia Chub	ae8e8b2c9b	Temporarily disabled CSP headers as they tend to break some of our applications	2021-12-21 08:18:38 +02:00
Illia Chub	b7f49e52c0	Merge pull request 'Added Qualys A+ rated SSL/TLS settings' (#8 ) from security-improvements into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#8	2021-12-20 19:18:58 +02:00
Illia Chub	b5011cdd65	Added Qualys A+ rated SSL/TLS settings	2021-12-17 19:17:23 +02:00
Inex Code	1b8bdb013a	Fix pleroma permissions	2021-12-16 16:58:26 +03:00
Inex Code	3f42ad5c68	Hotfix inability to build when custom user don't have ssh keys	2021-12-16 13:27:11 +03:00
Inex Code	63aaeec08c	Remove PAM from mailserver and remove catchall	2021-12-15 17:42:47 +03:00