From 059ce9fce293615a7bd88a2328222fdea1599f8e Mon Sep 17 00:00:00 2001
From: inexcode
Date: Tue, 15 Feb 2022 15:48:42 +0300
Subject: [PATCH] Revert "Merge pull request 'Fixed Jitsi functionality and Jitsi certificate resolution' (#14) from jitsi-fixes into master"

This reverts commit dc767677d85133dae069e8c8e8f063d2549fb29e, reversing changes made to d4bb3816934356051c3a83909c268ee438d18029.
---
 configuration.nix | 4 ++--
 letsencrypt/acme.nix | 6 ------
 videomeet/jitsi.nix | 2 +-
 webserver/nginx.nix | 43 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 46 insertions(+), 9 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 5062c44..1281ac4 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -35,8 +35,8 @@ in
 networking = {
 hostName = config.services.userdata.hostname;
 firewall = {
- allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
- allowedUDPPorts = lib.mkForce [ 8443 10000 ];
+ allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 8443 ];
+ allowedUDPPorts = lib.mkForce [ 8443 ];
 };
 nameservers = [ "1.1.1.1" "1.0.0.1" ];
 };
diff --git a/letsencrypt/acme.nix b/letsencrypt/acme.nix
index fa051f3..10e5ebf 100644
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@@ -17,12 +17,6 @@ in
 dnsProvider = "cloudflare";
 credentialsFile = "/var/lib/cloudflare/Credentials.ini";
 };
- "meet.${cfg.domain}" = {
- domain = "meet.${cfg.domain}";
- group = "acmerecievers";
- dnsProvider = "cloudflare";
- credentialsFile = "/var/lib/cloudflare/Credentials.ini";
- };
 };
 };
 }
diff --git a/videomeet/jitsi.nix b/videomeet/jitsi.nix
index c3fbd3d..27ed438 100644
--- a/videomeet/jitsi.nix
+++ b/videomeet/jitsi.nix
@@ -6,7 +6,7 @@ in
 services.jitsi-meet = {
 enable = config.services.userdata.jitsi.enable;
 hostName = "meet.${domain}";
- nginx.enable = true;
+ nginx.enable = false;
 interfaceConfig = {
 SHOW_JITSI_WATERMARK = false;
 SHOW_WATERMARK_FOR_GUESTS = false;
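Review bot: The forced firewall lists in configuration.nix give no indication of which service each non-standard port belongs to, and after this revert 8443 stays open on both TCP and UDP with nothing on the page tying it to a listener. A one-line comment above `allowedTCPPorts`, e.g. `# 8443 tcp+udp: <service listening here — fill in>`, would let the next reviewer judge the exposure without reading every module. Because `lib.mkForce` replaces rather than merges with port openings requested by other modules, the comment should also record that overriding them is intentional. The `networking` block continues outside the hunk.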
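Review bot: Dropping the `meet.${cfg.domain}` certificate in letsencrypt/acme.nix leaves the `meet.${domain}` virtual host restored in the webserver/nginx.nix hunk serving `/var/lib/acme/${domain}/fullchain.pem`, the certificate issued for the bare domain. Unless that certificate is a wildcard or lists the `meet.` name as a SAN — nothing on the page shows either — TLS clients will reject the meeting host with a name mismatch. If the `${domain}` certificate does cover the subdomain, a comment on the remaining entry such as `# also covers meet.${cfg.domain}, served by webserver/nginx.nix` would record that dependency; if it does not, the meet vhost has no valid certificate to present. The enclosing certificate attribute set starts above the hunk.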
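Review bot: With `nginx.enable = false;` in videomeet/jitsi.nix the module no longer provides its own virtual host, so what is served for `meet.${domain}` comes from the hand-written block in webserver/nginx.nix, whose `/config.js` and `/interface_config.js` locations alias the unmodified files inside `${pkgs.jitsi-meet}` rather than anything generated for this host. Whether the module still writes a host-specific config when its nginx integration is disabled is not visible here; if it does not, the `hostName` and `interfaceConfig` values set in this block may never reach the client. A comment on this line such as `# vhost for meet.${domain} is hand-maintained in webserver/nginx.nix; keep config.js in sync` would make the coupling explicit. The `services.jitsi-meet` block continues outside the hunk.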
diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index cdd6936..4536c5f 100644
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@@ -89,6 +89,49 @@ in
 };
 };
 };
+ "meet.${domain}" = {
+ forceSSL = true;
+ sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ root = pkgs.jitsi-meet;
+ extraConfig = ''
+ ssi on;
+ add_header Strict-Transport-Security $hsts_header;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ expires 10m;
+ '';
+ locations = {
+ "@root_path" = {
+ extraConfig = ''
+ rewrite ^/(.*)$ / break;
+ '';
+ };
+ "~ ^/([^/\\?&:'\"]+)$" = {
+ tryFiles = "$uri @root_path";
+ };
+ "=/http-bind" = {
+ proxyPass = "http://localhost:5280/http-bind";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ '';
+ };
+ "=/external_api.js" = {
+ alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
+ };
+ "=/config.js" = {
+ alias = "${pkgs.jitsi-meet}/config.js";
+ };
+ "=/interface_config.js" = {
+ alias = "${pkgs.jitsi-meet}/interface_config.js";
+ };
+ };
+ };
 "password.${domain}" = {
 sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
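Review bot: The header set restored for `meet.${domain}` ships its Content-Security-Policy commented out (`#add_header Content-Security-Policy ...`) next to the legacy `add_header X-XSS-Protection "1; mode=block";`, so the only script-execution control actually sent is a header current browsers ignore. If the CSP was disabled because Jitsi's inline scripts broke under `script-src 'self'`, a comment saying so with a TODO belongs beside it; otherwise consider removing `X-XSS-Protection` rather than implying protection it does not provide. `add_header X-Frame-Options DENY;` also forbids embedding this host anywhere, which sits oddly with serving `/external_api.js` if that script is intended for iframe embedding from other origins — a comment stating the intended embedding policy would settle it either way. The enclosing `virtualHosts` set starts above the hunk.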