From 3497ddd0a2db301d80fef4c5459578523565cd72 Mon Sep 17 00:00:00 2001 From: Illia Chub Date: Tue, 8 Feb 2022 08:44:54 +0200 Subject: [PATCH] Fixed Jitsi functionality and Jitsi certificate resolution --- configuration.nix | 4 ++-- letsencrypt/acme.nix | 6 ++++++ videomeet/jitsi.nix | 2 +- webserver/nginx.nix | 43 ------------------------------------------- 4 files changed, 9 insertions(+), 46 deletions(-) diff --git a/configuration.nix b/configuration.nix index 1281ac4..5062c44 100644 --- a/configuration.nix +++ b/configuration.nix @@ -35,8 +35,8 @@ in networking = { hostName = config.services.userdata.hostname; firewall = { - allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 8443 ]; - allowedUDPPorts = lib.mkForce [ 8443 ]; + allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ]; + allowedUDPPorts = lib.mkForce [ 8443 10000 ]; }; nameservers = [ "1.1.1.1" "1.0.0.1" ]; }; diff --git a/letsencrypt/acme.nix b/letsencrypt/acme.nix index 2e9c99b..ea2467e 100644 --- a/letsencrypt/acme.nix +++ b/letsencrypt/acme.nix @@ -17,6 +17,12 @@ in dnsProvider = "cloudflare"; credentialsFile = "/var/lib/cloudflare/Credentials.ini"; }; + "meet.${cfg.domain}" = { + domain = "meet.${cfg.domain}"; + group = "acmerecievers"; + dnsProvider = "cloudflare"; + credentialsFile = "/var/lib/cloudflare/Credentials.ini"; + }; }; }; } diff --git a/videomeet/jitsi.nix b/videomeet/jitsi.nix index 27ed438..c3fbd3d 100644 --- a/videomeet/jitsi.nix +++ b/videomeet/jitsi.nix @@ -6,7 +6,7 @@ in services.jitsi-meet = { enable = config.services.userdata.jitsi.enable; hostName = "meet.${domain}"; - nginx.enable = false; + nginx.enable = true; interfaceConfig = { SHOW_JITSI_WATERMARK = false; SHOW_WATERMARK_FOR_GUESTS = false; diff --git a/webserver/nginx.nix b/webserver/nginx.nix index 4536c5f..cdd6936 100644 --- a/webserver/nginx.nix +++ b/webserver/nginx.nix 
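Review bot: The two new firewall entries, 4443/tcp and 10000/udp on the `allowedTCPPorts`/`allowedUDPPorts` lines, are opened unconditionally, while the service they presumably serve is gated on `config.services.userdata.jitsi.enable` in the jitsi.nix hunk, so a host with Jitsi disabled still exposes two extra ports. Since `config.services.userdata` is already read for `hostName` here, the same flag can gate them: `allowedTCPPorts = lib.mkForce ([ 22 25 80 143 443 465 587 993 8443 ] ++ lib.optionals config.services.userdata.jitsi.enable [ 4443 ]);` and `allowedUDPPorts = lib.mkForce ([ 8443 ] ++ lib.optionals config.services.userdata.jitsi.enable [ 10000 ]);`. A comment naming the purpose, e.g. `# 4443/tcp, 10000/udp: presumably the videobridge TCP fallback and RTP media port — confirm`, would help now that the list mixes mail, web and media ports. Note that `lib.mkForce` also discards any ports a Jitsi module might open on its own; if that is intended, say so in a comment.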
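Review bot: The new `"meet.${cfg.domain}"` certificate is requested and renewed unconditionally, even though the host that consumes it is gated on the Jitsi enable flag in jitsi.nix, so a deployment without Jitsi still issues a DNS-01 certificate for a name it does not serve. If `cfg` here is `config.services.userdata`, as the `cfg.domain` reference suggests, the entry can follow the same flag: `"meet.${cfg.domain}" = lib.mkIf cfg.jitsi.enable { ... };`. The block is also a verbatim copy of the sibling entry above it (same group, provider and credentials path); a small helper such as `dnsCert = name: { domain = name; group = "acmerecievers"; dnsProvider = "cloudflare"; credentialsFile = "/var/lib/cloudflare/Credentials.ini"; };` in the file's `let` would keep the Cloudflare credential path in one place. The enclosing `certs` attrset begins before this hunk.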
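Review bot: Flipping `nginx.enable` to true hands the `meet.${domain}` vhost to the jitsi-meet module, and the hand-written vhost deleted from nginx.nix in this same commit carried `Strict-Transport-Security`, `X-Content-Type-Options nosniff`, `Referrer-Policy` and a `proxy_cookie_path` marking cookies `secure; HttpOnly; SameSite=strict`; nothing in this hunk re-adds them, so unless the module sets them itself (not visible here) the meet host loses that hardening. They can be restored from jitsi.nix on the virtualHost the module creates, as sketched below; `$hsts_header` is the map the removed vhost already referenced, so confirm it is still defined in nginx.nix. Dropping `X-Frame-Options DENY` may be deliberate, since it would block embedding the site via external_api.js, but that choice deserves a one-line comment. The `services.jitsi-meet` attrset continues past the hunk.
```nix
# … unchanged: services.jitsi-meet = { enable, hostName, nginx.enable = true, interfaceConfig … } …
# Hardening the removed hand-written vhost carried; whether the module
# sets any of these itself is not visible here — check before dropping.
services.nginx.virtualHosts."meet.${domain}".extraConfig = ''
  add_header Strict-Transport-Security $hsts_header;
  add_header X-Content-Type-Options nosniff;
  add_header 'Referrer-Policy' 'origin-when-cross-origin';
  proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
```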
@@ -89,49 +89,6 @@ in }; }; }; - "meet.${domain}" = { - forceSSL = true; - sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; - root = pkgs.jitsi-meet; - extraConfig = '' - ssi on; - add_header Strict-Transport-Security $hsts_header; - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - add_header 'Referrer-Policy' 'origin-when-cross-origin'; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - expires 10m; - ''; - locations = { - "@root_path" = { - extraConfig = '' - rewrite ^/(.*)$ / break; - ''; - }; - "~ ^/([^/\\?&:'\"]+)$" = { - tryFiles = "$uri @root_path"; - }; - "=/http-bind" = { - proxyPass = "http://localhost:5280/http-bind"; - extraConfig = '' - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $host; - ''; - }; - "=/external_api.js" = { - alias = "${pkgs.jitsi-meet}/libs/external_api.min.js"; - }; - "=/config.js" = { - alias = "${pkgs.jitsi-meet}/config.js"; - }; - "=/interface_config.js" = { - alias = "${pkgs.jitsi-meet}/interface_config.js"; - }; - }; - }; "password.${domain}" = { sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";