Fixed Jitsi certificate usage. Added memcached deployment for increased performance. Fixed upload of media files into Pleroma-OTP

master
Illia Chub 2021-02-17 13:17:26 +02:00
parent 4f793fed27
commit 0599112b3a
1 changed files with 129 additions and 74 deletions


@ -16,7 +16,7 @@ makeConf() {
mkdir /etc/nixos/letsencrypt
mkdir /etc/nixos/backup
mkdir /etc/nixos/passmgr
mkdir /etc/nixos/nginx
mkdir /etc/nixos/webserver
mkdir /etc/nixos/git
mkdir /etc/nixos/nextcloud
mkdir /etc/nixos/resources
@ -50,7 +50,8 @@ makeConf() {
./letsencrypt/acme.nix
./backup/restic.nix
./passmgr/bitwarden.nix
./nginx/nginx.nix
./webserver/nginx.nix
./webserver/memcached.nix
./nextcloud/nextcloud.nix
./resources/limits.nix
./videomeet/jitsi.nix
@ -197,16 +198,7 @@ EOF
loginAccounts = {
"$LUSER@$DOMAIN" = {
hashedPassword = "$HASHED_PASSWORD";
#aliases = [
# "mail@example.com"
#];
# Make this user the catchAll address for domains blah.com and
# example2.com
catchAll = [
"$DOMAIN"
];
catchAll = [ "$DOMAIN" ];
sieveScript = ''
require ["fileinto", "mailbox"];
if header :contains "Chat-Version" "1.0"
@ -216,18 +208,12 @@ EOF
}
'';
};
};
# Extra virtual aliases. These are email addresses that are forwarded to
# loginAccounts addresses.
extraVirtualAliases = {
# address = forward address;
"admin@$DOMAIN" = "$LUSER@$DOMAIN";
};
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = 1;
certificateFile = "/var/lib/acme/$DOMAIN/fullchain.pem";
keyFile = "/var/lib/acme/$DOMAIN/key.pem";
@ -319,7 +305,7 @@ EOF
}
EOF
cat > /etc/nixos/nginx/nginx.nix << EOF
cat > /etc/nixos/webserver/nginx.nix << EOF
{ pkgs, ... }:
{
services.nginx = {
@ -331,7 +317,6 @@ EOF
clientMaxBodySize = "1024m";
virtualHosts = {
"$DOMAIN" = {
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
@ -362,6 +347,41 @@ EOF
};
};
};
"meet.$DOMAIN" = {
forceSSL = true;
sslCertificate = "/var/lib/acme/ilchub.net/fullchain.pem";
sslCertificateKey = "/var/lib/acme/ilchub.net/key.pem";
root = pkgs.jitsi-meet;
extraConfig = ''
ssi on;
'';
locations = {
"@root_path" = {
extraConfig = ''
rewrite ^/(.*)$ / break;
'';
};
"~ ^/([^/\\?&:'\"]+)$" = {
tryFiles = "$uri @root_path";
};
"=/http-bind" = {
proxyPass = "http://localhost:5280/http-bind";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
'';
};
"=/external_api.js" = {
alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
};
"=/config.js" = {
alias = "${pkgs.jitsi-meet}/config.js";
};
"=/interface_config.js" = {
alias = "${pkgs.jitsi-meet}/interface_config.js";
};
};
};
"password.$DOMAIN" = {
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
@ -382,6 +402,26 @@ EOF
};
};
};
"chat.$DOMAIN" = {
forceSSL = true;
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
locations = {
"/" = {
proxyPass = "https://127.0.0.1:8448";
};
"/_matrix" = {
proxyPass = "https://127.0.0.1:8448";
extraConfig = ''
proxy_set_header X-Forwarded-For $remote_addr;
'';
};
};
extraConfig = ''
proxy_ssl_server_name on;
proxy_pass_header Authorization;
'';
};
"social.$DOMAIN" = {
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
@ -399,6 +439,22 @@ EOF
};
};
}
EOF
cat > /etc/nixos/webserver/memcached.nix << EOF
{ pkgs, ... }:
{
services = {
memcached = {
enable = true;
user = "memcached";
listen = "127.0.0.1";
port = "11211";
maxMemory = 64;
maxConnections = 1024;
};
};
}
EOF
cat > /etc/nixos/nextcloud/nextcloud.nix << EOF
@ -554,7 +610,6 @@ EOF
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
};
}
EOF
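Review bot: The added `meet.$DOMAIN` virtual host hard-codes its certificate paths to `/var/lib/acme/ilchub.net/`, while every other vhost in this section uses `$DOMAIN`. On any other domain nginx will fail to load the files or present a certificate that does not match the host name, so the two lines should read `sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";` and `sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";`. The same block sits inside the unquoted `<< EOF` heredoc that expands `$DOMAIN`, so the shell will presumably also expand `$uri`, `$host` and `$proxy_add_x_forwarded_for` to empty strings, and `${pkgs.jitsi-meet}` is not a valid shell parameter name. If these are meant to reach the generated nginx.nix they need escaping, e.g. `tryFiles = "\$uri @root_path";` and `alias = "\${pkgs.jitsi-meet}/config.js";`. The `$remote_addr` header line in the `chat.$DOMAIN` hunk has the same problem.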