fi/nix-infra
1
2
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: fi:main
Branches Tags
fi:main
fi:ikiwiki
fi:mas
june:main
..
compare: june:main
Branches Tags
june:main
fi:main
fi:ikiwiki
fi:mas

No commits in common. "main" and "main" have entirely different histories.
main ... main

13 changed files with 102 additions and 159 deletions
Download patch file Download diff file Expand all files Collapse all files

7
config/hosts/forgejo/forgejo.nix
View file

@ -4,7 +4,6 @@
enable = true;
package = pkgs.forgejo;
database.type = "postgres";
lfs.enable = true;
settings = {
DEFAULT = {
@ -18,7 +17,6 @@
ROOT_URL = "https://git.nekover.se/";
# LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
# Doesn't need to be set.
OFFLINE_MODE = true;
};
admin = {
DISABLE_REGULAR_ORG_CREATION = false;
@ -36,10 +34,11 @@
DEFAULT_USER_VISIBILITY = "limited";
DEFAULT_KEEP_EMAIL_PRIVATE = true;
ENABLE_BASIC_AUTHENTICATION = false;
ENABLE_NOTIFY_MAIL = true;
};
repo = {
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
};
repository = {
DEFAULT_REPO_UNITS = "repo.code";
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
};

23
config/hosts/mastodon/containers/fedifetcher/default.nix Normal file
View file

@ -0,0 +1,23 @@
{ nixpkgs-unstable, ... }:
{
containers.fedifetcher = {
nixpkgs = nixpkgs-unstable;
autoStart = true;
bindMounts = {
"/secrets" = {
hostPath = "/secrets-fedifetcher";
isReadOnly = true;
};
};
config = { ... }: {
imports = [
./fedifetcher.nix
];
networking.useHostResolvConf = true;
system.stateVersion = "24.05";
};
};
}

42
config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix Normal file
View file

@ -0,0 +1,42 @@
{ pkgs, lib, ... }:
{
# config copied from https://github.com/arachnist/nibylandia/blob/main/nixos/zorigami/default.nix
systemd.services.fedifetcher = {
path = [ pkgs.fedifetcher ];
description = "fetch fedi posts";
script = ''
fedifetcher
'';
environment = lib.mapAttrs' (n: v:
(lib.nameValuePair ("ff_" + builtins.replaceStrings [ "-" ] [ "_" ] n)
(builtins.toString v))) {
server = "social.nekover.se";
state-dir = "/var/lib/fedifetcher";
lock-file = "/run/fedifetcher/fedifetcher.lock";
from-lists = 1;
from-notifications = 1;
max-bookmarks = 80;
max-favourites = 40;
max-follow-requests = 80;
max-followers = 80;
max-followings = 80;
remember-hosts-for-days = 30;
remember-users-for-hours = 168;
reply-interval-in-hours = 2;
};
serviceConfig = {
DynamicUser = true;
User = "fedifetcher";
RuntimeDirectory = "fedifetcher";
RuntimeDirectoryPreserve = true;
StateDirectory = "fedifetcher";
UMask = "0077";
EnvironmentFile = [ "/secrets/mastodon-fedifetcher-access-token.secret" ];
};
};
systemd.timers.fedifetcher = {
wantedBy = [ "multi-user.target" ];
timerConfig = { OnCalendar = "*:0/5"; };
};
}

1
config/hosts/mastodon/default.nix
View file

@ -5,5 +5,6 @@
./mastodon.nix
./opensearch.nix
./nginx.nix
./containers/fedifetcher
];
}

8
config/hosts/mastodon/mastodon.nix
View file

@ -2,8 +2,8 @@
let
tangerineUI = pkgs.fetchgit {
url = "https://github.com/nileane/TangerineUI-for-Mastodon.git";
rev = "v2.5.3";
hash = "sha256-fs/pwIwXZvSNVmlSG304CMT/hSW/RtrzraMsrhg/TbE=";
rev = "v2.5.2";
hash = "sha256-RJPP3QynE42cr9Km8twyZrHiZnhMdNcYOOJ7nW0mx1c=";
};
mastodonModern = pkgs.fetchgit {
url = "https://git.gay/freeplay/Mastodon-Modern.git";
@ -16,14 +16,14 @@ let
};
mastodonNekoverseOverlay = final: prev: {
mastodon = (prev.mastodon.override rec {
version = "4.5.6";
version = "4.5.2";
srcOverride = final.applyPatches {
src = pkgs.stdenv.mkDerivation {
name = "mastodonWithThemes";
src = pkgs.fetchgit {
url = "https://github.com/mastodon/mastodon.git";
rev = "v${version}";
sha256 = "sha256-m2LDNyv2jxsp5zPKOfQWvtBG8bD8iuBWBEoz+L0OvNk=";
sha256 = "sha256-LePly+CcM+Dv6ipX9jIWWKhy2PiF1j8vgc9CXn2o+DQ=";
};
# mastodon ships with broken symlinks, disable the check for that for now
dontCheckForBrokenSymlinks = true;

8
config/hosts/mastodon/secrets.nix
View file

@ -57,5 +57,13 @@
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-fedifetcher-access-token.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/fedifetcher-access-token" ];
destDir = "/secrets-fedifetcher";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}

14
config/hosts/matrix/matrix-authentication-service.nix
View file

@ -33,17 +33,6 @@ let
}];
proxy_protocol = false;
}
{
name = "admin";
resources = [{
name = "adminapi";
}];
binds = [{
host = "localhost";
port = 8083;
}];
proxy_protocol = false;
}
];
trusted_proxies = [
"192.168.0.0/16"
@ -74,7 +63,8 @@ let
version = 2;
algorithm = "argon2id";
}
];
];
minimum_complexity = 8;
};
};
masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings);

27
config/hosts/matrix/nginx.nix
View file

@ -34,19 +34,6 @@
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
"~ ^/_synapse/admin" = {
# Only proxy to the local host on IPv4, because localhost doesn't seem to work
# even if matrix-synapse is listening on ::1 as well.
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
# Restrict access to admin API.
allow 172.21.87.0/24; # management VPN
deny all;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
@ -64,18 +51,8 @@
port = 80;
}
];
locations = {
"/" = {
proxyPass = "http://localhost:8080";
};
"~ ^/api/admin" = {
proxyPass = "http://localhost:8083";
extraConfig = ''
# Restrict access to admin API.
allow 172.21.87.0/24; # management VPN
deny all;
'';
};
locations."/" = {
proxyPass = "http://localhost:8080";
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;

1
config/hosts/web-public-2/nginx.nix
View file

@ -19,7 +19,6 @@
anisync.grzb.de 127.0.0.1:8443;
cloud.nekover.se 10.202.41.122:8443;
element.nekover.se 127.0.0.1:8443;
element-admin.nekover.se 127.0.0.1:8443;
fi.nekover.se 10.202.41.125:8443;
gameserver.grzb.de 127.0.0.1:8443;
git.grzb.de 127.0.0.1:8443;

1
config/hosts/web-public-2/virtualHosts/default.nix
View file

@ -4,7 +4,6 @@
./acme-challenge.nix
./anisync.grzb.de.nix
./element.nekover.se.nix
./element-admin.nekover.se.nix
./gameserver.grzb.de.nix
./git.grzb.de.nix
./mewtube.nekover.se.nix

95
config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix
View file

@ -1,95 +0,0 @@
{ config, pkgs, ... }:
let
elementAdminVersion = "0.1.10";
elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: {
pname = "element-admin";
version = elementAdminVersion;
src = pkgs.fetchzip {
url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip";
sha256 = "sha256-dh7tmzAaTfKB9FuOVhLHpOIsTZK1qMvNq16HeObHOqI=";
};
nativeBuildInputs = [
pkgs.nodejs
pkgs.pnpm.configHook
];
pnpmDeps = pkgs.pnpm.fetchDeps {
inherit (finalAttrs) pname version src;
fetcherVersion = 2;
hash = "sha256-S/MdfUv6q+PaAKWYHxVY80BcpL81dOfpPVhNxEPQVE4=";
};
buildPhase = ''
pnpm build
'';
installPhase = ''
cp -a dist $out
'';
});
in
{
services.nginx.virtualHosts."element-admin.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [{
addr = "localhost";
port = 8443;
ssl = true;
extraParameters = ["proxy_protocol"];
}];
root = elementAdmin;
locations."/assets" = {
extraConfig = ''
expires 1y;
add_header Cache-Control "public, max-age=31536000, immutable";
# Security headers.
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
'';
};
locations."/" = {
index = "/index.html";
tryFiles = "$uri $uri/ /";
extraConfig = ''
# Security headers.
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
'';
};
extraConfig = ''
# Security headers.
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 127.0.0.1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
}

4
config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
View file

@ -1,9 +1,9 @@
{ pkgs, ... }:
let
elementWebVersion = "1.12.10";
elementWebVersion = "1.12.2";
element-web = pkgs.fetchzip {
url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
sha256 = "sha256-YpxfV4BCXh2fffQvVsZGOfK82TpGzg6uOx7iUPqiXVE=";
sha256 = "sha256-EZtySIQHgb+Boq97LhzFYKTEO///6YMH3O2DrAy+7Fs=";
};
elementWebSecurityHeaders = ''
# Configuration best practices

30
flake.lock generated
View file

@ -103,11 +103,11 @@
]
},
"locked": {
"lastModified": 1769813415,
"narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=",
"lastModified": 1764234087,
"narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "8946737ff703382fda7623b9fab071d037e897d5",
"rev": "032a1878682fafe829edfcf5fdfad635a2efe748",
"type": "github"
},
"original": {
@ -118,11 +118,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1770802195,
"narHash": "sha256-vabHY4acHLmaB7Ak9FKzk2wSEKhAS/yXL7SBySB/S5U=",
"lastModified": 1765178948,
"narHash": "sha256-Kb3mIrj4xLg2LeMvok0tpiGPis1VnrNJO0l4kW+0xmc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "08ebc444a070153227d6f45acf979f4d5f1f97f9",
"rev": "f376a52d0dc796aec60b5606a2676240ff1565b9",
"type": "github"
},
"original": {
@ -134,11 +134,11 @@
},
"nixpkgs-master": {
"locked": {
"lastModified": 1770824979,
"narHash": "sha256-OedDmV9we3oOdiz9xjLiQCajwRa8WWcE/rOF3y/VlVc=",
"lastModified": 1765227377,
"narHash": "sha256-OeTF3YNuXZxN4TxluVEdCG32e5/0pYDb5exWe0RrQBY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8605a9be3795437e3717dab6c542d2d571369e70",
"rev": "a0ea537a4fc4c49fb1e226317829c8b32ed95d0e",
"type": "github"
},
"original": {
@ -150,11 +150,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1770818322,
"narHash": "sha256-tttCN+yrhM7svQW6DqtS3JV9POrRJAaS/e0xuUHBTEM=",
"lastModified": 1765183668,
"narHash": "sha256-TBA7CE44IHYfvOPBWcyLncpVrrKEiXWPdOrF8CD6W84=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d9ca3a4b73f19ea147c9d977d3dde8f612ac648f",
"rev": "fc2de1563f89f0843eba27f14576d261df0e3b80",
"type": "github"
},
"original": {
@ -197,11 +197,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1766537863,
"narHash": "sha256-HEt+wbazRgJYeY+lgj65bxhPyVc4x7NEB2bs5NU6DF8=",
"lastModified": 1764185122,
"narHash": "sha256-+HUOwSIFLoyett2cvRjuFIbhobpHallfP9J2cia1apo=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "23f0a53ca6e58e61e1ea2b86791c69b79c91656d",
"rev": "a14fe3b293ec2720e5b7fc72ad136d22967e12ba",
"type": "gitlab"
},
"original": {