-rw-r--r-- | TODOs.org | 74 | ||||
-rwxr-xr-x | nixos-switch.sh | 10 | ||||
-rw-r--r-- | secrets/secret-envrc.sh | bin | 4315 -> 3314 bytes | |||
-rw-r--r-- | vps-configuration.env.nix | 95 |
4 files changed, 22 insertions, 157 deletions
@@ -1,42 +1,4 @@
 * Tasks - v4
-** DONE Prosody in localhost
-CLOSED: [2020-08-14 ven. 09:29]
-** CANCELLED Prosody in NixOS with NGINX
-https://www.reddit.com/r/linuxadmin/comments/7z0ahv/prosody_behind_reverse_proxy/dunbdmv/:
-#+BEGIN_SRC nginx
-server {
- listen 80;
- listen [::]:80;
- server_name xmpp.domain.com
-
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- ssl on;
- ssl_certificate /path/to/cert;
- ssl_certificate_key /path/to/key;
-
- location / {
- proxy_pass http://192.168.2.101:5222;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection 'upgrade';
- proxy_set_header Host $host;
- proxy_cache_bypass $http_upgrade;
- }
-}
-#+END_SRC
-Use Prosody as a server itself
-** DONE Prosody TLS
-CLOSED: [2020-08-16 dim. 18:52]
-** DONE matterbridge
-CLOSED: [2020-08-16 dim. 21:58]
-** DONE Converse
-CLOSED: [2020-08-16 dim. 21:58]
 ** DONE cgit
 CLOSED: [2020-08-14 ven. 09:29]
 ** TODO Terraform restore from backup when provisioning
@@ -70,7 +32,6 @@ resource "vultr_block_storage" "vps_storage" {
 live = "yes"
 }
 #+END_SRC
-** TODO Stop doing chmod to share certificates
 * Tasks - v5
 ** TODO Run cgit from nginx instead of using lighttpd
 ** TODO EteSync?
@@ -78,21 +39,11 @@ resource "vultr_block_storage" "vps_storage" {
 * Services - v2
 ** DONE =cloud.$tld=: Nextcloud: storage, calendar, contacts, notes and talk
 CLOSED: [2020-08-14 ven. 09:29]
-** DONE =chat.$tld=: [[https://conversejs.org/][Converse]] interface to Prosody server
-CLOSED: [2020-08-16 dim. 21:58]
-Setup under Prosody server, and bridge it with Telegram and WhatsApp using matterbridge.
-#+BEGIN_SRC nix
-muc = [{
- domain = envsubstConfiguration.prosodyMUCTLD;
-}];
-uploadHttp = {
- domain = envsubstConfiguration.prosodyHTTPUploadTLD;
-};
-#+END_SRC
 ** DONE =git.$tld=: cgit server with repositories from ~/dev/libre/
 CLOSED: [2020-08-14 ven. 09:29]
 ** DONE =boneco.$tld=: [[https://git.sr.ht/~euandreh/boneco][boneco]] deployment
 CLOSED: [2020-08-15 sam. 18:17]
+** CANCELLED =chat.$tld=: [[https://conversejs.org/][Converse]] interface to Prosody server
 ** TODO =mail.$tld=: postfix, dovecot, spamassasin, opendkim, etc
 No need for roundcube, Nextcloud has a web interface client.
 ** TODO =$tld=: current Jekyll blog
@@ -155,8 +106,27 @@ Instead, explicitly call =ansible-playbook= after =terraform apply= finished run
 This way we test the DNS A record -> Floating IP -> Droplet IP path. We can't do that inside Terraform declaration because the =local-exec= provisioning command runs before the =digitalocean_floating_ip_assignment= is created, and we can't create a cyclic dependency between the two resources. We could use the raw Droplet IP instead of the DNS A record, but I prefer calling it later in order to always test the full DNS resolution.
+** On shutting down Prosody and matterbridge
+Only after having a fully working configuration between Prosody, matterbridge
+and the gateways, I realized that matterbridge only support private groups for a
+few of their integrations. I should have read the whole documentation instead of
+just jumping in and start configuring.
+
+Instead of finishing the desired setup (missing things listed below), I'll
+remove the existing configuration.
+
+I do like XMPP over everything else, but I see little point in maintaining it if
+nobody I want to talk to wants to use it.
+
+I'll have to search for other solutions, or other ways to approach this problem.
+*** XMPP tasks
+**** Setup MUC on Prosody
+**** Setup DNS =SRV= records
+**** =xmpp.$tld=: Prosody server
+**** =chat.$tld=: [[https://conversejs.org/][Converse]] interface to Prosody server
+=proxyPass= from =chat.$tld= to =xmpp.$tld/conversejs=.
+**** Stop doing chmod to share certificates
 * Questions
 ** How to best handle IP changes when the server changes?
 How does this affect the email sending IP reputation?
 ** Enable 2FA for Nextcloud?
-Do XMPP support that too?
-* Scrath
+* Scratch
diff --git a/nixos-switch.sh b/nixos-switch.sh
index c972ea4..6a75a69 100755
--- a/nixos-switch.sh
+++ b/nixos-switch.sh
@@ -7,13 +7,3 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
 envsubst < vps-configuration.env.nix | ssh "$TLD" 'cat > /etc/nixos/configuration.nix'
 echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S nix-channel --add "https://nixos.org/channels/nixos-${SYSTEM_STATE_VERSION}" nixos
 echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S -i nixos-rebuild switch --upgrade
-
-# Ugly hack to change TLS certificates permissions
-echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S "\
-sudo chmod 640 /var/lib/acme/chat.arrobaponto.org/key.pem; \
-sudo chmod 640 /var/lib/acme/chat.arrobaponto.org/fullchain.pem; \
-sudo chmod 770 /var/lib/acme/chat.arrobaponto.org/; \
-sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/fullchain.pem; \
-sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/key.pem; \
-sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/; \
-sudo systemctl restart prosody.service"
diff --git a/secrets/secret-envrc.sh b/secrets/secret-envrc.sh
Binary files differ
index 18af943..067183e 100644
--- a/secrets/secret-envrc.sh
+++ b/secrets/secret-envrc.sh
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index 831a714..f5a9122 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
@@ -5,7 +5,6 @@ let
 TLD = "$TLD";
 nextcloudTLD = "$NEXTCLOUD_TLD";
 gitTLD = "$GIT_TLD";
- prosodyTLD = "$PROSODY_TLD";
 bonecoTLD = "$BONECO_TLD";
 letsencryptEmail = "$LETSENCRYPT_EMAIL";
 authorizedKey = "$AUTHORIZED_KEY";
@@ -19,18 +18,6 @@ let
 gitRoot = "$GIT_ROOT";
 gitPort = "$GIT_PORT";
 systemStateVersion = "$SYSTEM_STATE_VERSION";
- prosodyAdminUser = "$PROSODY_ADMIN_USER";
- prosodyMUCTLD = "$PROSODY_MUC_TLD";
- prosodyPort = "$PROSODY_PORT";
- prosodyHTTPPort = "$PROSODY_HTTP_PORT";
- matterbridgeTelegramToken = "$MATTERBRIDGE_TELEGRAM_TOKEN";
- matterbridgeTelegramChannel = "$MATTERBRIDGE_TELEGRAM_CHANNEL";
- matterbridgeBotJID = "$MATTERBRIDGE_BOT_JID";
- matterbridgeBotPassword = "$MATTERBRIDGE_BOT_PASSWORD";
- matterbridgeBotNick = "$MATTERBRIDGE_BOT_NICK";
- matterbridgeMUCServer = "$MATTERBRIDGE_MUC_SERVER";
- matterbridgeXMPPServer = "$MATTERBRIDGE_XMPP_SERVER";
- matterbridgeXMPPChannel = "$MATTERBRIDGE_XMPP_CHANNEL";
 };
 boneco = pkgs.stdenv.mkDerivation {
 name = "boneco";
@@ -66,16 +53,6 @@ in {
 # HTTP and HTPPS: NGINX
 80
 443
-
- # XMPP: Prosody
- # https://prosody.im/doc/ports
- 5000
- 5222
- 5269
- 5280
- 5281
- 5347
- 5582
 ];
 security.acme = {
@@ -113,17 +90,6 @@ in {
 enableACME = true;
 root = boneco;
 };
- "${envsubstConfiguration.prosodyTLD}" = {
- forceSSL = true;
- enableACME = true;
- serverAliases = [ envsubstConfiguration.prosodyMUCTLD ];
- locations = {
- "/" = {
- proxyPass =
- "http://localhost:${envsubstConfiguration.prosodyHTTPPort}/";
- };
- };
- };
 };
 };
@@ -157,67 +123,6 @@ in {
 };
 };
- prosody = let
- fullchainPEM =
- "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
- keyPEM = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
- in {
- enable = true;
- admins = [ envsubstConfiguration.prosodyAdminUser ];
- allowRegistration = false;
- modules = { websocket = true; };
- package = pkgs.prosody.override {
- withCommunityModules = [ "http_upload" "conversejs" "bookmarks" ];
- };
- extraModules = [ "http_upload" "conversejs" "bookmarks" ];
- ssl = {
- cert = fullchainPEM;
- key = keyPEM;
- };
- virtualHosts = {
- "${envsubstConfiguration.prosodyTLD}" = {
- enabled = true;
- domain = "${envsubstConfiguration.prosodyTLD}";
- ssl = {
- cert = fullchainPEM;
- key = keyPEM;
- };
- };
- };
- # muc = [{
- # domain = envsubstConfiguration.prosodyMUCTLD;
- # }];
- };
-
- matterbridge = {
- enable = true;
- configFile = ''
- [telegram.mytelegram]
- Token="${envsubstConfiguration.matterbridgeTelegramToken}"
- RemoteNickFormat="[{PROTOCOL}] <{NICK}>"
-
- [xmpp.myxmpp]
- Server="${envsubstConfiguration.matterbridgeXMPPServer}"
- Jid="${envsubstConfiguration.matterbridgeBotJID}"
- Password="${envsubstConfiguration.matterbridgeBotPassword}"
- Muc="${envsubstConfiguration.matterbridgeMUCServer}"
- Nick="${envsubstConfiguration.matterbridgeBotNick}"
- RemoteNickFormat="[{PROTOCOL}] <{NICK}>"
-
- [[gateway]]
- name="gateway1"
- enable=true
-
- [[gateway.inout]]
- account="telegram.mytelegram"
- channel="${envsubstConfiguration.matterbridgeTelegramChannel}"
-
- [[gateway.inout]]
- account="xmpp.myxmpp"
- channel="${envsubstConfiguration.matterbridgeXMPPChannel}"
- '';
- };
-
 lighttpd = {
 enable = true;
 port = pkgs.lib.toInt envsubstConfiguration.gitPort; |