-rw-r--r-- | TODOs.org | 78 | ||||
-rw-r--r-- | secrets/secret-envrc.sh | bin | 4055 -> 3237 bytes | |||
-rw-r--r-- | vps-configuration.env.nix | 95 |
3 files changed, 162 insertions, 11 deletions
@@ -1,6 +1,46 @@
 * Tasks - v4
-** TODO snapshot with swap
-** TODO cron: borg, postgresql backup and nixos update
+** TODO Prosody in localhost
+** TODO Prosody in NixOS with NGINX
+https://www.reddit.com/r/linuxadmin/comments/7z0ahv/prosody_behind_reverse_proxy/dunbdmv/:
+#+BEGIN_SRC nginx
+server {
+ listen 80;
+ listen [::]:80;
+ server_name xmpp.domain.com
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl on;
+ ssl_certificate /path/to/cert;
+ ssl_certificate_key /path/to/key;
+
+ location / {
+ proxy_pass http://192.168.2.101:5222;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+ }
+}
+#+END_SRC
+** TODO matterbridge
+#+BEGIN_SRC nix
+matterbridge = {
+ enable = false;
+ configFile = ''
+ '';
+};
+#+END_SRC
+** TODO cgit
+** TODO snapshot with swap: nixos-rebuild switch takes too much memory
+Adding swap memory maybe be a lot slower, but allows me to stay inside the 512MB memory server plan
+** TODO cron: borg, PostgreSQL backup and NixOS update and collect gargabe
 ** TODO Configure PostgreSQL permissions correctly
 ** TODO Harden the server
 *** TODO [#C] [[https://www.reddit.com/r/selfhosted/comments/bw8hqq/top_3_measures_to_secure_your_virtual_private/][Top 3 measures to secure your Virtual Private Server? (VPS)]]
@@ -9,6 +49,7 @@
 *** TODO [#B] [[https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md][Check for HSTS header configuration]]
 *** TODO Move secrets outside the Nix store
 *** TODO Properly configure PostgreSQL
+*** TODO Separate lighttpd user ownership from =$GIT_ROOT=?
 ** TODO Add volume
 And put in to fstab
 Can I use Terraform to automate the mounting?
@@ -26,10 +67,13 @@ resource "vultr_block_storage" "vps_storage" {
 live = "yes"
 }
 #+END_SRC
+** TODO EteSync?
+** TODO Run cgit from nginx instead of using lighttpd
 * Services - v2
 ** TODO =cloud.$tld=: Nextcloud: storage, calendar, contacts, notes and talk
-** TODO =chat.$tld=: Matrix Synapse server, or a XMPP server
-** TODO =git.$tld=: git-instaweb (or cgit) server with repositories from ~/dev/libre/
+** TODO =chat.$tld=: [[https://conversejs.org/][Converse]] interface to Prosody server
+Setup under Prosody server, and bridge it with Telegram and WhatsApp using matterbridge.
+** TODO =git.$tld=: cgit server with repositories from ~/dev/libre/
 ** TODO =mail.$tld=: postfix, dovecot, spamassasin, opendkim, etc
 No need for roundcube, Nextcloud has a web interface client.
 ** TODO =$tld=: current Jekyll blog
@@ -95,7 +139,27 @@ We could use the raw Droplet IP instead of the DNS A record, but I prefer callin
 * Questions
 ** How to best handle IP changes when the server changes?
 How does this affect the email sending IP reputation?
 * Scrath
-https://federationtester.matrix.org/
-EteSync?
-DHCP?
+
+
+
+ # ssl = {
+ # cert = "/var/lib/acme/${envsubstConfiguration.TLD}/fullchain.pem";
+ # key = "/var/lib/acme/${envsubstConfiguration.TLD}/key.pem";
+ # };
+ # virtualHosts = {
+ # "${envsubstConfiguration.prosodyTLD}" = {
+ # enabled = true;
+ # domain = "${envsubstConfiguration.prosodyTLD}";
+ # ssl = {
+ # cert = "/var/lib/acme/${envsubstConfiguration.TLD}/fullchain.pem";
+ # key = "/var/lib/acme/${envsubstConfiguration.TLD}/key.pem";
+ # };
+ # };
+ # };
+ # muc = [{
+ # domain = envsubstConfiguration.prosodyMUCTLD;
+ # }];
+ # uploadHttp = {
+ # domain = envsubstConfiguration.prosodyHTTPUploadTLD;
+ # };
diff --git a/secrets/secret-envrc.sh b/secrets/secret-envrc.sh
Binary files differ
index 33ca8e6..f0eed7e 100644
--- a/secrets/secret-envrc.sh
+++ b/secrets/secret-envrc.sh
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index 304c124..a08e50e 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
@@ -2,8 +2,10 @@ let
 envsubstConfiguration = {
+ TLD = "$TLD";
 nextcloudTLD = "$NEXTCLOUD_TLD";
 gitTLD = "$GIT_TLD";
+ prosodyTLD = "$PROSODY_TLD";
 letsencryptEmail = "$LETSENCRYPT_EMAIL";
 authorizedKey = "$AUTHORIZED_KEY";
 userPassword = "$USER_PASSWORD";
@@ -13,7 +15,12 @@ let
 nextcloudAdminPassword = "$NEXTCLOUD_ADMIN_PASSWORD";
 nextcloudTablePrefix = "$NEXTCLOUD_TABLE_PREFIX";
 gitRoot = "$GIT_ROOT";
+ gitPort = "$GIT_PORT";
 systemStateVersion = "$SYSTEM_STATE_VERSION";
+ prosodyAdminUser = "$PROSODY_ADMIN_USER";
+ prosodyMUCTLD = "$PROSODY_MUC_TLD";
+ prosodyHTTPUploadTLD = "$PROSODY_HTTP_UPLOAD_TLD";
+ prosodyPort = "$PROSODY_PORT";
 };
 in {
 imports = [ ./hardware-configuration.nix ];
@@ -31,11 +38,39 @@ in {
 environment.systemPackages = with pkgs; [ vim git ];
- networking.firewall.allowedTCPPorts = [ 80 443 22 ];
+ networking.firewall.allowedTCPPorts = [
+ # SSH: OpenSSH
+ 22
+
+ # HTTP and HTPPS: NGINX
+ 80
+ 443
+
+ # XMPP: Prosody
+ # https://prosody.im/doc/ports
+ 5000
+ 5222
+ 5269
+ 5280
+ 5281
+ 5347
+ 5582
+ ];
 security.acme = {
 acceptTerms = true;
 email = envsubstConfiguration.letsencryptEmail;
+ certs = {
+ "${envsubstConfiguration.prosodyTLD}" = {
+ webroot = "/var/www/${envsubstConfiguration.prosodyTLD}";
+ email = envsubstConfiguration.letsencryptEmail;
+ user = "prosody";
+ extraDomains = {
+ "${envsubstConfiguration.prosodyMUCTLD}" = null;
+ "${envsubstConfiguration.prosodyHTTPUploadTLD}" = null;
+ };
+ };
+ };
 };
 services = {
@@ -59,6 +94,9 @@ in {
 "${envsubstConfiguration.gitTLD}" = {
 forceSSL = true;
 enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${envsubstConfiguration.gitPort}";
+ };
 };
 };
 };
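Review bot: The rewritten `networking.firewall.allowedTCPPorts` opens 5347 and 5582 to the internet, which the linked prosody ports page lists as the external-component port and the telnet admin console; both are meant to be reachable only from the host itself, and 5000 (proxy65) is only needed when that module is enabled. The Prosody service these ports serve is added with `enable = false` in the next hunk, so the ports are open with nothing answering until it is switched on. Trim the list to the ports the deployment actually terminates publicly, `5222 5269 5280 5281`, and add the others only when the corresponding module is enabled and bound to a non-loopback address. The ACME block in the same hunk sets `webroot = "/var/www/${envsubstConfiguration.prosodyTLD}"`; whether an nginx virtualHost serves that path is outside the hunk, so it is worth confirming before the challenge is relied on.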
@@ -92,11 +130,60 @@ in {
 adminpass = envsubstConfiguration.nextcloudAdminPassword;
 };
 };
+
+ prosody = {
+ enable = false;
+ admins = [ envsubstConfiguration.prosodyAdminUser ];
+ allowRegistration = true;
+ ssl = {
+ cert = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
+ key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ };
+ virtualHosts = {
+ "${envsubstConfiguration.prosodyTLD}" = {
+ enabled = true;
+ domain = "${envsubstConfiguration.prosodyTLD}";
+ ssl = {
+ cert = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
+ key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ };
+ };
+ };
+ };
+
+ lighttpd = {
+ enable = true;
+ port = pkgs.lib.toInt envsubstConfiguration.gitPort;
+ cgit = {
+ enable = true;
+ subdir = "";
+ configText = ''
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+ scan-path=${envsubstConfiguration.gitRoot}
+ '';
+ };
+ };
 };
- systemd.services."nextcloud-setup" = {
- requires = [ "postgresql.service" ];
- after = [ "postgresql.service" ];
+ systemd.services = {
+ "nextcloud-setup" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+ "lighttpd-cgit-install" = {
+ enable = true;
+ description = "Setup folders and permissions for lighttpd and cgit";
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ mkdir -p ${envsubstConfiguration.gitRoot}
+ chown -R lighttpd:users ${envsubstConfiguration.gitRoot}
+ chmod -R 770 ${envsubstConfiguration.gitRoot}
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ };
 };
 users.extraUsers.andreh = {
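Review bot: `allowRegistration = true` in the new `services.prosody` block turns on in-band account creation for anyone who can reach 5222, which the firewall hunk above opens publicly; on a single-admin server this is the usual way an XMPP host ends up carrying spam accounts. Prefer `allowRegistration = false` and provision the admin account out of band, or at least flip it together with `enable` rather than leaving it pre-set. In `lighttpd-cgit-install`, `chown -R lighttpd:users` followed by `chmod -R 770` grants every member of the `users` group write access to all repositories and re-applies it on every boot, although cgit only reads them; `chmod -R 750` with a single owning writer would match what lighttpd needs. The interpolated `${envsubstConfiguration.gitRoot}` in `script` is unquoted, so a path containing whitespace would be word-split — write it as `"${envsubstConfiguration.gitRoot}"` in all three commands.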