author: EuAndreh <eu@euandre.org> 2020-08-14 08:36:23 -0300
committer: EuAndreh <eu@euandre.org> 2020-08-14 08:36:23 -0300
commit: dcd53d253715d0794a239c9a4b679f9286555211
tree: 670c8caf46d61c8f95efc72397cb5eb55da9d20e /TODOs.org
parent: Add .tfplan extension to Terraform plan files
Setup cgit and Prosody
The TLS setup for Prosody is broken, though.
Diffstat (limited to 'TODOs.org')
-rw-r--r-- TODOs.org 78
1 files changed, 71 insertions, 7 deletions
diff --git a/TODOs.org b/TODOs.org
index 7abc29b..476da0d 100644
--- a/TODOs.org
+++ b/TODOs.org
@@ -1,6 +1,46 @@
* Tasks - v4
-** TODO snapshot with swap
-** TODO cron: borg, postgresql backup and nixos update
+** TODO Prosody in localhost
+** TODO Prosody in NixOS with NGINX
+https://www.reddit.com/r/linuxadmin/comments/7z0ahv/prosody_behind_reverse_proxy/dunbdmv/:
+#+BEGIN_SRC nginx
+server {
+ listen 80;
+ listen [::]:80;
+ server_name xmpp.domain.com
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl on;
+ ssl_certificate /path/to/cert;
+ ssl_certificate_key /path/to/key;
+
+ location / {
+ proxy_pass http://192.168.2.101:5222;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+ }
+}
+#+END_SRC
+** TODO matterbridge
+#+BEGIN_SRC nix
+matterbridge = {
+ enable = false;
+ configFile = ''
+ '';
+};
+#+END_SRC
+** TODO cgit
+** TODO snapshot with swap: nixos-rebuild switch takes too much memory
+Adding swap memory maybe be a lot slower, but allows me to stay inside the 512MB memory server plan
+** TODO cron: borg, PostgreSQL backup and NixOS update and collect gargabe
** TODO Configure PostgreSQL permissions correctly
** TODO Harden the server
*** TODO [#C] [[https://www.reddit.com/r/selfhosted/comments/bw8hqq/top_3_measures_to_secure_your_virtual_private/][Top 3 measures to secure your Virtual Private Server? (VPS)]]
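Review bot: `server_name xmpp.domain.com` in the port 80 server block has no terminating semicolon, so nginx reads the following `return 301 https://$host$request_uri;` line as further arguments to server_name rather than as a redirect; add the `;`. In the 443 block, `proxy_pass http://192.168.2.101:5222;` sends HTTP to Prosody's XMPP client-to-server port, which does not speak HTTP; a reverse proxy for BOSH or WebSocket would point at Prosody's HTTP listener instead (5280 by default). The same block has no server_name, and `ssl on;` is redundant next to `listen 443 ssl;` and deprecated in current nginx. Since TLS ends at nginx here, the hop to 192.168.2.101 is plaintext, which is worth writing down in the task. Typos in the added task text: "maybe be" and "gargabe".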
@@ -9,6 +49,7 @@
*** TODO [#B] [[https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md][Check for HSTS header configuration]]
*** TODO Move secrets outside the Nix store
*** TODO Properly configure PostgreSQL
+*** TODO Separate lighttpd user ownership from =$GIT_ROOT=?
** TODO Add volume
And put in to fstab
Can I use Terraform to automate the mounting?
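Review bot: the added hardening item "Separate lighttpd user ownership from =$GIT_ROOT=?" is phrased as an open question and does not say what the end state should be. Suggest recording the intent, for example that the lighttpd user serving cgit gets read-only access to =$GIT_ROOT= and does not own the repositories, so the item can be checked against something concrete.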
@@ -26,10 +67,13 @@ resource "vultr_block_storage" "vps_storage" {
live = "yes"
}
#+END_SRC
+** TODO EteSync?
+** TODO Run cgit from nginx instead of using lighttpd
* Services - v2
** TODO =cloud.$tld=: Nextcloud: storage, calendar, contacts, notes and talk
-** TODO =chat.$tld=: Matrix Synapse server, or a XMPP server
-** TODO =git.$tld=: git-instaweb (or cgit) server with repositories from ~/dev/libre/
+** TODO =chat.$tld=: [[https://conversejs.org/][Converse]] interface to Prosody server
+Setup under Prosody server, and bridge it with Telegram and WhatsApp using matterbridge.
+** TODO =git.$tld=: cgit server with repositories from ~/dev/libre/
** TODO =mail.$tld=: postfix, dovecot, spamassasin, opendkim, etc
No need for roundcube, Nextcloud has a web interface client.
** TODO =$tld=: current Jekyll blog
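Review bot: the line "bridge it with Telegram and WhatsApp using matterbridge" under =chat.$tld= does not mention that the bridge needs account credentials, while the matterbridge stub added earlier in this patch uses an inline `configFile = '' '';` string, and strings written inline in Nix end up in the world-readable Nix store. Suggest cross-referencing the existing "Move secrets outside the Nix store" item here so the bridge is not enabled before that is done. Separately, "Run cgit from nginx instead of using lighttpd" would make the new lighttpd ownership item under "Harden the server" obsolete; linking the two would avoid doing the work twice.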
@@ -95,7 +139,27 @@ We could use the raw Droplet IP instead of the DNS A record, but I prefer callin
* Questions
** How to best handle IP changes when the server changes? How does this affect the email sending IP reputation?
* Scrath
-https://federationtester.matrix.org/
-EteSync?
-DHCP?
+
+
+
+ # ssl = {
+ # cert = "/var/lib/acme/${envsubstConfiguration.TLD}/fullchain.pem";
+ # key = "/var/lib/acme/${envsubstConfiguration.TLD}/key.pem";
+ # };
+ # virtualHosts = {
+ # "${envsubstConfiguration.prosodyTLD}" = {
+ # enabled = true;
+ # domain = "${envsubstConfiguration.prosodyTLD}";
+ # ssl = {
+ # cert = "/var/lib/acme/${envsubstConfiguration.TLD}/fullchain.pem";
+ # key = "/var/lib/acme/${envsubstConfiguration.TLD}/key.pem";
+ # };
+ # };
+ # };
+ # muc = [{
+ # domain = envsubstConfiguration.prosodyMUCTLD;
+ # }];
+ # uploadHttp = {
+ # domain = envsubstConfiguration.prosodyHTTPUploadTLD;
+ # };
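Review bot: in the commented-out block, both `ssl` sections load `/var/lib/acme/${envsubstConfiguration.TLD}/fullchain.pem` while the virtual host domain is `${envsubstConfiguration.prosodyTLD}`, and the MUC and upload components use two further names (prosodyMUCTLD, prosodyHTTPUploadTLD). If the certificate issued for TLD does not list those names, clients and federating servers will reject it, which may be what the commit message means by the TLS setup being broken; also check that the Prosody user can read key.pem under /var/lib/acme. The block has no #+BEGIN_SRC wrapper and no heading of its own, unlike the other snippets in this file, and the removed "DHCP?" and federationtester notes are dropped without being moved to a task; a short note on what failed would be more useful here than the disabled config alone.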