From 520391482411604798cab4d24d48f6c1650718ea Mon Sep 17 00:00:00 2001
From: lassulus
Date: Mon, 11 Dec 2023 17:36:41 +0100
Subject: add mic92 as krebsminister
---
 krebs/2configs/default.nix | 1 +
 1 file changed, 1 insertion(+)
(limited to 'krebs/2configs')
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 905eaaef..0d55a01f 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -52,6 +52,7 @@ with import ../../lib/pure.nix { inherit lib; };
 config.krebs.users.makefu.pubkey
 config.krebs.users.tv.pubkey
 config.krebs.users.kmein.pubkey
+ config.krebs.users.mic92.pubkey
 ];

 # The NixOS release to be compatible with for stateful data such as databases.
-- cgit v1.2.3
From c441ad385478b29c763d3acc430c6596add9c98a Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 12 Dec 2023 11:54:18 +0100
Subject: mastodon: set streamingProcesses
---
 krebs/2configs/mastodon.nix | 1 +
 1 file changed, 1 insertion(+)
(limited to 'krebs/2configs')
diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix
index af308b2c..2a3dc841 100644
--- a/krebs/2configs/mastodon.nix
+++ b/krebs/2configs/mastodon.nix
@@ -13,6 +13,7 @@
 enable = true;
 localDomain = "social.krebsco.de";
 configureNginx = true;
+ streamingProcesses = 3;
 trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr;
 smtp.createLocally = false;
 smtp.fromAddress = "derp";
-- cgit v1.2.3
From d20f33ca775ca553aff70d069d39de635c1287f9 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 12 Dec 2023 12:18:18 +0100
Subject: mastodon: upgrade postgresql 11 -> 16
---
 krebs/2configs/mastodon.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'krebs/2configs')
diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix
index 2a3dc841..ab400955 100644
--- a/krebs/2configs/mastodon.nix
+++ b/krebs/2configs/mastodon.nix
@@ -3,7 +3,7 @@
 services.postgresql = {
 enable = true;
 dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
- package = pkgs.postgresql_11;
+ package = pkgs.postgresql_16;
 };
 systemd.tmpfiles.rules = [
 "d /var/state/postgresql 0700 postgres postgres -"
-- cgit v1.2.3
From 316e8431c2723e258f9939dfe182f6ce3e7b0b89 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 12 Dec 2023 13:09:09 +0100
Subject: default: open retiolum ports
---
 krebs/2configs/default.nix | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'krebs/2configs')
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 0d55a01f..dc02f54a 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -9,6 +9,8 @@ with import ../../lib/pure.nix { inherit lib; };
 krebs.announce-activation.enable = true;
 krebs.enable = true;
 krebs.tinc.retiolum.enable = mkDefault true;
+ networking.firewall.allowedTCPPorts = [ 655 ];
+ networking.firewall.allowedUDPPorts = [ 655 ];

 # trust krebs ACME CA
 krebs.ssl.trustIntermediate = true;
-- cgit v1.2.3
From 75374a27f903538601a124e1b99c53815bb6c4a6 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 12 Dec 2023 13:22:20 +0100
Subject: default: add more retiolum options
---
 krebs/2configs/default.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'krebs/2configs')
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index dc02f54a..5d64555c 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -8,7 +8,15 @@ with import ../../lib/pure.nix { inherit lib; };
 ];
 krebs.announce-activation.enable = true;
 krebs.enable = true;
- krebs.tinc.retiolum.enable = mkDefault true;
+
+ # retiolum
+ krebs.tinc.retiolum = {
+ enable = mkDefault true;
+ extraConfig = ''
+ AutoConnect = yes
+ LocalDiscovery = yes
+ '';
+ };
 networking.firewall.allowedTCPPorts = [ 655 ];
 networking.firewall.allowedUDPPorts = [ 655 ];

-- cgit v1.2.3
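Review bot: Switching `package` to `pkgs.postgresql_16` silently moves the cluster, because the `dataDir` line two above interpolates `config.services.postgresql.package.psqlSchema`; the service will come up on an empty `/var/state/postgresql/16` instead of the existing 11 data, and nothing in this commit migrates the Mastodon database. If the migration was done out of band (pg_upgrade or dump/restore), a comment on the `package` line recording it, e.g. `# 11 -> 16 migrated with pg_upgrade on <DATE-PLACEHOLDER>; old cluster left under /var/state/postgresql/11`, would save the next reader the same worry. The `services.postgresql` block is complete in this hunk; the rest of the module continues outside it.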
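Review bot: The two new `networking.firewall.allowed*Ports = [ 655 ];` lines are unconditional, while the line directly above sets `krebs.tinc.retiolum.enable = mkDefault true`, so a host that overrides retiolum to false still opens 655/tcp and 655/udp to the world. Tying them to the option, `networking.firewall.allowedTCPPorts = mkIf config.krebs.tinc.retiolum.enable [ 655 ];` (and the same for UDP), keeps the firewall in step with the service, assuming `mkIf` is in scope the way `mkDefault` is. The same unconditional lines survive as context in the following hunk (`default: add more retiolum options`), so the fix applies there as well.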
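Review bot: `enable` keeps the overridable `mkDefault true`, but the new `extraConfig` is a plain string, so a host that should not run `LocalDiscovery = yes` (tinc then sends peer-discovery broadcasts on whatever local network it sits on) has to `mkForce` the whole string instead of flipping one setting. Writing it as `extraConfig = mkDefault '' … '';` keeps the same fleet-wide default while letting a per-host config replace it cleanly. A one-line comment on why AutoConnect and LocalDiscovery are wanted everywhere would also help, since `# retiolum` only names the section.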
From d165a0871caadf7686f5ca56a54ea0e95b2698eb Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 12 Dec 2023 14:13:22 +0100
Subject: mastodon-proxy: add acmeFallbackHost
---
 krebs/2configs/mastodon-proxy.nix | 1 +
 1 file changed, 1 insertion(+)
(limited to 'krebs/2configs')
diff --git a/krebs/2configs/mastodon-proxy.nix b/krebs/2configs/mastodon-proxy.nix
index 4d359c3f..35bf6020 100644
--- a/krebs/2configs/mastodon-proxy.nix
+++ b/krebs/2configs/mastodon-proxy.nix
@@ -5,6 +5,7 @@
 virtualHosts."social.krebsco.de" = {
 forceSSL = true;
 enableACME = true;
+ acmeFallbackHost = "hotdog.r";
 locations."/" = {
 # TODO use this in 22.11
 # recommendedProxySettings = true;
-- cgit v1.2.3
From 25d035de777df95cd0c809e647d942a75d5a4906 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 12 Dec 2023 16:43:46 +0100
Subject: hotdog: add nginx config for acme in container
---
 krebs/2configs/nginx.nix | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 krebs/2configs/nginx.nix
(limited to 'krebs/2configs')
diff --git a/krebs/2configs/nginx.nix b/krebs/2configs/nginx.nix
new file mode 100644
index 00000000..812093a7
--- /dev/null
+++ b/krebs/2configs/nginx.nix
@@ -0,0 +1,24 @@
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "spam@krebsco.de";
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+
+ enableReload = true;
+
+ virtualHosts.default = {
+ default = true;
+ locations."= /etc/os-release".extraConfig = ''
+ default_type text/plain;
+ alias /etc/os-release;
+ '';
+ # needed for acmeFallback in sync-containers, or other machines not reachable globally
+ locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
+ };
+ };
+}
-- cgit v1.2.3
From 04f538164ce11ce977a851b6de2a9d2c5f7a9adb Mon Sep 17 00:00:00 2001
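Review bot: `acmeFallbackHost = "hotdog.r";` makes this proxy forward ACME challenges it cannot answer locally to hotdog, but nothing in the hunk says why a vhost that already has `enableACME = true` needs a fallback at all. The reason only appears two commits later (hotdog serves `/var/lib/acme/acme-challenge` on its default vhost so the container can obtain its own certificate for this name), so a comment on the new line, `# forward ACME challenges we don't hold to the container, which issues its own cert for this name`, keeps that context next to the option. As far as I recall the nginx module proxies the fallback to the named host over plain http; that is fine on a retiolum-internal hop but worth stating. The `virtualHosts."social.krebsco.de"` block continues below the hunk.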
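Review bot: The `locations."~ ^/.well-known/acme-challenge/"` regex leaves the dot unescaped, so it also matches paths such as `/xwell-known/acme-challenge/`; a prefix location, `locations."/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";`, says the same thing without a regex and, as far as I recall, mirrors what the nginx module itself generates for `enableACME`. The identical line is added to reaktor2.nix in the last hunk of this series, so the same change applies there. Separately, the default vhost serves the host's `/etc/os-release` to any client that reaches port 80 (nothing in this file enables TLS, although 443 is opened alongside it); if that disclosure is deliberate, a one-line comment saying so above the location would stop the next reviewer flagging it.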
From: lassulus
Date: Tue, 12 Dec 2023 19:12:20 +0100
Subject: fix ssl cert for social.krebsco.de
---
 krebs/2configs/mastodon-proxy.nix | 12 ++----------
 krebs/2configs/mastodon.nix | 11 ++---------
 krebs/2configs/reaktor2.nix | 2 ++
 3 files changed, 6 insertions(+), 19 deletions(-)
(limited to 'krebs/2configs')
diff --git a/krebs/2configs/mastodon-proxy.nix b/krebs/2configs/mastodon-proxy.nix
index 35bf6020..b579a503 100644
--- a/krebs/2configs/mastodon-proxy.nix
+++ b/krebs/2configs/mastodon-proxy.nix
@@ -8,17 +8,9 @@
 acmeFallbackHost = "hotdog.r";
 locations."/" = {
 # TODO use this in 22.11
- # recommendedProxySettings = true;
- proxyPass = "http://hotdog.r";
+ recommendedProxySettings = true;
+ proxyPass = "https://hotdog.r";
 proxyWebsockets = true;
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- '';
 };
 };
 };
diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix
index ab400955..ebc4207a 100644
--- a/krebs/2configs/mastodon.nix
+++ b/krebs/2configs/mastodon.nix
@@ -19,18 +19,11 @@
 smtp.fromAddress = "derp";
 };

- services.nginx.virtualHosts.${config.services.mastodon.localDomain} = {
- forceSSL = lib.mkForce false;
- enableACME = lib.mkForce false;
- locations."@proxy".extraConfig = ''
- proxy_redirect off;
- proxy_pass_header Server;
- proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
- '';
- };
+ security.acme.certs."social.krebsco.de".server = "https://acme-staging-v02.api.letsencrypt.org/directory";

 networking.firewall.allowedTCPPorts = [
 80
+ 443
 ];

 environment.systemPackages = [
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index db7b794f..e8482765 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
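Review bot: The context line `# TODO use this in 22.11` directly above the new `recommendedProxySettings = true;` is now stale and should be removed in the same change. Also, pointing `proxyPass` at `https://hotdog.r` encrypts the hop but does not authenticate it: nginx's `proxy_ssl_verify` is off by default, so hotdog's certificate is never checked. If that is the intended trade-off (the link presumably stays inside retiolum), a comment such as `# upstream TLS is not verified; the hop is retiolum-internal` records it; if verification is wanted, `proxy_ssl_verify on;` plus `proxy_ssl_trusted_certificate` in the location's `extraConfig` is where it goes. The enclosing `virtualHosts."social.krebsco.de"` block starts above the hunk.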
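Review bot: `security.acme.certs."social.krebsco.de".server` now points at Let's Encrypt's staging directory, which issues certificates chained to a test root that no client trusts; this only works because the prism proxy in the previous hunk does not verify its upstream, and none of that is visible from this file. A comment on the line, e.g. `# staging on purpose: this cert is only ever seen by the proxy on prism, which holds the public cert`, would stop someone "fixing" it to production or, worse, reusing this config on a host that is reachable directly. With the `forceSSL`/`enableACME` `mkForce false` overrides removed and 443 opened just below, the container now does answer TLS directly with that staging cert, so the arrangement relies on the firewall in front of it rather than on the certificate.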
@@ -526,6 +526,8 @@ in {
 add_header 'Access-Control-Allow-Origin' '*';
 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
 '';
+ # needed for acmeFallback in sync-containers, or other machines not reachable globally
+ locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
 };

 services.nginx.virtualHosts."bedge.r" = {
-- cgit v1.2.3