From f047111de7641f6b16bf34c599bbfe2a38bddc62 Mon Sep 17 00:00:00 2001 From: Jake Hillion Date: Sat, 25 Nov 2023 16:35:10 +0000 Subject: [PATCH] www/global: migrate vm.strangervm->jorah --- hosts/jorah.cx.ts.hillion.co.uk/default.nix | 6 + .../default.nix | 7 +- modules/services/mastodon/default.nix | 74 ++++++++++--- modules/services/matrix.nix | 16 ++- modules/www/global.nix | 103 ++++++------------ modules/www/www-repo.nix | 6 +- 6 files changed, 120 insertions(+), 92 deletions(-) diff --git a/hosts/jorah.cx.ts.hillion.co.uk/default.nix b/hosts/jorah.cx.ts.hillion.co.uk/default.nix index 3d75641..c68d521 100644 --- a/hosts/jorah.cx.ts.hillion.co.uk/default.nix +++ b/hosts/jorah.cx.ts.hillion.co.uk/default.nix @@ -22,6 +22,7 @@ custom = { locations.autoServe = true; services.version_tracker.enable = true; + www.global.enable = true; }; ## Filesystems @@ -52,8 +53,11 @@ interfaces = { enp5s0 = { allowedTCPPorts = lib.mkForce [ + 80 # HTTP 1-2 + 443 # HTTPS 1-2 ]; allowedUDPPorts = lib.mkForce [ + 443 # HTTP 3 ]; }; }; @@ -64,6 +68,8 @@ custom.tailscale = { enable = true; preAuthKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path; + ipv4Addr = "100.96.143.138"; + ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a"; }; }; } diff --git a/hosts/vm.strangervm.ts.hillion.co.uk/default.nix b/hosts/vm.strangervm.ts.hillion.co.uk/default.nix index e3c5e39..85fa509 100644 --- a/hosts/vm.strangervm.ts.hillion.co.uk/default.nix +++ b/hosts/vm.strangervm.ts.hillion.co.uk/default.nix @@ -21,7 +21,6 @@ ## Custom Services custom = { locations.autoServe = true; - www.global.enable = true; services.matrix.enable = true; }; @@ -37,6 +36,10 @@ 22 # SSH ]; allowedUDPPorts = lib.mkForce [ ]; + trustedInterfaces = lib.mkForce [ + "lo" + "tailscale0" + ]; interfaces = { ens18 = { allowedTCPPorts = lib.mkForce [ 
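Review bot: `trustedInterfaces = lib.mkForce [ "lo" "tailscale0" ]` in the strangervm firewall hunk switches the packet filter off for every port on the host, not only the ones the migration needs, so any tailnet peer can now reach whatever listens on tailscale0 (the Synapse listener that matrix.nix binds to the tailnet addresses and the drone upstream on 18733 that global.nix proxies to are the two visible in this patch). The narrower form is to leave tailscale0 untrusted and allow just those ports, e.g. `interfaces.tailscale0.allowedTCPPorts = [ 8008 18733 ];` next to the existing `ens18` entry. If full trust of the tailnet is the intended model, a one-line comment saying so would stop the next reader from tightening it by accident. The enclosing `networking.firewall` attrset starts before this hunk.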
@@ -55,6 +58,8 @@ custom.tailscale = { enable = true; preAuthKeyFile = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path; + ipv4Addr = "100.110.89.111"; + ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:626e:596f"; }; ## Resilio Sync (Encrypted) diff --git a/modules/services/mastodon/default.nix b/modules/services/mastodon/default.nix index 7415fc0..1d2147f 100644 --- a/modules/services/mastodon/default.nix +++ b/modules/services/mastodon/default.nix 
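Review bot: The `ipv4Addr`/`ipv6Addr` values in the strangervm tailscale hunk are static copies of the node's current tailnet addresses, and matrix.nix in this same patch feeds them into Synapse's `bind_addresses`, so if the node is ever re-registered and receives a new address Synapse would presumably fail to bind rather than quietly listen somewhere else. A short comment at the place the values are maintained, such as `# Static tailnet addresses; Synapse binds to these (modules/services/matrix.nix), update if the node is re-registered`, would make that coupling visible. The `custom.tailscale` attrset is complete within the hunk, but the host file continues past it.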
@@ -32,26 +32,68 @@ in }; }; - services.mastodon = { - enable = true; - localDomain = "social.hillion.co.uk"; + services = { + mastodon = { + enable = true; + localDomain = "social.hillion.co.uk"; - vapidPublicKeyFile = builtins.path { path = ./vapid_public_key; }; - otpSecretFile = config.age.secrets."mastodon/otp_secret_file".path; - secretKeyBaseFile = config.age.secrets."mastodon/secret_key_base".path; - vapidPrivateKeyFile = config.age.secrets."mastodon/vapid_private_key".path; + vapidPublicKeyFile = builtins.path { path = ./vapid_public_key; }; + otpSecretFile = config.age.secrets."mastodon/otp_secret_file".path; + secretKeyBaseFile = config.age.secrets."mastodon/secret_key_base".path; + vapidPrivateKeyFile = config.age.secrets."mastodon/vapid_private_key".path; - smtp = { - user = "mastodon@social.hillion.co.uk"; - port = 587; - passwordFile = config.age.secrets."mastodon/mastodon_at_social.hillion.co.uk".path; - host = "smtp.eu.mailgun.org"; - fromAddress = "mastodon@social.hillion.co.uk"; - authenticate = true; + smtp = { + user = "mastodon@social.hillion.co.uk"; + port = 587; + passwordFile = config.age.secrets."mastodon/mastodon_at_social.hillion.co.uk".path; + host = "smtp.eu.mailgun.org"; + fromAddress = "mastodon@social.hillion.co.uk"; + authenticate = true; + }; + + extraConfig = { + EMAIL_DOMAIN_WHITELIST = "hillion.co.uk"; + }; }; - extraConfig = { - EMAIL_DOMAIN_WHITELIST = "hillion.co.uk"; + caddy = { + enable = true; + + virtualHosts."social.hillion.co.uk".extraConfig = '' + handle_path /system/* { + file_server * { + root /var/lib/mastodon/public-system + } + } + + handle /api/v1/streaming/* { + reverse_proxy unix//run/mastodon-streaming/streaming.socket + } + + route * { + file_server * { + root ${pkgs.mastodon}/public + pass_thru + } + reverse_proxy * unix//run/mastodon-web/web.socket + } + + handle_errors { + root * ${pkgs.mastodon}/public + rewrite 500.html + file_server + } + + encode gzip + + header /* { + Strict-Transport-Security 
"max-age=31536000;" + } + header /emoji/* Cache-Control "public, max-age=31536000, immutable" + header /packs/* Cache-Control "public, max-age=31536000, immutable" + header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable" + header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable" + ''; }; }; }; diff --git a/modules/services/matrix.nix b/modules/services/matrix.nix index 3c24ac7..703a8f5 100644 --- a/modules/services/matrix.nix +++ b/modules/services/matrix.nix @@ -74,7 +74,11 @@ in tls = false; type = "http"; x_forwarded = true; - bind_addresses = [ "::1" ]; + bind_addresses = [ + "::1" + config.custom.tailscale.ipv4Addr + config.custom.tailscale.ipv6Addr + ]; resources = [ { names = [ "client" "federation" ]; @@ -117,10 +121,12 @@ in }; }; - systemd.services.heisenbridge = lib.mkIf cfg.heisenbridge { - serviceConfig = { - Restart = "on-failure"; - RestartSec = 15; + systemd.services = { + heisenbridge = lib.mkIf cfg.heisenbridge { + serviceConfig = { + Restart = "on-failure"; + RestartSec = 15; + }; }; }; }; diff --git a/modules/www/global.nix b/modules/www/global.nix index a7e11fb..7dbc0d8 100644 --- a/modules/www/global.nix +++ b/modules/www/global.nix 
@@ -10,82 +10,51 @@ in }; config = lib.mkIf cfg.enable { + custom.www.www-repo.enable = true; + users.users.caddy.extraGroups = [ "mastodon" ]; services.caddy = { enable = true; - virtualHosts."hillion.co.uk".extraConfig = '' - handle /.well-known/* { - respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200 - respond 404 - } - - handle { - redir https://blog.hillion.co.uk{uri} - } - ''; - virtualHosts."blog.hillion.co.uk".extraConfig = '' - root * /var/www/blog.hillion.co.uk - file_server - ''; - virtualHosts."gitea.hillion.co.uk".extraConfig = '' - reverse_proxy http://gitea.gitea.ts.hillion.co.uk:3000 - ''; - virtualHosts."homeassistant.hillion.co.uk".extraConfig = '' - reverse_proxy http://homeassistant.homeassistant.ts.hillion.co.uk:8123 - ''; - virtualHosts."emby.hillion.co.uk".extraConfig = '' - reverse_proxy http://plex.mediaserver.ts.hillion.co.uk:8096 - ''; - virtualHosts."matrix.hillion.co.uk".extraConfig = '' - reverse_proxy http://${locations.services.matrix}:8008 - ''; - virtualHosts."unifi.hillion.co.uk".extraConfig = '' - reverse_proxy https://unifi.unifi.ts.hillion.co.uk:8443 { - transport http { - tls_insecure_skip_verify + virtualHosts = { + "hillion.co.uk".extraConfig = '' + handle /.well-known/* { + respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200 + respond 404 } - } - ''; - virtualHosts."drone.hillion.co.uk".extraConfig = '' - reverse_proxy http://vm.strangervm.ts.hillion.co.uk:18733 - ''; - virtualHosts."social.hillion.co.uk".extraConfig = '' - handle_path /system/* { - file_server * { - root /var/lib/mastodon/public-system - } - } - handle /api/v1/streaming/* { - reverse_proxy unix//run/mastodon-streaming/streaming.socket - } - - route * { - file_server * { - root ${pkgs.mastodon}/public - pass_thru + handle { + redir https://blog.hillion.co.uk{uri} } - reverse_proxy * unix//run/mastodon-web/web.socket - } - - handle_errors { - root * ${pkgs.mastodon}/public - rewrite 
500.html + ''; + "blog.hillion.co.uk".extraConfig = '' + root * /var/www/blog.hillion.co.uk file_server - } - - encode gzip - - header /* { - Strict-Transport-Security "max-age=31536000;" - } - header /emoji/* Cache-Control "public, max-age=31536000, immutable" - header /packs/* Cache-Control "public, max-age=31536000, immutable" - header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable" - header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable" - ''; + ''; + "gitea.hillion.co.uk".extraConfig = '' + reverse_proxy http://gitea.gitea.ts.hillion.co.uk:3000 + ''; + "homeassistant.hillion.co.uk".extraConfig = '' + reverse_proxy http://homeassistant.homeassistant.ts.hillion.co.uk:8123 + ''; + "emby.hillion.co.uk".extraConfig = '' + reverse_proxy http://plex.mediaserver.ts.hillion.co.uk:8096 + ''; + "matrix.hillion.co.uk".extraConfig = '' + reverse_proxy http://${locations.services.matrix}:8008 + ''; + "unifi.hillion.co.uk".extraConfig = '' + reverse_proxy https://unifi.unifi.ts.hillion.co.uk:8443 { + transport http { + tls_insecure_skip_verify + } + } + ''; + "drone.hillion.co.uk".extraConfig = '' + reverse_proxy http://vm.strangervm.ts.hillion.co.uk:18733 + ''; + }; }; }; } diff --git a/modules/www/www-repo.nix b/modules/www/www-repo.nix index 011ffe3..ea16c54 100644 --- a/modules/www/www-repo.nix +++ b/modules/www/www-repo.nix @@ -53,10 +53,10 @@ in }; script = '' - if [ ! -d "${cfg.path}/.git" ] ; then - ${pkgs.git}/bin/git clone ${cfg.remote} ${cfg.path} + if [ ! -d "${cfg.location}/.git" ] ; then + ${pkgs.git}/bin/git clone ${cfg.remote} ${cfg.location} else - cd ${cfg.path} + cd ${cfg.location} ${pkgs.git} remote set-url origin ${cfg.remote} ${pkgs.git}/bin/git fetch ${pkgs.git}/bin/git reset --hard origin/${cfg.branch}
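Review bot: `"drone.hillion.co.uk"` still proxies to the literal `vm.strangervm.ts.hillion.co.uk:18733`, while `"matrix.hillion.co.uk"` resolves its upstream through `${locations.services.matrix}`; now that this module runs on jorah rather than on strangervm itself, that hostname is a cross-host dependency the migration leaves hard-coded and that the next host move will miss. Routing it through the same `locations.services` lookup used for matrix, if an entry for drone exists there, would keep the two consistent; otherwise a comment naming the host the upstream lives on would help. The `users.users.caddy.extraGroups = [ "mastodon" ]` line added at the top grants the caddy user Mastodon's group on every `www.global` host even though nothing in this module serves Mastodon any more, so it is worth confirming it is still needed here. The enclosing `config = lib.mkIf cfg.enable` attrset closes within the hunk but opens before it.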