commit f30972fe71a56873336d7ae84706fd4e611450b8
parent 2fd4dbe78b0e178b1264c55bd1d8a7338db4224f
Author: Katja (ctucx) <git@ctu.cx>
Date: Tue, 3 Dec 2024 08:02:10 +0100
parent 2fd4dbe78b0e178b1264c55bd1d8a7338db4224f
Author: Katja (ctucx) <git@ctu.cx>
Date: Tue, 3 Dec 2024 08:02:10 +0100
machines/trabbi: move `fedi` to `hector`
11 files changed, 179 insertions(+), 172 deletions(-)
A
|
146
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
D
|
146
-------------------------------------------------------------------------------
diff --git a/machines/hector/default.nix b/machines/hector/default.nix
@@ -21,6 +21,9 @@
 # git server (gitolite+stagit)
 ./git.nix
+ # communication
+ ./fedi
+ ./syncthing.nix
 ./websites
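Review bot: The added `./syncthing.nix` import is unrelated to the `fedi` move that the commit title describes, and no syncthing change appears anywhere else in this diff. If this is the first time syncthing is enabled on hector it deserves its own commit, or at least a line in the message; if it was already imported elsewhere the line is redundant and should be dropped. The imports list continues outside the hunk.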
diff --git a/machines/hector/fedi/gotosocial.nix b/machines/hector/fedi/gotosocial.nix 
@@ -0,0 +1,146 @@
+{ pkgs, lib, config, ... }:
+
+let
+ gotosocial = pkgs.callPackage ../../../pkgs/gotosocial {};
+
+in {
+
+ dns.zones."ctu.cx".subdomains."fedi".CNAME = [ "${config.networking.fqdn}." ];
+
+ age.secrets = {
+ restic-gotosocial.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/gotosocial.age";
+ gotosocial-env.file = ./. + "/../../../secrets/${config.networking.hostName}/gotosocial-env.age";
+ };
+
+ systemd.services.restic-backup-gotosocial.serviceConfig.ReadWritePaths = [ "/var/lib/gotosocial" ];
+
+ restic-backups.gotosocial = {
+ user = "gotosocial";
+ passwordFile = config.age.secrets.restic-gotosocial.path;
+ sqliteDatabases = [ "/var/lib/gotosocial/db.sqlite" ];
+ paths = [ "/var/lib/gotosocial/storage" "/var/lib/gotosocial/backup.json" ];
+ runBeforeBackup = ''
+ ${gotosocial}/bin/gotosocial --config-path /etc/gotosocial.yaml admin export --path /var/lib/gotosocial/backup.json
+ '';
+ };
+
+
+ systemd.services.gotosocial.serviceConfig.Group = lib.mkForce config.services.nginx.group;
+
+ services.gotosocial = {
+ enable = true;
+ package = gotosocial;
+ group = "nginx";
+ environmentFile = config.age.secrets.gotosocial-env.path;
+ settings = {
+ application-name = "ctucx.fedi";
+
+ host = "fedi.ctu.cx";
+ account-domain = "ctu.cx";
+ protocol = "https";
+
+ bind-address = "[::1]";
+ port = 8085;
+
+ trusted-proxies = [ "::1/128" "172.17.0.0/24" ];
+
+ db-type = "sqlite";
+ db-address = "/var/lib/gotosocial/db.sqlite";
+
+ accounts-allow-custom-css = true;
+ accounts-registration-open = false;
+
+ instance-expose-peers = true;
+ instance-expose-suspended = true;
+ instance-expose-suspended-web = true;
+
+ instance-languages = [ "de" "en-us" ];
+
+ storage-backend = "local";
+ storage-local-base-path = "/var/lib/gotosocial/storage";
+
+ media-local-max-size = "50MiB";
+ media-remote-max-size = "50MiB";
+
+ media-remote-cache-days = 3;
+ media-cleanup-from = "01:00";
+
+
+ smtp-host = "hector.ctu.cx";
+ smtp-port = 587;
+ smtp-username = "gts@ctu.cx";
+ smtp-from = "gts@ctu.cx";
+ };
+ };
+
+ services.nginx.appendHttpConfig = ''
+ proxy_cache_path /var/cache/nginx keys_zone=gotosocial_ap_public_responses:10m inactive=1w;
+ '';
+
+ # services.nginx.virtualHosts."ctu.cx" = {
+ # enableACME = true;
+ # forceSSL = true;
+ # kTLS = true;
+ # locations."/.well-known/host-meta".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
+ # locations."/.well-known/webfinger".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
+ # locations."/.well-known/nodeinfo".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
+ # };
+
+ services.nginx.virtualHosts."fedi.ctu.cx" = {
+ enableACME = true;
+ forceSSL = true;
+ kTLS = true;
+ extraConfig = ''
+ if ($http_user_agent ~* (mnemo.social)) {
+ return 403;
+ }
+ '';
+ locations = {
+ "= /".return = "307 /@katja";
+
+ "/" = {
+ proxyPass = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ client_max_body_size 50M;
+ '';
+ };
+
+ "~ /.well-known/(webfinger|host-meta)$" = {
+ proxyPass = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
+ extraConfig = ''
+ proxy_cache gotosocial_ap_public_responses;
+ proxy_cache_background_update on;
+ proxy_cache_key $scheme://$host$uri$is_args$query_string;
+ proxy_cache_valid 200 10m;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
+ proxy_cache_lock on;
+ add_header X-Cache-Status $upstream_cache_status;
+ '';
+ };
+
+ "~ ^\/users\/(?:[a-z0-9_\.]+)\/main-key$" = {
+ proxyPass = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
+ extraConfig = ''
+ proxy_cache gotosocial_ap_public_responses;
+ proxy_cache_background_update on;
+ proxy_cache_key $scheme://$host$uri;
+ proxy_cache_valid 200 604800s;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
+ proxy_cache_lock on;
+
+ add_header X-Cache-Status $upstream_cache_status;
+ '';
+ };
+
+ "/assets/".extraConfig = ''
+ alias ${config.services.gotosocial.package}/share/web/assets/;
+ autoindex off;
+ expires max;
+ add_header Cache-Control "public, immutable";
+ '';
+ };
+
+ };
+
+}
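Review bot: The `trusted-proxies = [ "::1/128" "172.17.0.0/24" ]` entry in `services.gotosocial.settings` was carried over from trabbi unchanged (only `smtp-host` was adapted), while the only proxy this module configures reaches gotosocial over `[::1]`. GoToSocial consults this list to decide whose `X-Forwarded-For` it believes for client-IP attribution and rate limiting, so unless something on hector really fronts the service from 172.17.0.0/24 the range should go — `trusted-proxies = [ "::1/128" ];` — or be explained by a comment naming what on hector lives there. The commented-out `services.nginx.virtualHosts."ctu.cx"` block further down is dead code now that those redirects live in `machines/trabbi/websites/ctu.cx.nix`; delete it or replace it with a one-line comment pointing at that file. The other host-specific values copied verbatim (`proxy_cache_path /var/cache/nginx`, the `/var/lib/gotosocial` paths) deserve a second look on the new host, though nothing in the diff shows them conflicting.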
diff --git a/machines/trabbi/default.nix b/machines/trabbi/default.nix
@@ -9,7 +9,6 @@
 ./hardware-configuration.nix
 # communication
- ./fedi
 ./matrix
 ./mail
diff --git a/machines/trabbi/fedi/gotosocial.nix b/machines/trabbi/fedi/gotosocial.nix 
@@ -1,146 +0,0 @@
-{ pkgs, lib, config, ... }:
-
-let
- gotosocial = pkgs.callPackage ../../../pkgs/gotosocial {};
-
-in {
-
- dns.zones."ctu.cx".subdomains."fedi".CNAME = [ "${config.networking.fqdn}." ];
-
- age.secrets = {
- restic-gotosocial.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/gotosocial.age";
- gotosocial-env.file = ./. + "/../../../secrets/${config.networking.hostName}/gotosocial-env.age";
- };
-
- systemd.services.restic-backup-gotosocial.serviceConfig.ReadWritePaths = [ "/var/lib/gotosocial" ];
-
- restic-backups.gotosocial = {
- user = "gotosocial";
- passwordFile = config.age.secrets.restic-gotosocial.path;
- sqliteDatabases = [ "/var/lib/gotosocial/db.sqlite" ];
- paths = [ "/var/lib/gotosocial/storage" "/var/lib/gotosocial/backup.json" ];
- runBeforeBackup = ''
- ${gotosocial}/bin/gotosocial --config-path /etc/gotosocial.yaml admin export --path /var/lib/gotosocial/backup.json
- '';
- };
-
-
- systemd.services.gotosocial.serviceConfig.Group = lib.mkForce config.services.nginx.group;
-
- services.gotosocial = {
- enable = true;
- package = gotosocial;
- group = "nginx";
- environmentFile = config.age.secrets.gotosocial-env.path;
- settings = {
- application-name = "ctucx.fedi";
-
- host = "fedi.ctu.cx";
- account-domain = "ctu.cx";
- protocol = "https";
-
- bind-address = "[::1]";
- port = 8085;
-
- trusted-proxies = [ "::1/128" "172.17.0.0/24" ];
-
- db-type = "sqlite";
- db-address = "/var/lib/gotosocial/db.sqlite";
-
- accounts-allow-custom-css = true;
- accounts-registration-open = false;
-
- instance-expose-peers = true;
- instance-expose-suspended = true;
- instance-expose-suspended-web = true;
-
- instance-languages = [ "de" "en-us" ];
-
- storage-backend = "local";
- storage-local-base-path = "/var/lib/gotosocial/storage";
-
- media-local-max-size = "50MiB";
- media-remote-max-size = "50MiB";
-
- media-remote-cache-days = 3;
- media-cleanup-from = "01:00";
-
-
- smtp-host = "trabbi.ctu.cx";
- smtp-port = 587;
- smtp-username = "gts@ctu.cx";
- smtp-from = "gts@ctu.cx";
- };
- };
-
- services.nginx.appendHttpConfig = ''
- proxy_cache_path /var/cache/nginx keys_zone=gotosocial_ap_public_responses:10m inactive=1w;
- '';
-
- services.nginx.virtualHosts."ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- locations."/.well-known/host-meta".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
- locations."/.well-known/webfinger".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
- locations."/.well-known/nodeinfo".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
- };
-
- services.nginx.virtualHosts."fedi.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- extraConfig = ''
- if ($http_user_agent ~* (mnemo.social)) {
- return 403;
- }
- '';
- locations = {
- "= /".return = "307 /@katja";
-
- "/" = {
- proxyPass = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
- proxyWebsockets = true;
- extraConfig = ''
- client_max_body_size 50M;
- '';
- };
-
- "~ /.well-known/(webfinger|host-meta)$" = {
- proxyPass = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
- extraConfig = ''
- proxy_cache gotosocial_ap_public_responses;
- proxy_cache_background_update on;
- proxy_cache_key $scheme://$host$uri$is_args$query_string;
- proxy_cache_valid 200 10m;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
- proxy_cache_lock on;
- add_header X-Cache-Status $upstream_cache_status;
- '';
- };
-
- "~ ^\/users\/(?:[a-z0-9_\.]+)\/main-key$" = {
- proxyPass = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
- extraConfig = ''
- proxy_cache gotosocial_ap_public_responses;
- proxy_cache_background_update on;
- proxy_cache_key $scheme://$host$uri;
- proxy_cache_valid 200 604800s;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
- proxy_cache_lock on;
-
- add_header X-Cache-Status $upstream_cache_status;
- '';
- };
-
- "/assets/".extraConfig = ''
- alias ${config.services.gotosocial.package}/share/web/assets/;
- autoindex off;
- expires max;
- add_header Cache-Control "public, immutable";
- '';
- };
-
- };
-
-}
diff --git a/machines/trabbi/websites/ctu.cx.nix b/machines/trabbi/websites/ctu.cx.nix
@@ -14,7 +14,10 @@
 locations = {
 "/netzabdeckung.html".return = "307 https://wifionic.de/";
 "/bikemap".return = "307 https://bikemap.ctu.cx/";
- };
+ "/.well-known/host-meta".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
+ "/.well-known/webfinger".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
+ "/.well-known/nodeinfo".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
+ };
 };
 };
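Review bot: The three `/.well-known/*` redirects added here are what keeps `account-domain = "ctu.cx"` resolvable for the gotosocial instance that now runs on a different machine (hector), but nothing in this file records that cross-host dependency. A short comment above `"/.well-known/host-meta"` would spare the next maintainer the search, e.g. `# gotosocial (machines/hector/fedi) uses ctu.cx as account-domain; webfinger/host-meta/nodeinfo must keep redirecting to the instance host`. Using `$request_uri` is right here, since it carries the `?resource=` query that webfinger lookups depend on. The enclosing virtualHost block starts before the hunk.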
diff --git a/secrets/hector/gotosocial-env.age b/secrets/hector/gotosocial-env.age @@ -0,0 +1,11 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMXN4T3Nwd0hDcTI5ZlBk +YldtMmVScng3V3lIZGxxQmdxbUxDaEJKTGtjCnA1OWNJOE9JU1BuSGVubEdjam1O +TjI4bWFaOEg2UFM5VXJrR3lVazlvMUUKLT4gc3NoLWVkMjU1MTkgeWFMSFNRIDNS +dXdyazVUbTJjRlR1Q2Z4V2R3WUtGRXBCZW1Ic3pNRGIxWk4xTU1MeDQKbW93Y2pK +QjIyQjh1YnJ2MktIVU5lTW5xSGw0aXZ3dGpXMk9kdVZna2k5MAotPiBHcD1qRGpm +LWdyZWFzZSBLXGkgaGpbVQpJWnlGVnIvRlpTRDgKLS0tIDVadE8wVVhIWjZPMGFr +VUJ1Z0Q5bWdUQ3JsZ21DRTBNWXNINm0yTytxQkUKVNDBP89fGael4QpbLouXSZzu +aWW35KYyYwCS5v3Hb+MbsIbrjjSEWZA5K3aN/zXWg0ENWesKt0z6qxUcgHD32vAy +W6A1 +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/hector/restic/gotosocial.age b/secrets/hector/restic/gotosocial.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VVFpaUQxWUpVU0crNCtk +eHRySVljTGtWSW81SDAyNUphVDl0d3N5NEJVCnZlTDl4V3FKYllPRjRXdUJsMndz +aTdnUXJGTWp0aERVeHdKTGFYVFkwOVEKLT4gc3NoLWVkMjU1MTkgeWFMSFNRIHlL +bXZHS3N2UjlSV3BFUzA0eklEcWl4QVpWb0tzenZQajQvdnMyL1VGZ00Ka2F6UVhn +c0hsb2tKZCtUbzM5aHZNRkh5RWpINzY1SmJWQzJDUHdLY09zQQotPiBLLS4nLWdy +ZWFzZSBaL3gtIEcoKE5OPyB4Ii9EUCZ7IiB7TlF8QyMydQpPcUdZMFFpSEkrZ0hj +TjZ6WGVMVDcvVGVBR29DK01GdUNBVHJaalBDazJHSW11OTZ0cmRabC9YNEpOVkQ4 +czVlCkxQWGs1V0tFVmxTeTNUNDF4cUJaaHdGaExSNDlSYkkKLS0tIGV2THVLQ1E0 +TWNVb0o5WVpobm1IUUh3ZWdxVzcrTG1MNzNSeCtxUm1iejgK4WSlQEbu27/G0zzN +Cz+hoZ2CfKxQ9WwKb6P7ctNCYs4GmtnhYeEa9zQfzeeeARB1/bZdJ+keyal1nnkA +hxCTlKU= +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -69,10 +69,8 @@ in {
 "trabbi/restic/mail.age".publicKeys = [ main-key trabbi ];
 "trabbi/restic/matrix-synapse.age".publicKeys = [ main-key trabbi ];
- "trabbi/restic/gotosocial.age".publicKeys = [ main-key trabbi ];
 "trabbi/travelynx2fedi-env.age".publicKeys = [ main-key trabbi ];
- "trabbi/gotosocial-env.age".publicKeys = [ main-key trabbi ];
 "trabbi/matrix-synapse/registration_shared_secret.age".publicKeys = [ main-key trabbi ];
 "trabbi/matrix-synapse/sliding-sync-env.age".publicKeys = [ main-key trabbi ];
@@ -92,12 +90,14 @@ in {
 "hector/restic/vaultwarden.age".publicKeys = [ main-key hector ];
 "hector/restic/ctucx-things.age".publicKeys = [ main-key hector ];
 "hector/restic/gitolite.age".publicKeys = [ main-key hector ];
+ "hector/restic/gotosocial.age".publicKeys = [ main-key hector ];
 "hector/syncthing/key.age".publicKeys = [ main-key hector ];
 "hector/syncthing/cert.age".publicKeys = [ main-key hector ];
 "hector/radicale-users.age".publicKeys = [ main-key hector ];
 "hector/vaultwarden-secrets.age".publicKeys = [ main-key hector ];
+ "hector/gotosocial-env.age".publicKeys = [ main-key hector ];
 "wanderduene/wireguard-privkey.age".publicKeys = [ main-key wanderduene ];
diff --git a/secrets/trabbi/gotosocial-env.age b/secrets/trabbi/gotosocial-env.age @@ -1,11 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TUlLVFMwSzNmL0dNWGxO -dGE5dkV6YnozekVYWjZVcnZVRlM0Wk50MERVCktLSlV4UVRUVmpvT243QjZHcVU2 -SXNNcG5MT29vYVlXcEtXZDJYVmNSeWMKLT4gc3NoLWVkMjU1MTkgcThvY3pnIG92 -M0tlTU5hK3BUdDJHQ1A5Z3grU1pEeVhZTGdIODBvUG43Vm84M2lRU3cKc21VdjZk -L3NvdmI5NmFCSE0rdm95VDcxZkU0L3F2VjJQOEx3N3A2RUJZawotPiBOaUEtZ3Jl -YXNlIDtDPC5SMzogc2sKc1Q5U0FqVVllRUNpWWpqNlNZWUhMUGNOS1l5bzhVMzBH -Y2o1NHRMaUNnWFRpZSswa3lmQkpUVQotLS0gYkVzbWJleS93ZFpCS1l2TG16MG9D -QUlTT3pKRUh6NEEvUlVKSkFkMUcvbwoWRGN3LtjSe8G5LhZTFGW5Nzn049lZOCOE -wZwHKqeujgrsGIcawCqz//lLhPtKaSeCp56DqlpaBh9DBkWJeOgppomy/rY= ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/restic/gotosocial.age b/secrets/trabbi/restic/gotosocial.age @@ -1,11 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTC9ldjJwTEkwb3c5K1FL -SnRYYUZtUGtoSVpNRjdJTVd3SjI2MXI3ZGpNCkxybk13NGRuVDdONUpFc2h2Qy96 -T3BMNkpmbzFhVEtIYlA2Q2txckJGZTgKLT4gc3NoLWVkMjU1MTkgcThvY3pnIFhU -MWRMNm85YWltTVpGZHNmVkNkZjJYZG5VWEYrK1dDNkRhNWJSM00rVEUKOGtneE8y -aEM5cVdSdThoeklxZGZEWFRBYlVIdTJMWWI2NCttdDdVcWVHYwotPiBtQl8tZ3Jl -YXNlIGYvOVsndFQ+ICpySCY4fmQKZHFtbXVBWUQydWJxV2tnOQotLS0gNHZKOEdH -NUJvbU50YXBBVlNtNW5IZ2l6VnI4TzhEVExnK0NpSE9wWnQzRQpWV6a1s1gu/er5 -5XDiFemgTqQ5eA3gLh9c8nxAXPQXfsKmMg3w3rpX3KmfwfByjzNrSxxzIvWwjl2c -TGBlccjgWw== ------END AGE ENCRYPTED FILE-----