dendrite & nextcloud stuff, jillo.oat.zone

2024-05-04 07:36:07 +02:00 · 2023-11-24 08:48:12 +01:00 · 2023-11-24 08:48:12 +01:00 · 749bbcd236
parent c2837a6ac0
commit 749bbcd236
4 changed files with 108 additions and 83 deletions
--- a/hosts/lucent-firepit/default.nix
+++ b/hosts/lucent-firepit/default.nix
@ -174,6 +174,11 @@ in {
        dataDir = "/var/lib/terraria";
      };

+      nextcloud = {
+        enable = true;
+        domain = "nextcloud.dark-firepit.cloud";
+      };
+
      jmusicbot = let
        baseOptions = {
          owner = 276416332894044160;
--- a/hosts/lucent-firepit/webapps/default.nix
+++ b/hosts/lucent-firepit/webapps/default.nix
@ -151,6 +151,14 @@ in {
            proxyPass = "http://127.0.0.1:3436/";
          };
        };
+        # todo: move to flake
+        "jillo.oat.zone" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:15385/";
+          };
+        };
        "drawdog.oat.zone" = {
          enableACME = true;
          forceSSL = true;
--- a/modules/services/dendrite.nix
+++ b/modules/services/dendrite.nix
@ -2,101 +2,107 @@

 with lib;
 let
-	cfg = config.modules.services.dendrite;
-	fullDomain = "matrix." + cfg.hostDomain;
+  cfg = config.modules.services.dendrite;
+  fullDomain = "${cfg.prefix}.${cfg.hostDomain}";
  maxUploadMegabytes = 600;
 in {
-	options.modules.services.dendrite = {
-		enable = mkOption {
-			type = types.bool;
-			default = false;
-		};
+  options.modules.services.dendrite = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };

-		hostDomain = mkOption {
-			type = types.str;
-			default = null;
-		};
+    hostDomain = mkOption {
+      type = types.str;
+      default = null;
+    };

-		port = mkOption {
-			type = types.port;
-			default = 8008;
-		};
-	};
+    prefix = mkOption {
+      type = types.str;
+      default = "matrix";
+    };

-	config = mkIf cfg.enable {
-		assertions = [
-			{ assertion = cfg.hostDomain != null;
-				description = "@config.modules.services.dendrite.hostDomain@ must not equal null";
-			}
-		];
+    port = mkOption {
+      type = types.port;
+      default = 8008;
+    };
+  };

-		services.dendrite = {
-			enable = true;
-			httpPort = cfg.port;
-			# httpsPort = cfg.port;
-			tlsCert = "/var/lib/dendrite_keys/server.cert";
-			tlsKey = "/var/lib/dendrite_keys/server.key";
-			loadCredential = [ "private_key:/var/lib/dendrite_keys/private/private_key.pem" ];
-			environmentFile = "/var/lib/dendrite_keys/registration_secret";
-			settings = {
-			  global = {
-				  server_name = cfg.hostDomain;
-				  private_key = "/var/lib/dendrite_keys/private/private_key.pem";
-				  presence = {
-				    enable_inbound = true;
-				    enable_outbound = true;
-				  };
-				};
-				client_api = {
-				  registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
-				};
-				media_api = {
-				  max_file_size_bytes = maxUploadMegabytes;
-				  dynamic_thumbnails = true;
-				};
-			};
+  config = mkIf cfg.enable {
+    assertions = [
+      { assertion = cfg.hostDomain != null;
+        description = "@config.modules.services.dendrite.hostDomain@ must not equal null";
+      }
+    ];

-		};
+    services.dendrite = {
+      enable = true;
+      httpPort = cfg.port;
+      # httpsPort = cfg.port;
+      tlsCert = "/var/lib/dendrite_keys/server.crt";
+      tlsKey = "/var/lib/dendrite_keys/server.key";
+      loadCredential = [ "private_key:/var/lib/dendrite_keys/private/private_key.pem" ];
+      environmentFile = "/var/lib/dendrite_keys/registration_secret";
+      settings = {
+        global = {
+          server_name = cfg.hostDomain;
+          private_key = "/var/lib/dendrite_keys/private/private_key.pem";
+          presence = {
+            enable_inbound = true;
+            enable_outbound = true;
+          };
+        };
+        client_api = {
+          registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
+        };
+        media_api = {
+          max_file_size_bytes = maxUploadMegabytes;
+          dynamic_thumbnails = true;
+        };
+      };

-		services.nginx.virtualHosts."${fullDomain}" = {
-			forceSSL = true;
-			enableACME = true;
+    };

-			listen = [
-				{ addr = "0.0.0.0";
-					port = 443;
-					ssl = true;
-				}
-				{ addr = "[::]";
-					port = 443;
-					ssl = true;
-				}
-			];
+    services.nginx.virtualHosts."${fullDomain}" = {
+      forceSSL = true;
+      enableACME = true;

-			locations."/_matrix".proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      #listen = [
+      #  { addr = "0.0.0.0";
+      #    port = 443;
+      #    ssl = true;
+      #  }
+      #  { addr = "[::]";
+      #    port = 443;
+      #    ssl = true;
+      #  }
+      #];

-			extraConfig = ''
-				proxy_set_header Host $host;
-				proxy_set_header X-RealIP $remote_addr;
-				proxy_read_timeout 600;
-				client_max_body_size ${toString maxUploadMegabytes}M;
-			'';
-		};
+      locations."/_matrix".proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      #locations."/_matrix".proxyPass = "https://localhost:${toString cfg.port}";

-		services.nginx.virtualHosts."${cfg.hostDomain}" = {
-			forceSSL = true;
-			enableACME = true;
+      extraConfig = ''
+        proxy_set_header Host $host;
+        proxy_set_header X-RealIP $remote_addr;
+        proxy_read_timeout 600;
+        client_max_body_size ${toString maxUploadMegabytes}M;
+      '';
+    };

-			locations."/.well-known/matrix/server".return = "200 '{ \"m.server\": \"${fullDomain}:443\"}'";
+    services.nginx.virtualHosts."${cfg.hostDomain}" = {
+      forceSSL = true;
+      enableACME = true;

-			# locations."/.well-known/matrix/client".return = "200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }'";
-			locations."/.well-known/matrix/client".extraConfig = ''
-				add_header Access-Control-Allow-Origin '*';
-				return 200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }';
-			'';
-		};
+      locations."/.well-known/matrix/server".return = "200 '{ \"m.server\": \"${fullDomain}:443\"}'";

-		networking.firewall.allowedTCPPorts = [ 80 443 ];
-		networking.firewall.allowedUDPPorts = [ 80 443 ];
-	};
+	    # locations."/.well-known/matrix/client".return = "200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }'";
+      locations."/.well-known/matrix/client".extraConfig = ''
+        add_header Access-Control-Allow-Origin '*';
+        return 200 '{ \"m.homeserver\": { \"base_url\": \"https://${fullDomain}\"} }';
+      '';
+    };
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+    networking.firewall.allowedUDPPorts = [ 80 443 ];
+  };
 }
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@ -12,7 +12,7 @@ in {

    package = mkOption {
      type = types.package;
-      default = pkgs.nextcloud24;
+      default = pkgs.nextcloud27;
    };

    domain = mkOption {
@ -28,10 +28,16 @@ in {
      }
    ];

+    # vomit inducing
+    # nixpkgs.config.permittedInsecurePackages = [
+    #   "openssl-1.1.1w"
+    # ];
+
    services.nextcloud = {
      enable = true;
      package = cfg.package;
      hostName = cfg.domain;
+      enableBrokenCiphersForSSE = false;
      config = {
        dbtype = "pgsql";
        dbuser = "nextcloud";