mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-30 06:21:28 +00:00
Fixed Jitsi functionality and Jitsi certificate resolution
This commit is contained in:
parent
a448d4da5d
commit
3497ddd0a2
|
@ -35,8 +35,8 @@ in
|
||||||
networking = {
|
networking = {
|
||||||
hostName = config.services.userdata.hostname;
|
hostName = config.services.userdata.hostname;
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 8443 ];
|
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
|
||||||
allowedUDPPorts = lib.mkForce [ 8443 ];
|
allowedUDPPorts = lib.mkForce [ 8443 10000 ];
|
||||||
};
|
};
|
||||||
nameservers = [ "1.1.1.1" "1.0.0.1" ];
|
nameservers = [ "1.1.1.1" "1.0.0.1" ];
|
||||||
};
|
};
|
||||||
|
|
|
@ -17,6 +17,12 @@ in
|
||||||
dnsProvider = "cloudflare";
|
dnsProvider = "cloudflare";
|
||||||
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
|
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
|
||||||
};
|
};
|
||||||
|
"meet.${cfg.domain}" = {
|
||||||
|
domain = "meet.${cfg.domain}";
|
||||||
|
group = "acmerecievers";
|
||||||
|
dnsProvider = "cloudflare";
|
||||||
|
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,7 +6,7 @@ in
|
||||||
services.jitsi-meet = {
|
services.jitsi-meet = {
|
||||||
enable = config.services.userdata.jitsi.enable;
|
enable = config.services.userdata.jitsi.enable;
|
||||||
hostName = "meet.${domain}";
|
hostName = "meet.${domain}";
|
||||||
nginx.enable = false;
|
nginx.enable = true;
|
||||||
interfaceConfig = {
|
interfaceConfig = {
|
||||||
SHOW_JITSI_WATERMARK = false;
|
SHOW_JITSI_WATERMARK = false;
|
||||||
SHOW_WATERMARK_FOR_GUESTS = false;
|
SHOW_WATERMARK_FOR_GUESTS = false;
|
||||||
|
|
|
@ -89,49 +89,6 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"meet.${domain}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
|
||||||
root = pkgs.jitsi-meet;
|
|
||||||
extraConfig = ''
|
|
||||||
ssi on;
|
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
|
||||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
|
||||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
|
||||||
add_header X-Frame-Options DENY;
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
|
||||||
expires 10m;
|
|
||||||
'';
|
|
||||||
locations = {
|
|
||||||
"@root_path" = {
|
|
||||||
extraConfig = ''
|
|
||||||
rewrite ^/(.*)$ / break;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
"~ ^/([^/\\?&:'\"]+)$" = {
|
|
||||||
tryFiles = "$uri @root_path";
|
|
||||||
};
|
|
||||||
"=/http-bind" = {
|
|
||||||
proxyPass = "http://localhost:5280/http-bind";
|
|
||||||
extraConfig = ''
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
"=/external_api.js" = {
|
|
||||||
alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
|
|
||||||
};
|
|
||||||
"=/config.js" = {
|
|
||||||
alias = "${pkgs.jitsi-meet}/config.js";
|
|
||||||
};
|
|
||||||
"=/interface_config.js" = {
|
|
||||||
alias = "${pkgs.jitsi-meet}/interface_config.js";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
"password.${domain}" = {
|
"password.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
|
|
Loading…
Reference in a new issue