SelfPrivacy/selfprivacy-nixos-config
1
0
Fork 0
mirror of https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git synced 2024-10-31 22:27:19 +00:00
Code Issues Projects Releases Wiki Activity

roll back the roll back

Browse source
This commit is contained in:
Inex Code 2022-02-15 14:09:45 +02:00 committed by inexcode
parent df5aba5fa5
commit d8b27cb4eb
4 changed files with 9 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
configuration.nix
View file

@ -35,8 +35,8 @@ in
networking = { networking = {
hostName = config.services.userdata.hostname; hostName = config.services.userdata.hostname;
firewall = { firewall = {
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 8443 ]; allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
allowedUDPPorts = lib.mkForce [ 8443 ]; allowedUDPPorts = lib.mkForce [ 8443 10000 ];
}; };
nameservers = [ "1.1.1.1" "1.0.0.1" ]; nameservers = [ "1.1.1.1" "1.0.0.1" ];
}; };

6
letsencrypt/acme.nix
View file

@ -17,6 +17,12 @@ in
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
credentialsFile = "/var/lib/cloudflare/Credentials.ini"; credentialsFile = "/var/lib/cloudflare/Credentials.ini";
}; };
"meet.${cfg.domain}" = {
domain = "meet.${cfg.domain}";
group = "acmerecievers";
dnsProvider = "cloudflare";
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
};
}; };
}; };
} }

2
videomeet/jitsi.nix
View file

@ -6,7 +6,7 @@ in
services.jitsi-meet = { services.jitsi-meet = {
enable = config.services.userdata.jitsi.enable; enable = config.services.userdata.jitsi.enable;
hostName = "meet.${domain}"; hostName = "meet.${domain}";
nginx.enable = false; nginx.enable = true;
interfaceConfig = { interfaceConfig = {
SHOW_JITSI_WATERMARK = false; SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false; SHOW_WATERMARK_FOR_GUESTS = false;

43
webserver/nginx.nix
View file

@ -89,49 +89,6 @@ in
}; };
}; };
}; };
"meet.${domain}" = {
forceSSL = true;
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
root = pkgs.jitsi-meet;
extraConfig = ''
ssi on;
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"@root_path" = {
extraConfig = ''
rewrite ^/(.*)$ / break;
'';
};
"~ ^/([^/\\?&:'\"]+)$" = {
tryFiles = "$uri @root_path";
};
"=/http-bind" = {
proxyPass = "http://localhost:5280/http-bind";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
'';
};
"=/external_api.js" = {
alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
};
"=/config.js" = {
alias = "${pkgs.jitsi-meet}/config.js";
};
"=/interface_config.js" = {
alias = "${pkgs.jitsi-meet}/interface_config.js";
};
};
};
"password.${domain}" = { "password.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";