Fixed Jitsi certificate usage. Added memcached deployment for increased performance. Fixed upload of media files into Pleroma-OTP

Illia Chub 2021-02-17 13:17:26 +02:00
parent 4f793fed27
commit 0599112b3a


@ -16,7 +16,7 @@ makeConf() {
mkdir /etc/nixos/letsencrypt mkdir /etc/nixos/letsencrypt
mkdir /etc/nixos/backup mkdir /etc/nixos/backup
mkdir /etc/nixos/passmgr mkdir /etc/nixos/passmgr
mkdir /etc/nixos/nginx mkdir /etc/nixos/webserver
mkdir /etc/nixos/git mkdir /etc/nixos/git
mkdir /etc/nixos/nextcloud mkdir /etc/nixos/nextcloud
mkdir /etc/nixos/resources mkdir /etc/nixos/resources
@ -41,20 +41,21 @@ makeConf() {
$network_import $network_import
$NIXOS_IMPORT $NIXOS_IMPORT
./files.nix ./files.nix
./mailserver/system/mailserver.nix ./mailserver/system/mailserver.nix
./vpn/ocserv.nix ./vpn/ocserv.nix
./api/api.nix ./api/api.nix
./api/api-service.nix ./api/api-service.nix
./social/pleroma-module.nix ./social/pleroma-module.nix
./social/pleroma.nix ./social/pleroma.nix
./letsencrypt/acme.nix ./letsencrypt/acme.nix
./backup/restic.nix ./backup/restic.nix
./passmgr/bitwarden.nix ./passmgr/bitwarden.nix
./nginx/nginx.nix ./webserver/nginx.nix
./nextcloud/nextcloud.nix ./webserver/memcached.nix
./nextcloud/nextcloud.nix
./resources/limits.nix ./resources/limits.nix
./videomeet/jitsi.nix ./videomeet/jitsi.nix
./git/gitea.nix ./git/gitea.nix
]; ];
boot.cleanTmpDir = true; boot.cleanTmpDir = true;
@ -195,39 +196,24 @@ EOF
# A list of all login accounts. To create the password hashes, use # A list of all login accounts. To create the password hashes, use
# mkpasswd -m sha-512 "super secret password" # mkpasswd -m sha-512 "super secret password"
loginAccounts = { loginAccounts = {
"$LUSER@$DOMAIN" = { "$LUSER@$DOMAIN" = {
hashedPassword = "$HASHED_PASSWORD"; hashedPassword = "$HASHED_PASSWORD";
catchAll = [ "$DOMAIN" ];
#aliases = [ sieveScript = ''
# "mail@example.com"
#];
# Make this user the catchAll address for domains blah.com and
# example2.com
catchAll = [
"$DOMAIN"
];
sieveScript = ''
require ["fileinto", "mailbox"]; require ["fileinto", "mailbox"];
if header :contains "Chat-Version" "1.0" if header :contains "Chat-Version" "1.0"
{ {
fileinto :create "DeltaChat"; fileinto :create "DeltaChat";
stop; stop;
} }
''; '';
}; };
}; };
# Extra virtual aliases. These are email addresses that are forwarded to
# loginAccounts addresses.
extraVirtualAliases = { extraVirtualAliases = {
# address = forward address; "admin@$DOMAIN" = "$LUSER@$DOMAIN";
"admin@$DOMAIN" = "$LUSER@$DOMAIN";
}; };
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = 1; certificateScheme = 1;
certificateFile = "/var/lib/acme/$DOMAIN/fullchain.pem"; certificateFile = "/var/lib/acme/$DOMAIN/fullchain.pem";
keyFile = "/var/lib/acme/$DOMAIN/key.pem"; keyFile = "/var/lib/acme/$DOMAIN/key.pem";
@ -319,7 +305,7 @@ EOF
} }
EOF EOF
cat > /etc/nixos/nginx/nginx.nix << EOF cat > /etc/nixos/webserver/nginx.nix << EOF
{ pkgs, ... }: { pkgs, ... }:
{ {
services.nginx = { services.nginx = {
@ -331,7 +317,6 @@ EOF
clientMaxBodySize = "1024m"; clientMaxBodySize = "1024m";
virtualHosts = { virtualHosts = {
"$DOMAIN" = { "$DOMAIN" = {
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem"; sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem"; sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
@ -340,7 +325,7 @@ EOF
"vpn.$DOMAIN" = { "vpn.$DOMAIN" = {
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem"; sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem"; sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
forceSSL = true; forceSSL = true;
}; };
"git.$DOMAIN" = { "git.$DOMAIN" = {
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem"; sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
@ -349,28 +334,63 @@ EOF
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:3000"; proxyPass = "http://127.0.0.1:3000";
}; };
}; };
}; };
"cloud.$DOMAIN" = { "cloud.$DOMAIN" = {
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem"; sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem"; sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
forceSSL = true; forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:80/"; proxyPass = "http://127.0.0.1:80/";
};
}; };
}; };
"meet.$DOMAIN" = {
forceSSL = true;
sslCertificate = "/var/lib/acme/ilchub.net/fullchain.pem";
sslCertificateKey = "/var/lib/acme/ilchub.net/key.pem";
root = pkgs.jitsi-meet;
extraConfig = ''
ssi on;
'';
locations = {
"@root_path" = {
extraConfig = ''
rewrite ^/(.*)$ / break;
'';
};
"~ ^/([^/\\?&:'\"]+)$" = {
tryFiles = "$uri @root_path";
};
"=/http-bind" = {
proxyPass = "http://localhost:5280/http-bind";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
'';
};
"=/external_api.js" = {
alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
};
"=/config.js" = {
alias = "${pkgs.jitsi-meet}/config.js";
};
"=/interface_config.js" = {
alias = "${pkgs.jitsi-meet}/interface_config.js";
};
};
}; };
"password.$DOMAIN" = { "password.$DOMAIN" = {
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem"; sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem"; sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
forceSSL = true; forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:8222"; proxyPass = "http://127.0.0.1:8222";
};
}; };
};
}; };
"api.$DOMAIN" = { "api.$DOMAIN" = {
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem"; sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
@ -379,8 +399,28 @@ EOF
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:5050"; proxyPass = "http://127.0.0.1:5050";
};
}; };
}; };
"chat.$DOMAIN" = {
forceSSL = true;
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
locations = {
"/" = {
proxyPass = "https://127.0.0.1:8448";
};
"/_matrix" = {
proxyPass = "https://127.0.0.1:8448";
extraConfig = ''
proxy_set_header X-Forwarded-For $remote_addr;
'';
};
};
extraConfig = ''
proxy_ssl_server_name on;
proxy_pass_header Authorization;
'';
}; };
"social.$DOMAIN" = { "social.$DOMAIN" = {
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem"; sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
@ -401,6 +441,22 @@ EOF
} }
EOF EOF
cat > /etc/nixos/webserver/memcached.nix << EOF
{ pkgs, ... }:
{
services = {
memcached = {
enable = true;
user = "memcached";
listen = "127.0.0.1";
port = "11211";
maxMemory = 64;
maxConnections = 1024;
};
};
}
EOF
cat > /etc/nixos/nextcloud/nextcloud.nix << EOF cat > /etc/nixos/nextcloud/nextcloud.nix << EOF
{ pkgs, ... }: { pkgs, ... }:
{ {
@ -451,9 +507,9 @@ EOF
type = "sqlite3"; type = "sqlite3";
host = "127.0.0.1"; host = "127.0.0.1";
name = "gitea"; name = "gitea";
user = "gitea"; user = "gitea";
path = "/var/lib/gitea/data/gitea.db"; path = "/var/lib/gitea/data/gitea.db";
createDatabase = true; createDatabase = true;
}; };
ssh = { ssh = {
enable = true; enable = true;
@ -473,19 +529,19 @@ EOF
settings = { settings = {
mailer = { mailer = {
ENABLED = false; ENABLED = false;
}; };
ui = { ui = {
DEFAULT_THEME = "arc-green"; DEFAULT_THEME = "arc-green";
}; };
picture = { picture = {
DISABLE_GRAVATAR = true; DISABLE_GRAVATAR = true;
}; };
admin = { admin = {
ENABLE_KANBAN_BOARD = true; ENABLE_KANBAN_BOARD = true;
}; };
repository = { repository = {
FORCE_PRIVATE = false; FORCE_PRIVATE = false;
}; };
}; };
}; };
}; };
@ -499,33 +555,33 @@ EOF
dovecot2 = { dovecot2 = {
serviceConfig = { serviceConfig = {
cpuAccounting = true; cpuAccounting = true;
cpuQuota = "20%"; cpuQuota = "20%";
memoryAccounting = true; memoryAccounting = true;
memoryMax = "256M"; memoryMax = "256M";
startLimitIntervalSec = 500; startLimitIntervalSec = 500;
startLimitBurst = 5; startLimitBurst = 5;
blockIOWeigth = 25; blockIOWeigth = 25;
}; };
}; };
postfix = { postfix = {
serviceConfig = { serviceConfig = {
cpuAccounting = true; cpuAccounting = true;
cpuQuota = "20%"; cpuQuota = "20%";
memoryAccounting = true; memoryAccounting = true;
memoryMax = "256M"; memoryMax = "256M";
startLimitIntervalSec = 500; startLimitIntervalSec = 500;
startLimitBurst = 5; startLimitBurst = 5;
blockIOWeigth = 25; blockIOWeigth = 25;
}; };
}; };
ocserv = { ocserv = {
serviceConfig = { serviceConfig = {
cpuAccounting = true; cpuAccounting = true;
cpuQuota = "70%"; cpuQuota = "70%";
memoryAccounting = true; memoryAccounting = true;
memoryMax = "512M"; memoryMax = "512M";
startLimitIntervalSec = 500; startLimitIntervalSec = 500;
startLimitBurst = 5; startLimitBurst = 5;
}; };
}; };
nginx = { nginx = {
@ -536,7 +592,7 @@ EOF
memoryMax = "768M"; memoryMax = "768M";
startLimitIntervalSec = 500; startLimitIntervalSec = 500;
startLimitBurst = 5; startLimitBurst = 5;
blockIOWeigth = 10; blockIOWeigth = 10;
}; };
}; };
}; };
@ -554,7 +610,6 @@ EOF
SHOW_JITSI_WATERMARK = false; SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false; SHOW_WATERMARK_FOR_GUESTS = false;
}; };
}; };
} }
EOF EOF
@ -1218,4 +1273,4 @@ removeSwap
if [[ -z "$NO_REBOOT" ]]; then if [[ -z "$NO_REBOOT" ]]; then
reboot reboot
fi fi
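Review bot: In the new `"meet.$DOMAIN"` vhost (hunk `@ -349,28 +334,63 @@`) the certificate paths are hard-coded to `/var/lib/acme/ilchub.net/fullchain.pem` and `/var/lib/acme/ilchub.net/key.pem` instead of the `$DOMAIN` path every other vhost in the same file uses, so on any deployment where `$DOMAIN` differs nginx will either serve a certificate that does not match `meet.$DOMAIN` or refuse to start because the file is absent — and a failing nginx config takes down every vhost generated here, not just Jitsi. They should read `sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";` and `sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";`. Separately, this nginx.nix is emitted through an unquoted `<< EOF` heredoc, so as rendered the nginx variables `$uri`, `$host`, `$proxy_add_x_forwarded_for` and `$remote_addr` will be expanded by the shell (typically to empty, leaving e.g. `proxy_set_header Host ;`) and `${pkgs.jitsi-meet}` is a bad substitution in bash; unless backslashes were lost in rendering, those `$` need `\$` escaping in the script. The `makeConf()` function and the `virtualHosts` attribute set both start before this hunk and continue after it.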