diff --git a/hosts/lucent-firepit/default.nix b/hosts/lucent-firepit/default.nix index 4e22171..1595619 100644 --- a/hosts/lucent-firepit/default.nix +++ b/hosts/lucent-firepit/default.nix @@ -174,6 +174,11 @@ in { dataDir = "/var/lib/terraria"; }; + nextcloud = { + enable = true; + domain = "nextcloud.dark-firepit.cloud"; + }; + jmusicbot = let baseOptions = { owner = 276416332894044160; diff --git a/hosts/lucent-firepit/webapps/default.nix b/hosts/lucent-firepit/webapps/default.nix index c5e46ed..292eb38 100644 --- a/hosts/lucent-firepit/webapps/default.nix +++ b/hosts/lucent-firepit/webapps/default.nix @@ -151,6 +151,14 @@ in { proxyPass = "http://127.0.0.1:3436/"; }; }; + # todo: move to flake + "jillo.oat.zone" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:15385/"; + }; + }; "drawdog.oat.zone" = { enableACME = true; forceSSL = true; diff --git a/modules/services/dendrite.nix b/modules/services/dendrite.nix index 2018bc6..905d2a0 100644 --- a/modules/services/dendrite.nix +++ b/modules/services/dendrite.nix 
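Review bot: The upstream for the new `jillo.oat.zone` vhost, 127.0.0.1:15385, is not declared anywhere in this module (the `# todo: move to flake` comment suggests it is started out of band), so nothing here ensures the service binds loopback only; if it also listens on a public interface the forceSSL front door is bypassable and only the host firewall stands in the way. Unlike the dendrite vhost, this one sets no `proxy_set_header` lines, so whether the upstream sees real client addresses depends on `recommendedProxySettings`, which is not visible in this hunk. Suggest replacing the todo with a comment that records the requirement: `# jillo: unmanaged upstream on 15385 (todo: move to flake); it must bind 127.0.0.1 only, nginx is its sole public entry point`.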
@@ -2,101 +2,107 @@ with lib; let - cfg = config.modules.services.dendrite; - fullDomain = "matrix." + cfg.hostDomain; + cfg = config.modules.services.dendrite; + fullDomain = "${cfg.prefix}.${cfg.hostDomain}"; maxUploadMegabytes = 600; in { - options.modules.services.dendrite = { - enable = mkOption { - type = types.bool; - default = false; - }; + options.modules.services.dendrite = { + enable = mkOption { + type = types.bool; + default = false; + }; - hostDomain = mkOption { - type = types.str; - default = null; - }; + hostDomain = mkOption { + type = types.str; + default = null; + }; - port = mkOption { - type = types.port; - default = 8008; - }; - }; + prefix = mkOption { + type = types.str; + default = "matrix"; + }; - config = mkIf cfg.enable { - assertions = [ - { assertion = cfg.hostDomain != null; - description = "@config.modules.services.dendrite.hostDomain@ must not equal null"; - } - ]; + port = mkOption { + type = types.port; + default = 8008; + }; + }; - services.dendrite = { - enable = true; - httpPort = cfg.port; - # httpsPort = cfg.port; - tlsCert = "/var/lib/dendrite_keys/server.cert"; - tlsKey = "/var/lib/dendrite_keys/server.key"; - loadCredential = [ "private_key:/var/lib/dendrite_keys/private/private_key.pem" ]; - environmentFile = "/var/lib/dendrite_keys/registration_secret"; - settings = { - global = { - server_name = cfg.hostDomain; - private_key = "/var/lib/dendrite_keys/private/private_key.pem"; - presence = { - enable_inbound = true; - enable_outbound = true; - }; - }; - client_api = { - registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; - }; - media_api = { - max_file_size_bytes = maxUploadMegabytes; - dynamic_thumbnails = true; - }; - }; + config = mkIf cfg.enable { + assertions = [ + { assertion = cfg.hostDomain != null; + description = "@config.modules.services.dendrite.hostDomain@ must not equal null"; + } + ]; - }; + services.dendrite = { + enable = true; + httpPort = cfg.port; + # httpsPort = cfg.port; + tlsCert = 
"/var/lib/dendrite_keys/server.crt"; + tlsKey = "/var/lib/dendrite_keys/server.key"; + loadCredential = [ "private_key:/var/lib/dendrite_keys/private/private_key.pem" ]; + environmentFile = "/var/lib/dendrite_keys/registration_secret"; + settings = { + global = { + server_name = cfg.hostDomain; + private_key = "/var/lib/dendrite_keys/private/private_key.pem"; + presence = { + enable_inbound = true; + enable_outbound = true; + }; + }; + client_api = { + registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; + }; + media_api = { + max_file_size_bytes = maxUploadMegabytes; + dynamic_thumbnails = true; + }; + }; - services.nginx.virtualHosts."${fullDomain}" = { - forceSSL = true; - enableACME = true; + }; - listen = [ - { addr = "0.0.0.0"; - port = 443; - ssl = true; - } - { addr = "[::]"; - port = 443; - ssl = true; - } - ]; + services.nginx.virtualHosts."${fullDomain}" = { + forceSSL = true; + enableACME = true; - locations."/_matrix".proxyPass = "http://127.0.0.1:${toString cfg.port}"; + #listen = [ + # { addr = "0.0.0.0"; + # port = 443; + # ssl = true; + # } + # { addr = "[::]"; + # port = 443; + # ssl = true; + # } + #]; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-RealIP $remote_addr; - proxy_read_timeout 600; - client_max_body_size ${toString maxUploadMegabytes}M; - ''; - }; + locations."/_matrix".proxyPass = "http://127.0.0.1:${toString cfg.port}"; + #locations."/_matrix".proxyPass = "https://localhost:${toString cfg.port}"; - services.nginx.virtualHosts."${cfg.hostDomain}" = { - forceSSL = true; - enableACME = true; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-RealIP $remote_addr; + proxy_read_timeout 600; + client_max_body_size ${toString maxUploadMegabytes}M; + ''; + }; - locations."/.well-known/matrix/server".return = "200 '{ \"m.server\": \"${fullDomain}:443\"}'"; + services.nginx.virtualHosts."${cfg.hostDomain}" = { + forceSSL = true; + enableACME = true; - # 
locations."/.well-known/matrix/client".return = "200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }'"; - locations."/.well-known/matrix/client".extraConfig = '' - add_header Access-Control-Allow-Origin '*'; - return 200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }'; - ''; - }; + locations."/.well-known/matrix/server".return = "200 '{ \"m.server\": \"${fullDomain}:443\"}'"; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 80 443 ]; - }; + # locations."/.well-known/matrix/client".return = "200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }'"; + locations."/.well-known/matrix/client".extraConfig = '' + add_header Access-Control-Allow-Origin '*'; + return 200 '{ \"m.homeserver\": { \"base_url\": \"https://${fullDomain}\"} }'; + ''; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedUDPPorts = [ 80 443 ]; + }; } diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix index 550618d..5f04090 100644 --- a/modules/services/nextcloud.nix +++ b/modules/services/nextcloud.nix @@ -12,7 +12,7 @@ in { package = mkOption { type = types.package; - default = pkgs.nextcloud24; + default = pkgs.nextcloud27; }; domain = mkOption { @@ -28,10 +28,16 @@ in { } ]; + # vomit inducing + # nixpkgs.config.permittedInsecurePackages = [ + # "openssl-1.1.1w" + # ]; + services.nextcloud = { enable = true; package = cfg.package; hostName = cfg.domain; + enableBrokenCiphersForSSE = false; config = { dbtype = "pgsql"; dbuser = "nextcloud";
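Review bot: `max_file_size_bytes = maxUploadMegabytes;` sets dendrite's media limit to 600 bytes, not 600 MB, while the nginx vhost in the same hunk allows `client_max_body_size 600M`; the two limits should agree, `max_file_size_bytes = maxUploadMegabytes * 1024 * 1024;`. The firewall also opens `allowedUDPPorts = [ 80 443 ]`, but nothing in this module configures a QUIC/HTTP3 listener, so that is exposed surface with no service behind it and can be dropped. The hostDomain guard as written likely never fires: `types.str` with `default = null` fails the option type check before the assertion is evaluated, and NixOS assertions take `message`, not `description`; `type = types.nullOr types.str;` together with `message = "..."` would make it work. These lines are re-indented carry-overs rather than new logic, but the commit touches every one of them.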
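Review bot: `enableBrokenCiphersForSSE = false;` is the safe setting, but the commented-out `nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ]` block kept above it is dead configuration whose only effect, if ever un-commented, is to allow-list EOL OpenSSL 1.1.1 for the whole system rather than just Nextcloud; delete it, or replace `# vomit inducing` with a comment stating the decision, e.g. `# Legacy SSE ciphers need OpenSSL 1.1 (EOL); deliberately not allow-listed, SSE must use modern ciphers.` If server-side encryption was ever enabled on this instance, data encrypted under the legacy cipher may need migrating before this flips — I cannot tell from the module, so verify on the running instance. Also confirm that the pinned nixpkgs still defines this option for nextcloud27; if it has since been removed, evaluation fails.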