dendrite & nextcloud stuff, jillo.oat.zone

hosts/lucent-firepit/default.nix

@@ -174,6 +174,11 @@ in {
         dataDir = "/var/lib/terraria";
       };
 
+      nextcloud = {
+        enable = true;
+        domain = "nextcloud.dark-firepit.cloud";
+      };
+
       jmusicbot = let
         baseOptions = {
           owner = 276416332894044160;

hosts/lucent-firepit/webapps/default.nix

@@ -151,6 +151,14 @@ in {
             proxyPass = "http://127.0.0.1:3436/";
           };
         };
+        # todo: move to flake
+        "jillo.oat.zone" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:15385/";
+          };
+        };
         "drawdog.oat.zone" = {
           enableACME = true;
           forceSSL = true;

modules/services/dendrite.nix

@@ -2,101 +2,107 @@
 
 with lib;
 let
-	cfg = config.modules.services.dendrite;
+  cfg = config.modules.services.dendrite;
-	fullDomain = "matrix." + cfg.hostDomain;
+  fullDomain = "${cfg.prefix}.${cfg.hostDomain}";
   maxUploadMegabytes = 600;
 in {
-	options.modules.services.dendrite = {
+  options.modules.services.dendrite = {
-		enable = mkOption {
+    enable = mkOption {
-			type = types.bool;
+      type = types.bool;
-			default = false;
+      default = false;
-		};
+    };
 
-		hostDomain = mkOption {
+    hostDomain = mkOption {
-			type = types.str;
+      type = types.str;
-			default = null;
+      default = null;
-		};
+    };
 
-		port = mkOption {
+    prefix = mkOption {
-			type = types.port;
+      type = types.str;
-			default = 8008;
+      default = "matrix";
-		};
+    };
-	};
 
-	config = mkIf cfg.enable {
+    port = mkOption {
-		assertions = [
+      type = types.port;
-			{ assertion = cfg.hostDomain != null;
+      default = 8008;
-				description = "@config.modules.services.dendrite.hostDomain@ must not equal null";
+    };
-			}
+  };
-		];
 
-		services.dendrite = {
+  config = mkIf cfg.enable {
-			enable = true;
+    assertions = [
-			httpPort = cfg.port;
+      { assertion = cfg.hostDomain != null;
-			# httpsPort = cfg.port;
+        description = "@config.modules.services.dendrite.hostDomain@ must not equal null";
-			tlsCert = "/var/lib/dendrite_keys/server.cert";
+      }
-			tlsKey = "/var/lib/dendrite_keys/server.key";
+    ];
-			loadCredential = [ "private_key:/var/lib/dendrite_keys/private/private_key.pem" ];
-			environmentFile = "/var/lib/dendrite_keys/registration_secret";
-			settings = {
-			  global = {
-				  server_name = cfg.hostDomain;
-				  private_key = "/var/lib/dendrite_keys/private/private_key.pem";
-				  presence = {
-				    enable_inbound = true;
-				    enable_outbound = true;
-				  };
-				};
-				client_api = {
-				  registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
-				};
-				media_api = {
-				  max_file_size_bytes = maxUploadMegabytes;
-				  dynamic_thumbnails = true;
-				};
-			};
 
-		};
+    services.dendrite = {
+      enable = true;
+      httpPort = cfg.port;
+      # httpsPort = cfg.port;
+      tlsCert = "/var/lib/dendrite_keys/server.crt";
+      tlsKey = "/var/lib/dendrite_keys/server.key";
+      loadCredential = [ "private_key:/var/lib/dendrite_keys/private/private_key.pem" ];
+      environmentFile = "/var/lib/dendrite_keys/registration_secret";
+      settings = {
+        global = {
+          server_name = cfg.hostDomain;
+          private_key = "/var/lib/dendrite_keys/private/private_key.pem";
+          presence = {
+            enable_inbound = true;
+            enable_outbound = true;
+          };
+        };
+        client_api = {
+          registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
+        };
+        media_api = {
+          max_file_size_bytes = maxUploadMegabytes;
+          dynamic_thumbnails = true;
+        };
+      };
 
-		services.nginx.virtualHosts."${fullDomain}" = {
+    };
-			forceSSL = true;
-			enableACME = true;
 
-			listen = [
+    services.nginx.virtualHosts."${fullDomain}" = {
-				{ addr = "0.0.0.0";
+      forceSSL = true;
-					port = 443;
+      enableACME = true;
-					ssl = true;
-				}
-				{ addr = "[::]";
-					port = 443;
-					ssl = true;
-				}
-			];
 
-			locations."/_matrix".proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      #listen = [
+      #  { addr = "0.0.0.0";
+      #    port = 443;
+      #    ssl = true;
+      #  }
+      #  { addr = "[::]";
+      #    port = 443;
+      #    ssl = true;
+      #  }
+      #];
 
-			extraConfig = ''
+      locations."/_matrix".proxyPass = "http://127.0.0.1:${toString cfg.port}";
-				proxy_set_header Host $host;
+      #locations."/_matrix".proxyPass = "https://localhost:${toString cfg.port}";
-				proxy_set_header X-RealIP $remote_addr;
-				proxy_read_timeout 600;
-				client_max_body_size ${toString maxUploadMegabytes}M;
-			'';
-		};
 
-		services.nginx.virtualHosts."${cfg.hostDomain}" = {
+      extraConfig = ''
-			forceSSL = true;
+        proxy_set_header Host $host;
-			enableACME = true;
+        proxy_set_header X-RealIP $remote_addr;
+        proxy_read_timeout 600;
+        client_max_body_size ${toString maxUploadMegabytes}M;
+      '';
+    };
 
-			locations."/.well-known/matrix/server".return = "200 '{ \"m.server\": \"${fullDomain}:443\"}'";
+    services.nginx.virtualHosts."${cfg.hostDomain}" = {
+      forceSSL = true;
+      enableACME = true;
 
-			# locations."/.well-known/matrix/client".return = "200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }'";
+      locations."/.well-known/matrix/server".return = "200 '{ \"m.server\": \"${fullDomain}:443\"}'";
-			locations."/.well-known/matrix/client".extraConfig = ''
-				add_header Access-Control-Allow-Origin '*';
-				return 200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }';
-			'';
-		};
 
-		networking.firewall.allowedTCPPorts = [ 80 443 ];
+	    # locations."/.well-known/matrix/client".return = "200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }'";
-		networking.firewall.allowedUDPPorts = [ 80 443 ];
+      locations."/.well-known/matrix/client".extraConfig = ''
-	};
+        add_header Access-Control-Allow-Origin '*';
+        return 200 '{ \"m.homeserver\": { \"base_url\": \"https://${fullDomain}\"} }';
+      '';
+    };
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+    networking.firewall.allowedUDPPorts = [ 80 443 ];
+  };
 }

modules/services/nextcloud.nix

@@ -12,7 +12,7 @@ in {
 
     package = mkOption {
       type = types.package;
-      default = pkgs.nextcloud24;
+      default = pkgs.nextcloud27;
     };
 
     domain = mkOption {
@@ -28,10 +28,16 @@ in {
       }
     ];
 
+    # vomit inducing
+    # nixpkgs.config.permittedInsecurePackages = [
+    #   "openssl-1.1.1w"
+    # ];
+
     services.nextcloud = {
       enable = true;
       package = cfg.package;
       hostName = cfg.domain;
+      enableBrokenCiphersForSSE = false;
       config = {
         dbtype = "pgsql";
         dbuser = "nextcloud";