Configure public-web-static host for Element Web hosting
Co-authored-by: julian <julian@jsts.xyz>
parent
3053eb9b2f
commit
02411bb800
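--- a/config/hosts/public-web-static/configuration.nix
+++ b/config/hosts/public-web-static/configuration.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+networking.hostName = "public-web-static";
+
+system.stateVersion = "23.05";
+}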
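--- a/config/hosts/public-web-static/default.nix
+++ b/config/hosts/public-web-static/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+imports = [
+./configuration.nix
+./networking.nix
+./nginx.nix
+./virtualHosts
+];
+}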
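--- a/config/hosts/public-web-static/networking.nix
+++ b/config/hosts/public-web-static/networking.nix
@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+networking.interfaces.net0 = {
+ipv4.addresses = [
+{
+address = "172.31.17.151";
+prefixLength = 25;
+}
+];
+};
+networking.defaultGateway = "172.31.17.129";
+networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+networking.search = [ "hamburg.ccc.de" ];
+
+systemd.network.links."10-net0" = {
+matchConfig.MACAddress = "86:72:08:F6:C0:D6";
+linkConfig.Name = "net0";
+};
+}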
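--- a/config/hosts/public-web-static/nginx.nix
+++ b/config/hosts/public-web-static/nginx.nix
@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+services.nginx.enable = true;
+
+networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+networking.firewall.allowedUDPPorts = [ 8443 ];
+}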
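Review bot: `networking.firewall.allowedUDPPorts = [ 8443 ];` opens a UDP port that nothing in this commit listens on — the only 8443 listener added (in the virtualHosts file) is a TCP `ssl`/`proxy_protocol` listen with no QUIC or HTTP/3 parameter, so the rule is an unused exposure and should be dropped or its purpose commented. If it anticipates HTTP/3, a comment such as `# UDP 8443 reserved for a future QUIC listener` on that line would keep it from being removed as dead config. Separately, nothing here enables `services.nginx.recommendedTlsSettings`, so the TLS parameters of the 8443 listener fall back to nginx's built-in defaults; consider adding `services.nginx.recommendedTlsSettings = true;` next to `services.nginx.enable`.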
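--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+imports = [
+./element.hamburg.ccc.de.nix
+];
+}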
|
@ -0,0 +1,47 @@
|
||||||
|
{
|
||||||
|
"default_server_name": "hamburg.ccc.de",
|
||||||
|
"default_server_config": {
|
||||||
|
"m.homeserver": {
|
||||||
|
"base_url": "https://matrix.hamburg.ccc.de",
|
||||||
|
"server_name": "hamburg.ccc.de"
|
||||||
|
},
|
||||||
|
"m.identity_server": {
|
||||||
|
"base_url": "https://vector.im"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"disable_custom_urls": true,
|
||||||
|
"disable_guests": false,
|
||||||
|
"disable_login_language_selector": false,
|
||||||
|
"disable_3pid_login": true,
|
||||||
|
"brand": "Element",
|
||||||
|
"integrations_ui_url": "https://scalar.vector.im/",
|
||||||
|
"integrations_rest_url": "https://scalar.vector.im/api",
|
||||||
|
"integrations_widgets_urls": [
|
||||||
|
"https://scalar.vector.im/_matrix/integrations/v1",
|
||||||
|
"https://scalar.vector.im/api",
|
||||||
|
"https://scalar-staging.vector.im/_matrix/integrations/v1",
|
||||||
|
"https://scalar-staging.vector.im/api",
|
||||||
|
"https://scalar-staging.riot.im/scalar/api"
|
||||||
|
],
|
||||||
|
"bug_report_endpoint_url": "https://element.io/bugreports/submit",
|
||||||
|
"uisi_autorageshake_app": "element-auto-uisi",
|
||||||
|
"default_country_code": "DE",
|
||||||
|
"show_labs_settings": true,
|
||||||
|
"default_federate": true,
|
||||||
|
"default_theme": "dark",
|
||||||
|
"room_directory": {
|
||||||
|
"servers": [
|
||||||
|
"matrix.org"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"enable_presence_by_hs_url": {
|
||||||
|
"https://matrix.org": false,
|
||||||
|
"https://matrix-client.matrix.org": false
|
||||||
|
},
|
||||||
|
"setting_defaults": {
|
||||||
|
"breadcrumbs": true
|
||||||
|
},
|
||||||
|
"jitsi": {
|
||||||
|
"preferredDomain": "meet.element.io"
|
||||||
|
}
|
||||||
|
}
|
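Review bot: Several endpoints in this config send user data to third parties and nothing records whether that is intended: `"bug_report_endpoint_url": "https://element.io/bugreports/submit"` makes user-submitted bug reports, which carry client logs, go to Element's servers rather than CCCHH infrastructure, and `"m.identity_server"` plus the `integrations_*` entries point at vector.im. `"show_labs_settings": true` additionally exposes experimental features to every user of this deployment. JSON cannot hold a comment, so if these are deliberate a short README next to this file stating that bug reports and identity lookups leave the homeserver operator's control would help the next maintainer; otherwise removing `bug_report_endpoint_url` (or pointing it at a rageshake server you operate) is the usual change.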
|
@ -0,0 +1,93 @@
|
||||||
|
{ pkgs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
element-web = pkgs.fetchzip {
|
||||||
|
url = "https://github.com/vector-im/element-web/releases/download/v1.11.45/element-v1.11.45.tar.gz";
|
||||||
|
sha256 = "sha256-nwRsBIF9vcHZkyVsLA2sU2cmuzALEIIOcWQRGfd+5xs=";
|
||||||
|
};
|
||||||
|
elementSecurityHeaders = ''
|
||||||
|
# Configuration best practices
|
||||||
|
# See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
|
||||||
|
add_header X-Frame-Options SAMEORIGIN;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.nginx.virtualHosts = {
|
||||||
|
"acme-element.hamburg.ccc.de" = {
|
||||||
|
default = true;
|
||||||
|
enableACME = true;
|
||||||
|
serverName = "element.hamburg.ccc.de";
|
||||||
|
|
||||||
|
listen = [
|
||||||
|
{
|
||||||
|
addr = "0.0.0.0";
|
||||||
|
port = 31820;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
"element.hamburg.ccc.de" = {
|
||||||
|
default = true;
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "element.hamburg.ccc.de";
|
||||||
|
|
||||||
|
listen = [
|
||||||
|
{
|
||||||
|
addr = "0.0.0.0";
|
||||||
|
port = 8443;
|
||||||
|
ssl = true;
|
||||||
|
extraParameters = [ "proxy_protocol" ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
root = pkgs.buildEnv {
|
||||||
|
name = "element-web";
|
||||||
|
paths = [
|
||||||
|
element-web
|
||||||
|
./element-web-config
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Set no-cache for the version, config and index.html
|
||||||
|
# so that browsers always check for a new copy of Element Web.
|
||||||
|
# NB http://your-domain/ and http://your-domain/? are also covered by this
|
||||||
|
|
||||||
|
locations."= /index.html" = {
|
||||||
|
extraConfig = elementSecurityHeaders + ''
|
||||||
|
add_header Cache-Control "no-cache";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
locations."= /version" = {
|
||||||
|
extraConfig = elementSecurityHeaders + ''
|
||||||
|
add_header Cache-Control "no-cache";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
# covers config.json and config.hostname.json requests as it is prefix.
|
||||||
|
locations."/config" = {
|
||||||
|
extraConfig = elementSecurityHeaders + ''
|
||||||
|
add_header Cache-Control "no-cache";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
extraConfig = elementSecurityHeaders + ''
|
||||||
|
index index.html;
|
||||||
|
|
||||||
|
# redirect server error pages to the static page /50x.html
|
||||||
|
error_page 500 502 503 504 /50x.html;
|
||||||
|
|
||||||
|
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||||
|
# $remote_port to the client address and client port, when using proxy
|
||||||
|
# protocol.
|
||||||
|
# First set our proxy protocol proxy as trusted.
|
||||||
|
set_real_ip_from 172.31.17.140;
|
||||||
|
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||||
|
# header.
|
||||||
|
real_ip_header proxy_protocol;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
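Review bot: Only the Strict-Transport-Security line in `elementSecurityHeaders` carries `always`; without it nginx's `add_header` is applied to 2xx/3xx responses only, so X-Frame-Options, X-Content-Type-Options, X-XSS-Protection and the `frame-ancestors 'none'` CSP are missing from 404s and from the `/50x.html` error pages configured further down in this same file. Append `always` to each of the four lines, e.g. `add_header X-Frame-Options SAMEORIGIN always;`. It would also help to explain why the string is prepended in every `locations.*` block instead of once at the server level, with a comment above `elementSecurityHeaders` such as `# nginx add_header in a location block replaces the headers inherited from the server block, so each location that adds Cache-Control must repeat these headers.` The real-IP trust is correctly limited to `set_real_ip_from 172.31.17.140` even though both listens bind `0.0.0.0`; the ACME vhost on 31820 has no proxy_protocol listen, so presumably the upstream proxy forwards challenges without it — worth a one-line comment if so.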
14
flake.nix
14
flake.nix
|
@ -90,6 +90,20 @@
|
||||||
./config/hosts/matrix
|
./config/hosts/matrix
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
public-web-static = {
|
||||||
|
deployment = {
|
||||||
|
targetHost = "public-web-static-intern.hamburg.ccc.de";
|
||||||
|
targetPort = 22;
|
||||||
|
targetUser = "colmena-deploy";
|
||||||
|
tags = [ "chaosknoten" ];
|
||||||
|
};
|
||||||
|
imports = [
|
||||||
|
./config/common
|
||||||
|
./config/proxmox-vm
|
||||||
|
./config/hosts/public-web-static
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
packages.x86_64-linux = {
|
packages.x86_64-linux = {
|
||||||
|
|