bendodroid/nix-infra
1
0
Fork 0
forked from CCCHH/nix-infra
Code Pull requests Activity

Configure public-web-static host for Element Web hosting

Browse source 
Co-authored-by: julian <julian@jsts.xyz>
This commit is contained in:
yuri 2023-10-07 04:29:08 +02:00 committed by Jannes Grzebien
parent 3053eb9b2f
commit 02411bb800
8 changed files with 206 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
config/hosts/public-web-static/configuration.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }:
{
networking.hostName = "public-web-static";
system.stateVersion = "23.05";
}

10
config/hosts/public-web-static/default.nix Normal file
View file

@ -0,0 +1,10 @@
{ ... }:
{
imports = [
./configuration.nix
./networking.nix
./nginx.nix
./virtualHosts
];
}

20
config/hosts/public-web-static/networking.nix Normal file
View file

@ -0,0 +1,20 @@
{ ... }:
{
networking.interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.151";
prefixLength = 25;
}
];
};
networking.defaultGateway = "172.31.17.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "86:72:08:F6:C0:D6";
linkConfig.Name = "net0";
};
}

8
config/hosts/public-web-static/nginx.nix Normal file
View file

@ -0,0 +1,8 @@
{ ... }:
{
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
networking.firewall.allowedUDPPorts = [ 8443 ];
}

7
config/hosts/public-web-static/virtualHosts/default.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./element.hamburg.ccc.de.nix
];
}

47
config/hosts/public-web-static/virtualHosts/element-web-config/config.json Normal file
View file

@ -0,0 +1,47 @@
{
"default_server_name": "hamburg.ccc.de",
"default_server_config": {
"m.homeserver": {
"base_url": "https://matrix.hamburg.ccc.de",
"server_name": "hamburg.ccc.de"
},
"m.identity_server": {
"base_url": "https://vector.im"
}
},
"disable_custom_urls": true,
"disable_guests": false,
"disable_login_language_selector": false,
"disable_3pid_login": true,
"brand": "Element",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
"integrations_widgets_urls": [
"https://scalar.vector.im/_matrix/integrations/v1",
"https://scalar.vector.im/api",
"https://scalar-staging.vector.im/_matrix/integrations/v1",
"https://scalar-staging.vector.im/api",
"https://scalar-staging.riot.im/scalar/api"
],
"bug_report_endpoint_url": "https://element.io/bugreports/submit",
"uisi_autorageshake_app": "element-auto-uisi",
"default_country_code": "DE",
"show_labs_settings": true,
"default_federate": true,
"default_theme": "dark",
"room_directory": {
"servers": [
"matrix.org"
]
},
"enable_presence_by_hs_url": {
"https://matrix.org": false,
"https://matrix-client.matrix.org": false
},
"setting_defaults": {
"breadcrumbs": true
},
"jitsi": {
"preferredDomain": "meet.element.io"
}
}

93
config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix Normal file
View file

@ -0,0 +1,93 @@
{ pkgs, ... }:
let
element-web = pkgs.fetchzip {
url = "https://github.com/vector-im/element-web/releases/download/v1.11.45/element-v1.11.45.tar.gz";
sha256 = "sha256-nwRsBIF9vcHZkyVsLA2sU2cmuzALEIIOcWQRGfd+5xs=";
};
elementSecurityHeaders = ''
# Configuration best practices
# See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
add_header Strict-Transport-Security "max-age=63072000" always;
'';
in
{
services.nginx.virtualHosts = {
"acme-element.hamburg.ccc.de" = {
default = true;
enableACME = true;
serverName = "element.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"element.hamburg.ccc.de" = {
default = true;
forceSSL = true;
useACMEHost = "element.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
extraParameters = [ "proxy_protocol" ];
}
];
root = pkgs.buildEnv {
name = "element-web";
paths = [
element-web
./element-web-config
];
};
# Set no-cache for the version, config and index.html
# so that browsers always check for a new copy of Element Web.
# NB http://your-domain/ and http://your-domain/? are also covered by this
locations."= /index.html" = {
extraConfig = elementSecurityHeaders + ''
add_header Cache-Control "no-cache";
'';
};
locations."= /version" = {
extraConfig = elementSecurityHeaders + ''
add_header Cache-Control "no-cache";
'';
};
# covers config.json and config.hostname.json requests as it is prefix.
locations."/config" = {
extraConfig = elementSecurityHeaders + ''
add_header Cache-Control "no-cache";
'';
};
extraConfig = elementSecurityHeaders + ''
index index.html;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
}

14
flake.nix
View file

@ -90,6 +90,20 @@
./config/hosts/matrix ./config/hosts/matrix
]; ];
}; };
public-web-static = {
deployment = {
targetHost = "public-web-static-intern.hamburg.ccc.de";
targetPort = 22;
targetUser = "colmena-deploy";
tags = [ "chaosknoten" ];
};
imports = [
./config/common
./config/proxmox-vm
./config/hosts/public-web-static
];
};
}; };
packages.x86_64-linux = { packages.x86_64-linux = {