strip whitespace

This commit is contained in:
Valentin Gagarin 2024-11-13 16:37:13 +01:00
parent 54f484ddd7
commit 6292453baa


@ -1,4 +1,3 @@
# Edit this configuration file to define what should be installed on # Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
@ -7,7 +6,8 @@
{ {
imports = imports =
[ # Include the results of the hardware scan. [
# Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
@ -32,21 +32,21 @@
forceSSL = true; forceSSL = true;
globalRedirect = "www.fediversity.eu"; globalRedirect = "www.fediversity.eu";
locations."/.well-known/matrix/client" = { locations."/.well-known/matrix/client" = {
extraConfig = '' extraConfig = ''
return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}'; return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
default_type application/json; default_type application/json;
add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
''; '';
}; };
locations."/.well-known/matrix/server" = { locations."/.well-known/matrix/server" = {
extraConfig = '' extraConfig = ''
return 200 '{"m.server": "matrix.fediversity.eu:443"}'; return 200 '{"m.server": "matrix.fediversity.eu:443"}';
default_type application/json; default_type application/json;
add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
''; '';
}; };
}; };
@ -55,21 +55,21 @@
forceSSL = true; forceSSL = true;
root = "/var/www/www.fediversity.eu/fediversity.eu/public"; root = "/var/www/www.fediversity.eu/fediversity.eu/public";
locations."/.well-known/matrix/client" = { locations."/.well-known/matrix/client" = {
extraConfig = '' extraConfig = ''
return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}'; return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
default_type application/json; default_type application/json;
add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
''; '';
}; };
locations."/.well-known/matrix/server" = { locations."/.well-known/matrix/server" = {
extraConfig = '' extraConfig = ''
return 200 '{"m.server": "matrix.fediversity.eu:443"}'; return 200 '{"m.server": "matrix.fediversity.eu:443"}';
default_type application/json; default_type application/json;
add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
''; '';
}; };
}; };
@ -80,7 +80,7 @@
certs."oid.foundation".extraDomainNames = [ "www.oid.foundation" ]; certs."oid.foundation".extraDomainNames = [ "www.oid.foundation" ];
}; };
networking = { networking = {
hostName = "vm02117"; hostName = "vm02117";
domain = "procolix.com"; domain = "procolix.com";
interfaces = { interfaces = {
@ -117,9 +117,9 @@
enable = true; enable = true;
ruleset = '' ruleset = ''
#!/usr/sbin/nft -f #!/usr/sbin/nft -f
flush ruleset flush ruleset
########### define usefull variables here ##################### ########### define usefull variables here #####################
define wan = eth0 define wan = eth0
define ssh_allow = { define ssh_allow = {
@ -137,38 +137,38 @@
define nrpe_allow = { define nrpe_allow = {
95.215.185.34/32, # nagios2 ipv4 95.215.185.34/32, # nagios2 ipv4
} }
########### here starts the automated bit ##################### ########### here starts the automated bit #####################
table inet filter { table inet filter {
chain input { chain input {
type filter hook input priority 0; type filter hook input priority 0;
policy drop; policy drop;
# established/related connections # established/related connections
ct state established,related accept ct state established,related accept
ct state invalid drop ct state invalid drop
# Limit ping requests. # Limit ping requests.
ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
# loopback interface # loopback interface
iifname lo accept iifname lo accept
# icmp # icmp
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
# Without the nd-* ones ipv6 will not work. # Without the nd-* ones ipv6 will not work.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
# open tcp ports: sshd (22) # open tcp ports: sshd (22)
ip saddr $ssh_allow tcp dport {ssh} accept ip saddr $ssh_allow tcp dport {ssh} accept
# open tcp ports: snmp (161) # open tcp ports: snmp (161)
ip saddr $snmp_allow udp dport {snmp} accept ip saddr $snmp_allow udp dport {snmp} accept
# open tcp ports: nrpe (5666) # open tcp ports: nrpe (5666)
ip saddr $nrpe_allow tcp dport {nrpe} accept ip saddr $nrpe_allow tcp dport {nrpe} accept
# open tcp ports: http (80,443) # open tcp ports: http (80,443)
tcp dport {http,https} accept tcp dport {http,https} accept
} }
@ -179,13 +179,13 @@
type filter hook output priority 0; type filter hook output priority 0;
} }
} }
table ip nat { table ip nat {
chain postrouting { chain postrouting {
} }
chain prerouting { chain prerouting {
} }
} }
''; '';
}; };
}; };
@ -202,8 +202,8 @@
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user. extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1" "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2" "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
]; ];
packages = with pkgs; [ packages = with pkgs; [
]; ];
@ -212,7 +212,7 @@
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user. extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbK4ZB0Xnpf8yyK4QOI2HvjgQINI3GKi7/O2VEsYXUb laurenshof@Laurenss-MacBook-Air.local" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbK4ZB0Xnpf8yyK4QOI2HvjgQINI3GKi7/O2VEsYXUb laurenshof@Laurenss-MacBook-Air.local"
]; ];
packages = with pkgs; [ packages = with pkgs; [
]; ];
@ -221,7 +221,7 @@
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user. extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
]; ];
packages = with pkgs; [ packages = with pkgs; [
]; ];
@ -272,4 +272,3 @@
system.stateVersion = "23.11"; # Did you read the comment? system.stateVersion = "23.11"; # Did you read the comment?
} }