Kiara Grouwstra 2025-07-11 21:40:52 +02:00
parent dabeae4695
commit e790a4450f
Signed by: kiara
SSH key fingerprint: SHA256:COspvLoLJ5WC5rFb9ZDe5urVCkK4LJZOsjfF4duRJFU
4 changed files with 25 additions and 5 deletions


@ -12,7 +12,7 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
- run: attic login fediversity http://attic.fediversity.net:8080 ${{ secrets.ATTIC_PUSH_KEY }} && attic use demo - run: attic login fediversity https://attic.fediversity.net ${{ secrets.ATTIC_PUSH_KEY }} && attic use demo
- name: Set up SSH key to access age secrets - name: Set up SSH key to access age secrets
run: | run: |
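Review bot: Before this change the `attic login` line sent `${{ secrets.ATTIC_PUSH_KEY }}` in cleartext to http://attic.fediversity.net:8080 on every run, so unless the runner and atticd shared a trusted network the token should be treated as exposed and rotated once this lands. Expanding the secret directly inside `run:` also puts it into the script text itself; routing it through the step's environment keeps the expansion out of the shell source, e.g. `env:` with `ATTIC_TOKEN: ${{ secrets.ATTIC_PUSH_KEY }}` and then `run: attic login fediversity https://attic.fediversity.net "$ATTIC_TOKEN" && attic use demo`. The job's `steps:` list continues past the end of this hunk.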


@ -26,7 +26,7 @@ in
nix.settings = { nix.settings = {
substituters = [ substituters = [
"http://attic.fediversity.net/demo" "https://attic.fediversity.net/demo"
]; ];
trusted-public-keys = [ trusted-public-keys = [
"demo:N3CAZ049SeBVqBM+OnhLMrxWJ9altbD/aoJtHrY19KM=" "demo:N3CAZ049SeBVqBM+OnhLMrxWJ9altbD/aoJtHrY19KM="


@ -43,8 +43,7 @@ table inet filter {
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
# open tcp ports: sshd (22) # open tcp ports: sshd (22)
# 8080: used in atticd tcp dport ssh accept
tcp dport {ssh,8080} accept
# open tcp ports: snmp (161) # open tcp ports: snmp (161)
ip saddr $snmp_allow udp dport {snmp} accept ip saddr $snmp_allow udp dport {snmp} accept
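Review bot: Dropping 8080 from `tcp dport ssh accept` only takes atticd off the network if the daemon itself also binds to 127.0.0.1, which this diff does not show; if it still listens on 0.0.0.0, the exposure now rests on this single nftables rule rather than on the listen address, so the bind should be checked in the atticd config. The replaced comment also lost the reason the port existed; a line such as `# 8080 (atticd) is loopback-only and reached through the nginx TLS proxy on 443` would tell the next reader why 8080 must not be re-added here. Note that this table opens neither 80 nor 443, so if this is the host running the new nginx vhost, ACME and the proxy presumably rely on a different firewall mechanism — worth confirming. The `table inet filter` block starts and ends outside this hunk.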


@ -69,7 +69,7 @@ in
]; ];
}; };
# open up access to the mastodon web interface. 80 is necessary if only for ACME # open up access. 80 is necessary if only for ACME
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
443 443
@ -77,6 +77,27 @@ in
9000 9000
]; ];
# https://wiki.nixos.org/wiki/Nginx#TLS_reverse_proxy
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."attic.${config.fediversity.domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
proxyWebsockets = true; # needed if you need to use WebSocket
extraConfig =
# required when the target is also TLS server with multiple hosts
"proxy_ssl_server_name on;"
+
# required when the server wants to use HTTP Authentication
"proxy_pass_header Authorization;";
};
};
};
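Review bot: The new vhost's `extraConfig` sets `proxy_ssl_server_name on;`, which has no effect on a plain `http://127.0.0.1:8080` upstream, and `proxy_pass_header Authorization;`, which governs headers the upstream *returns* to the client, not the request `Authorization` header nginx already forwards by default — both lines appear to be carried over from the wiki's TLS-upstream example and only mislead the reader. What the attic proxy does need, and is missing, is a larger upload limit, since `attic push` sends whole NARs and nginx's default `client_max_body_size` of 1m would reject them; replacing the two lines with `extraConfig = "client_max_body_size 0;";` (or a deliberate upper bound) fixes that and drops the dead directives. The `proxyPass` target also presumes atticd is bound to loopback, which is not visible in this diff.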
vars.settings.on-machine.enable = true; vars.settings.on-machine.enable = true;
vars.generators."templates" = rec { vars.generators."templates" = rec {
dependencies = [ "attic" ]; dependencies = [ "attic" ];