Fixup altra http proxy for synapse

Signed-off-by: Magic_RB <magic_rb@redalder.org>
Magic_RB 2023-07-27 20:59:48 +02:00
parent 262a2fba32
commit 6099b301cd
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
3 changed files with 149 additions and 50 deletions


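--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -38,6 +38,7 @@ in
 ./http-synapse-proxy.nix
 ../../common/remote_access.nix
+inputs.serokell-nix.nixosModules.acme-sh
 config'.flake.nixosModules.hashicorp
 inputs.disko.nixosModules.disko
 ];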


@ -1,76 +1,160 @@
{ pkgs, inputs', lib, config, ... }: { pkgs, inputs', lib, config, ... }:
let let
inherit (lib) inherit (lib)
singleton; singleton
mkForce;
certs = config.services.acme-sh.certs;
in in
{ {
users.users.nginx = { users.users.wwwrun = {
group = "nginx"; group = "wwwrun";
isSystemUser = true; isSystemUser = true;
uid = config.ids.uids.nginx; uid = config.ids.uids.wwwrun;
}; };
users.groups.nginx = { users.groups.wwwrun = {
gid = config.ids.gids.nginx; gid = config.ids.gids.wwwrun;
}; };
systemd.services.nginx-proxy = systemd.services.apache-proxy =
let let
nginxConfiguration = inputs'.nixng.nglib.generators.toNginx { apacheConfiguration = inputs'.nixng.nglib.generators.toApache [
daemon = "off"; {
worker_processes = 2; LoadModule = [
[ "mpm_event_module" "modules/mod_mpm_event.so" ]
[ "log_config_module" "modules/mod_log_config.so" ]
[ "unixd_module" "modules/mod_unixd.so" ]
[ "authz_core_module" "modules/mod_authz_core.so" ]
[ "authn_core_module" "modules/mod_authn_core.so" ]
[ "dir_module" "modules/mod_dir.so" ]
[ "mime_module" "modules/mod_mime.so" ]
[ "proxy_module" "modules/mod_proxy.so" ]
[ "proxy_http_module" "modules/mod_proxy_http.so" ]
[ "access_compat_module" "modules/mod_access_compat.so" ]
[ "proxy_connect_module" "modules/mod_proxy_connect.so" ]
[ "authn_file_module" "modules/mod_authn_file.so" ]
[ "authz_user_module" "modules/mod_authz_user.so" ]
[ "authz_host_module" "modules/mod_authz_host.so" ]
[ "auth_basic_module" "modules/mod_auth_basic.so" ]
[ "ssl_module" "modules/mod_ssl.so" ]
];
}
{
Listen = "0.0.0.0:8883";
events."" = { ServerRoot = "/var/empty";
use = "epoll"; ServerName = "altra";
worker_connections = 128; PidFile = "/run/apache/apache.pid";
};
error_log = "/var/log/nginx/error.log warn"; DocumentRoot = "/var/empty";
}
http."" = { {
server_tokens = "off"; ErrorLog = "/var/log/apache/error.log";
include = singleton [ "${pkgs.nginx}/conf/mime.types" ]; TransferLog = "/var/log/apache/access.log";
charset = "utf-8";
access_log = "/var/log/nginx/access.log combined"; LogLevel = "debug";
}
server."" = { {
listen = [ "8883" ]; AddType = singleton [
"image/svg+xml"
"svg"
"svgz"
];
AddEncoding = [
"gzip"
"svgz"
];
location."/" = { TypesConfig = "${pkgs.apacheHttpd}/conf/mime.types";
satisfy = "all"; }
allow = [ [ "10.64.2.1" ] [ "127.0.0.1" ] ]; {
deny = "all"; Directory."/" = {
Require = [ "all" "denied" ];
rewrite_by_lua_file Options = "SymlinksIfOwnerMatch";
auth_basic = "\"Administrators Area\"";
auth_basic_user_file = "/var/secret/htpasswd";
resolver = "8.8.8.8";
proxy_pass = "http://$http_host$uri$is_args$args";
};
}; };
};
}; VirtualHost."*:8883" = [
{
ProxyRequests = "on";
AddDefaultCharset = "off";
AllowCONNECT = "443";
}
{
ServerName = "synapse-proxy.in.redalder.org";
SSLEngine = "on";
SSLCertificateFile = certs.apache-proxy.certPath;
SSLCertificateKeyFile = certs.apache-proxy.keyPath;
SSLCipherSuite = "HIGH:!aNULL:!MD5";
}
{
Proxy."*" = {
Require = [ "all" "denied" ];
};
}
{
ProxyMatch."^([a-zA-Z]+\.)+[a-zA-Z]*:(443|8443).*$" = {
AuthType = "Basic";
AuthName = "\"Password Required\"";
AuthUserFile = "/var/secret/htpasswd";
RequireAll."" = {
Require = [
[ "user synapse" ]
[ "method CONNECT" ]
];
RequireAny."" = {
Require = [
[ "ip 10.64.2.1" ]
[ "ip 127.0.0.1" ]
];
};
};
};
}
{
ProxyMatch."^http:\/\/([a-zA-Z]+\.)+[a-zA-Z]*(|:(80))$" = {
AuthType = "Basic";
AuthName = "\"Password Required\"";
AuthUserFile = "/var/secret/htpasswd";
RequireAll."" = {
Require = [
[ "user synapse" ]
[ "not method CONNECT"]
];
RequireAny."" = {
Require = [
[ "ip 10.64.0.2" ]
];
};
};
};
}
];
}
];
in in
{ {
serviceConfig = { serviceConfig = {
Type = "forking";
Restart = "always"; Restart = "always";
RestartSec = "10s"; RestartSec = "10s";
# User and group # User and group
User = "nginx"; User = "wwwrun";
Group = "nginx"; Group = "wwwrun";
# Runtime directory and mode # Runtime directory and mode
RuntimeDirectory = "nginx"; RuntimeDirectory = "apache";
RuntimeDirectoryMode = "0750"; RuntimeDirectoryMode = "0750";
# Cache directory and mode # Cache directory and mode
CacheDirectory = "nginx"; CacheDirectory = "apache";
CacheDirectoryMode = "0750"; CacheDirectoryMode = "0750";
# Logs directory and mode # Logs directory and mode
LogsDirectory = "nginx"; LogsDirectory = "apache";
LogsDirectoryMode = "0750"; LogsDirectoryMode = "0750";
# Proc filesystem # Proc filesystem
ProcSubset = "pid"; ProcSubset = "pid";
@ -96,18 +180,31 @@ in
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true; RestrictNamespaces = true;
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = false; MemoryDenyWriteExecute = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
RemoveIPC = true; RemoveIPC = true;
PrivateMounts = true; PrivateMounts = true;
# System Call Filtering # System Call Filtering
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ]; SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid ~@ipc" ];
}; };
wantedBy = [ "multi-user.target" ];
script = '' script = ''
ls /proc/self/fd /dev ls /proc/self/fd /dev
${pkgs.openresty}/bin/nginx -c ${pkgs.writeText "nginx.cfg" nginxConfiguration} ${pkgs.apacheHttpd}/bin/httpd -f ${pkgs.writeText "apache.conf" apacheConfiguration}
''; '';
}; };
services.acme-sh.certs.apache-proxy = {
production = true;
user = "wwwrun";
domains."synapse-proxy.in.redalder.org" = "dns_hetzner";
mainDomain = "synapse-proxy.in.redalder.org";
postRun = "systemctl try-reload-or-restart --no-block apache-proxy.service";
};
systemd.services."acme-sh-apache-proxy" = {
serviceConfig.EnvironmentFile = mkForce "/var/secret/hetzner.env";
};
} }
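Review bot: The two `ProxyMatch` keys (`"^([a-zA-Z]+\.)+[a-zA-Z]*:(443|8443).*$"` and `"^http:\/\/([a-zA-Z]+\.)+…"`) lose their backslashes before reaching Apache, because a Nix double-quoted string turns `\.` into a bare `.` (and `\/` into `/`), so the pattern httpd compiles is `([a-zA-Z]+.)+`, where the dot matches any character rather than a literal one; write `\\.` for a literal dot. The first pattern also ends in `(443|8443).*$`, so any port beginning with those digits (e.g. `:4433`) matches — `(443|8443)$` is tighter — and since the same VirtualHost sets `AllowCONNECT = "443"`, a CONNECT to 8443 is refused by mod_proxy_connect regardless, so either drop 8443 from the pattern or use `AllowCONNECT = "443 8443";`. In the second hunk, `SystemCallFilter` ends with a second `~@ipc` token inside the existing `~…` list; systemd.exec(5) documents `~` only as a prefix of the whole list, so this token probably does not add @ipc to the deny set as intended — append `@ipc` without the tilde (and check that httpd's mpm_event scoreboard and mutexes still work with that group denied). The SSL block pins `SSLCipherSuite` but not the protocol, leaving the httpd default in force; `SSLProtocol = "-all +TLSv1.2 +TLSv1.3";` beside `SSLEngine = "on";` makes that explicit.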


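--- a/PATH-NOT-SHOWN-3
+++ b/PATH-NOT-SHOWN-3
@@ -68,8 +68,9 @@ in
 # ];
 # };
-# interfaces."wg0" = {
-# allowedTCPPorts = [
+interfaces."wg0" = {
+allowedTCPPorts = [
+8883
 # ## Consul
 # 8600 # DNS
 # 8500 # HTTP
@@ -81,7 +82,7 @@ in
 # 4647
 # 4648
 # 10000
-# ];
+];
 # allowedTCPPortRanges = [
 # {
 # from = 21000;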
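Review bot: The new `8883` entry in `allowedTCPPorts` is the only port in this list without a trailing comment, while the surrounding (still commented-out) entries each name their service (`# 8600 # DNS`); `8883 # apache-proxy (http-synapse-proxy.nix)` would keep the list self-describing and tie it to the httpd `Listen = "0.0.0.0:8883"` in the other file of this commit. Because that Listen binds every interface, reachability is decided solely by this wg0-only firewall opening; if the NixOS firewall is ever disabled on this host the proxy would be exposed on all addresses, so binding httpd to the wg0 address would be the more defensive choice. The `interfaces."wg0"` block continues past the end of the second hunk.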