diff --git a/flake.lock b/flake.lock
index 868c399..e6cb2dd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -61,11 +61,11 @@
 ]
 },
 "locked": {
- "lastModified": 1651886851,
- "narHash": "sha256-kbXOJSf1uho0/7P54nZkJdJY3oAelIjyc6tfiRhaXJI=",
+ "lastModified": 1652167840,
+ "narHash": "sha256-Qx//y33FkhUun+en60SakO9iQPPLu18fUpr3kKTkif8=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "882bd8118bdbff3a6e53e5ced393932b351ce2f6",
+ "rev": "4293902b64990d43847fe90e50ef7908f7dc1e30",
 "type": "github"
 },
 "original": {
@@ -135,11 +135,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1651726670,
- "narHash": "sha256-dSGdzB49SEvdOJvrQWfQYkAefewXraHIV08Vz6iDXWQ=",
+ "lastModified": 1652082323,
+ "narHash": "sha256-7GSVLvfCJtH9dJ3om9Lg4fsi9UKvoxxR69gUTcx0ol8=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c777cdf5c564015d5f63b09cc93bef4178b19b01",
+ "rev": "2a3aac479caeba0a65b2ad755fe5f284f1fde74d",
 "type": "github"
 },
 "original": {
diff --git a/hosts/hetzner-vm/hetzner-vm.nix b/hosts/hetzner-vm/hetzner-vm.nix
index 4622da8..77c4158 100644
--- a/hosts/hetzner-vm/hetzner-vm.nix
+++ b/hosts/hetzner-vm/hetzner-vm.nix
@@ -16,6 +16,7 @@
 hosts.hetzner-vm.services.quassel
 hosts.hetzner-vm.services.mpd
 hosts.hetzner-vm.services.storage-sftp
+ hosts.hetzner-vm.services.misskey
 (modulesPath + "/profiles/qemu-guest.nix")
diff --git a/hosts/hetzner-vm/services/invidious.nix b/hosts/hetzner-vm/services/invidious.nix
index b1316f5..0ce25a3 100644
--- a/hosts/hetzner-vm/services/invidious.nix
+++ b/hosts/hetzner-vm/services/invidious.nix
@@ -39,11 +39,20 @@
 RuntimeMaxSec = "1200";
 };
- services.nginx.virtualHosts."invidious-unproxied.owo.monster" = {
+ services.nginx.virtualHosts."invidious.owo.monster" = {
 forceSSL = true;
 enableACME = true;
 locations = {
 "/".proxyPass = "http://127.0.0.1:3000";
 };
 };
+ services.nginx.virtualHosts."invidious-nojs.owo.monster" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".proxyPass = "http://127.0.0.1:3000";
+ "/js/".extraConfig = "deny all;";
+ };
+ };
+
 #networking.firewall.allowedTCPPorts = [ 3000 ];
 }
diff --git a/hosts/hetzner-vm/services/misskey.nix b/hosts/hetzner-vm/services/misskey.nix
new file mode 100644
index 0000000..ac47427
--- /dev/null
+++ b/hosts/hetzner-vm/services/misskey.nix
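Review bot: The new `invidious-nojs` vhost blocks only the `/js/` prefix with `deny all;`, which makes nginx answer 403 for those requests; any inline `<script>` the Invidious pages still emit, and any script served from another path, is untouched, so this is a best-effort no-JS front rather than a guarantee. That intent is not recorded anywhere in the block, so a reader later will not know why the two vhosts differ by one location; a one-line comment above it such as `# nojs variant: refuse the bundled scripts under /js/ so pages stay usable without client-side JS` would do. Both vhosts proxy to the same backend with no proxy headers beyond whatever `services.nginx` sets outside this hunk, so whether Invidious sees the requested Host for the two names depends on configuration not visible here.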
@@ -0,0 +1,78 @@
+{ pkgs, ... }:
+let
+ misskeyDomain = "social.owo.monster";
+ misskeyPort = 3020;
+ redisPort = 3019;
+
+ # USE NPX YARN
+
+ misskeyBuildDeps = with pkgs; [
+ gccStdenv
+ nodePackages.node-gyp-build
+ python3
+ pkg-config
+ vips
+ nodePackages.npm
+ ];
+
+ misskeyPackages = with pkgs; [
+ git
+ jq
+
+
+ nodejs
+ nodePackages.npm
+
+ ffmpeg
+ ] ++ misskeyBuildDeps;
+in {
+ users.users."misskey" = {
+ isNormalUser = true;
+ createHome = true;
+ };
+ home-manager.users."misskey".home.packages = misskeyPackages;
+
+ # make .config/default.yml a symlink to /etc/misskey.yml
+ environment.etc."misskey.yml".text = pkgs.lib.generators.toYAML {} {
+ url = "https://${misskeyDomain}/";
+ port = misskeyPort;
+
+ db = {
+ host = "localhost";
+ port = "5432";
+ db = "misskey";
+ user = "misskey";
+ pass = "a";
+ };
+
+ redis = {
+ host = "127.0.0.1";
+ port = redisPort;
+ };
+ };
+
+ services.nginx.virtualHosts."${misskeyDomain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:${toString misskeyPort}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [{
+ name = "misskey";
+ ensurePermissions."DATABASE misskey" = "ALL PRIVILEGES";
+ }];
+ ensureDatabases = [ "misskey" ];
+ };
+
+ services.redis.servers."misskey" = {
+ enable = true;
+ port = redisPort;
+ };
+}
diff --git a/profiles/tailscale/tailscale.nix b/profiles/tailscale/tailscale.nix
index f7a7e45..59f6902 100644
--- a/profiles/tailscale/tailscale.nix
+++ b/profiles/tailscale/tailscale.nix
@@ -1,4 +1,5 @@
 _: {
 services.tailscale.enable = true;
 networking.firewall.trustedInterfaces = [ "tailscale0" ];
+ networking.firewall.checkReversePath = "loose";
 }
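Review bot: `pass = "a";` puts the database credential into `environment.etc."misskey.yml"`, which is rendered from this expression into the world-readable Nix store and linked into /etc, so every local account on the host (and anyone with read access to the store) can read it. The credential should come from a root-only file outside the store, with the Nix side holding only a placeholder such as `pass = "<filled from secret file at deploy time>"`; note also that `services.postgresql.ensureUsers` creates the role without a password, so whether `"a"` authenticates over `localhost:5432` at all depends on the pg_hba rules and any manual password setup not visible here. Minor: `port = "5432";` is a string while `misskeyPort` and `redisPort` are integers, so `toYAML` emits a quoted value for one and bare numbers for the others; `port = 5432;` keeps the three consistent. `isNormalUser = true` gives the service account a login shell and interactive-user status; `isSystemUser = true` with an explicit `group` is the usual shape for a daemon account, unless the manual `npx yarn` workflow the `# USE NPX YARN` comment hints at genuinely needs a login.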
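Review bot: `networking.firewall.checkReversePath = "loose";` relaxes reverse-path filtering for every interface on the host, not only `tailscale0`, and the hunk gives no reason for the change. Presumably this is for exit-node or subnet-router use, where strict rpfilter drops the traffic Tailscale forwards; that should be recorded on the line, e.g. `# strict rpfilter drops traffic routed via tailscale0 (exit node / subnet router); "loose" is the setting Tailscale recommends for that`. Since this file is a shared profile, the weakened anti-spoofing check now applies to every host importing it, so consider setting it only on the hosts that actually route.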