-rw-r--r-- | cluster/prod/app/jitsi/config/config.js | 2 | ||||
-rw-r--r-- | cluster/prod/app/jitsi/config/nginx.conf | 10 | ||||
-rw-r--r-- | cluster/prod/cluster.nix | 6 | ||||
-rw-r--r-- | cluster/prod/known_hosts | 1 | ||||
-rw-r--r-- | cluster/prod/node/pamplemousse.nix | 14 | ||||
l--------- | cluster/prod/node/pamplemousse.site.nix | 1 | ||||
-rw-r--r-- | cluster/prod/site/corrin.nix | 8 | ||||
-rw-r--r-- | cluster/prod/ssh_config | 3 | ||||
-rw-r--r-- | cluster/staging/app/core/deploy/diplonat.hcl | 2 | ||||
-rw-r--r-- | nix/configuration.nix | 17 |
10 files changed, 43 insertions, 21 deletions
diff --git a/cluster/prod/app/jitsi/config/config.js b/cluster/prod/app/jitsi/config/config.js
index cbbb616..1a6b412 100644
--- a/cluster/prod/app/jitsi/config/config.js
+++ b/cluster/prod/app/jitsi/config/config.js
@@ -369,7 +369,7 @@ var config = {
 // Message to show the users. Example: 'The service will be down for
 // maintenance at 01:00 AM GMT,
 // Does only support plaintext. No line skip.
- // noticeMessage: "Suite à une utilisation contraire à nos CGU, Deuxfleurs surveille activement cette instance Jitsi et enverra tout contenu illégal à la police. Pour toute question, commentaire ou suggestion, contactez moderation@deuxfleurs.fr . Following usage breaching our TOS, Deuxfleurs actively monitors this Jitsi instance and will send any illegal behavior to the Police. For any question, remark or suggestion, reach moderation@deuxfleurs.fr",
+ noticeMessage: "Suite à une utilisation contraire à nos CGU, Deuxfleurs surveille activement cette instance Jitsi et enverra tout contenu illégal à la police. Pour toute question, commentaire ou suggestion, contactez moderation@deuxfleurs.fr . Following usage breaching our TOS, Deuxfleurs actively monitors this Jitsi instance and will send any illegal behavior to the Police. For any question, remark or suggestion, reach moderation@deuxfleurs.fr",
 
 // Enables calendar integration, depends on googleApiApplicationClientID
 // and microsoftApiApplicationClientID
diff --git a/cluster/prod/app/jitsi/config/nginx.conf b/cluster/prod/app/jitsi/config/nginx.conf
index 53c8596..954db0b 100644
--- a/cluster/prod/app/jitsi/config/nginx.conf
+++ b/cluster/prod/app/jitsi/config/nginx.conf
@@ -81,6 +81,12 @@ http {
 alias /srv/jitsi-meet/$1/$2;
 }
 
+ # Disallow robots indexation
+ location = /robots.txt {
+ add_header Content-Type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+ }
+
 # not used yet VVV
 # colibri (JVB) websockets
 #location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
@@ -92,12 +98,12 @@ http {
 #}
- location ~ "2daut2wank2|2duat2wank|2duat2wank0|2duat2wank1|2duat2wank2|2duat2wank3|2duatr2wank|2duatr2wank0|2duatr2wank1|2duatr2wank2|2wank2daut2|daut1|duat2wank|duat2wank2|duatr2wank2|prettypanties|slutgfs|wabk2daugther|wank2daugther|wank2daut|wank2daut2|wank2daut3|wankwatch" {
+ location ~* {{ key "secrets/jitsi/blacklist_regex" }} {
 return 302 https://www.service-public.fr/particuliers/vosdroits/R17674;
 }
 location = /http-bind {
- if ($args ~ "2daut2wank2|2duat2wank|2duat2wank0|2duat2wank1|2duat2wank2|2duat2wank3|2duatr2wank|2duatr2wank0|2duatr2wank1|2duatr2wank2|2wank2daut2|daut1|duat2wank|duat2wank2|duatr2wank2|prettypanties|slutgfs|wabk2daugther|wank2daugther|wank2daut|wank2daut2|wank2daut3|wankwatch") {
+ if ($args ~* {{ key "secrets/jitsi/blacklist_regex" }}) {
 return 403 'forbidden';
 }
diff --git a/cluster/prod/cluster.nix b/cluster/prod/cluster.nix
index ddb9813..247e83b 100644
--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@@ -99,6 +99,12 @@
 address = "10.83.5.4";
 endpoint = "82.64.238.84:33743";
 };
+ "pamplemousse" = {
+ siteName = "corrin";
+ publicKey = "6y5GrNXEql12AObuSfOHGxxUKpdlcyapu+juLYOEBhc=";
+ address = "10.83.6.1";
+ endpoint = "45.81.62.36:33731";
+ };
 };
 
 # Pin Nomad version
diff --git a/cluster/prod/known_hosts b/cluster/prod/known_hosts
index 3475b9d..c167b84 100644
--- a/cluster/prod/known_hosts
+++ b/cluster/prod/known_hosts
@@ -13,3 +13,4 @@ onion.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjBQ67fxwuDDzRP
 oseille.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAgQdQ5UVFFn+DXN90ut9+V7NtEopQJnES3r8soKTZW4
 io.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvgCJ7Jew7ou1RZuaT41Sd+ucZAgxUwtdieqNqoC3+T
 ortie.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqtfIPLk8a5tM6Upj7GQwlIS16nBPrZYVXE2FVlO2Yn
+pamplemousse.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAI0M5qny9yQ6LNzWqPfSlOWwTYpvxQtuSpFiOb6aVtA
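Review bot: Both changed lines splice the Consul KV value into the config without the double quotes the old inline regex had, so any `;`, `{`, `}` or whitespace in the stored pattern either breaks nginx parsing or changes what the directive means, and whoever can write `secrets/jitsi/blacklist_regex` is effectively editing nginx.conf rather than just a pattern. Quote the rendered value as before, `location ~* "{{ key "secrets/jitsi/blacklist_regex" }}" {` and `if ($args ~* "{{ key "secrets/jitsi/blacklist_regex" }}") {`; the inner quotes belong to the template action, the outer ones to nginx, which then sees one token (presumably this file is rendered by a Nomad template stanza before nginx reads it). The move from `~` to `~*` also makes both matches case-insensitive, which is worth a short comment above the location if intended. In the robots.txt location of the previous hunk, `add_header Content-Type text/plain;` appends a second Content-Type next to the one nginx derives from `default_type`; `default_type text/plain;` inside that location is the usual way to set it.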
diff --git a/cluster/prod/node/pamplemousse.nix b/cluster/prod/node/pamplemousse.nix
new file mode 100644
index 0000000..00ab784
--- /dev/null
+++ b/cluster/prod/node/pamplemousse.nix
@@ -0,0 +1,14 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.timeout = 5;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ deuxfleurs.hostName = "pamplemousse";
+ deuxfleurs.staticIPv4.address = "192.168.5.201";
+ deuxfleurs.staticIPv6.address = "2001:912:1ac0:2200::201";
+}
diff --git a/cluster/prod/node/pamplemousse.site.nix b/cluster/prod/node/pamplemousse.site.nix
new file mode 120000
index 0000000..0a97c41
--- /dev/null
+++ b/cluster/prod/node/pamplemousse.site.nix
@@ -0,0 +1 @@
+../site/corrin.nix
\ No newline at end of file
diff --git a/cluster/prod/site/corrin.nix b/cluster/prod/site/corrin.nix
new file mode 100644
index 0000000..f400bee
--- /dev/null
+++ b/cluster/prod/site/corrin.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+
+{
+ deuxfleurs.siteName = "corrin";
+ deuxfleurs.staticIPv4.defaultGateway = "192.168.5.1";
+ deuxfleurs.cnameTarget = "corrin.site.deuxfleurs.fr.";
+ deuxfleurs.publicIPv4 = "45.81.62.36";
+}
diff --git a/cluster/prod/ssh_config b/cluster/prod/ssh_config
index 62517d2..c8abb42 100644
--- a/cluster/prod/ssh_config
+++ b/cluster/prod/ssh_config
@@ -44,3 +44,6 @@ Host io
 Host ortie
 HostName ortie.machine.deuxfleurs.fr
+
+Host pamplemousse
+ HostName 2001:912:1ac0:2200::201
diff --git a/cluster/staging/app/core/deploy/diplonat.hcl b/cluster/staging/app/core/deploy/diplonat.hcl
index 160004f..b6a83aa 100644
--- a/cluster/staging/app/core/deploy/diplonat.hcl
+++ b/cluster/staging/app/core/deploy/diplonat.hcl
@@ -54,7 +54,7 @@ job "core-diplonat" {
 data = <<EOH
 DIPLONAT_REFRESH_TIME=60
 DIPLONAT_EXPIRATION_TIME=300
-DIPLONAT_IPV6_ONLY={{ $site := env "meta.site" }}{{ if eq $site "corrin" }}false{{ else }}true{{ end }}
+DIPLONAT_IPV6_ONLY=true
 DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
 DIPLONAT_CONSUL_URL=https://localhost:8501
 DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul-ca.crt
diff --git a/nix/configuration.nix b/nix/configuration.nix
index ab7b11a..68751a2 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
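Review bot: `HostName 2001:912:1ac0:2200::201` for the new `Host pamplemousse` entry does not line up with the known_hosts line this same commit adds, which is keyed by `pamplemousse.machine.deuxfleurs.fr`; ssh looks host keys up by the HostName it actually connects to, so the literal address will not match the new entry and the first connection ends in a trust-on-first-use prompt (or a refusal under strict checking), which is what shipping known_hosts is meant to avoid. It is also the only entry in the visible context that uses an address instead of the `<node>.machine.deuxfleurs.fr` name (`HostName ortie.machine.deuxfleurs.fr` just above). Use `HostName pamplemousse.machine.deuxfleurs.fr` like the other hosts, or, if the IPv6 literal is deliberate because the DNS record is not published yet, keep it and add `HostKeyAlias pamplemousse.machine.deuxfleurs.fr` so the lookup uses the name the known_hosts line carries. Whether the file sets UserKnownHostsFile, StrictHostKeyChecking or CheckHostIP is outside the hunk.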
@@ -78,23 +78,6 @@ SystemMaxUse=1G
 services.openssh.enable = true;
 services.openssh.settings.PasswordAuthentication = false;
- # FIXME: Temporary patch for OpenSSH (CVE-2024-6387)
- # Patches from backport PR: https://github.com/NixOS/nixpkgs/pull/323765
- programs.ssh.package = pkgs.openssh.overrideAttrs(prev: {
- patches = prev.patches ++ [
- (pkgs.fetchpatch {
- url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch";
- hash = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw=";
- })
- (pkgs.fetchpatch {
- url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-chaff-logic.patch";
- hash = "sha256-lepBEFxKTAwg379iCD8KQCZVAzs3qNSSyUTOcartpK4=";
- })
- ];
-
- doCheck = false;
- });
-
 virtualisation.docker = {
 enable = true;
 extraOptions = "--config-file=${pkgs.writeText "daemon.json" (builtins.toJSON {
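Review bot: Removing the `programs.ssh.package` override for CVE-2024-6387 is only safe if the nixpkgs revision this configuration pins already ships a fixed OpenSSH, and nothing in this commit shows that: the diffstat lists no flake.lock or nixpkgs pin change among the ten files, and the removed FIXME comment was the only record of why the override existed. Before merging, confirm the resulting OpenSSH version (for example `nix eval` of `pkgs.openssh.version` against the pinned input, or `ssh -V` on a rebuilt node) and name the nixpkgs revision that makes the override redundant in the commit description, so the next reader does not have to re-derive it. If the pin has not been bumped, the override should stay until it is; `services.openssh.enable = true` in the context line means this is the host sshd. The enclosing attribute set starts and ends outside the hunk.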