-rw-r--r--cluster/prod/app/jitsi/config/config.js2
-rw-r--r--cluster/prod/app/jitsi/config/nginx.conf10
-rw-r--r--cluster/prod/cluster.nix6
-rw-r--r--cluster/prod/known_hosts1
-rw-r--r--cluster/prod/node/pamplemousse.nix14
l---------cluster/prod/node/pamplemousse.site.nix1
-rw-r--r--cluster/prod/site/corrin.nix8
-rw-r--r--cluster/prod/ssh_config3
-rw-r--r--cluster/staging/app/core/deploy/diplonat.hcl2
-rw-r--r--nix/configuration.nix17
10 files changed, 43 insertions, 21 deletions
diff --git a/cluster/prod/app/jitsi/config/config.js b/cluster/prod/app/jitsi/config/config.js
index cbbb616..1a6b412 100644
--- a/cluster/prod/app/jitsi/config/config.js
+++ b/cluster/prod/app/jitsi/config/config.js
@@ -369,7 +369,7 @@ var config = {
// Message to show the users. Example: 'The service will be down for
// maintenance at 01:00 AM GMT,
// Does only support plaintext. No line skip.
- // noticeMessage: "Suite à une utilisation contraire à nos CGU, Deuxfleurs surveille activement cette instance Jitsi et enverra tout contenu illégal à la police. Pour toute question, commentaire ou suggestion, contactez moderation@deuxfleurs.fr . Following usage breaching our TOS, Deuxfleurs actively monitors this Jitsi instance and will send any illegal behavior to the Police. For any question, remark or suggestion, reach moderation@deuxfleurs.fr",
+ noticeMessage: "Suite à une utilisation contraire à nos CGU, Deuxfleurs surveille activement cette instance Jitsi et enverra tout contenu illégal à la police. Pour toute question, commentaire ou suggestion, contactez moderation@deuxfleurs.fr . Following usage breaching our TOS, Deuxfleurs actively monitors this Jitsi instance and will send any illegal behavior to the Police. For any question, remark or suggestion, reach moderation@deuxfleurs.fr",
// Enables calendar integration, depends on googleApiApplicationClientID
// and microsoftApiApplicationClientID
diff --git a/cluster/prod/app/jitsi/config/nginx.conf b/cluster/prod/app/jitsi/config/nginx.conf
index 53c8596..954db0b 100644
--- a/cluster/prod/app/jitsi/config/nginx.conf
+++ b/cluster/prod/app/jitsi/config/nginx.conf
@@ -81,6 +81,12 @@ http {
alias /srv/jitsi-meet/$1/$2;
}
+ # Disallow robots indexation
+ location = /robots.txt {
+ add_header Content-Type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+ }
+
# not used yet VVV
# colibri (JVB) websockets
#location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
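Review bot: `add_header Content-Type text/plain;` in the new `/robots.txt` location is the wrong directive for typing a `return` body: nginx already emits a Content-Type derived from `default_type`, so this adds a second Content-Type header rather than replacing it. The idiomatic form is `default_type text/plain;` in place of the `add_header` line. Separately, declaring any `add_header` inside a location stops it inheriting `add_header` directives from the enclosing `server`/`http` levels, so if security headers are set there (not visible in this hunk) they would be absent from this response — another reason not to use `add_header` here. The enclosing `http {` block starts and ends outside the hunk.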
@@ -92,12 +98,12 @@ http {
#}
- location ~ "2daut2wank2|2duat2wank|2duat2wank0|2duat2wank1|2duat2wank2|2duat2wank3|2duatr2wank|2duatr2wank0|2duatr2wank1|2duatr2wank2|2wank2daut2|daut1|duat2wank|duat2wank2|duatr2wank2|prettypanties|slutgfs|wabk2daugther|wank2daugther|wank2daut|wank2daut2|wank2daut3|wankwatch" {
+ location ~* {{ key "secrets/jitsi/blacklist_regex" }} {
return 302 https://www.service-public.fr/particuliers/vosdroits/R17674;
}
location = /http-bind {
- if ($args ~ "2daut2wank2|2duat2wank|2duat2wank0|2duat2wank1|2duat2wank2|2duat2wank3|2duatr2wank|2duatr2wank0|2duatr2wank1|2duatr2wank2|2wank2daut2|daut1|duat2wank|duat2wank2|duatr2wank2|prettypanties|slutgfs|wabk2daugther|wank2daugther|wank2daut|wank2daut2|wank2daut3|wankwatch") {
+ if ($args ~* {{ key "secrets/jitsi/blacklist_regex" }}) {
return 403 'forbidden';
}
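Review bot: The templated pattern on the new `location ~*` and `if ($args ~* …)` lines is inserted unquoted, whereas the removed lines quoted the literal; if the value stored under `secrets/jitsi/blacklist_regex` ever contains whitespace, `{`, `}` or `;`, the rendered nginx.conf fails to parse and the blacklist stops applying. Keep the quoting the old lines had: `location ~* "{{ key "secrets/jitsi/blacklist_regex" }}" {` and `if ($args ~* "{{ key "secrets/jitsi/blacklist_regex" }}") {` (the template is expanded before nginx reads the file, so the outer quotes survive). The match also changes from case-sensitive `~` to `~*` on both lines; if that is intentional it is worth one line in the commit message. The enclosing `http {` block starts and ends outside the hunk.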
diff --git a/cluster/prod/cluster.nix b/cluster/prod/cluster.nix
index ddb9813..247e83b 100644
--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@@ -99,6 +99,12 @@
address = "10.83.5.4";
endpoint = "82.64.238.84:33743";
};
+ "pamplemousse" = {
+ siteName = "corrin";
+ publicKey = "6y5GrNXEql12AObuSfOHGxxUKpdlcyapu+juLYOEBhc=";
+ address = "10.83.6.1";
+ endpoint = "45.81.62.36:33731";
+ };
};
# Pin Nomad version
diff --git a/cluster/prod/known_hosts b/cluster/prod/known_hosts
index 3475b9d..c167b84 100644
--- a/cluster/prod/known_hosts
+++ b/cluster/prod/known_hosts
@@ -13,3 +13,4 @@ onion.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjBQ67fxwuDDzRP
oseille.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAgQdQ5UVFFn+DXN90ut9+V7NtEopQJnES3r8soKTZW4
io.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvgCJ7Jew7ou1RZuaT41Sd+ucZAgxUwtdieqNqoC3+T
ortie.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqtfIPLk8a5tM6Upj7GQwlIS16nBPrZYVXE2FVlO2Yn
+pamplemousse.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAI0M5qny9yQ6LNzWqPfSlOWwTYpvxQtuSpFiOb6aVtA
diff --git a/cluster/prod/node/pamplemousse.nix b/cluster/prod/node/pamplemousse.nix
new file mode 100644
index 0000000..00ab784
--- /dev/null
+++ b/cluster/prod/node/pamplemousse.nix
@@ -0,0 +1,14 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.timeout = 5;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ deuxfleurs.hostName = "pamplemousse";
+ deuxfleurs.staticIPv4.address = "192.168.5.201";
+ deuxfleurs.staticIPv6.address = "2001:912:1ac0:2200::201";
+}
diff --git a/cluster/prod/node/pamplemousse.site.nix b/cluster/prod/node/pamplemousse.site.nix
new file mode 120000
index 0000000..0a97c41
--- /dev/null
+++ b/cluster/prod/node/pamplemousse.site.nix
@@ -0,0 +1 @@
+../site/corrin.nix \ No newline at end of file
diff --git a/cluster/prod/site/corrin.nix b/cluster/prod/site/corrin.nix
new file mode 100644
index 0000000..f400bee
--- /dev/null
+++ b/cluster/prod/site/corrin.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+
+{
+ deuxfleurs.siteName = "corrin";
+ deuxfleurs.staticIPv4.defaultGateway = "192.168.5.1";
+ deuxfleurs.cnameTarget = "corrin.site.deuxfleurs.fr.";
+ deuxfleurs.publicIPv4 = "45.81.62.36";
+}
diff --git a/cluster/prod/ssh_config b/cluster/prod/ssh_config
index 62517d2..c8abb42 100644
--- a/cluster/prod/ssh_config
+++ b/cluster/prod/ssh_config
@@ -44,3 +44,6 @@ Host io
Host ortie
HostName ortie.machine.deuxfleurs.fr
+
+Host pamplemousse
+ HostName 2001:912:1ac0:2200::201
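Review bot: `HostName 2001:912:1ac0:2200::201` for the new `Host pamplemousse` entry departs from the pattern of the other entries (e.g. `HostName ortie.machine.deuxfleurs.fr`) and, unless a `HostKeyAlias` or `CanonicalizeHostname` setting exists elsewhere in this ssh_config, it does not match the `pamplemousse.machine.deuxfleurs.fr` line this same commit adds to `cluster/prod/known_hosts`: ssh looks host keys up by the HostName it connects to, so the pinned key is never consulted and users get an unknown-host prompt instead. Either use `HostName pamplemousse.machine.deuxfleurs.fr` like the other hosts, or keep the address and add `HostKeyAlias pamplemousse.machine.deuxfleurs.fr` beneath it. If the literal address is deliberate because DNS for the new node is not yet published, a comment saying so would help the next reader.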
diff --git a/cluster/staging/app/core/deploy/diplonat.hcl b/cluster/staging/app/core/deploy/diplonat.hcl
index 160004f..b6a83aa 100644
--- a/cluster/staging/app/core/deploy/diplonat.hcl
+++ b/cluster/staging/app/core/deploy/diplonat.hcl
@@ -54,7 +54,7 @@ job "core-diplonat" {
data = <<EOH
DIPLONAT_REFRESH_TIME=60
DIPLONAT_EXPIRATION_TIME=300
-DIPLONAT_IPV6_ONLY={{ $site := env "meta.site" }}{{ if eq $site "corrin" }}false{{ else }}true{{ end }}
+DIPLONAT_IPV6_ONLY=true
DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
DIPLONAT_CONSUL_URL=https://localhost:8501
DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul-ca.crt
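Review bot: Hard-coding `DIPLONAT_IPV6_ONLY=true` drops the `corrin` branch from the staging job, which fits corrin moving to prod in this commit (`cluster/prod/site/corrin.nix` gives it a `publicIPv4`), but nothing in the diff adds equivalent IPv4 handling to the prod diplonat job. If prod's diplonat.hcl has an unconditional `DIPLONAT_IPV6_ONLY`, corrin's IPv4 port forwarding would go unmanaged there; this is inferred, since the prod file is not part of the diff. A one-line comment above the setting, such as `# all staging sites are IPv6-only; corrin now lives in prod`, would record why the per-site template was removed. The `data = <<EOH` heredoc continues outside the hunk.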
diff --git a/nix/configuration.nix b/nix/configuration.nix
index ab7b11a..68751a2 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -78,23 +78,6 @@ SystemMaxUse=1G
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
- # FIXME: Temporary patch for OpenSSH (CVE-2024-6387)
- # Patches from backport PR: https://github.com/NixOS/nixpkgs/pull/323765
- programs.ssh.package = pkgs.openssh.overrideAttrs(prev: {
- patches = prev.patches ++ [
- (pkgs.fetchpatch {
- url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch";
- hash = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw=";
- })
- (pkgs.fetchpatch {
- url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-chaff-logic.patch";
- hash = "sha256-lepBEFxKTAwg379iCD8KQCZVAzs3qNSSyUTOcartpK4=";
- })
- ];
-
- doCheck = false;
- });
-
virtualisation.docker = {
enable = true;
extraOptions = "--config-file=${pkgs.writeText "daemon.json" (builtins.toJSON {
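Review bot: Removing the CVE-2024-6387 backport (the `programs.ssh.package` override) is only safe if the nixpkgs revision this configuration pins now ships an OpenSSH that carries the fix (9.8p1 or a patched 9.6p1); the pin bump is not in this diff, so that should be confirmed and stated in the commit message, e.g. `nixpkgs now provides patched openssh; drop temporary override`. After deployment, `ssh -V` on a host (or evaluating `pkgs.openssh.version` against the pinned nixpkgs) verifies what is actually installed. Dropping the override also restores `doCheck`, which the temporary patch had disabled, so the OpenSSH test suite runs again — worth noting as an intended side effect. The enclosing module attribute set continues outside the hunk.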