diff --git a/README.md b/README.md
index f295fe6..e608ad8 100644
--- a/README.md
+++ b/README.md
@@ -13,20 +13,30 @@ server {
 hostname berlin.ccc.de;
 location "/.well-known/matrix/server" {
 default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
 return 200 '{"m.server":"matrix.berlin.ccc.de:443"}';
 }
+ location "/.well-known/matrix/client" {
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.berlin.ccc.de"}}';
+ }
 }
 ```
 # DNS
-```
-_matrix-fed._tcp.matrix.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
-#_matrix._tcp.matrix.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
-#_matrix._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
-_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
-matrix.berlin.ccc.de. IN A
-matrix.berlin.ccc.de. IN AAAA
+```dns
+_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
+_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
+matrix.berlin.ccc.de. IN A 195.160.173.25
+matrix.berlin.ccc.de. IN AAAA 2001:678:760:cccb::25
+matrix.berlin.ccc.de. IN CAA 0 issue "letsencrypt.org;validationmethods=http-01"
+matrix.berlin.ccc.de. IN CAA 0 iodef "mailto:caa@xengi.de"
+matrix.berlin.ccc.de. IN SSHFP 1 1 f40e117b002957939a454070adbbafe42d6f5842
+matrix.berlin.ccc.de. IN SSHFP 1 2 8ba0c605a365ef5369e91c531dd86fabfe4ce6dbd5e8280093ec2672d67c329b
+matrix.berlin.ccc.de. IN SSHFP 4 1 62d10fa57f8a1aa7469cd9b00621e4ce89261d91
+matrix.berlin.ccc.de. IN SSHFP 4 2 ca80a6685984da140ac850e4951fa31e70b616e87f62f46437af3bfd215af887
 ```
 # Bots
diff --git a/configuration.nix b/configuration.nix
index 571d7e7..c202c1a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -49,13 +49,13 @@
 proxmoxLXC = {
 manageNetwork = false;
 manageHostName = false;
- privileged = true;
+ privileged = false;
 };
 users.users.root = {
 packages = with pkgs; [
 kitty # for terminfo
- neofetch # for shits and giggles
+ fastfetch # for shits and giggles
 ];
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
@@ -69,9 +69,17 @@
 };
 networking = {
+ hostName = "matrix";
+ domain = "berlin.ccc.de";
+ nameservers = [
+ "2606:4700:4700::1111#one.one.one.one"
+ "2620:fe::fe#dns.quad9.net"
+ ];
+ useDHCP = false;
 useNetworkd = true;
- nftables.enable = true;
 dhcpcd.enable = false;
+ nftables.enable = true;
+ tempAddresses = "disabled";
 firewall = {
 enable = true;
 allowedTCPPorts = [
@@ -94,7 +102,6 @@
 fstrim.enable = false; # Let Proxmox host handle fstrim
 openssh = {
 enable = true;
- openFirewall = true;
 settings = {
 PermitEmptyPasswords = "no";
 PermitRootLogin = "prohibit-password";
@@ -111,6 +118,10 @@
 \/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/
 '';
 };
+ sshguard = {
+ enable = true;
+ services = [ "sshd" ];
+ };
 # Cache DNS lookups to improve performance
 resolved = {
 enable = true;
diff --git a/services/draupnir.nix b/services/draupnir.nix
index de4d809..8564d39 100644
--- a/services/draupnir.nix
+++ b/services/draupnir.nix
@@ -14,4 +14,3 @@
 secrets.accessToken = config.age.secrets.draupnir_access_token.path;
 };
 }
-
diff --git a/services/nginx.nix b/services/nginx.nix
index acaff25..eff02e6 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
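Review bot: `privileged = false` in the `proxmoxLXC` block only tells the NixOS proxmox-lxc module what kind of container it is running in; if I read that module right, it adjusts a couple of mounts and does not itself drop any privilege, so the real boundary is still the unprivileged flag on the Proxmox host, which typically needs a backup/restore of the CT to change. Worth confirming the container was actually recreated unprivileged and saying so next to the option, e.g. `privileged = false; # CT is created unprivileged on the PVE host; keep in sync`. The enclosing attribute set starts before the hunk.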
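Review bot: The `#one.one.one.one` and `#dns.quad9.net` suffixes on the new `nameservers` entries are only used by systemd-resolved as the TLS server name, and the `resolved` block visible further down enables resolved without any `DNSOverTLS` setting, so unless it is set elsewhere the queries still leave as plain DNS and the suffixes are inert. If DNS-over-TLS is intended, pin it, e.g. `services.resolved.extraConfig = "DNSOverTLS=yes";`, and add a short comment on the list saying the suffix is the DoT server name. Both resolvers are IPv6-only, so name resolution now depends on v6 reachability from the container; fine if deliberate, but a one-line comment would make that explicit. The `networking` set continues past the hunk.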
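Review bot: Dropping `openFirewall = true` from `openssh` means port 22 is only reachable if it is listed in `networking.firewall.allowedTCPPorts`; that list is cut off in the earlier hunk, so I cannot tell whether 22 is on it, and with `PermitRootLogin = "prohibit-password"` a mistake here leaves only the Proxmox console as a way in. Consider a comment at the removal site, e.g. `# sshd is exposed explicitly via networking.firewall.allowedTCPPorts`, so the next reader knows the port is opened intentionally rather than forgotten. The `openssh` set continues outside the hunk.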
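Review bot: The new `sshguard` block has no `whitelist`, so repeated failed attempts from the admin's own address (an agent offering several keys, a wrong key path) can get that address blocked, and on this host the fallback is again the Proxmox console. Consider `whitelist = [ "<MGMT_SOURCE_CIDR>" ];` with the placeholder replaced by the management range, plus a comment on why the default `attack_threshold`/`blocktime` are acceptable. The same file sets `nftables.enable = true`, which the NixOS module should pick up for its nft backend, but that coupling deserves a one-line comment on the block so nobody disables nftables without noticing sshguard depends on it.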
@@ -21,12 +21,14 @@ in
 recommendedGzipSettings = true;
 recommendedBrotliSettings = true;
 virtualHosts."${fqdn}" = {
+ default = true;
 quic = true;
 kTLS = true;
 forceSSL = true;
 enableACME = true;
 locations = {
- "/".return = "418 \"I'm a Teapot!\"";
+ #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
+ "/".return = "418 \"🫖\"";
 "~ ^(/_matrix|/_synapse/client)" = {
 recommendedProxySettings = true;
 proxyPass = "http://[::1]:8008";
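Review bot: The commented-out `/.well-known/acme-challenge` location is dead configuration; with `enableACME = true` the NixOS nginx module already generates that location for the vhost, so either drop the line or replace it with a comment that records why, e.g. `# acme-challenge location is generated by enableACME; no manual root needed`. `default = true` also makes this the catch-all server for any Host or SNI that matches no other vhost, so the `/_matrix` proxy location below is reachable under arbitrary hostnames; probably fine for a homeserver, but worth a comment on the option. The `virtualHosts` attribute set continues past the hunk.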