xengi/infra
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'main' of ssh://git.berlin.ccc.de/cccb/matrix

Browse source
This commit is contained in:
XenGi 2025-12-05 21:34:08 +01:00
commit 1889afea8d
Signed by: xengi
SSH key fingerprint: SHA256:dM+fLZGsDvyv6kunjE8bGduL24VsCFB4LEOSdmRHdG0
4 changed files with 35 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

24
README.md
View file

@ -13,20 +13,30 @@ server {
hostname berlin.ccc.de; hostname berlin.ccc.de;
location "/.well-known/matrix/server" { location "/.well-known/matrix/server" {
default_type application/json; default_type application/json;
add_header Access-Control-Allow-Origin "*";
return 200 '{"m.server":"matrix.berlin.ccc.de:443"}'; return 200 '{"m.server":"matrix.berlin.ccc.de:443"}';
} }
location "/.well-known/matrix/client" {
default_type application/json;
add_header Access-Control-Allow-Origin "*";
return 200 '{"m.homeserver": {"base_url": "https://matrix.berlin.ccc.de"}}';
}
} }
``` ```
# DNS # DNS
``` ```dns
_matrix-fed._tcp.matrix.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. _matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
#_matrix._tcp.matrix.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. _matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
#_matrix._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. matrix.berlin.ccc.de. IN A 195.160.173.25
_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. matrix.berlin.ccc.de. IN AAAA 2001:678:760:cccb::25
matrix.berlin.ccc.de. IN A <IPv4> matrix.berlin.ccc.de. IN CAA 0 issue "letsencrypt.org;validationmethods=http-01"
matrix.berlin.ccc.de. IN AAAA <IPv6> matrix.berlin.ccc.de. IN CAA 0 iodef "mailto:caa@xengi.de"
matrix.berlin.ccc.de. IN SSHFP 1 1 f40e117b002957939a454070adbbafe42d6f5842
matrix.berlin.ccc.de. IN SSHFP 1 2 8ba0c605a365ef5369e91c531dd86fabfe4ce6dbd5e8280093ec2672d67c329b
matrix.berlin.ccc.de. IN SSHFP 4 1 62d10fa57f8a1aa7469cd9b00621e4ce89261d91
matrix.berlin.ccc.de. IN SSHFP 4 2 ca80a6685984da140ac850e4951fa31e70b616e87f62f46437af3bfd215af887
``` ```
# Bots # Bots

19
configuration.nix
View file

@ -49,13 +49,13 @@
proxmoxLXC = { proxmoxLXC = {
manageNetwork = false; manageNetwork = false;
manageHostName = false; manageHostName = false;
privileged = true; privileged = false;
}; };
users.users.root = { users.users.root = {
packages = with pkgs; [ packages = with pkgs; [
kitty # for terminfo kitty # for terminfo
neofetch # for shits and giggles fastfetch # for shits and giggles
]; ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
@ -69,9 +69,17 @@
}; };
networking = { networking = {
hostName = "matrix";
domain = "berlin.ccc.de";
nameservers = [
"2606:4700:4700::1111#one.one.one.one"
"2620:fe::fe#dns.quad9.net"
];
useDHCP = false;
useNetworkd = true; useNetworkd = true;
nftables.enable = true;
dhcpcd.enable = false; dhcpcd.enable = false;
nftables.enable = true;
tempAddresses = "disabled";
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
@ -94,7 +102,6 @@
fstrim.enable = false; # Let Proxmox host handle fstrim fstrim.enable = false; # Let Proxmox host handle fstrim
openssh = { openssh = {
enable = true; enable = true;
openFirewall = true;
settings = { settings = {
PermitEmptyPasswords = "no"; PermitEmptyPasswords = "no";
PermitRootLogin = "prohibit-password"; PermitRootLogin = "prohibit-password";
@ -111,6 +118,10 @@
\/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/ \/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/
''; '';
}; };
sshguard = {
enable = true;
services = [ "sshd" ];
};
# Cache DNS lookups to improve performance # Cache DNS lookups to improve performance
resolved = { resolved = {
enable = true; enable = true;

1
services/draupnir.nix
View file

@ -14,4 +14,3 @@
secrets.accessToken = config.age.secrets.draupnir_access_token.path; secrets.accessToken = config.age.secrets.draupnir_access_token.path;
}; };
} }

4
services/nginx.nix
View file

@ -21,12 +21,14 @@ in
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedBrotliSettings = true; recommendedBrotliSettings = true;
virtualHosts."${fqdn}" = { virtualHosts."${fqdn}" = {
default = true;
quic = true; quic = true;
kTLS = true; kTLS = true;
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = {
"/".return = "418 \"I'm a Teapot!\""; #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
"/".return = "418 \"🫖\"";
"~ ^(/_matrix|/_synapse/client)" = { "~ ^(/_matrix|/_synapse/client)" = {
recommendedProxySettings = true; recommendedProxySettings = true;
proxyPass = "http://[::1]:8008"; proxyPass = "http://[::1]:8008";