public-cof: fix cryptpad
parent
5e24c6c8c7
commit
d8a577b078
3 changed files with 32 additions and 41 deletions
|
@ -13,7 +13,7 @@
|
|||
./nur.nix
|
||||
# ./factorio.nix # TODO
|
||||
./nginx.nix
|
||||
# ./cryptpad.nix
|
||||
./cryptpad.nix
|
||||
./hedgedoc.nix
|
||||
./secrets
|
||||
# TODO monitoring
|
||||
|
|
|
@ -40,7 +40,7 @@ module.exports = {
|
|||
* cryptpad/docs/example.nginx.conf (see the $main_domain variable)
|
||||
*
|
||||
*/
|
||||
httpUnsafeOrigin: 'http://localhost:3000/',
|
||||
httpUnsafeOrigin: 'https://pads.beta.rz.ens.wtf/',
|
||||
|
||||
/* httpSafeOrigin is the URL that is used for the 'sandbox' described above.
|
||||
* If you're testing or developing with CryptPad on your local machine then
|
||||
|
@ -58,7 +58,7 @@ module.exports = {
|
|||
*
|
||||
* CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
|
||||
*/
|
||||
// httpSafeOrigin: "https://some-other-domain.xyz",
|
||||
httpSafeOrigin: "https://sandbox.pads.beta.rz.ens.wtf",
|
||||
|
||||
/* httpAddress specifies the address on which the nodejs server
|
||||
* should be accessible. By default it will listen on 127.0.0.1
|
||||
|
@ -102,11 +102,11 @@ module.exports = {
|
|||
* which can be found on the settings page for registered users.
|
||||
* Entries should be strings separated by a comma.
|
||||
*/
|
||||
/*
|
||||
|
||||
adminKeys: [
|
||||
//"https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=",
|
||||
"https://pads.beta.rz.ens.wtf/user/#/1/raito/W1vJY5Mq+8+5SveZAYe0wYRthS88jQIV-Fwf0s36uas="
|
||||
],
|
||||
*/
|
||||
|
||||
|
||||
/* CryptPad's administration panel includes a "support" tab
|
||||
* wherein administrators with a secret key can view messages
|
||||
|
@ -154,7 +154,7 @@ module.exports = {
|
|||
*
|
||||
* hint: 50MB is 50 * 1024 * 1024
|
||||
*/
|
||||
//defaultStorageLimit: 50 * 1024 * 1024,
|
||||
defaultStorageLimit: 50 * 1024 * 1024,
|
||||
|
||||
|
||||
/* =====================
|
||||
|
|
|
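Review bot: `httpSafeOrigin: "https://sandbox.pads.beta.rz.ens.wtf"` points CryptPad's sandbox at a domain that this same commit does not appear to serve: in cryptpad.nix the only nginx virtualHost is `"${main_domain}"`, and the `serverAliases = [ sandbox_domain ];` line sits inside the `/* ... */` block that stays commented out, so nothing answers for the sandbox host and `enableACME` only covers the main domain. Since the safe/unsafe origin split is what keeps privileged key handling isolated from untrusted document content, the sandbox origin needs its own reachable host and certificate, or the setting should stay commented until it does. The rendered view has lost the +/- markers, so which of the `adminKeys` lines in the later hunk are actually uncommented on the new side cannot be confirmed from here; worth a glance that the surrounding `/*` and `*/` were really removed, otherwise the admin key is still inert. The `module.exports` object these hunks belong to starts and ends outside the shown hunks.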
@ -1,10 +1,12 @@
|
|||
{ ... }:
|
||||
{ pkgs, ... }:
|
||||
let
|
||||
subZone = "beta.rz.ens.wtf";
|
||||
main_domain = "pads." + subZone;
|
||||
api_domain = "api." + main_domain;
|
||||
files_domain = "files." + main_domain;
|
||||
sandbox_domain = "sandbox." + main_domain;
|
||||
main_domain = "pads.${subZone}";
|
||||
sandbox_domain = "sandbox.${main_domain}";
|
||||
# TODO: later
|
||||
api_domain = "api.${main_domain}";
|
||||
files_domain = "files.${main_domain}";
|
||||
port = 3000;
|
||||
in
|
||||
{
|
||||
services.cryptpad = {
|
||||
|
@ -13,17 +15,21 @@ in
|
|||
};
|
||||
environment.etc."cryptpad/config.js".source = ./cryptpad.js;
|
||||
|
||||
systemd.services.nginx = {
|
||||
serviceConfig.BindReadOnlyPaths = [
|
||||
"/var/lib/private/cryptpad:/www/cryptpad"
|
||||
];
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"pads.beta.rz.ens.wtf" = {
|
||||
"${main_domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://localhost:3000";
|
||||
};
|
||||
};
|
||||
/*
|
||||
serverAliases = [ sandbox_domain ];
|
||||
extraConfig = ''
|
||||
root ${pkgs.cryptpad}/lib/node_modules/cryptpad;
|
||||
index index.html;
|
||||
|
||||
# CryptPad serves static assets over these two domains.
|
||||
# `main_domain` is what users will enter in their address bar.
|
||||
# Privileged computation such as key management is handled in this scope
|
||||
|
@ -42,27 +48,12 @@ in
|
|||
# if you find that a single machine cannot handle all of your users.
|
||||
# If you don't use dedicated domains, this can be the same as $main_domain
|
||||
# If you do, they'll be added as exceptions to any rules which block connections to remote domains.
|
||||
set $api_domain ${api_domain};
|
||||
set $files_domain ${files_domain};
|
||||
set $api_domain ${main_domain};
|
||||
set $files_domain ${main_domain};
|
||||
|
||||
|
||||
server_name ${main_domain} ${sandbox_domain};
|
||||
|
||||
# diffie-hellman parameters are used to negotiate keys for your session
|
||||
# generate strong parameters using the following command
|
||||
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
|
||||
|
||||
# Speeds things up a little bit when resuming a session
|
||||
ssl_session_timeout 5m;
|
||||
ssl_session_cache shared:SSL:5m;
|
||||
|
||||
# You'll need nginx 1.13.0 or better to support TLSv1.3
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
|
||||
# https://cipherli.st/
|
||||
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
|
||||
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
|
||||
|
||||
# CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
|
||||
set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
|
||||
|
||||
|
@ -112,7 +103,7 @@ in
|
|||
# We prefer to serve static content from nginx directly and to leave the API server to handle
|
||||
# the dynamic content that only it can manage. This is primarily an optimization
|
||||
location ^~ /cryptpad_websocket {
|
||||
proxy_pass http://localhost:3000;
|
||||
proxy_pass http://localhost:${toString port};
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
@ -138,7 +129,7 @@ in
|
|||
# the caching variable which is applied to every other resource
|
||||
# which is loaded during that session.
|
||||
location = /api/config {
|
||||
proxy_pass http://localhost:3000;
|
||||
proxy_pass http://localhost:${toString port};
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
@ -146,6 +137,7 @@ in
|
|||
|
||||
# encrypted blobs are immutable and are thus cached for a year
|
||||
location ^~ /blob/ {
|
||||
root /www/cryptpad;
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
|
@ -155,7 +147,6 @@ in
|
|||
add_header 'Content-Length' 0;
|
||||
return 204;
|
||||
}
|
||||
add_header Cache-Control max-age=31536000;
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
||||
|
@ -167,6 +158,7 @@ in
|
|||
# these payloads are unlocked via login credentials. They are mutable
|
||||
# and are thus never cached. They're small enough that it doesn't matter, in any case.
|
||||
location ^~ /block/ {
|
||||
root /www/cryptpad;
|
||||
add_header Cache-Control max-age=0;
|
||||
try_files $uri =404;
|
||||
}
|
||||
|
@ -189,9 +181,8 @@ in
|
|||
# Finally, serve anything the above exceptions don't govern.
|
||||
try_files /www/$uri /www/$uri/index.html /customize/$uri;
|
||||
'';
|
||||
*/
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 433 80 ];
|
||||
networking.firewall.allowedTCPPorts = [ 443 80 ];
|
||||
}
|
||||
|
|
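Review bot: `proxyPass = "http://localhost:3000";` in the live `"/"` location hardcodes the port even though `port = 3000;` is declared in the `let` block and the commented-out config already uses `${toString port}`; change it to `proxyPass = "http://localhost:${toString port}";` so the two cannot drift apart. The active location also drops the `proxy_set_header X-Real-IP` / `Host` / `X-Forwarded-For` lines that the commented block passes, so CryptPad presumably sees every client as 127.0.0.1 — worth confirming whether it relies on the real address for anything (logging, limits) before leaving them out. The `services.nginx.virtualHosts` attrset starts before the hunk at `@ -13,17 +15,21 @@` and its closing braces are in the last hunk, so the full set of locations is not visible here.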