KokaKiwi/nixcfg
1
0
Fork 0
forked from Deuxfleurs/nixcfg
Code Pull requests Activity

Compare commits

merge into: KokaKiwi:dathomir-update
Branches Tags
KokaKiwi:main
KokaKiwi:crytptpad-upgrade-2024.6.0
KokaKiwi:openssh-mitigation
KokaKiwi:dathomir-update
KokaKiwi:add-dathomir
KokaKiwi:update-cryptpad-2024.3.1
KokaKiwi:crytptpad-upgrade-1
KokaKiwi:prod-add-kokakiwi
KokaKiwi:telemetry-update
KokaKiwi:jitsi
KokaKiwi:feat/im-tls-proxy
KokaKiwi:simplify-network-config
KokaKiwi:plume-s3
KokaKiwi:wgautomesh-service-v2
KokaKiwi:refactor
Deuxfleurs:main
Deuxfleurs:telemetry-update
Deuxfleurs:jitsi
Deuxfleurs:feat/im-tls-proxy
Deuxfleurs:simplify-network-config
Deuxfleurs:plume-s3
Deuxfleurs:wgautomesh-service-v2
Deuxfleurs:refactor
...
pull from: Deuxfleurs:main
Branches Tags
Deuxfleurs:main
Deuxfleurs:telemetry-update
Deuxfleurs:jitsi
Deuxfleurs:feat/im-tls-proxy
Deuxfleurs:simplify-network-config
Deuxfleurs:plume-s3
Deuxfleurs:wgautomesh-service-v2
Deuxfleurs:refactor
KokaKiwi:main
KokaKiwi:crytptpad-upgrade-2024.6.0
KokaKiwi:openssh-mitigation
KokaKiwi:dathomir-update
KokaKiwi:add-dathomir
KokaKiwi:update-cryptpad-2024.3.1
KokaKiwi:crytptpad-upgrade-1
KokaKiwi:prod-add-kokakiwi
KokaKiwi:telemetry-update
KokaKiwi:jitsi
KokaKiwi:feat/im-tls-proxy
KokaKiwi:simplify-network-config
KokaKiwi:plume-s3
KokaKiwi:wgautomesh-service-v2
KokaKiwi:refactor

4 commits
dathomir-u ... main

Author SHA1 Message Date
ADRN 47d94b1ad0 intervention Jitsi 2024-07-02 19:09:34 +02:00
Jill 62ff09234d Merge pull request 'openssh: Temporary patch for CVE-2024-6387 mitigation' (#30) from KokaKiwi/nixcfg:openssh-mitigation into main 
Reviewed-on: Deuxfleurs/nixcfg#30
 2024-07-02 13:26:15 +00:00
Jill 98feb96d27 Merge pull request 'dathomir: Updates' (#29) from KokaKiwi/nixcfg:dathomir-update into main 
Reviewed-on: Deuxfleurs/nixcfg#29
Reviewed-by: maximilien <me@mricher.fr>
 2024-07-02 09:41:08 +00:00
Jill b89b625f46
openssh: Temporary patch for CVE-2024-6387 mitigation 2024-07-01 14:04:25 +02:00
3 changed files with 26 additions and 3 deletions
Show stats Expand all files Collapse all files

2
cluster/prod/app/jitsi/config/config.js
View file

@ -369,7 +369,7 @@ var config = {
// Message to show the users. Example: 'The service will be down for
// maintenance at 01:00 AM GMT,
// Does only support plaintext. No line skip.
// noticeMessage: "Suite à une utilisation contraire à nos CGU, Deuxfleurs surveille activement cette instance Jitsi et enverra tout contenu illégal à la police. Pour toute question, commentaire ou suggestion, contactez moderation@deuxfleurs.fr . Following usage breaching our TOS, Deuxfleurs actively monitors this Jitsi instance and will send any illegal behavior to the Police. For any question, remark or suggestion, reach moderation@deuxfleurs.fr",
noticeMessage: "Suite à une utilisation contraire à nos CGU, Deuxfleurs surveille activement cette instance Jitsi et enverra tout contenu illégal à la police. Pour toute question, commentaire ou suggestion, contactez moderation@deuxfleurs.fr . Following usage breaching our TOS, Deuxfleurs actively monitors this Jitsi instance and will send any illegal behavior to the Police. For any question, remark or suggestion, reach moderation@deuxfleurs.fr",
// Enables calendar integration, depends on googleApiApplicationClientID
// and microsoftApiApplicationClientID

10
cluster/prod/app/jitsi/config/nginx.conf
View file

@ -81,6 +81,12 @@ http {
alias /srv/jitsi-meet/$1/$2;
}
# Disallow robots indexation
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
# not used yet VVV
# colibri (JVB) websockets
#location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
@ -92,12 +98,12 @@ http {
#}
location ~ "2daut2wank2|2duat2wank|2duat2wank0|2duat2wank1|2duat2wank2|2duat2wank3|2duatr2wank|2duatr2wank0|2duatr2wank1|2duatr2wank2|2wank2daut2|daut1|duat2wank|duat2wank2|duatr2wank2|prettypanties|slutgfs|wabk2daugther|wank2daugther|wank2daut|wank2daut2|wank2daut3|wankwatch" {
location ~* {{ key "secrets/jitsi/blacklist_regex" }} {
return 302 https://www.service-public.fr/particuliers/vosdroits/R17674;
}
location = /http-bind {
if ($args ~ "2daut2wank2|2duat2wank|2duat2wank0|2duat2wank1|2duat2wank2|2duat2wank3|2duatr2wank|2duatr2wank0|2duatr2wank1|2duatr2wank2|2wank2daut2|daut1|duat2wank|duat2wank2|duatr2wank2|prettypanties|slutgfs|wabk2daugther|wank2daugther|wank2daut|wank2daut2|wank2daut3|wankwatch") {
if ($args ~* {{ key "secrets/jitsi/blacklist_regex" }}) {
return 403 'forbidden';
}

17
nix/configuration.nix
View file

@ -78,6 +78,23 @@ SystemMaxUse=1G
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
# FIXME: Temporary patch for OpenSSH (CVE-2024-6387)
# Patches from backport PR: https://github.com/NixOS/nixpkgs/pull/323765
programs.ssh.package = pkgs.openssh.overrideAttrs(prev: {
patches = prev.patches ++ [
(pkgs.fetchpatch {
url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch";
hash = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw=";
})
(pkgs.fetchpatch {
url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-chaff-logic.patch";
hash = "sha256-lepBEFxKTAwg379iCD8KQCZVAzs3qNSSyUTOcartpK4=";
})
];
doCheck = false;
});
virtualisation.docker = {
enable = true;
extraOptions = "--config-file=${pkgs.writeText "daemon.json" (builtins.toJSON {