From 0edf0177705abd57d9cfc65f86ecb8c05acf3a63 Mon Sep 17 00:00:00 2001
From: OCbwoy3
Date: Tue, 21 Oct 2025 21:36:15 +0300
Subject: [PATCH 1/6] misskey
---
hosts/server/configuration.nix | 1 +
hosts/server/modules/misskey.nix | 31 +++++++++++++++++++++++++++++++
2 files changed, 32 insertions(+)
create mode 100644 hosts/server/modules/misskey.nix
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 35639ab..7f9117e 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -5,6 +5,7 @@
 ./modules/atproto-pds.nix
 ./modules/cloudflare.nix
 ./modules/knot.nix
+ ./modules/misskey.nix
 ../../modules/force.nix
 ];
diff --git a/hosts/server/modules/misskey.nix b/hosts/server/modules/misskey.nix
new file mode 100644
index 0000000..7800441
--- /dev/null
+++ b/hosts/server/modules/misskey.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, lib, ... }:
+
+{
+ services.misskey = {
+ enable = true;
+
+ settings = {
+ maxFileSize = 20 * 1024 * 1024;
+ port = 8089;
+ url = "https://m.ocbwoy3.dev";
+ publishTarballInsteadOfProvideRepositoryUrl = false;
+ };
+
+ database = {
+ # passwordFile = "/private/misskey-db.pw";
+ createLocally = true;
+ };
+
+ redis = {
+ # passwordFile = "/private/misskey-db.pw";
+ createLocally = true;
+ };
+
+ reverseProxy.webserver.nginx.listen = lib.mkForce [];
+
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /misskey 0755 root root -"
+ ];
+}
From c42016728ad93bdd434a86438d281bf8565cd512 Mon Sep 17 00:00:00 2001
From: OCbwoy3
Date: Tue, 21 Oct 2025 21:36:42 +0300
Subject: [PATCH 2/6] rename atproto pds
---
hosts/server/modules/atproto-pds.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hosts/server/modules/atproto-pds.nix b/hosts/server/modules/atproto-pds.nix
index 53ee46f..9c78b25 100644
--- a/hosts/server/modules/atproto-pds.nix
+++ b/hosts/server/modules/atproto-pds.nix
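Review bot: The tmpfiles rule `"d /misskey 0755 root root -"` at the end of the new file creates a root-owned, world-readable directory that nothing else in this module refers to, so if it is meant as Misskey's upload or data directory the service account cannot write into it and every local user can read it; either drop the rule or hand it to the service user with a tighter mode, e.g. `"d /misskey 0750 misskey misskey -"` (confirm the user/group name the nixpkgs module creates). The commented `passwordFile` under `redis` points at the same `/private/misskey-db.pw` as the database block, so uncommenting both would make Postgres and Redis share one secret; use a distinct file such as `/private/misskey-redis.pw`. With the nginx listen list forced empty, port 8089 is what the tunnel talks to and, absent a firewall rule, is reachable on every interface; adding `address = "127.0.0.1";` beside `port` would pin it to loopback, assuming the backend honours that key the way Misskey's example config documents.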
@@ -6,7 +6,7 @@
 # Upload PDS backup to /var/lib/pds
 # and specify secrets in /private/atproto-pds.env
- services.pds = {
+ services.atproto-pds = {
 enable = true;
 pdsadmin.enable = true;
 environmentFiles = [ "/private/atproto-pds.env" ];
@@ -14,7 +14,7 @@
 PDS_CRAWLERS = "https://bsky.network";
 LOG_ENABLED = "true";
 PDS_HOSTNAME = "pds.ocbwoy3.dev";
- PDS_VERSION = "\"ATProto PDS v69420\"";
+ # PDS_VERSION = "\"ATProto PDS v69420\"";
 PDS_DID_PLC_URL = "https://plc.directory";
 PDS_CONTACT_EMAIL_ADDRESS = "ocbwoy3@ocbwoy3.dev";
 PDS_PRIVACY_POLICY_URL = "https://ocbwoy3.dev";
From 4d5fccc5309e632a2d9f0a979651e3eb64c1c5c6 Mon Sep 17 00:00:00 2001
From: OCbwoy3
Date: Tue, 21 Oct 2025 21:37:14 +0300
Subject: [PATCH 3/6] ok wait wtf
---
hosts/server/modules/atproto-pds.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/server/modules/atproto-pds.nix b/hosts/server/modules/atproto-pds.nix
index 9c78b25..58f2c2d 100644
--- a/hosts/server/modules/atproto-pds.nix
+++ b/hosts/server/modules/atproto-pds.nix
@@ -6,7 +6,7 @@
 # Upload PDS backup to /var/lib/pds
 # and specify secrets in /private/atproto-pds.env
- services.atproto-pds = {
+ services.bluesky-pds = {
 enable = true;
 pdsadmin.enable = true;
 environmentFiles = [ "/private/atproto-pds.env" ];
From 7357a5553cb46d3bb7c96881e5b3b3584a5fc1ab Mon Sep 17 00:00:00 2001
From: OCbwoy3
Date: Tue, 21 Oct 2025 22:53:19 +0300
Subject: [PATCH 4/6] what
---
hosts/server/modules/misskey.nix | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/hosts/server/modules/misskey.nix b/hosts/server/modules/misskey.nix
index 7800441..da78d69 100644
--- a/hosts/server/modules/misskey.nix
+++ b/hosts/server/modules/misskey.nix
@@ -7,8 +7,11 @@
 settings = {
 maxFileSize = 20 * 1024 * 1024;
 port = 8089;
- url = "https://m.ocbwoy3.dev";
+ url = "https://ocbwoy3.dev";
 publishTarballInsteadOfProvideRepositoryUrl = false;
+ db = {
+ db = "misskey-ocbwoy3dev";
+ }
 };
 database = {
@@ -21,7 +24,7 @@
 createLocally = true;
 };
- reverseProxy.webserver.nginx.listen = lib.mkForce [];
+ reverseProxy.enable = lib.mkDefault false; # shit, we already have cloudflared
 };
From 08b68d6c537372d267fc6d0985a826ad4ffeb1ea Mon Sep 17 00:00:00 2001
From: OCbwoy3
Date: Tue, 21 Oct 2025 22:58:42 +0300
Subject: [PATCH 5/6] fixxxxxxxxxx
---
hosts/server/modules/misskey.nix | 3 ---
1 file changed, 3 deletions(-)
diff --git a/hosts/server/modules/misskey.nix b/hosts/server/modules/misskey.nix
index da78d69..9660ce7 100644
--- a/hosts/server/modules/misskey.nix
+++ b/hosts/server/modules/misskey.nix
@@ -9,9 +9,6 @@
 port = 8089;
 url = "https://ocbwoy3.dev";
 publishTarballInsteadOfProvideRepositoryUrl = false;
- db = {
- db = "misskey-ocbwoy3dev";
- }
 };
 database = {
From c226c1bdb39a9bb86cc89bee99725ff9012d46f5 Mon Sep 17 00:00:00 2001
From: OCbwoy3
Date: Fri, 24 Oct 2025 16:14:05 +0300
Subject: [PATCH 6/6] ssh: add security
---
modules/nixos/programs.nix | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/modules/nixos/programs.nix b/modules/nixos/programs.nix
index 7dfa8f0..1d9ae1f 100644
--- a/modules/nixos/programs.nix
+++ b/modules/nixos/programs.nix
@@ -26,9 +26,24 @@
 c-ares ffmpeg gtk3 http-parser libevent libvpx libxslt minizip nss re2 snappy libnotify libappindicator-gtk3 ];
+ services.fail2ban = {
+ enable = true;
+ # Ban IP after 5 failures
+ maxretry = 5;
+ ignoreIP = [
+ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
+ ];
+ };
+
 services.openssh = {
 enable = true;
 ports = [ 22 ];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ AllowUsers = [ "ocbwoy3" "git" ];
+ };
 # fucks up ssh connections from iphone if you enable this
 # settings = {
 # KexAlgorithms = [ "curve25519-sha256@libssh.org" ];
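Review bot: `reverseProxy.enable = lib.mkDefault false` is silently overridden by any plain `true` from another module, because mkDefault (priority 1000) loses to an ordinary definition (priority 100) and only beats the option's built-in default; since the comment says cloudflared is the only front end, state that unconditionally with `reverseProxy.enable = false;`, or `lib.mkForce false` if some other module is expected to set it. The trailing `# shit, we already have cloudflared` is the only record of why the module's own proxy is off; a neutral `# fronted by cloudflared (cloudflare.nix); no local nginx vhost` will read better in a year. The enclosing `services.misskey` attribute set starts outside the hunk.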
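Review bot: With `PasswordAuthentication` and `KbdInteractiveAuthentication` both off, failed logins against valid usernames mostly reach sshd's log as `Connection closed by authenticating user … [preauth]`, which fail2ban's default `normal` sshd filter mode does not score (it lives in the `ddos`/`aggressive` set), so the new jail will catch invalid-user probes but let key-spraying against `ocbwoy3` or `git` run unbanned; add `services.fail2ban.jails.sshd.settings.mode = "aggressive";` next to `maxretry` (the sshd jail itself is enabled by the NixOS module, so only this key is needed — confirm against the module version in use). The jail also keeps the default ten-minute ban with no escalation; `services.fail2ban.bantime-increment.enable = true;` makes repeat offenders cost more. `ignoreIP` exempts all three RFC 1918 ranges, so a compromised host anywhere on those networks can hammer sshd without ever being banned — narrow it to the subnets you actually administer from. Both `services.openssh` and the surrounding attribute set continue past the end of the hunk.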