From 666de2c8f4143cd67cb99e4a324a8f394cb326cd Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Tue, 15 Oct 2024 23:19:02 +0200
Subject: [PATCH 1/3] mastodon: switch files.pub.solar from storj to garage s3 backend
---
 modules/mastodon/default.nix | 6 +++---
 modules/nginx-mastodon-files/default.nix | 12 ++++++++----
 modules/nginx/default.nix | 7 +++++++
 secrets/mastodon-extra-env-secrets.age | Bin 2878 -> 2663 bytes
 4 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/modules/mastodon/default.nix b/modules/mastodon/default.nix
index 01acf7a6..2f16e330 100644
--- a/modules/mastodon/default.nix
+++ b/modules/mastodon/default.nix
@@ -96,9 +96,9 @@
 # S3 File storage (optional)
 # -----------------------
 S3_ENABLED = "true";
- S3_BUCKET = "pub-solar-mastodon";
- S3_REGION = "europe-west-1";
- S3_ENDPOINT = "https://gateway.tardigradeshare.io";
+ S3_BUCKET = "mastodon";
+ S3_REGION = "eu-central";
+ S3_ENDPOINT = "https://buckets.pub.solar";
 S3_ALIAS_HOST = "files.${config.pub-solar-os.networking.domain}";
 # Translation (optional)
 # -----------------------
diff --git a/modules/nginx-mastodon-files/default.nix b/modules/nginx-mastodon-files/default.nix
index b5497468..a4ddca4e 100644
--- a/modules/nginx-mastodon-files/default.nix
+++ b/modules/nginx-mastodon-files/default.nix
@@ -1,8 +1,7 @@
 { config, ... }:
 let
- objStorHost = "link.tardigradeshare.io";
- objStorBucket = "s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon";
+ objStorHost = "mastodon.web.pub.solar";
 in
 {
 services.nginx.virtualHosts = {
@@ -10,6 +9,12 @@ in
 enableACME = true;
 forceSSL = true;
 
+ # Use variable to force nginx to perform a DNS resolution on its value,
+ # the IP of the object storage provider may not always remain the same.
+ extraConfig = ''
+ set $s3_backend 'https://${objStorHost}';
+ '';
+
 locations = {
 "= /" = {
 index = "index.html";
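Review bot: `S3_ENDPOINT = "https://buckets.pub.solar";` hard-codes the domain while the neighbouring `S3_ALIAS_HOST` line in the same hunk derives it from `config.pub-solar-os.networking.domain`; the same applies to `objStorHost = "mastodon.web.pub.solar";` in the `@@ -1,8 +1,7 @@` hunk of modules/nginx-mastodon-files/default.nix. The garage hunk in the second patch builds its `root_domain` from that option too, so a future domain change would silently leave these two endpoints pointing at the old host while the bucket service itself moves. Suggest `S3_ENDPOINT = "https://buckets.${config.pub-solar-os.networking.domain}";` and `objStorHost = "mastodon.web.${config.pub-solar-os.networking.domain}";` (the `{ config, ... }:` header of the nginx-mastodon-files module already provides `config`). Whether `mastodon.web.<domain>` is in fact garage's s3_web hostname is not visible in this series and should be confirmed against the garage module.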
@@ -25,7 +30,6 @@ in
 deny all;
 }
 
- resolver 8.8.8.8;
 proxy_set_header Host ${objStorHost};
 proxy_set_header Connection \'\';
 proxy_set_header Authorization \'\';
@@ -40,7 +44,7 @@ in
 proxy_hide_header x-amz-bucket-region;
 proxy_hide_header x-amzn-requestid;
 proxy_ignore_headers Set-Cookie;
- proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download;
+ proxy_pass $s3_backend$uri;
 proxy_intercept_errors off;
 proxy_ssl_protocols TLSv1.2 TLSv1.3;
 proxy_ssl_server_name on;
diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix
index 0122164d..46bec0ff 100644
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
@@ -22,6 +22,13 @@ in
 recommendedOptimisation = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
+ resolver.addresses = [
+ # quad9.net
+ "9.9.9.9"
+ "149.112.112.112"
+ "[2620:fe::fe]"
+ "[2620:fe::9]"
+ ];
 appendHttpConfig = ''
 # https://my.f5.com/manage/s/article/K51798430
 proxy_headers_hash_bucket_size 128;
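Review bot: The new `proxy_pass $s3_backend$uri;` in the `@@ -40,7 +44,7 @@` hunk sends every file request over TLS to a hostname that nginx now resolves at runtime through the public resolvers added in modules/nginx/default.nix, yet the hunk shows `proxy_ssl_server_name on;` with no `proxy_ssl_verify on;`, and nginx does not verify upstream certificates by default. Unless `proxy_ssl_verify` is enabled elsewhere in this location block (which starts and ends outside the hunk), a wrong or forged DNS answer for the backend name would be accepted without any certificate check, so the plain-DNS lookup becomes the only thing binding the proxy to the real garage endpoint. Suggest adding `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` next to `proxy_ssl_server_name on;`. This gap also existed with the previous storj backend, so it is pre-existing rather than introduced here, but the move to a self-hosted endpoint with a runtime-resolved variable is the right moment to close it.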
diff --git a/secrets/mastodon-extra-env-secrets.age b/secrets/mastodon-extra-env-secrets.age index 14ad42713dc4552370b4f661043838718a37b4cb..c78b5b57a4084f3047084aa98baa223137fd33a5 100644 GIT binary patch literal 2663 zcmZXW>+9;+kAk@Aiz!a@=ZlHDzu*H8pXd30-7vTi z?7gZln)tB4`A~)976vZ7XH?hGg}_HJ3?@f0D05TIwnTx4l|6>2uqGnI7YRk zCP^0(&by>H#Y}az4}sO*TWcoTOm_M>=4fR>umZ`s?KnExE)=#wqa72_+D3l*|Fom+ zv2r)^a{lCqL7DS`EJo~#%b12eVO=Z<&!!+R#0?h)%!!c~k(wSBv1urw>*&)y&RPo3Im=QLoi5}Y6-H>wpHCX7whjintjqY5`QcBGOM zJvafmJ<>|5xi<5KKv>C+b`QylX}uNK0&zWdyrOiBp;y8ax-J;s999_T$-#UnSoWbY z6L2l`6;zj1TdE=2;k{##VpJ(g!A3x|!YTtBc2>M$X{4J*yU9U!C6)|}VP4^UwBB=a zwb0x-y|OsL3b2d!5;CC=wT$ni~&W!-kIs;3fWD@yUJT-@k28=8{>e7g?o)X17S41I+#^FP&gkyvES2-kzuq(3dQVM#q1AVRn^rKG>LW8#z6;aq8)3R}( z#C$l2E)@)ip-Mf_uC}yj{imNV-B6oTS9Lg=AHi`slml&sWp#+~4Nv%yNsz?qPy~T+ zI?Y3$nDV|B*TBZ3ww%ag>T?pZ010%B46*vhvHfhq$7cRWwrtvjYgTE+to>|uql4nM1Rr87jToh-vC zlpic*Gs8km*}9WrW3~(iy^Ka1b+1t)I-Sh1Sp&-TR`qsy?qvS7cP+0lHAwYE2ga5( zo=fvN-vL6)EQ0_#mSc?38Ds)DI@!^ZHF1h zfPz`9hd$6Lg>6%Mx!s{bj$<|C8B6!TTji+(5)opKOWk8r+}BIPn$NnN)v1|0<(qEd zaO5uIi=Ammle2H+!iABR%DqzXRVPEvuHrCF1$QKQ@b=QAAyK$z1;W(avQHfXc;s_W zUq1JnJ8ovqf9o5+yZpHG{&TlXZhhU&zx?K_Cjb2SVeu90>#u+A?&AwBas~S2;*Hmz zzw6rjEEKsUEhhi`i^tn zJs+Nr9{c%Me|Y!(?|bE?{BM)rKlm5%-W$NTe)j6~x848Ihrx^L#iyPap7{uN{#~D^ zul?SYOSk{&4=w%TQ|GR_5qj>1XP^H5<+oQqy?*tWcJ8LDuA8i0^V*O7`A0#0+k3Bp WZ+P~(E4RMczvZDHJjUE7UH2~|W0Z#g literal 2878 zcmZ9OjqfA{dB-KnwYOL8wNVVT;IEtkbvS2tW@l!H9zEt|XJ&VHW@l#S-L|?r?=QQv zJFh!~v_M}BVrh)^4bj9P7!_YmQ$$KjX;O%2P}EvuuP4{2gr13(M2{+o{j~{+C#TnIr1_(4STaT6Rk6x#W|L9(K^ zFdDVpYTiyv0ApjJrEyF zLAY|KK-e!rgpL$vfb6$!5O+?Ydr7J*>>Q900~x(Y%ZufKkEmQ0^row+Eg&=|F!Q=C zt$D%}nzIEpmp46DWP>uTs!|r$n!!s@7JE2G1n!Kr1Uz?|vBdNQUDjo4VobQTDLI(~ zTI$HH5Wpk$yupW|IYK;wm}}rt9M$#2bcJF$6q(tfKE#g4Nw4$;zb&T;1kQK7IyEQ2 zcIeZ>+N+#xhC54=8+YT;R2b~AO&>YVzB(Q0% zi*Cu$(y{^4$v}^DautR1RD=Lwhi8exB(p%MpZV3uH_qT;|3Ky{oBidJ^G#sMXiPrjcrPP_AZrPeDY31$EouE054DjvsqAK(?Zw z0Tuv4MYfp@qiKcj<=ja?nq;#bYa>t?jfM;yFYTVr2q3P}4Y2FfeZN2{(a&+uGzlh7 
zDP%ZgnMH?)X;<|Fi`ejG)3~+Oj8-_q>=>@8dqrT6F%xl1UeC4=V|yAQ&xk6LZ-0G5Ej>X*yP zn@u^iO>K~r1!z@b;`Js`hT0++2P85RVUm;;URQiK z8*LHaT|k&XBnX)Fc0-J*C^>T0b&w}5(ohCp!z*vk4+v*s(Ds^PLJRXXb86d%0T**u zH>;$-8IpRYP+rfAiP^H1)@s(NjH|X5g4dl84i(-h_FXcxi*Xy|88T#sxLF)l1fv34 z?oCa+WanEu=oR}hnAbkD7UH;Vi#iLZF{s2fvahtPYMFr}(eA>@Vaql2aHZC>wj6em zC4@-kxlNqi{&K%i5NHCh~8w?@lWgrd$8q1{Eq7s=5 zN{yPu>$WG$%p&YGMTWF8Wu>tbBl>L3l>5w&Y;!PT0&UMUhTgQTD#Mh#?xJOlb0G*Q zJj-mo-X2ias*+VJQBgwFs}nrM`qhLURD5O`3xrY8kv9gqttv*fq2rNVrald2d^lYw zc82t3I>)g&IX70R&Ph_dLLm!p25B&?)|^F?g6C4&Oxx{e`F1d-_mibnxvd)L=B_9# z!|eGr+l3IiaKuHPPGc0@iA#!J5fE_hvtBZwmo14(;9{6AK=+kw#`YYhu#JeYw5*B{_pD-%tBZkb)*Nrz5_W=nIL zj+SUk_Z_X5@(#6_P;JESHz*0@xU9KDYan3DNQ=^R7AOlqc4=C!lNa~%#T#ldi+K?o z1cb`jO*?@}vu1XrBd@S*2~#E?Z3bOdLv0bRV8q;IEYX`-{C3Q`QO(vfV#`xh4p@52 zC<6iZXD!z>IfAtEB#)BuOKB0OqcCxhi`_`TXj`!+;bz)Z<-W%2kr!#CD=Diz)5X4} z`$Cb@!ycLJHhU>C%ZynHtZl?RHpS%~+yo;Fr%2f9&tPz;t?J_cJp0xEfYggtB@T9d z3gTwV*a|pBU!}Pf)j`~6Hl)AC40&O7+l@A@%4Vtzd#u16V`@#?6e_C2TyAfKBsKZ2+u8seB-fbPA*=A*895+pRbKoqpKy9;MZ?i5Oid0|Fz% z<_t*3JxGihx{oW>T-w768Q_*<%GErm8$~oUW~COyyQ#OPDG5)ApkwAXlldH|Rok^)XnXDc}M=(R<{f{pZd;9R1O^uRr+A{oklm3;o{0JHp-R zKKSenpE>vW$>R83pZ)LSA3u1@S04G{&tBdC*PC9EyylMI`@-=sdf=6-Uq1fKHTfrA zxb20DgQvRt2TyeG{mI$4-}KhkTz}%j&wus7@|!=dkKBCetBhYfclw&^&i~iXzVvhJ z^r@?lJ$>}s|KTmjIpaeQ|I6P(!Ob7M|E~Lg?frj~efrNY zKK8~xyA?cfhj`6(&%XIDzOJ9U_Uk)0h0mr-&bZ>@xoKyH5n(bw6PIyNS!cduRIGn{E#NZo&NH_kQ=C z=U$#a^PboJY4M*|=!SCTnMYrC;dfpO{D{{tJ#+cR$#4DfNc+%x|KW?t<-ZAC_V&BH zBl+F8{_}TUuikUwsc(_rKl<8tU48D@$1b^W!*$m_|J^rSbzk=-7<%C15&usL{N0~_ z_$D0q#Yb)|uYWRl^wBqbz}$9^f3z`rxQ>;ge5X`|2b2 zp1=2N$3FVk4;=j^!d!Uh$EVsW?)~y#J$mGhv&aAb*y;D2`rzuy_kI7j&-lw%p1kei z(SQ3~{i?yY-uM&h1FPGg{*m^+%Z@$s*)!ih{ZHV1&pofr-^M@w7<&7I$M3xH>?N07 zycGWE)y0+Xc-e29JO+F3yz9bMx1QHO{EGfr`kOD@c+G7GGV{~(KYjX^^UwYdxJ&g4 From 8a18ee452b3894e833ac4d53aba46c3796d94767 Mon Sep 17 00:00:00 2001 
From: teutat3s
Date: Tue, 15 Oct 2024 23:20:12 +0200
Subject: [PATCH 2/3] garage: fix s3_api root_domain
---
 modules/garage/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/garage/default.nix b/modules/garage/default.nix
index ac435a79..9f3dec4b 100644
--- a/modules/garage/default.nix
+++ b/modules/garage/default.nix
@@ -99,7 +99,7 @@
 s3_api = {
 s3_region = "eu-central";
 api_bind_addr = "[::]:3900";
- root_domain = ".s3.${config.pub-solar-os.networking.domain}";
+ root_domain = ".buckets.${config.pub-solar-os.networking.domain}";
 };
 s3_web = {
 bind_addr = "[::]:3902";
From 5300f381b000417027c148f1de6596324fbca814 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 16 Oct 2024 15:37:44 +0200
Subject: [PATCH 3/3] nginx: use safer request_uri variable Fix >> Problem: [http_splitting] Possible HTTP-Splitting vulnerability. https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
---
 modules/nginx-mastodon-files/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/nginx-mastodon-files/default.nix b/modules/nginx-mastodon-files/default.nix
index a4ddca4e..8a62d359 100644
--- a/modules/nginx-mastodon-files/default.nix
+++ b/modules/nginx-mastodon-files/default.nix
@@ -44,7 +44,7 @@ in
 proxy_hide_header x-amz-bucket-region;
 proxy_hide_header x-amzn-requestid;
 proxy_ignore_headers Set-Cookie;
- proxy_pass $s3_backend$uri;
+ proxy_pass $s3_backend$request_uri;
 proxy_intercept_errors off;
 proxy_ssl_protocols TLSv1.2 TLSv1.3;
 proxy_ssl_server_name on;
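Review bot: The replacement `proxy_pass $s3_backend$request_uri;` in the third patch carries no explanation in the file for why `$request_uri` is the safer choice; the rationale lives only in the commit message, and the existing comment above `set $s3_backend` explains the DNS motivation but not this one. Because `$uri` is the decoded, normalized form of the path (percent-encoded control characters become literal bytes, which is what gixy's http_splitting check flags) while `$request_uri` is forwarded exactly as received, a later reader is likely to "simplify" this back to `$uri`. Suggest a comment directly above the line: `# $request_uri is the raw, still percent-encoded request line; $uri is decoded and could inject CRLF into the upstream request (gixy http_splitting)`. Note also that `$request_uri` includes the client's query string, which `$uri` did not, so it is now passed through to the backend unchanged; the enclosing location block starts and ends outside the hunk.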