diff --git a/modules/matrix.nix b/modules/matrix.nix index e824fd3..fd6568d 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix @@ -1,7 +1,7 @@ { pkgs, ... }: let - livekitKeyFile = "/run/livekit.key"; + livekitKeyFile = "/var/lib/livekit/livekit.key"; serverName = "atri.dad"; matrixDomain = "matrix.atri.dad"; matrixRtcDomain = "matrixrtc.atri.dad"; @@ -116,9 +116,14 @@ in ]; script = '' echo "Key missing, generating key" + install -d -m 0700 "$(dirname "${livekitKeyFile}")" + install -m 0600 /dev/null "${livekitKeyFile}" echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}" ''; - serviceConfig.Type = "oneshot"; + serviceConfig = { + Type = "oneshot"; + UMask = "0177"; + }; unitConfig.ConditionPathExists = "!${livekitKeyFile}"; }; diff --git a/modules/nginx.nix b/modules/nginx.nix index e55dc69..ab80e60 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix @@ -35,6 +35,9 @@ let locations."/" = { proxyPass = "http://${upstream}:${toString port}"; proxyWebsockets = true; + # NOTE: `if` inside a location block is unsafe in general (nginx docs warn + # against it), but is safe here because the only statement is `return`. + # Do NOT add any other directives inside this if block. extraConfig = "if ($fuckai) { return 444; }"; }; }; @@ -44,6 +47,8 @@ let listen ${toString port}; listen ${toString port} udp; proxy_pass ${upstream}:${toString port}; + proxy_timeout 300s; + proxy_connect_timeout 10s; } ''; in @@ -61,16 +66,11 @@ in recommendedProxySettings = true; recommendedTlsSettings = true; - # Fuck AI clientMaxBodySize = "3g"; commonHttpConfig = '' more_clear_headers Server; more_clear_headers X-Powered-By; - add_header X-fuckai "ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86" always; - sub_filter '' ''; - sub_filter_once on; - sub_filter_types text/html; map $http_user_agent $fuckai { default 0; 
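Review bot: In the `-116,9 +116,14` hunk of modules/matrix.nix, a failing `livekit-server generate-keys` still produces a key file, because the pipeline's status is lost inside the `$(...)` argument to `echo` (NixOS wraps `script` in `set -e`, but not `pipefail`, and a substitution failure does not fail the enclosing `echo`); the result is a file containing `lk-jwt-service: ` with an empty secret, and since `ConditionPathExists = "!…"` only fires while the file is absent, the unit never retries. The new `install -m 0600 /dev/null` line makes this worse: it creates the (empty) file before the key is known, so even an early abort leaves a file that disables regeneration. Capture the key into a variable, refuse to write anything unless it is non-empty, and only then create the file. The `UMask = "0177"` is redundant with `install -m 0600` but harmless as belt-and-braces for the redirect. Note also that the directory is created 0700 and the file 0600 owned by whoever runs this oneshot (presumably root); if livekit-server and lk-jwt-service run as their own users, they cannot read it without a `LoadCredential=` or group ownership — that cannot be confirmed from this hunk. The enclosing service definition starts before the hunk.
```nix
      script = ''
        echo "Key missing, generating key"
        key="$(livekit-server generate-keys | tail -1 | awk '{print $3}')"
        if [ -z "$key" ]; then
          echo "livekit-server generate-keys produced no key; not writing ${livekitKeyFile}" >&2
          exit 1
        fi
        install -d -m 0700 "$(dirname "${livekitKeyFile}")"
        install -m 0600 /dev/null "${livekitKeyFile}"
        echo "lk-jwt-service: $key" > "${livekitKeyFile}"
      '';
```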
@@ -150,11 +150,14 @@ in forceSSL = true; locations."/" = { proxyPass = "http://${upstream}:3000"; + # NOTE: `if` is safe here because the only statement is `return`. + # Do NOT add other directives inside this if block. extraConfig = "if ($fuckai) { return 444; }"; }; locations."= /.well-known/matrix/server" = { extraConfig = '' default_type application/json; + add_header X-Content-Type-Options nosniff; return 200 '${wellKnownServer}'; ''; }; @@ -162,6 +165,8 @@ in extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin "*"; + add_header Vary Origin; + add_header X-Content-Type-Options nosniff; return 200 '${wellKnownClient}'; ''; }; @@ -194,12 +199,14 @@ in enableACME = true; forceSSL = true; extraConfig = '' - client_max_body_size 0; + client_max_body_size 20g; ''; locations."/" = { proxyPass = "http://${upstream}:30013"; proxyWebsockets = true; extraConfig = '' + # NOTE: `if` is safe here because the only statement is `return`. + # Do NOT add other directives inside this if block. if ($fuckai) { return 444; } proxy_buffering off; proxy_request_buffering off; @@ -220,8 +227,15 @@ in client_max_body_size 100M; ''; }; + # Only forward the three known lk-jwt-service endpoints; reject everything + # else (including path traversal sequences) with 404. locations."^~ /livekit/jwt/" = { priority = 400; + extraConfig = '' + if ($uri !~ "^/livekit/jwt/(sfu/get|get_token|healthz)$") { + return 404; + } + ''; proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/"; }; }; @@ -236,7 +250,6 @@ in proxy_send_timeout 120; proxy_read_timeout 120; proxy_buffering off; - proxy_set_header Accept-Encoding gzip; ''; }; };
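Review bot: In the `-150,11 +150,14` hunk, adding `add_header X-Content-Type-Options nosniff;` to the `= /.well-known/matrix/server` location silently stops that location from inheriting any `add_header` directives set at the server or http level — nginx inherits `add_header` from the parent level only when the current level defines none. Before this change the location had no `add_header`, so it inherited whatever the virtual host sets (e.g. `Strict-Transport-Security` if it is declared there; not visible in this hunk). If such headers exist, re-declare them in this location alongside `nosniff`, or move `nosniff` to the server level so every location gets it. A one-line comment would prevent the next person from tripping over this: `# add_header here disables inheritance of server-level add_header directives; redeclare any needed ones.` The enclosing virtualHost starts before the hunk.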
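Review bot: In the `-162,6 +165,8` hunk, `add_header Vary Origin;` next to a fixed `Access-Control-Allow-Origin "*"` buys nothing: the response does not depend on the request's Origin, so `Vary: Origin` only fragments shared caches by origin without changing correctness. It is harmless, but if it is meant to stay, a comment stating why (e.g. planned per-origin ACLs) would help; otherwise drop it and keep just the `nosniff` addition. This location already had an `add_header` before the change, so the add_header inheritance caveat does not newly apply here.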
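Review bot: In the `-220,8 +227,15` hunk, the allowlist regex in `location ^~ /livekit/jwt/` matches `$uri`, and the new comment should say why that is the right variable: nginx percent-decodes and collapses dot-segments in `$uri` before location matching, so `%2e%2e/` and `get_token/../x` variants are already normalized when the regex runs, whereas `$request_uri` would not give that guarantee. Suggested comment: `# Match on $uri (decoded + dot-segment-normalized), not $request_uri, so encoded traversal cannot slip past the allowlist.` For consistency with the other locations in this file, add the same `# NOTE: only \`return\` inside this if block` guard, since `if` in a location with `proxy_pass` is only safe while its body is limited to `return`. The more idiomatic alternative is three `location = /livekit/jwt/...` exact-match blocks with no `if` at all; the regex is acceptable if you prefer the single location. The enclosing virtualHost starts before the hunk.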