Move acme-base into options

Andreas Zweili 2023-06-05 15:58:28 +02:00
parent a2d1bc1fb5
commit 4652cae1d7
7 changed files with 79 additions and 69 deletions


@ -29,6 +29,7 @@
./services/mariadb-for-containers
./services/media-share
./services/nextcloud
./nginx-acme-base
./services/pipewire
./services/rclone-webdav
./services/rdp


@ -1,40 +1,49 @@
{ ... }:
{ config, lib, ... }:
let
cfg = config.services.az-acme-base;
in
{
networking.firewall.allowedTCPPorts = [
80
443
];
security.acme = {
acceptTerms = true;
defaults.email = "admin+acme@zweili.ch";
options = {
services.az-acme-base.enable = lib.mkEnableOption "All the common options I need for ACME certs.";
};
services.nginx = {
enable = true;
commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=63072000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [
80
443
];
security.acme = {
acceptTerms = true;
defaults.email = "admin+acme@zweili.ch";
};
services.nginx = {
enable = true;
commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=63072000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
recommendedOptimisation = true;
recommendedTlsSettings = true;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
recommendedOptimisation = true;
recommendedTlsSettings = true;
};
};
}
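Review bot: The description on the `services.az-acme-base.enable = lib.mkEnableOption "All the common options I need for ACME certs.";` line renders awkwardly, because mkEnableOption prefixes its argument with "Whether to enable ", producing "Whether to enable All the common options I need for ACME certs."; a lowercase noun phrase such as `lib.mkEnableOption "the shared nginx/ACME baseline (firewall ports 80/443, acceptTerms, security headers)"` reads correctly in the generated option docs. Now that the module is gated by an option, the hard-coded `defaults.email = "admin+acme@zweili.ch";` in the new `config` block is the natural candidate for a second option (e.g. `services.az-acme-base.email = lib.mkOption { type = lib.types.str; default = "admin+acme@zweili.ch"; };`) so other hosts can reuse the module without editing it; this can be a follow-up. Separately, the `add_header X-XSS-Protection "1; mode=block";` line carried into the new block is a deprecated header that current browsers ignore or that can itself cause problems, and the usual recommendation is to drop it or send `0` and rely on the Content-Security-Policy header that is still commented out here.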


@ -1,27 +1,27 @@
{ dataDir, documentRoot ? "/var/www/html", domain, port ? "9000", }:
{ inputs, pkgs, ... }:
{
imports = [
"${inputs.self}/modules/nginx-acme-base"
];
services.nginx = {
appendHttpConfig = ''
index index.php;
'';
virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
root = dataDir;
locations = {
"~ \\.php$" = {
extraConfig = ''
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_param SCRIPT_FILENAME ${documentRoot}$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:${port};
'';
services = {
az-acme-base.enable = true;
nginx = {
appendHttpConfig = ''
index index.php;
'';
virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
root = dataDir;
locations = {
"~ \\.php$" = {
extraConfig = ''
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_param SCRIPT_FILENAME ${documentRoot}$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:${port};
'';
};
};
};
};
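Review bot: `inputs` in the `{ inputs, pkgs, ... }:` module header is now unused, since its only consumer was the `imports = [ "${inputs.self}/modules/nginx-acme-base" ];` block this commit removes; the header can shrink to `{ pkgs, ... }:`. The proxy module in the following file section has the same leftover in its `{ inputs, ... }:` header, which can become `{ ... }:`. Setting `az-acme-base.enable = true;` from inside these reusable modules still opens ports 80 and 443 on every host that imports them, exactly as the old `imports` line did, so a one-line comment such as `# pulls in the shared nginx/ACME baseline (opens 80/443 in the firewall)` next to the enable line would tell a reader of the host config where that firewall change originates.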


@ -1,19 +1,19 @@
{ domain, port ? "8080" }: { inputs, ... }: {
imports = [
"${inputs.self}/modules/nginx-acme-base"
];
services.nginx = {
appendHttpConfig = ''
# Disable embedding as a frame
add_header X-Frame-Options DENY;
'';
recommendedProxySettings = true;
virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${port}";
proxyWebsockets = true; # needed if you need to use WebSocket
services = {
az-acme-base.enable = true;
nginx = {
appendHttpConfig = ''
# Disable embedding as a frame
add_header X-Frame-Options DENY;
'';
recommendedProxySettings = true;
virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${port}";
proxyWebsockets = true; # needed if you need to use WebSocket
};
};
};
};


@ -30,6 +30,7 @@ in
age.secrets.nextcloudEnv.file = "${inputs.self}/scrts/nextcloud_env.age";
services = {
az-acme-base.enable = true;
az-docker.enable = true;
az-mariadb-for-containers.enable = true;
mysql.settings = {


@ -5,7 +5,6 @@
ip = "10.7.89.103";
inherit hostname;
})
"${inputs.self}/modules/nginx-acme-base"
(import "${inputs.self}/modules/restic-client-server-mysql" {
path = "/home/andreas";
time = "01:30";


@ -9,10 +9,10 @@
path = "/home/andreas";
time = "00:00";
})
"${inputs.self}/modules/nginx-acme-base"
];
services = {
az-acme-base.enable = true;
az-grav.enable = true;
az-haproxy.enable = true;
az-heimdall.enable = true;