diff --git a/modules/nginx-acme-base/default.nix b/modules/nginx-acme-base/default.nix index 3b971d0..4ec9887 100644 --- a/modules/nginx-acme-base/default.nix +++ b/modules/nginx-acme-base/default.nix @@ -1,6 +1,7 @@ { ... }: { networking.firewall.allowedTCPPorts = [ + 80 443 ]; security.acme = { @@ -9,8 +10,31 @@ }; services.nginx = { enable = true; + commonHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=63072000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # Enable XSS protection of the browser. + # May be unnecessary when CSP is configured properly (see above) + add_header X-XSS-Protection "1; mode=block"; + + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + ''; recommendedOptimisation = true; - recommendedProxySettings = true; recommendedTlsSettings = true; }; } diff --git a/modules/nginx-acme/default.nix b/modules/nginx-acme/default.nix deleted file mode 100644 index f6fb357..0000000 --- a/modules/nginx-acme/default.nix +++ /dev/null 
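Review bot: None of the `add_header` directives in the new `commonHttpConfig` carry the `always` flag, so nginx emits them only on its default success/redirect status codes and error responses (4xx/5xx) go out without HSTS, `Referrer-Policy` or `X-Content-Type-Options`; use `add_header Strict-Transport-Security $hsts_header always;` and the same suffix on the other three `add_header` lines. Because nginx inherits `add_header` from the http level only when a server or location block declares no `add_header` of its own, any vhost `extraConfig` that adds one header silently drops this whole set for that scope; a comment above the block such as `# add_header is not merged across levels: a server/location that sets its own add_header loses all of these` would warn future module authors. The same `always` point applies to the `X-Frame-Options` headers added in modules/nginx-proxy and systems/nextcloud in this commit. `X-XSS-Protection "1; mode=block"` enables a browser filter that current browsers have removed, and present guidance is to set it to `0` or drop it in favour of the (still commented-out) Content-Security-Policy.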
@@ -1,43 +0,0 @@ -{ domain, inputs, port ? "8080", ... }: -{ - imports = [ - "${inputs.self}/modules/nginx-acme-base" - ]; - services.nginx = { - commonHttpConfig = '' - # Add HSTS header with preloading to HTTPS requests. - # Adding this header to HTTP requests is discouraged - map $scheme $hsts_header { - https "max-age=63072000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - - # Enable CSP for your services. - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - - # Minimize information leaked to other domains - add_header 'Referrer-Policy' 'origin-when-cross-origin'; - - # Disable embedding as a frame - add_header X-Frame-Options DENY; - - # Prevent injection of code in other mime types (XSS Attacks) - add_header X-Content-Type-Options nosniff; - - # Enable XSS protection of the browser. - # May be unnecessary when CSP is configured properly (see above) - add_header X-XSS-Protection "1; mode=block"; - - # This might create errors - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - ''; - virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${port}"; - proxyWebsockets = true; # needed if you need to use WebSocket - }; - }; - }; -} diff --git a/modules/nginx-fpm/default.nix b/modules/nginx-fpm/default.nix new file mode 100644 index 0000000..1d95210 --- /dev/null +++ b/modules/nginx-fpm/default.nix 
@@ -0,0 +1,28 @@ +{ dataDir, documentRoot ? "/var/www/html", domain, inputs, pkgs, port ? "9000", ... }: +{ + imports = [ + "${inputs.self}/modules/nginx-acme-base" + ]; + services.nginx = { + appendHttpConfig = '' + index index.php; + ''; + virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + root = dataDir; + locations = { + "~ \\.php$" = { + extraConfig = '' + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_param SCRIPT_FILENAME ${documentRoot}$fastcgi_script_name; + fastcgi_index index.php; + fastcgi_pass 127.0.0.1:${port}; + ''; + }; + }; + }; + }; +} diff --git a/modules/nginx-proxy/default.nix b/modules/nginx-proxy/default.nix new file mode 100644 index 0000000..1b1a140 --- /dev/null +++ b/modules/nginx-proxy/default.nix @@ -0,0 +1,20 @@ +{ domain, inputs, port ? "8080", ... }: { + imports = [ + "${inputs.self}/modules/nginx-acme-base" + ]; + services.nginx = { + appendHttpConfig = '' + # Disable embedding as a frame + add_header X-Frame-Options DENY; + ''; + recommendedProxySettings = true; + virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${port}"; + proxyWebsockets = true; # needed if you need to use WebSocket + }; + }; + }; +} diff --git a/systems/git/default.nix b/systems/git/default.nix index 3df1418..eb16400 100644 --- a/systems/git/default.nix +++ b/systems/git/default.nix @@ -8,7 +8,7 @@ (import "${inputs.self}/modules/restic-server-mysql-client" { time = "03:00"; inherit custom hostname inputs pkgs; }) - (import "${inputs.self}/modules/nginx-acme" { + (import "${inputs.self}/modules/nginx-proxy" { domain = "git.2li.ch"; inherit inputs; }) "${inputs.self}/modules/docker" diff --git a/systems/mail/default.nix b/systems/mail/default.nix index d8df0dc..b740d9c 100644 --- a/systems/mail/default.nix +++ b/systems/mail/default.nix 
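Review bot: The `~ \\.php$` location hands every URI ending in `.php` to FPM without checking that the script exists under `root`; adding `try_files $fastcgi_script_name =404;` as the first line of its `extraConfig` makes nginx answer 404 instead of forwarding an unresolved path, which is the standard guard against the PATH_INFO misconfiguration on the PHP side. Note that `root` is `dataDir` while `SCRIPT_FILENAME` is built from `documentRoot` (default `/var/www/html`), presumably because FPM sees the files at a different path; the try_files check runs against `root` on the nginx side, so the two trees have to hold the same files, and a comment stating that assumption next to the `documentRoot` parameter would help. `fastcgi.conf` as shipped by nginx is `fastcgi_params` plus a `SCRIPT_FILENAME` definition, so including both and then redefining `SCRIPT_FILENAME` is redundant; `include ${pkgs.nginx}/conf/fastcgi_params;` together with the explicit `fastcgi_param` line is enough.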
@@ -8,7 +8,7 @@ (import "${inputs.self}/modules/restic-server-client" { time = "04:30"; inherit custom hostname inputs pkgs; }) - (import "${inputs.self}/modules/nginx-acme" { + (import "${inputs.self}/modules/nginx-proxy" { domain = "mail.zweili.org"; inherit inputs; }) "${inputs.self}/modules/docker" diff --git a/systems/nextcloud/default.nix b/systems/nextcloud/default.nix index 0008f08..28fb742 100644 --- a/systems/nextcloud/default.nix +++ b/systems/nextcloud/default.nix @@ -14,34 +14,11 @@ ]; services.nginx = { - commonHttpConfig = '' - # Add HSTS header with preloading to HTTPS requests. - # Adding this header to HTTP requests is discouraged - map $scheme $hsts_header { - https "max-age=63072000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - - # Enable CSP for your services. - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - - # Minimize information leaked to other domains - add_header 'Referrer-Policy' 'origin-when-cross-origin'; - + appendHttpConfig = '' # Allow embedding from same domain add_header X-Frame-Options SAMEORIGIN; - - # Prevent injection of code in other mime types (XSS Attacks) - add_header X-Content-Type-Options nosniff; - - # Enable XSS protection of the browser. - # May be unnecessary when CSP is configured properly (see above) - add_header X-XSS-Protection "1; mode=block"; - - # This might create errors - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - ''; + clientMaxBodySize = "20G"; virtualHosts."nextcloud.2li.ch" = { enableACME = true; forceSSL = true; @@ -52,7 +29,6 @@ extraConfig = '' # Required for large downloads proxy_buffering off; - client_max_body_size 20G; ''; }; }; diff --git a/systems/raspi-test/default.nix b/systems/raspi-test/default.nix index f036b81..f7be7b2 100644 --- a/systems/raspi-test/default.nix +++ b/systems/raspi-test/default.nix 
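Review bot: `clientMaxBodySize = "20G"` sets `client_max_body_size` at the http level, so the 20G limit that previously applied only to the nextcloud location (the second hunk of this file removes that line) now applies to every server and location nginx serves on this host; if that widening is not intended, `client_max_body_size 20G;` in the vhost's `extraConfig` scopes it to nextcloud.2li.ch. The security headers this hunk deletes now have to come from modules/nginx-acme-base; the imports list is outside the hunk, so confirm this system imports that module, otherwise the HSTS and nosniff headers are silently lost. A one-line comment above `appendHttpConfig`, e.g. `# HSTS/nosniff/referrer headers come from modules/nginx-acme-base`, would make that dependency visible.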
@@ -1,15 +1,30 @@ { hostname, inputs, pkgs, ... }: +let + domain = "test.2li.ch"; +in { imports = [ (import "${inputs.self}/systems/raspi4" { ip = "10.7.89.150"; inherit hostname inputs pkgs; }) - (import "${inputs.self}/modules/nginx-acme" { - domain = "test.2li.ch"; - inherit inputs; + (import "${inputs.self}/modules/nginx-fpm" { + dataDir = "/var/www/ttrss/app"; + inherit domain inputs pkgs; }) "${inputs.self}/modules/docker" "${inputs.self}/modules/tmux" ]; + services.nginx.virtualHosts."${domain}".locations = { + "/".extraConfig = '' + try_files $uri $uri/ = 404; + ''; + "/tt-rss/cache".extraConfig = '' + aio threads; + internal; + ''; + "/tt-rss/backups".extraConfig = '' + internal; + ''; + }; } diff --git a/systems/ttrss/default.nix b/systems/ttrss/default.nix index e2fc591..62f122e 100644 --- a/systems/ttrss/default.nix +++ b/systems/ttrss/default.nix @@ -5,7 +5,7 @@ ip = "10.7.89.115"; inherit hostname inputs; }) - (import "${inputs.self}/modules/nginx-acme" { + (import "${inputs.self}/modules/nginx-proxy" { domain = "ttrss.2li.ch"; inherit inputs; }) (import "${inputs.self}/modules/restic-server-mysql-client" {
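Review bot: `try_files $uri $uri/ = 404;` in the `/` location has a space between `=` and `404`, so nginx does not parse it as the `=code` form: `=` becomes a file to probe and `404` a fallback URI, not the intended 404 response. Change it to `try_files $uri $uri/ =404;`. The import passes `dataDir = "/var/www/ttrss/app"` but leaves `documentRoot` at its `/var/www/html` default, so nginx resolves files under one path while FPM receives `SCRIPT_FILENAME` under another; this looks deliberate (FPM in a container), and a comment such as `# dataDir is the host path, documentRoot the path PHP-FPM sees` would record it.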