From 1b8bdb013aa69fdf4cd836a6dcdf2e0a2dc67bf2 Mon Sep 17 00:00:00 2001
From: Inex Code
Date: Thu, 16 Dec 2021 16:51:43 +0300
Subject: [PATCH 1/5] Fix pleroma permissions
---
 files.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/files.nix b/files.nix
index 0083f70..1b3a66d 100644
--- a/files.nix
+++ b/files.nix
@@ -24,11 +24,11 @@ in [
 (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
 (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
- (if cfg.pleroma.enable then "d /var/lib/pleroma 0600 pleroma pleroma - -" else "")
+ (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
 "d /var/lib/restic 0600 restic - - -"
 "f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
 "f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
- (if cfg.pleroma.enable then "f+ /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
+ (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
 "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
 (if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}" else "")
 (if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}" else "")
From b5011cdd65b42401cc322260be089ffcdc54e8a9 Mon Sep 17 00:00:00 2001
From: Illia Chub
Date: Fri, 17 Dec 2021 19:17:23 +0200
Subject: [PATCH 2/5] Added Qualys A+ rated SSL/TLS settings
---
 webserver/nginx.nix | 115 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 110 insertions(+), 5 deletions(-)
diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index 6e925ad..10f13bd 100644
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
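Review bot: The new `f` line still creates `/var/lib/pleroma/secrets.exs` with mode 0755, which leaves a secrets file readable by every local account (and marked executable) even though the parent directory was just tightened to 0700 on the line above; `(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0600 pleroma pleroma - -" else "")` would match the directory. Switching `f+` to `f` does stop the existing file from being truncated on every tmpfiles run, but as far as I know systemd-tmpfiles still applies the mode and owner to an already existing file, so the 0755 takes effect on upgrades as well, not only on first creation. A one-line comment on the entry saying why `f` rather than `f+` is used (no argument, existing content must survive) would keep the next reader from "fixing" it back.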
@@ -1,32 +1,77 @@
-{ pkgs, config, ... }:
+{ pkgs, config, lib, ... }:
 let
 domain = config.services.userdata.domain;
 in
 {
 services.nginx = {
 enable = true;
- enableReload = true;
 recommendedGzipSettings = true;
 recommendedOptimisation = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
+ sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3";
+ sslCiphers = lib.mkForce "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL";
 clientMaxBodySize = "1024m";
+ commonHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ '';
 virtualHosts = {
 "${domain}" = {
 sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
+ extraConfig = ''
+ limit_conn perip 25;
+ limit_conn perserver 1000;
+ limit_req zone=mylimit burst=35 delay=25;
+ add_header Strict-Transport-Security $hsts_header;
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ expires 10m;
+ '';
 };
 "vpn.${domain}" = {
 sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
+ extraConfig = ''
+ limit_conn perip 25;
+ limit_conn perserver 1000;
+ limit_req zone=mylimit burst=35 delay=25;
+ add_header Strict-Transport-Security $hsts_header;
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy'
'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ expires 10m;
+ '';
 };
 "git.${domain}" = {
 sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
+ extraConfig = ''
+ limit_conn perip 25;
+ limit_conn perserver 1000;
+ limit_req zone=mylimit burst=35 delay=25;
+ add_header Strict-Transport-Security $hsts_header;
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ expires 10m;
+ '';
 locations = {
 "/" = {
 proxyPass = "http://127.0.0.1:3000";
@@ -37,6 +82,19 @@ in
 sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
+ extraConfig = ''
+ limit_conn perip 25;
+ limit_conn perserver 1000;
+ limit_req zone=mylimit burst=35 delay=25;
+ add_header Strict-Transport-Security $hsts_header;
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ expires 10m;
+ '';
 locations = {
 "/" = {
 proxyPass = "http://127.0.0.1:80/";
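Review bot: The `limit_conn perip 25`, `limit_conn perserver 1000` and `limit_req zone=mylimit …` lines refer to shared-memory zones that nothing in this hunk declares, and nginx rejects a config whose limit zones are undefined, so the service will not start until they exist; the hunk already introduces a `commonHttpConfig` block, which is where `limit_conn_zone $binary_remote_addr zone=perip:10m;`, `limit_conn_zone $server_name zone=perserver:10m;` and `limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;` (sizes and rate are example values) belong. The same three lines are copied into every other extraConfig block of this commit, including the @@ -37 hunk below. Separately, the `sslCiphers` string ends in `!SHA1:!SHA256:!SHA384`, and an OpenSSL `!` exclusion permanently deletes matching suites even when they are listed explicitly, so the six CBC entries (`ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES256-SHA`, `DHE-RSA-AES256-SHA256`, …) are dead text and only the five AEAD suites survive; drop either the dead entries or the exclusions, whichever matches the intended policy, and note that the `DHE-RSA-*` suites additionally need a dhparam file (not visible here) before nginx offers them. Finally, the HSTS value carries `includeSubdomains; preload`, which commits every subdomain of a self-hosted domain to HTTPS for a year and, once submitted to the preload list, is effectively irreversible; leaving `preload` off unless submission is actually planned is the safer default for an operator-owned domain.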
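Review bot: `expires 10m;` in this host's extraConfig applies to every successful response proxied from `127.0.0.1:80`, and as far as I recall nginx's expires directive replaces an existing `Cache-Control` value rather than merging with it, so an upstream `Cache-Control: no-store` or `private` on an authenticated page leaves the box as `max-age=600`, which is exactly what a shared cache needs to serve one user's response to another. For proxied application hosts the safer choice is to omit `expires` (or scope it to a static-asset `location`) and let the application decide caching. The same directive is present in every extraConfig block of this commit, including the hosts proxied to ports 3000, 8222, 5050 and 4000.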
@@ -50,6 +108,17 @@ in
 root = pkgs.jitsi-meet;
 extraConfig = ''
 ssi on;
+ limit_conn perip 25;
+ limit_conn perserver 1000;
+ limit_req zone=mylimit burst=35 delay=25;
+ add_header Strict-Transport-Security $hsts_header;
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ expires 10m;
 '';
 locations = {
 "@root_path" = {
@@ -82,6 +151,19 @@ in
 sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
+ extraConfig = ''
+ limit_conn perip 25;
+ limit_conn perserver 1000;
+ limit_req zone=mylimit burst=35 delay=25;
+ add_header Strict-Transport-Security $hsts_header;
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ expires 10m;
+ '';
 locations = {
 "/" = {
 proxyPass = "http://127.0.0.1:8222";
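Review bot: `add_header X-Frame-Options DENY;` is now applied to the Jitsi host (`root = pkgs.jitsi-meet;`), which blocks embedding the meeting UI in any iframe; if that host is meant to be embeddable, `SAMEORIGIN` or a CSP `frame-ancestors` list is the narrower setting, though the intended deployment is not visible here. Also worth knowing: nginx's `add_header` is not inherited into a `location` that sets its own `add_header`, so `@root_path` and the other locations that follow this hunk silently drop every header in this block if any of them adds one; the location bodies are outside the hunk, so this is a check rather than a finding.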
@@ -92,6 +174,19 @@ in
 sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
+ extraConfig = ''
+ limit_conn perip 25;
+ limit_conn perserver 1000;
+ limit_req zone=mylimit burst=35 delay=25;
+ add_header Strict-Transport-Security $hsts_header;
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ expires 10m;
+ '';
 locations = {
 "/" = {
 proxyPass = "http://127.0.0.1:5050";
@@ -103,14 +198,24 @@ in
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 root = "/var/www/social.${domain}";
 forceSSL = true;
+ extraConfig = ''
+ limit_conn perip 25;
+ limit_conn perserver 1000;
+ limit_req zone=mylimit burst=35 delay=25;
+ add_header Strict-Transport-Security $hsts_header;
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ expires 10m;
+ '';
 locations = {
 "/" = {
 proxyPass = "http://127.0.0.1:4000";
 };
 };
- extraConfig = ''
- client_max_body_size 1024m;
- '';
 };
 };
 };
From ae8e8b2c9b1d6edc54106970b9828a860f956fc6 Mon Sep 17 00:00:00 2001
From: Illia Chub
Date: Tue, 21 Dec 2021 08:18:38 +0200
Subject: [PATCH 3/5] Temporarily disabled CSP headers as they tend to break some of our applications
---
 webserver/nginx.nix | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index 10f13bd..8b06e3a 100644
--- a/webserver/nginx.nix
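Review bot: This hunk adds the eighth verbatim copy of the same 12-line extraConfig block in one commit; a `let`-bound string (for example `hardeningConfig = '' … '';` next to `domain`) referenced as `extraConfig = hardeningConfig;` in each host, or a `lib.mapAttrs` wrapper over `virtualHosts` now that `lib` is an argument, would turn the follow-up edits in this series (the CSP change touches all eight copies) into one-line diffs. Dropping the old `client_max_body_size 1024m;` here is fine, since `clientMaxBodySize = "1024m";` is already set at the `services.nginx` level in the first hunk. For `social.${domain}`, `proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"` rewrites every upstream cookie to `SameSite=strict`, which can break sign-in flows that return to the site through a cross-site redirect; whether the application behind port 4000 needs that is not visible here, so treat it as something to confirm.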
+++ b/webserver/nginx.nix
@@ -28,7 +28,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
@@ -46,7 +46,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
@@ -64,7 +64,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
@@ -87,7 +87,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
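Review bot: Commenting the CSP line out with `#` throws the policy away for every host; nginx can send it as `Content-Security-Policy-Report-Only` instead, which keeps the applications working while still reporting what the policy would have blocked, so `add_header Content-Security-Policy-Report-Only "script-src 'self'; object-src 'none'; base-uri 'none';" always;` (optionally with a `report-uri`) preserves the work until the policy is tuned per application. The same edit is repeated in the seven hunks that follow (@@ -46, -64, -87, -112, -156, -179, -203). With the CSP line gone, none of the remaining `add_header` lines carries `always`, so HSTS and the other headers are omitted on 4xx/5xx responses; appending `always` to them is a cheap fix in the same pass.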
@@ -112,7 +112,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
@@ -156,7 +156,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
@@ -179,7 +179,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
@@ -203,7 +203,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
From f5ec3014411cd316bf4aeb67e302eaf83971ee3e Mon Sep 17 00:00:00 2001
From: Illia Chub
Date: Tue, 21 Dec 2021 11:57:03 +0200
Subject: [PATCH 4/5] Resolved null limit zone memory allocation size
---
 webserver/nginx.nix | 24 ------------------------
 1 file changed, 24 deletions(-)
diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index 8b06e3a..4536c5f 100644
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@@ -24,9 +24,6 @@ in
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
- limit_conn perip 25;
- limit_conn perserver 1000;
- limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
@@ -42,9 +39,6 @@ in
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
- limit_conn perip 25;
- limit_conn perserver 1000;
- limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
@@ -60,9 +54,6 @@ in
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
- limit_conn perip 25;
- limit_conn perserver 1000;
- limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
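Review bot: Deleting the three `limit_conn`/`limit_req` lines makes the config check pass because the zones were never declared, but it also removes the only connection and request limiting this file had; the alternative that keeps the protection is to declare the zones once in the existing `commonHttpConfig` block — `limit_conn_zone $binary_remote_addr zone=perip:10m;`, `limit_conn_zone $server_name zone=perserver:10m;`, `limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;` (sizes and rate are example values) — and leave the per-host lines as they were. If dropping the limits is the intent, the commit message should say that rather than describe a memory-size fix. The same removal is repeated in the remaining hunks of this patch.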
@@ -83,9 +74,6 @@ in
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
- limit_conn perip 25;
- limit_conn perserver 1000;
- limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
@@ -108,9 +96,6 @@ in
 root = pkgs.jitsi-meet;
 extraConfig = ''
 ssi on;
- limit_conn perip 25;
- limit_conn perserver 1000;
- limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
@@ -152,9 +137,6 @@ in
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
- limit_conn perip 25;
- limit_conn perserver 1000;
- limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
@@ -175,9 +157,6 @@ in
 sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
- limit_conn perip 25;
- limit_conn perserver 1000;
- limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
@@ -199,9 +178,6 @@ in
 root = "/var/www/social.${domain}";
 forceSSL = true;
 extraConfig = ''
- limit_conn perip 25;
- limit_conn perserver 1000;
- limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
From c3ee4d00fc45cfb22f837785c7050dd655bce469 Mon Sep 17 00:00:00 2001
From: Inex Code
Date: Fri, 14 Jan 2022 03:43:26 +0300
Subject: [PATCH 5/5] Add ability to skip migrations in API
---
 userdata/schema.json | 6 ++++++
 variables-module.nix | 7 +++++++
 2 files changed, 13 insertions(+)
diff --git a/userdata/schema.json b/userdata/schema.json
index 5115459..778f5e0 100644
--- a/userdata/schema.json
+++ b/userdata/schema.json
@@ -43,6 +43,12 @@
 },
 "enableSwagger": {
 "type": "boolean"
+ },
+ "skippedMigrations": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
 }
 }
 },
diff --git a/variables-module.nix b/variables-module.nix
index 2c465cc..47acdfb 100644
--- a/variables-module.nix
+++ b/variables-module.nix
@@ -84,6 +84,13 @@ in
 '';
 type = types.bool;
 };
+ skippedMigrations = mkOption {
+ default = [ ];
+ description = ''
+ List of migrations that should be skipped
+ '';
+ type = types.listOf types.str;
+ };
 };
 #############
 # Secrets #
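Review bot: `skippedMigrations` accepts any string, both through `types.listOf types.str` here and through `"items": {"type": "string"}` in the userdata/schema.json hunk above, so a mistyped migration name passes validation and presumably just fails to match anything, and the description does not say where valid names come from. If the set of migrations is known, `types.listOf (types.enum [ <migration-ids> ])` on the Nix side and an `enum` (or at least `"uniqueItems": true`) on the JSON side would reject typos at evaluation time. The description should also name the consumer and the consequence, along the lines of `Migration identifiers the selfprivacy API must not run; a skipped migration is not re-attempted automatically`, with the second clause adjusted to whatever the API actually does, since that behaviour is not in this diff.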