mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-23 12:01:27 +00:00
Merge branch 'master' into rolling-testing
This commit is contained in:
commit
0784a1fe17
|
@ -43,6 +43,12 @@
|
||||||
},
|
},
|
||||||
"enableSwagger": {
|
"enableSwagger": {
|
||||||
"type": "boolean"
|
"type": "boolean"
|
||||||
|
},
|
||||||
|
"skippedMigrations": {
|
||||||
|
"type": "array",
|
||||||
|
"items": {
|
||||||
|
"type": "string"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
|
@ -84,6 +84,13 @@ in
|
||||||
'';
|
'';
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
};
|
};
|
||||||
|
skippedMigrations = mkOption {
|
||||||
|
default = [ ];
|
||||||
|
description = ''
|
||||||
|
List of migrations that should be skipped
|
||||||
|
'';
|
||||||
|
type = types.listOf types.str;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
#############
|
#############
|
||||||
# Secrets #
|
# Secrets #
|
||||||
|
|
|
@ -1,32 +1,68 @@
|
||||||
{ pkgs, config, ... }:
|
{ pkgs, config, lib, ... }:
|
||||||
let
|
let
|
||||||
domain = config.services.userdata.domain;
|
domain = config.services.userdata.domain;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enableReload = true;
|
|
||||||
recommendedGzipSettings = true;
|
recommendedGzipSettings = true;
|
||||||
recommendedOptimisation = true;
|
recommendedOptimisation = true;
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
recommendedTlsSettings = true;
|
recommendedTlsSettings = true;
|
||||||
|
sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3";
|
||||||
|
sslCiphers = lib.mkForce "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL";
|
||||||
clientMaxBodySize = "1024m";
|
clientMaxBodySize = "1024m";
|
||||||
|
commonHttpConfig = ''
|
||||||
|
map $scheme $hsts_header {
|
||||||
|
https "max-age=31536000; includeSubdomains; preload";
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"${domain}" = {
|
"${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
"vpn.${domain}" = {
|
"vpn.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
"git.${domain}" = {
|
"git.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:3000";
|
proxyPass = "http://127.0.0.1:3000";
|
||||||
|
@ -37,6 +73,16 @@ in
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:80/";
|
proxyPass = "http://127.0.0.1:80/";
|
||||||
|
@ -50,6 +96,14 @@ in
|
||||||
root = pkgs.jitsi-meet;
|
root = pkgs.jitsi-meet;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
ssi on;
|
ssi on;
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
'';
|
'';
|
||||||
locations = {
|
locations = {
|
||||||
"@root_path" = {
|
"@root_path" = {
|
||||||
|
@ -82,6 +136,16 @@ in
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:8222";
|
proxyPass = "http://127.0.0.1:8222";
|
||||||
|
@ -92,6 +156,16 @@ in
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:5050";
|
proxyPass = "http://127.0.0.1:5050";
|
||||||
|
@ -103,14 +177,21 @@ in
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
root = "/var/www/social.${domain}";
|
root = "/var/www/social.${domain}";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:4000";
|
proxyPass = "http://127.0.0.1:4000";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
extraConfig = ''
|
|
||||||
client_max_body_size 1024m;
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in a new issue