Merge branch 'master' into rolling-testing

Inex Code 2022-01-14 04:00:31 +03:00
commit 0784a1fe17
3 changed files with 99 additions and 5 deletions


@ -43,6 +43,12 @@
}, },
"enableSwagger": { "enableSwagger": {
"type": "boolean" "type": "boolean"
},
"skippedMigrations": {
"type": "array",
"items": {
"type": "string"
}
} }
} }
}, },


@ -84,6 +84,13 @@ in
''; '';
type = types.bool; type = types.bool;
}; };
skippedMigrations = mkOption {
default = [ ];
description = ''
List of migrations that should be skipped
'';
type = types.listOf types.str;
};
}; };
############# #############
# Secrets # # Secrets #


@ -1,32 +1,68 @@
{ pkgs, config, ... }: { pkgs, config, lib, ... }:
let let
domain = config.services.userdata.domain; domain = config.services.userdata.domain;
in in
{ {
services.nginx = { services.nginx = {
enable = true; enable = true;
enableReload = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3";
sslCiphers = lib.mkForce "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL";
clientMaxBodySize = "1024m"; clientMaxBodySize = "1024m";
commonHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
'';
virtualHosts = { virtualHosts = {
"${domain}" = { "${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
}; };
"vpn.${domain}" = { "vpn.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
}; };
"git.${domain}" = { "git.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:3000"; proxyPass = "http://127.0.0.1:3000";
@ -37,6 +73,16 @@ in
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:80/"; proxyPass = "http://127.0.0.1:80/";
@ -50,6 +96,14 @@ in
root = pkgs.jitsi-meet; root = pkgs.jitsi-meet;
extraConfig = '' extraConfig = ''
ssi on; ssi on;
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
''; '';
locations = { locations = {
"@root_path" = { "@root_path" = {
@ -82,6 +136,16 @@ in
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:8222"; proxyPass = "http://127.0.0.1:8222";
@ -92,6 +156,16 @@ in
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:5050"; proxyPass = "http://127.0.0.1:5050";
@ -103,14 +177,21 @@ in
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
root = "/var/www/social.${domain}"; root = "/var/www/social.${domain}";
forceSSL = true; forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:4000"; proxyPass = "http://127.0.0.1:4000";
}; };
}; };
extraConfig = ''
client_max_body_size 1024m;
'';
}; };
}; };
}; };
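Review bot: The `proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";` line added to every virtual host's `extraConfig` is a prefix rewrite, so an upstream cookie with a path such as `Path=/api` would come out with the flags spliced into the middle of its path, and a cookie with no Path attribute gets no flags at all; on nginx 1.19.3 or later, `proxy_cookie_flags ~ secure httponly samesite=strict;` sets the flags without touching the path. The `add_header` lines also lack `always`, so HSTS, `X-Frame-Options` and `X-Content-Type-Options` are not sent on 4xx/5xx responses, and any `add_header` inside a `locations` block would drop the server-level set for that location (none is visible in these hunks). Since the same eight lines are repeated in each virtual host, a single `let` binding next to `domain`, referenced from each `extraConfig`, would keep the copies from drifting apart. Separately, `includeSubdomains; preload` in the `map` block commits every subdomain of the user's domain to HTTPS for a year, including hosts this server may not manage, which deserves a comment there such as `# HSTS covers all subdomains and requests preload; hard to roll back`.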