move nginx exclusive virtualHosts to SP modules

2024-11-26 12:51:30 +00:00 · 2023-12-18 19:02:54 +04:00 · 2023-12-18 19:02:54 +04:00 · 365f027326
parent d881cc8ce5
commit 365f027326
5 changed files with 119 additions and 118 deletions
--- a/sp-modules/bitwarden/module.nix
+++ b/sp-modules/bitwarden/module.nix
@ -69,5 +69,25 @@ in
        <(printf "%s" "$bitwarden_env") ${bitwarden-env}
      '';
    };
    services.nginx.virtualHosts."password.${sp.domain}" = {
      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
        expires 10m;
      '';
      locations = {
        "/" = {
          proxyPass = "http://127.0.0.1:8222";
        };
      };
    };
  };
 }
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@ -19,64 +19,82 @@ in
  };
  config = lib.mkIf config.selfprivacy.modules.gitea.enable {
-    services = {
+    services.gitea = {
-      gitea = {
+      enable = true;
-        enable = true;
+      inherit stateDir;
-        inherit stateDir;
+      #      log = {
-        #      log = {
+      #        rootPath = "/var/lib/gitea/log";
-        #        rootPath = "/var/lib/gitea/log";
+      #        level = "Warn";
-        #        level = "Warn";
+      #      };
-        #      };
+      user = "gitea";
      database = {
        type = "sqlite3";
        host = "127.0.0.1";
        name = "gitea";
        user = "gitea";
-        database = {
+        path = "${stateDir}/data/gitea.db";
-          type = "sqlite3";
+        createDatabase = true;
-          host = "127.0.0.1";
+      };
-          name = "gitea";
+      # ssh = {
-          user = "gitea";
+      #   enable = true;
-          path = "${stateDir}/data/gitea.db";
+      #   clonePort = 22;
-          createDatabase = true;
+      # };
      lfs = {
        enable = true;
        contentDir = "${stateDir}/lfs";
      };
      appName = "SelfPrivacy git Service";
      repositoryRoot = "${stateDir}/repositories";
      #      cookieSecure = true;
      settings = {
        server = {
          DOMAIN = "git.${sp.domain}";
          ROOT_URL = "https://git.${sp.domain}/";
          HTTP_ADDR = "0.0.0.0";
          HTTP_PORT = 3000;
        };
-        # ssh = {
+        mailer = {
-        #   enable = true;
+          ENABLED = false;
        #   clonePort = 22;
        # };
        lfs = {
          enable = true;
          contentDir = "${stateDir}/lfs";
        };
-        appName = "SelfPrivacy git Service";
+        ui = {
-        repositoryRoot = "${stateDir}/repositories";
+          DEFAULT_THEME = "arc-green";
-        #      cookieSecure = true;
+          SHOW_USER_EMAIL = false;
-        settings = {
+        };
-          server = {
+        picture = {
-            DOMAIN = "git.${sp.domain}";
+          DISABLE_GRAVATAR = true;
-            ROOT_URL = "https://git.${sp.domain}/";
+        };
-            HTTP_ADDR = "0.0.0.0";
+        admin = {
-            HTTP_PORT = 3000;
+          ENABLE_KANBAN_BOARD = true;
-          };
+        };
-          mailer = {
+        repository = {
-            ENABLED = false;
+          FORCE_PRIVATE = false;
-          };
+        };
-          ui = {
+        session = {
-            DEFAULT_THEME = "arc-green";
+          COOKIE_SECURE = true;
-            SHOW_USER_EMAIL = false;
+        };
-          };
+        log = {
-          picture = {
+          ROOT_PATH = "${stateDir}/log";
-            DISABLE_GRAVATAR = true;
+          LEVEL = "Warn";
-          };
+        };
-          admin = {
+      };
-            ENABLE_KANBAN_BOARD = true;
+    };
-          };
+    services.nginx.virtualHosts."git.${sp.domain}" = {
-          repository = {
+      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
-            FORCE_PRIVATE = false;
+      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
-          };
+      forceSSL = true;
-          session = {
+      extraConfig = ''
-            COOKIE_SECURE = true;
+        add_header Strict-Transport-Security $hsts_header;
-          };
+        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-          log = {
+        add_header 'Referrer-Policy' 'origin-when-cross-origin';
-            ROOT_PATH = "${stateDir}/log";
+        add_header X-Frame-Options DENY;
-            LEVEL = "Warn";
+        add_header X-Content-Type-Options nosniff;
-          };
+        add_header X-XSS-Protection "1; mode=block";
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
        expires 10m;
      '';
      locations = {
        "/" = {
          proxyPass = "http://127.0.0.1:3000";
        };
      };
    };
--- a/sp-modules/jitsi-meet/module.nix
+++ b/sp-modules/jitsi-meet/module.nix
@ -1,4 +1,7 @@
 { config, lib, ... }:
 let
  domain = config.selfprivacy.domain;
 in
 {
  options.selfprivacy.modules.jitsi-meet = {
    enable = lib.mkOption {
@ -10,12 +13,19 @@
  config = lib.mkIf config.selfprivacy.modules.jitsi-meet.enable {
    services.jitsi-meet = {
      enable = true;
-      hostName = "meet.${config.selfprivacy.domain}";
+      hostName = "meet.${domain}";
      nginx.enable = true;
      interfaceConfig = {
        SHOW_JITSI_WATERMARK = false;
        SHOW_WATERMARK_FOR_GUESTS = false;
      };
    };
    services.nginx.virtualHosts."meet.${domain}" = {
      sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
      sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
      forceSSL = true;
      useACMEHost = domain;
      enableACME = false;
    };
  };
 }
--- a/sp-modules/ocserv/module.nix
+++ b/sp-modules/ocserv/module.nix
@ -55,5 +55,20 @@ in
        route = default
      '';
    };
    services.nginx.virtualHosts."vpn.${domain}" = {
      sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
      sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
        expires 10m;
      '';
    };
  };
 }
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@ -36,61 +36,6 @@ in
          expires 10m;
        '';
      };
      "vpn.${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
          add_header 'Referrer-Policy' 'origin-when-cross-origin';
          add_header X-Frame-Options DENY;
          add_header X-Content-Type-Options nosniff;
          add_header X-XSS-Protection "1; mode=block";
          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
          expires 10m;
        '';
      };
      "git.${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
          add_header 'Referrer-Policy' 'origin-when-cross-origin';
          add_header X-Frame-Options DENY;
          add_header X-Content-Type-Options nosniff;
          add_header X-XSS-Protection "1; mode=block";
          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
          expires 10m;
        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:3000";
          };
        };
      };
      "password.${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
          add_header 'Referrer-Policy' 'origin-when-cross-origin';
          add_header X-Frame-Options DENY;
          add_header X-Content-Type-Options nosniff;
          add_header X-XSS-Protection "1; mode=block";
          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
          expires 10m;
        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:8222";
          };
        };
      };
      "api.${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
@ -133,13 +78,6 @@ in
          };
        };
      };
      "meet.${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
        useACMEHost = domain;
        enableACME = false;
      };
    };
  };
 }