mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-22 19:41:30 +00:00
move nginx exclusive virtualHosts to SP modules
This commit is contained in:
parent
d881cc8ce5
commit
365f027326
|
@ -69,5 +69,25 @@ in
|
|||
<(printf "%s" "$bitwarden_env") ${bitwarden-env}
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."password.${sp.domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
expires 10m;
|
||||
'';
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:8222";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -19,64 +19,82 @@ in
|
|||
};
|
||||
|
||||
config = lib.mkIf config.selfprivacy.modules.gitea.enable {
|
||||
services = {
|
||||
gitea = {
|
||||
enable = true;
|
||||
inherit stateDir;
|
||||
# log = {
|
||||
# rootPath = "/var/lib/gitea/log";
|
||||
# level = "Warn";
|
||||
# };
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
inherit stateDir;
|
||||
# log = {
|
||||
# rootPath = "/var/lib/gitea/log";
|
||||
# level = "Warn";
|
||||
# };
|
||||
user = "gitea";
|
||||
database = {
|
||||
type = "sqlite3";
|
||||
host = "127.0.0.1";
|
||||
name = "gitea";
|
||||
user = "gitea";
|
||||
database = {
|
||||
type = "sqlite3";
|
||||
host = "127.0.0.1";
|
||||
name = "gitea";
|
||||
user = "gitea";
|
||||
path = "${stateDir}/data/gitea.db";
|
||||
createDatabase = true;
|
||||
path = "${stateDir}/data/gitea.db";
|
||||
createDatabase = true;
|
||||
};
|
||||
# ssh = {
|
||||
# enable = true;
|
||||
# clonePort = 22;
|
||||
# };
|
||||
lfs = {
|
||||
enable = true;
|
||||
contentDir = "${stateDir}/lfs";
|
||||
};
|
||||
appName = "SelfPrivacy git Service";
|
||||
repositoryRoot = "${stateDir}/repositories";
|
||||
# cookieSecure = true;
|
||||
settings = {
|
||||
server = {
|
||||
DOMAIN = "git.${sp.domain}";
|
||||
ROOT_URL = "https://git.${sp.domain}/";
|
||||
HTTP_ADDR = "0.0.0.0";
|
||||
HTTP_PORT = 3000;
|
||||
};
|
||||
# ssh = {
|
||||
# enable = true;
|
||||
# clonePort = 22;
|
||||
# };
|
||||
lfs = {
|
||||
enable = true;
|
||||
contentDir = "${stateDir}/lfs";
|
||||
mailer = {
|
||||
ENABLED = false;
|
||||
};
|
||||
appName = "SelfPrivacy git Service";
|
||||
repositoryRoot = "${stateDir}/repositories";
|
||||
# cookieSecure = true;
|
||||
settings = {
|
||||
server = {
|
||||
DOMAIN = "git.${sp.domain}";
|
||||
ROOT_URL = "https://git.${sp.domain}/";
|
||||
HTTP_ADDR = "0.0.0.0";
|
||||
HTTP_PORT = 3000;
|
||||
};
|
||||
mailer = {
|
||||
ENABLED = false;
|
||||
};
|
||||
ui = {
|
||||
DEFAULT_THEME = "arc-green";
|
||||
SHOW_USER_EMAIL = false;
|
||||
};
|
||||
picture = {
|
||||
DISABLE_GRAVATAR = true;
|
||||
};
|
||||
admin = {
|
||||
ENABLE_KANBAN_BOARD = true;
|
||||
};
|
||||
repository = {
|
||||
FORCE_PRIVATE = false;
|
||||
};
|
||||
session = {
|
||||
COOKIE_SECURE = true;
|
||||
};
|
||||
log = {
|
||||
ROOT_PATH = "${stateDir}/log";
|
||||
LEVEL = "Warn";
|
||||
};
|
||||
ui = {
|
||||
DEFAULT_THEME = "arc-green";
|
||||
SHOW_USER_EMAIL = false;
|
||||
};
|
||||
picture = {
|
||||
DISABLE_GRAVATAR = true;
|
||||
};
|
||||
admin = {
|
||||
ENABLE_KANBAN_BOARD = true;
|
||||
};
|
||||
repository = {
|
||||
FORCE_PRIVATE = false;
|
||||
};
|
||||
session = {
|
||||
COOKIE_SECURE = true;
|
||||
};
|
||||
log = {
|
||||
ROOT_PATH = "${stateDir}/log";
|
||||
LEVEL = "Warn";
|
||||
};
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."git.${sp.domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
expires 10m;
|
||||
'';
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:3000";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,4 +1,7 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
domain = config.selfprivacy.domain;
|
||||
in
|
||||
{
|
||||
options.selfprivacy.modules.jitsi-meet = {
|
||||
enable = lib.mkOption {
|
||||
|
@ -10,12 +13,19 @@
|
|||
config = lib.mkIf config.selfprivacy.modules.jitsi-meet.enable {
|
||||
services.jitsi-meet = {
|
||||
enable = true;
|
||||
hostName = "meet.${config.selfprivacy.domain}";
|
||||
hostName = "meet.${domain}";
|
||||
nginx.enable = true;
|
||||
interfaceConfig = {
|
||||
SHOW_JITSI_WATERMARK = false;
|
||||
SHOW_WATERMARK_FOR_GUESTS = false;
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."meet.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
enableACME = false;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -55,5 +55,20 @@ in
|
|||
route = default
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."vpn.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
expires 10m;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -36,61 +36,6 @@ in
|
|||
expires 10m;
|
||||
'';
|
||||
};
|
||||
"vpn.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
expires 10m;
|
||||
'';
|
||||
};
|
||||
"git.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
expires 10m;
|
||||
'';
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:3000";
|
||||
};
|
||||
};
|
||||
};
|
||||
"password.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
expires 10m;
|
||||
'';
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:8222";
|
||||
};
|
||||
};
|
||||
};
|
||||
"api.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
|
@ -133,13 +78,6 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
"meet.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
enableACME = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue