mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-22 19:41:30 +00:00
Merge branch 'flakes' into flakes-test
This commit is contained in:
commit
e8842e455b
|
@ -3,5 +3,4 @@ config: rec {
|
||||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||||
db-pass-filepath = "/var/lib/nextcloud/db-pass";
|
db-pass-filepath = "/var/lib/nextcloud/db-pass";
|
||||||
admin-pass-filepath = "/var/lib/nextcloud/admin-pass";
|
admin-pass-filepath = "/var/lib/nextcloud/admin-pass";
|
||||||
hostName = "cloud.${sp.domain}";
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -13,7 +13,8 @@
|
||||||
config =
|
config =
|
||||||
let
|
let
|
||||||
inherit (import ./common.nix config)
|
inherit (import ./common.nix config)
|
||||||
sp secrets-filepath db-pass-filepath admin-pass-filepath hostName;
|
sp secrets-filepath db-pass-filepath admin-pass-filepath;
|
||||||
|
hostName = "cloud.${sp.domain}";
|
||||||
in
|
in
|
||||||
lib.mkIf sp.modules.nextcloud.enable {
|
lib.mkIf sp.modules.nextcloud.enable {
|
||||||
fileSystems = lib.mkIf sp.useBinds {
|
fileSystems = lib.mkIf sp.useBinds {
|
||||||
|
@ -52,7 +53,7 @@
|
||||||
inherit hostName;
|
inherit hostName;
|
||||||
|
|
||||||
# Use HTTPS for links
|
# Use HTTPS for links
|
||||||
https = false;
|
https = true;
|
||||||
|
|
||||||
# auto-update Nextcloud Apps
|
# auto-update Nextcloud Apps
|
||||||
autoUpdateApps.enable = true;
|
autoUpdateApps.enable = true;
|
||||||
|
@ -65,7 +66,6 @@
|
||||||
|
|
||||||
dbtype = "sqlite";
|
dbtype = "sqlite";
|
||||||
dbuser = "nextcloud";
|
dbuser = "nextcloud";
|
||||||
dbhost = "/run/postgresql"; # nextcloud adds .s.PGSQL.5432 by itself
|
|
||||||
dbname = "nextcloud";
|
dbname = "nextcloud";
|
||||||
dbpassFile = db-pass-filepath;
|
dbpassFile = db-pass-filepath;
|
||||||
adminpassFile = admin-pass-filepath;
|
adminpassFile = admin-pass-filepath;
|
||||||
|
@ -73,23 +73,8 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts.${hostName} = {
|
services.nginx.virtualHosts.${hostName} = {
|
||||||
useACMEHost = config.selfprivacy.domain;
|
useACMEHost = sp.domain;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
|
||||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
|
||||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
|
||||||
add_header X-Frame-Options DENY;
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
|
||||||
expires 10m;
|
|
||||||
'';
|
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:80/";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue