move nextcloud nginx configuration part to SP module

This commit is contained in:
Alexander Tomokhov 2023-11-15 23:43:59 +04:00
parent 41c3a0fc00
commit f4fb0a9ce8
2 changed files with 22 additions and 21 deletions

View file

@ -17,6 +17,7 @@
secrets-filepath = "/etc/nixos/userdata/userdata.json"; secrets-filepath = "/etc/nixos/userdata/userdata.json";
db-pass-filepath = "/var/lib/nextcloud/db-pass"; db-pass-filepath = "/var/lib/nextcloud/db-pass";
admin-pass-filepath = "/var/lib/nextcloud/admin-pass"; admin-pass-filepath = "/var/lib/nextcloud/admin-pass";
hostName = "cloud.${cfg.domain}";
in in
lib.mkIf cfg.nextcloud.enable lib.mkIf cfg.nextcloud.enable
{ {
@ -39,7 +40,7 @@
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud25; package = pkgs.nextcloud25;
hostName = "cloud.${cfg.domain}"; inherit hostName;
# Use HTTPS for links # Use HTTPS for links
https = false; https = false;
@ -62,6 +63,26 @@
adminuser = "admin"; adminuser = "admin";
}; };
}; };
services.nginx.virtualHosts.${hostName} = {
sslCertificate = "/var/lib/acme/${cfg.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:80/";
};
};
};
} }
# FIXME do we really want to delete passwords on module deactivation!? # FIXME do we really want to delete passwords on module deactivation!?
// //

View file

@ -69,26 +69,6 @@ in
}; };
}; };
}; };
"cloud.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:80/";
};
};
};
"password.${domain}" = { "password.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";