feat: switch proxt host

This commit is contained in:
Leon Schwarzäugl 2025-12-05 02:25:45 +01:00 committed by Leon Schwarzäugl
parent f1c9eb4ae8
commit 669a512cdf
61 changed files with 1147 additions and 736 deletions


@ -1,7 +1,6 @@
{ pkgs, lib, config, ... }:
{ pkgs, lib, config, globals, ... }:
let
inherit (config.repo.secrets.common) dnsProvider dnsBase;
inherit (config.repo.secrets.common.mail) address3;
inherit (config.repo.secrets.common) dnsProvider dnsBase dnsMail;
serviceUser = "nginx";
serviceGroup = serviceUser;
@ -18,42 +17,66 @@ in
options.swarselmodules.server.nginx = lib.mkEnableOption "enable nginx on server";
options.services.nginx = {
recommendedSecurityHeaders = lib.mkEnableOption "additional security headers by default in each location block.";
defaultStapling = lib.mkEnableOption "add ssl stapling in each location block..";
virtualHosts = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
options.locations = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (submod: {
options = {
recommendedSecurityHeaders = lib.mkOption {
type = lib.types.bool;
default = config.services.nginx.recommendedSecurityHeaders;
description = "Whether to add additional security headers to this location.";
lib.types.submodule (topmod: {
options = {
defaultStapling = lib.mkOption {
type = lib.types.bool;
default = config.services.nginx.defaultStapling;
description = "Whether to add ssl stapling to this location.";
};
locations = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (submod: {
options = {
recommendedSecurityHeaders = lib.mkOption {
type = lib.types.bool;
default = config.services.nginx.recommendedSecurityHeaders;
description = "Whether to add additional security headers to this location.";
};
X-Frame-Options = lib.mkOption {
type = lib.types.str;
default = "DENY";
description = "The value to use for X-Frame-Options";
};
};
X-Frame-Options = lib.mkOption {
type = lib.types.str;
default = "DENY";
description = "The value to use for X-Frame-Options";
config = {
extraConfig = lib.mkIf submod.config.recommendedSecurityHeaders (lib.mkBefore ''
# Hide upstream's versions
proxy_hide_header Strict-Transport-Security;
proxy_hide_header Referrer-Policy;
proxy_hide_header X-Content-Type-Options;
proxy_hide_header X-Frame-Options;
# Enable HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# Minimize information leaked to other domains
add_header Referrer-Policy "origin-when-cross-origin";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "${submod.config.X-Frame-Options}";
add_header X-Content-Type-Options "nosniff";
''
);
};
};
config = lib.mkIf submod.config.recommendedSecurityHeaders {
extraConfig = lib.mkBefore ''
# Enable HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# Minimize information leaked to other domains
add_header Referrer-Policy "origin-when-cross-origin";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "${submod.config.X-Frame-Options}";
add_header X-Content-Type-Options "nosniff";
'';
};
})
);
})
);
};
};
}
config = {
extraConfig = lib.mkIf topmod.config.defaultStapling (lib.mkAfter ''
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
'');
};
})
);
};
};
@ -62,27 +85,30 @@ in
lego
];
sops = {
sops = lib.mkIf (config.node.name == config.swarselsystems.proxyHost) {
secrets = {
acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
acme-creds = { format = "json"; key = ""; group = "acme"; sopsFile = config.node.secretsDir + "/acme.json"; mode = "0660"; };
};
templates."certs.secret".content = ''
ACME_DNS_API_BASE=${dnsBase}
ACME_DNS_STORAGE_PATH=${config.sops.placeholder.acme-dns-token}
ACME_DNS_API_BASE = ${dnsBase}
ACME_DNS_STORAGE_PATH=${config.sops.secrets.acme-creds.path}
'';
};
users.groups.acme.members = [ "nginx" ];
security.acme = {
security.acme = lib.mkIf (config.node.name == config.swarselsystems.proxyHost) {
acceptTerms = true;
defaults = {
inherit dnsProvider;
email = address3;
email = dnsMail;
environmentFile = "${config.sops.templates."certs.secret".path}";
reloadServices = [ "nginx" ];
dnsPropagationCheck = true;
};
certs."${globals.domains.main}" = {
domain = "*.${globals.domains.main}";
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -103,6 +129,7 @@ in
recommendedGzipSettings = true;
recommendedBrotliSettings = true;
recommendedSecurityHeaders = true;
defaultStapling = true;
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:!aNULL";
sslDhparam = dhParamsPathBase;
virtualHosts.fallback = {
@ -129,11 +156,11 @@ in
${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else ""}
if [ ! -f "${dhParamsPath}" ]; then
${pkgs.openssl}/bin/openssl dhparam -out "${dhParamsPath}" 4096
chmod 0644 "${dhParamsPath}"
chown ${serviceUser}:${serviceGroup} "${dhParamsPath}"
${pkgs.openssl}/bin/openssl dhparam -out "${dhParamsPath}" 4096
chmod 0644 "${dhParamsPath}"
chown ${serviceUser}:${serviceGroup} "${dhParamsPath}"
else
echo 'Already generated DHParams'
echo 'Already generated DHParams'
fi
'';
};
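Review bot: The `resolver 1.1.1.1 8.8.8.8 valid=300s;` line in the new `defaultStapling` extraConfig hard-codes two external resolvers that nginx queries over plaintext UDP from every virtual host, and since `resolver` is set at server scope it also governs any variable-based `proxy_pass` name resolution in that vhost, not only OCSP responder lookups. Exposing the list as an option beside `defaultStapling` (defaulting to the current values) lets a host that runs a local or encrypted resolver point nginx at it without having to override `extraConfig`. `ssl_stapling_verify on` additionally relies on `ssl_trusted_certificate` being present in each server; the NixOS nginx module appears to set it for ACME-backed hosts, but vhosts with hand-supplied certificates will presumably log a stapling warning, which the option description should mention. Separately, `ACME_DNS_API_BASE = ${dnsBase}` in the sops template adds spaces around `=` while the `ACME_DNS_STORAGE_PATH=` line beneath it does not; systemd's EnvironmentFile= parsing tolerates this, but the plain `KEY=VALUE` form avoids depending on it.
```nix
# … unchanged: recommendedSecurityHeaders / defaultStapling options …
staplingResolvers = lib.mkOption {
  type = lib.types.listOf lib.types.str;
  default = [ "1.1.1.1" "8.8.8.8" ];
  description = "Resolvers nginx uses for OCSP responder lookups when defaultStapling is on; also used for variable-based proxy_pass in the same server block.";
};
# … unchanged: virtualHosts submodule down to the stapling extraConfig …
resolver ${lib.concatStringsSep " " config.services.nginx.staplingResolvers} valid=300s;
```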