emily/nixfiles
emily/nixfiles
1
0
Fork 1
Code Issues Pull requests Activity

nginx worky??

Browse source
This commit is contained in:
emily 2023-12-06 10:21:07 +01:00
parent 4dca4b43b5
commit 64fdb01b9b
Signed by: emily
GPG key ID: F6F4C66207FCF995
8 changed files with 236 additions and 96 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
config/networking.nix → config/common/networking.nix
View file

@ -1,11 +1,8 @@
{ config, ... }: {
networking = {
hostName = "web02";
domain = "kyouma.net";
useHostResolvConf = false;
dhcpcd.enable = false;
firewall.allowedTCPPorts = [ 80 443 ];
firewall.allowedUDPPorts = [ 80 443 ];
};
systemd.network.enable = true;
@ -17,15 +14,13 @@
'';
};
systemd.network.networks."98-eth0" = {
matchConfig.Name = "eth0";
systemd.network.networks."98-eth-default" = {
matchConfig.Tyoe = "ether";
matchConfig.Name = "e*";
networkConfig = {
DHCP = "ipv4";
IPv6AcceptRA = false;
};
address = [
"2a0f:be01:0:100::1312/128"
];
routes = [
{ routeConfig.Gateway = "fe80::1"; }
];

0
config/openssh.nix → config/common/openssh.nix
View file

152
config/hosts/web02/configuration.nix Normal file
View file

@ -0,0 +1,152 @@
{ pkgs, lib, ... }:
let
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always;
'';
virtHostCfg = {
forceSSL = true;
http3 = true;
quic = true;
};
createHost = builtins.mapAttrs (vhostName: vhostCfg:
with lib; let
mkRedirect = if builtins.hasAttr "redirectTo" vhostCfg
then {
useACMEHost = vhostCfg.redirectTo;
globalRedirect = vhostCfg.redirectTo;
} else (
optionalAttrs !(builtins.hasAttr "useACMEHost" vhostCfg) {
enableACME = true;
});
extraCfg = if builtins.hasAttr "extraConfig" vhostCfg
then { extraConfig = ''${vhostCfg.extraConfig} ${extraConfig}''; }
else { inherit extraConfig; };
in
virtHostCfg // mkRedirect // extraCfg //
(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ])
);
in {
networking = {
hostName = "web02";
firewall.allowedTCPPort = [ 80 443 ];
firewall.allowedUDPPort = [ 443 ];
};
systemd.network.networks."98-eth-default" = {
address = [
"2a0f:be01:0:100::1312/128"
];
};
users.users."lg" = {
isSystemUser = true;
createHome = true;
home = "/var/www/lg.kyouma.net";
group = "lg";
};
users.groups."lg" = {};
services.phpfpm.pools."lg" = {
user = "lg";
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
};
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
};
services.nginx = {
package = pkgs.nginxQuic;
enable = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
sslProtocols = "TLSv1.3";
clientMaxBodySize = "0";
appendHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
${extraConfig}
'';
virtualHosts = createHost {
"miau.zip" = { root = "/var/www/kyouma.net"; };
"www.miau.zip" = { redirectTo = "miau.zip"; };
"kyouma.net" = { root = "/var/www/kyouma.net"; };
"www.kyouma.net" = { redirectTo = "kyouma.net"; };
"emily.cat" = { root = "/var/www/emily.cat/_site"; };
"www.emily.cat" = { redirectTo = "kyouma.net"; };
"www.cocaine.trade" = { redirectTo = "cocaine.trade"; };
"redirect" = {
default = true;
reuseport = true;
useACMEHost = "kyouma.net";
extraConfig = ''
return 403;
'';
};
"cocaine.trade" = {
root = "/var/www/cocaine.trade";
extraConfig = ''error_page 404 /404.html;'';
locations."/" = {
index = "index.html";
tryFiles = "$uri $uri.html =404";
};
locations."= /".extraConfig = ''rewrite ^ /index.html last;'';
};
"files.cocaine.trade" = {
useACMEHost = "cocaine.trade";
root = "/mnt/basti/files.cocaine.trade";
locations."/".extraConfig = ''
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
'';
};
"lg.kyouma.net" = {
root = "/var/www/lg.kyouma.net";
useACMEHost = "kyouma.net";
locations."/".tryFiles = "$uri /$uri /index.php$is_args$args";
locations."~ \\.php$".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.lg.socket};
fastcgi_index index.php;
fastcgi_buffering on;
fastcgi_buffer_size 1k;
fastcgi_buffers 128 1k;
include ${pkgs.nginxQuic}/conf/fastcgi_params;
include ${pkgs.nginxQuic}/conf/fastcgi.conf;
'';
};
};
};
};
security.acme = {
acceptTerms = true;
defaults = {
keyType = "ec384";
email = "noc@kyouma.net";
};
certs = {
"miau.zip" = { extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ]; };
"kyouma.net" = { extraDomainNames = [ "www.kyouma.net" "lg.kyouma.net" ]; };
"emily.cat" = { extraDomainNames = [ "www.emily.cat" ]; };
"cocaine.trade" = { extraDomainNames = [ "www.cocaine.trade" "files.cocaine.trade" ]; };
};
};
}

19
config/lxc.nix Normal file
View file

@ -0,0 +1,19 @@
{ config, pkgs, lib, modulesPath, ... }:
with lib; {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
];
proxmoxLXC = {
manageNetwork = true;
manageHostName = true;
};
time.timeZone = mkDefault "Europe/Berlin";
system.autoUpgrade.enable = true;
system.stateVersion = "23.05";
nix.optimise.automatic = true;
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 2d";
}

71
config/nginx.nix
View file

@ -1,71 +0,0 @@
{ pkgs, lib, ... }:
let
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always;
'';
virtHostCfg = {
forceSSL = true;
http3 = true;
quic = true;
};
mkRedirect = domain: virtHostCfg // {
useACMEHost = domain;
globalRedirect = domain;
inherit extraConfig;
};
mkHost = webroot: virtHostCfg // {
enableACME = true;
root = webroot;
inherit extraConfig;
};
in {
services.nginx = {
package = pkgs.nginxQuic;
enable = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
sslProtocols = "TLSv1.3";
clientMaxBodySize = "0";
appendHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
${extraConfig}
'';
virtualHosts."redirect" = virtHostCfg // {
serverName = null;
default = true;
reuseport = true;
useACMEHost = "miau.zip";
extraConfig = ''
return 403;
${extraConfig}
'';
};
virtualHosts = {
"miau.zip" = (mkHost "/var/www/kyouma.net");
"www.miau.zip" = (mkRedirect "miau.zip");
};
};
security.acme = {
acceptTerms = true;
defaults = {
keyType = "ec384";
email = "noc@kyouma.net";
};
certs."miau.zip" = {
extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ];
};
};
}

20
configuration.nix
View file

@ -2,15 +2,10 @@
with lib; {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./config/networking.nix
./config/nginx.nix
./config/openssh.nix
./config/common/networking.nix
./config/common/openssh.nix
./config/hosts/web02/configuration.nix
];
proxmoxLXC = {
manageNetwork = true;
manageHostName = true;
};
environment.systemPackages = with pkgs; [
vim
@ -18,14 +13,5 @@ with lib; {
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCQN+h27GP95p6+1wH8E5Tq5h1Ua/PUW4Xd8JPAo0Wy root@web01"
];
time.timeZone = mkDefault "CET";
system.autoUpgrade.enable = true;
system.stateVersion = "23.05";
nix.optimise.automatic = true;
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 2d";
}

11
flake.nix Normal file
View file

@ -0,0 +1,11 @@
{
description = "nixfiles";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:nixos/nixos-hardware";
};
outputs = { self, nixpkgs, nixos-hardware, ... }@attrs: {
};
}

48
test.nix Normal file
View file

@ -0,0 +1,48 @@
let
extraConfig = ''
add_header Referrer-Policy "same-origin" always;
'';
func = builtins.mapAttrs (vhostName: vhostCfg:
let
def = {
forceSSL = true;
http3 = true;
quic = true;
};
conf = if builtins.hasAttr "redirectTo" vhostCfg
then {
useACMEHost = vhostCfg.redirectTo;
globalRedirect = vhostCfg.redirectTo;
}
else if builtins.hasAttr "ACMEHost" vhostCfg
then {
useACMEHost = vhostCfg.ACMEHost;
root = vhostCfg.webroot;
}
else {
enableACME = true;
root = vhostCfg.webroot;
};
otherCfg = (builtins.removeAttrs vhostCfg [ "redirectTo" "ACMEHost" "webroot" "extraConfig" ] // (
if builtins.hasAttr "extraConfig" vhostCfg
then { extraConfig = ''${vhostCfg.extraConfig} ${extraConfig}''; }
else { inherit extraConfig; }
));
in
conf // def // otherCfg
);
in {
test = func {
"www.miau.zip" = {
redirectTo = "miau.zip";
};
"miau.zip" = {
ACMEHost = "miau.zip";
webroot = "/skgj";
locations."/".extraConfig = "fsfs";
extraConfig = ''
skfdsjf
'';
};
};
}