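# `config` was not in the argument set although it is read below
# (services.phpfpm "listen.owner" and the fastcgi_pass socket), which is an
# undefined-variable error at evaluation time.
{ config, pkgs, lib, ... }:

# NixOS host module for web02: an HTTP/3-capable nginx serving a handful of
# static sites plus one PHP-FPM pool, with ACME-issued certificates.
let
  # Security response headers.  They are emitted both at the http level
  # (appendHttpConfig) and in every virtual host's extraConfig (createHost).
  # Note that nginx's add_header is not inherited into a block that sets its
  # own add_header, so a location that adds headers must repeat these.
  #
  # Content-Security-Policy is commented out and therefore not enforced.
  # NOTE(review): X-XSS-Protection is a legacy header; current guidance
  # (e.g. OWASP) is to send "0" or omit it, since modern browsers ignore it.
  extraConfig = ''
    add_header Strict-Transport-Security $hsts_header;
    #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "same-origin" always;
  '';

  # Settings applied to every virtual host.
  virtHostCfg = {
    forceSSL = true;
    http3 = true;
    quic = true;
  };

  # createHost: attrset of { vhostName = vhostOptions; } -> nginx virtualHosts.
  # Two extra keys are understood and stripped before the options are passed
  # on to nginx:
  #   redirectTo  = "host": turn this vhost into a permanent redirect to
  #                 `host`, served with `host`'s certificate — so that cert's
  #                 extraDomainNames (security.acme.certs) must include this
  #                 vhost's name.
  #   extraConfig: per-vhost nginx directives, emitted before the shared
  #                security headers above.
  # A vhost that neither redirects nor names a useACMEHost gets its own
  # ACME certificate (enableACME).
  createHost = builtins.mapAttrs (vhostName: vhostCfg:
    let
      acmeCfg =
        if vhostCfg ? redirectTo then {
          useACMEHost = vhostCfg.redirectTo;
          globalRedirect = vhostCfg.redirectTo;
        } else
          # The condition is parenthesised: `optionalAttrs !(...)` does not
          # parse, because a prefix `!` cannot begin a function argument.
          lib.optionalAttrs (!(vhostCfg ? useACMEHost)) { enableACME = true; };

      # Per-vhost directives first, then the shared headers.  Joined with a
      # newline so a single-line per-vhost extraConfig (e.g. `return 403;`)
      # does not share a line with the first add_header in the rendered file.
      extraCfg = {
        extraConfig =
          if vhostCfg ? extraConfig
          then "${vhostCfg.extraConfig}\n${extraConfig}"
          else extraConfig;
      };
    in
    # Later operands win: explicit per-vhost options override the defaults.
    virtHostCfg // acmeCfg // extraCfg
    // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ])
  );
in
{
  networking = {
    hostName = "web02";
    # The firewall options are plural (allowedTCPPorts / allowedUDPPorts);
    # the singular spellings are not NixOS options and fail evaluation, which
    # would also have left 80/443 closed.
    firewall.allowedTCPPorts = [ 80 443 ];
    # 443/udp carries HTTP/3 (QUIC).
    firewall.allowedUDPPorts = [ 443 ];
  };

  systemd.network.networks."98-eth-default" = {
    address = [
      "2a0f:be01:0:100::1312/128"
    ];
  };

  # Unprivileged user that runs the "lg" PHP-FPM pool and owns its docroot.
  users.users."lg" = {
    isSystemUser = true;
    createHome = true;
    home = "/var/www/lg.kyouma.net";
    group = "lg";
  };
  users.groups."lg" = {};

  services.phpfpm.pools."lg" = {
    user = "lg";
    settings = {
      # nginx connects to the pool's unix socket, so it must own it.
      "listen.owner" = config.services.nginx.user;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 5;
      # Route PHP errors to the pool's stderr (captured by the service) instead
      # of a file under the docroot.
      "php_admin_value[error_log]" = "stderr";
      "php_admin_flag[log_errors]" = true;
      "catch_workers_output" = true;
    };
    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
  };

  services.nginx = {
    # The QUIC-enabled build; its conf directory is also used for the fastcgi
    # includes in the lg.kyouma.net vhost below.
    package = pkgs.nginxQuic;
    enable = true;

    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    # NOTE(review): gzip on TLS responses is only a concern where a response
    # mixes a secret with attacker-influenced input (BREACH); the static sites
    # here are unaffected, the PHP vhost may want a per-vhost decision.
    recommendedGzipSettings = true;
    # Only TLS 1.3 is offered.  ssl_ciphers governs the TLS <= 1.2 suite list,
    # so with TLSv1.3 alone this string has no effect; TLS 1.3 suites are
    # configured via `ssl_conf_command Ciphersuites` if they need changing.
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    sslProtocols = "TLSv1.3";
    # "0" disables nginx's request-body size check for every vhost.
    # NOTE(review): consider moving this to the vhosts that actually accept
    # uploads so the others keep a server-side cap.
    clientMaxBodySize = "0";

    # $hsts_header is only defined for https, so plain-http (redirect-only)
    # responses carry no Strict-Transport-Security header; nginx does not add
    # a header whose value is empty.  `preload` commits every domain served
    # here to the browser preload lists and includeSubdomains extends the
    # policy to subdomains that are not hosted on this machine.
    appendHttpConfig = ''
      map $scheme $hsts_header {
        https "max-age=31536000; includeSubdomains; preload";
      }
      ${extraConfig}
    '';

    virtualHosts = createHost {
      "miau.zip" = { root = "/var/www/kyouma.net"; };
      "www.miau.zip" = { redirectTo = "miau.zip"; };
      "kyouma.net" = { root = "/var/www/kyouma.net"; };
      "www.kyouma.net" = { redirectTo = "kyouma.net"; };
      "emily.cat" = { root = "/var/www/emily.cat/_site"; };
      # NOTE(review): this redirect is served with the kyouma.net certificate,
      # whose extraDomainNames below do not include www.emily.cat (the
      # emily.cat certificate's do) — check whether redirectTo = "emily.cat"
      # was intended, otherwise clients get a name-mismatch error.
      "www.emily.cat" = { redirectTo = "kyouma.net"; };
      "www.cocaine.trade" = { redirectTo = "cocaine.trade"; };

      # Catch-all for requests whose Host header matches none of the vhosts:
      # answer 403 rather than serving the first vhost's content.  reuseport
      # is set once, on this default server.
      "redirect" = {
        default = true;
        reuseport = true;
        useACMEHost = "kyouma.net";
        extraConfig = ''
          return 403;
        '';
      };
      "cocaine.trade" = {
        root = "/var/www/cocaine.trade";
        extraConfig = ''error_page 404 /404.html;'';
        locations."/" = {
          index = "index.html";
          # Serve extensionless URLs from the matching .html file.
          tryFiles = "$uri $uri.html =404";
        };
        locations."= /".extraConfig = ''rewrite ^ /index.html last;'';
      };
      # Public directory listing of the files share.
      "files.cocaine.trade" = {
        useACMEHost = "cocaine.trade";
        root = "/mnt/basti/files.cocaine.trade";
        locations."/".extraConfig = ''
          autoindex on;
          autoindex_exact_size off;
          autoindex_format html;
          autoindex_localtime on;
        '';
      };
      # PHP site handed to the "lg" php-fpm pool defined above.
      "lg.kyouma.net" = {
        root = "/var/www/lg.kyouma.net";
        useACMEHost = "kyouma.net";
        # Front-controller fallback: anything not on disk goes to index.php
        # with the query string preserved.  The "/$uri" entry only repeats
        # "$uri" with a doubled leading slash and looks accidental.
        locations."/".tryFiles = "$uri /$uri /index.php$is_args$args";
        # NOTE(review): there is no `try_files $uri =404;` guard in this
        # location, so a request for a .php path that does not exist on disk
        # is still handed to php-fpm.  With fastcgi_split_path_info that is
        # the intended shape for PATH_INFO-style URLs; confirm the app needs
        # it, and keep user-writable content out of this docroot.
        # NOTE(review): fastcgi_buffer_size 1k must hold the whole response
        # header; a larger header from PHP yields a 502 ("upstream sent too
        # big header").  fastcgi.conf normally already contains everything in
        # fastcgi_params plus SCRIPT_FILENAME, so the first include is redundant.
        locations."~ \\.php$".extraConfig = ''
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_pass unix:${config.services.phpfpm.pools.lg.socket};
          fastcgi_index index.php;
          fastcgi_buffering on;
          fastcgi_buffer_size 1k;
          fastcgi_buffers 128 1k;
          include ${pkgs.nginxQuic}/conf/fastcgi_params;
          include ${pkgs.nginxQuic}/conf/fastcgi.conf;
        '';
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      keyType = "ec384";
      email = "noc@kyouma.net";
    };
    # Every name that is served under a certificate via useACMEHost or
    # redirectTo above must be listed here, or the certificate will not match
    # that host name.
    certs = {
      "miau.zip" = { extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ]; };
      "kyouma.net" = { extraDomainNames = [ "www.kyouma.net" "lg.kyouma.net" ]; };
      "emily.cat" = { extraDomainNames = [ "www.emily.cat" ]; };
      "cocaine.trade" = { extraDomainNames = [ "www.cocaine.trade" "files.cocaine.trade" ]; };
    };
  };
}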