1
0
Fork 0
forked from emily/nixfiles
nixfiles-emily/config/hosts/web02/configuration.nix

153 lines
4.8 KiB
Nix
Raw Normal View History

2023-12-06 10:21:07 +01:00
{ pkgs, lib, ... }:
let
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always;
'';
virtHostCfg = {
forceSSL = true;
http3 = true;
quic = true;
};
createHost = builtins.mapAttrs (vhostName: vhostCfg:
with lib; let
mkRedirect = if builtins.hasAttr "redirectTo" vhostCfg
then {
useACMEHost = vhostCfg.redirectTo;
globalRedirect = vhostCfg.redirectTo;
} else (
optionalAttrs !(builtins.hasAttr "useACMEHost" vhostCfg) {
enableACME = true;
});
extraCfg = if builtins.hasAttr "extraConfig" vhostCfg
then { extraConfig = ''${vhostCfg.extraConfig} ${extraConfig}''; }
else { inherit extraConfig; };
in
virtHostCfg // mkRedirect // extraCfg //
(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ])
);
in {
networking = {
hostName = "web02";
firewall.allowedTCPPort = [ 80 443 ];
firewall.allowedUDPPort = [ 443 ];
};
systemd.network.networks."98-eth-default" = {
address = [
"2a0f:be01:0:100::1312/128"
];
};
users.users."lg" = {
isSystemUser = true;
createHome = true;
home = "/var/www/lg.kyouma.net";
group = "lg";
};
users.groups."lg" = {};
services.phpfpm.pools."lg" = {
user = "lg";
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
};
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
};
services.nginx = {
package = pkgs.nginxQuic;
enable = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
sslProtocols = "TLSv1.3";
clientMaxBodySize = "0";
appendHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
${extraConfig}
'';
virtualHosts = createHost {
"miau.zip" = { root = "/var/www/kyouma.net"; };
"www.miau.zip" = { redirectTo = "miau.zip"; };
"kyouma.net" = { root = "/var/www/kyouma.net"; };
"www.kyouma.net" = { redirectTo = "kyouma.net"; };
"emily.cat" = { root = "/var/www/emily.cat/_site"; };
"www.emily.cat" = { redirectTo = "kyouma.net"; };
"www.cocaine.trade" = { redirectTo = "cocaine.trade"; };
"redirect" = {
default = true;
reuseport = true;
useACMEHost = "kyouma.net";
extraConfig = ''
return 403;
'';
};
"cocaine.trade" = {
root = "/var/www/cocaine.trade";
extraConfig = ''error_page 404 /404.html;'';
locations."/" = {
index = "index.html";
tryFiles = "$uri $uri.html =404";
};
locations."= /".extraConfig = ''rewrite ^ /index.html last;'';
};
"files.cocaine.trade" = {
useACMEHost = "cocaine.trade";
root = "/mnt/basti/files.cocaine.trade";
locations."/".extraConfig = ''
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
'';
};
"lg.kyouma.net" = {
root = "/var/www/lg.kyouma.net";
useACMEHost = "kyouma.net";
locations."/".tryFiles = "$uri /$uri /index.php$is_args$args";
locations."~ \\.php$".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.lg.socket};
fastcgi_index index.php;
fastcgi_buffering on;
fastcgi_buffer_size 1k;
fastcgi_buffers 128 1k;
include ${pkgs.nginxQuic}/conf/fastcgi_params;
include ${pkgs.nginxQuic}/conf/fastcgi.conf;
'';
};
};
};
};
security.acme = {
acceptTerms = true;
defaults = {
keyType = "ec384";
email = "noc@kyouma.net";
};
certs = {
"miau.zip" = { extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ]; };
"kyouma.net" = { extraDomainNames = [ "www.kyouma.net" "lg.kyouma.net" ]; };
"emily.cat" = { extraDomainNames = [ "www.emily.cat" ]; };
"cocaine.trade" = { extraDomainNames = [ "www.cocaine.trade" "files.cocaine.trade" ]; };
};
};
}