nginx worky??
This commit is contained in:
parent
4dca4b43b5
commit
64fdb01b9b
8 changed files with 236 additions and 96 deletions
@ -1,11 +1,8 @@
{ config, ... }: {
networking = {
hostName = "web02";
domain = "kyouma.net";
useHostResolvConf = false;
dhcpcd.enable = false;
firewall.allowedTCPPorts = [ 80 443 ];
firewall.allowedUDPPorts = [ 80 443 ];
};
systemd.network.enable = true;
@ -17,15 +14,13 @@
'';
};
systemd.network.networks."98-eth0" = {
matchConfig.Name = "eth0";
systemd.network.networks."98-eth-default" = {
matchConfig.Tyoe = "ether";
matchConfig.Name = "e*";
networkConfig = {
DHCP = "ipv4";
IPv6AcceptRA = false;
};
address = [
"2a0f:be01:0:100::1312/128"
];
routes = [
{ routeConfig.Gateway = "fe80::1"; }
];
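Review bot: `matchConfig.Tyoe = "ether";` in the `98-eth-default` unit (the name the new host module refers to, so this appears to be the new side) is a misspelling of `Type`; the systemd-networkd module validates `[Match]` keys against a known list, so this most likely fails at evaluation, and if it ever slipped through the unit would match on the `Name = "e*"` glob alone. Change it to `matchConfig.Type = "ether";`. The `systemd.network.networks."98-eth-default"` attribute set is closed outside this hunk.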
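--- a/config/hosts/web02/configuration.nix
+++ b/config/hosts/web02/configuration.nix
@@ -0,0 +1,152 @@
+{ pkgs, lib, ... }:
+let
+extraConfig = ''
+add_header Strict-Transport-Security $hsts_header;
+#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header Referrer-Policy "same-origin" always;
+'';
+virtHostCfg = {
+forceSSL = true;
+http3 = true;
+quic = true;
+};
+createHost = builtins.mapAttrs (vhostName: vhostCfg:
+with lib; let
+mkRedirect = if builtins.hasAttr "redirectTo" vhostCfg
+then {
+useACMEHost = vhostCfg.redirectTo;
+globalRedirect = vhostCfg.redirectTo;
+} else (
+optionalAttrs !(builtins.hasAttr "useACMEHost" vhostCfg) {
+enableACME = true;
+});
+extraCfg = if builtins.hasAttr "extraConfig" vhostCfg
+then { extraConfig = ''${vhostCfg.extraConfig} ${extraConfig}''; }
+else { inherit extraConfig; };
+in
+virtHostCfg // mkRedirect // extraCfg //
+(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ])
+);
+in {
+networking = {
+hostName = "web02";
+firewall.allowedTCPPort = [ 80 443 ];
+firewall.allowedUDPPort = [ 443 ];
+};
+systemd.network.networks."98-eth-default" = {
+address = [
+"2a0f:be01:0:100::1312/128"
+];
+};
+users.users."lg" = {
+isSystemUser = true;
+createHome = true;
+home = "/var/www/lg.kyouma.net";
+group = "lg";
+};
+users.groups."lg" = {};
+services.phpfpm.pools."lg" = {
+user = "lg";
+settings = {
+"listen.owner" = config.services.nginx.user;
+"pm" = "dynamic";
+"pm.max_children" = 32;
+"pm.max_requests" = 500;
+"pm.start_servers" = 2;
+"pm.min_spare_servers" = 2;
+"pm.max_spare_servers" = 5;
+"php_admin_value[error_log]" = "stderr";
+"php_admin_flag[log_errors]" = true;
+"catch_workers_output" = true;
+};
+phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
+};
+services.nginx = {
+package = pkgs.nginxQuic;
+enable = true;
+
+recommendedOptimisation = true;
+recommendedTlsSettings = true;
+recommendedGzipSettings = true;
+sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+sslProtocols = "TLSv1.3";
+clientMaxBodySize = "0";
+
+appendHttpConfig = ''
+map $scheme $hsts_header {
+https "max-age=31536000; includeSubdomains; preload";
+}
+${extraConfig}
+'';
+
+virtualHosts = createHost {
+"miau.zip" = { root = "/var/www/kyouma.net"; };
+"www.miau.zip" = { redirectTo = "miau.zip"; };
+"kyouma.net" = { root = "/var/www/kyouma.net"; };
+"www.kyouma.net" = { redirectTo = "kyouma.net"; };
+"emily.cat" = { root = "/var/www/emily.cat/_site"; };
+"www.emily.cat" = { redirectTo = "kyouma.net"; };
+"www.cocaine.trade" = { redirectTo = "cocaine.trade"; };
+
+"redirect" = {
+default = true;
+reuseport = true;
+useACMEHost = "kyouma.net";
+extraConfig = ''
+return 403;
+'';
+};
+"cocaine.trade" = {
+root = "/var/www/cocaine.trade";
+extraConfig = ''error_page 404 /404.html;'';
+locations."/" = {
+index = "index.html";
+tryFiles = "$uri $uri.html =404";
+};
+locations."= /".extraConfig = ''rewrite ^ /index.html last;'';
+};
+"files.cocaine.trade" = {
+useACMEHost = "cocaine.trade";
+root = "/mnt/basti/files.cocaine.trade";
+locations."/".extraConfig = ''
+autoindex on;
+autoindex_exact_size off;
+autoindex_format html;
+autoindex_localtime on;
+'';
+};
+"lg.kyouma.net" = {
+root = "/var/www/lg.kyouma.net";
+useACMEHost = "kyouma.net";
+locations."/".tryFiles = "$uri /$uri /index.php$is_args$args";
+locations."~ \\.php$".extraConfig = ''
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_pass unix:${config.services.phpfpm.pools.lg.socket};
+fastcgi_index index.php;
+fastcgi_buffering on;
+fastcgi_buffer_size 1k;
+fastcgi_buffers 128 1k;
+include ${pkgs.nginxQuic}/conf/fastcgi_params;
+include ${pkgs.nginxQuic}/conf/fastcgi.conf;
+'';
+};
+};
+};
+};
+security.acme = {
+acceptTerms = true;
+defaults = {
+keyType = "ec384";
+email = "noc@kyouma.net";
+};
+certs = {
+"miau.zip" = { extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ]; };
+"kyouma.net" = { extraDomainNames = [ "www.kyouma.net" "lg.kyouma.net" ]; };
+"emily.cat" = { extraDomainNames = [ "www.emily.cat" ]; };
+"cocaine.trade" = { extraDomainNames = [ "www.cocaine.trade" "files.cocaine.trade" ]; };
+};
+};
+}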
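Review bot: The `~ \\.php$` location of `lg.kyouma.net` hands every URI ending in `.php` to php-fpm without first checking that the script exists; combined with `fastcgi_split_path_info` and PHP's default `cgi.fix_pathinfo=1` (nothing in this pool's `settings` turns it off), a request such as `/some-upload.jpg/x.php` can get a non-PHP file executed as PHP, so add `try_files $fastcgi_script_name =404;` directly after the `fastcgi_split_path_info` line. `clientMaxBodySize = "0";` removes the request-body limit for every vhost, including the static sites and the `return 403` default; a bounded value such as `clientMaxBodySize = "16m";` (with a per-location override only where uploads are really needed) keeps this from being a trivial disk/memory-exhaustion vector. As committed the module also seems unlikely to evaluate: `config` is used for `listen.owner` and `fastcgi_pass` but is missing from `{ pkgs, lib, ... }:`, `firewall.allowedTCPPort`/`allowedUDPPort` are not the option names (`allowedTCPPorts`/`allowedUDPPorts`), `optionalAttrs !(…) {…}` needs the negation parenthesised as `optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) { enableACME = true; }`, and there appears to be one `};` too many after the `virtualHosts` block. `"www.emily.cat" = { redirectTo = "kyouma.net"; }` makes that vhost present the kyouma.net certificate, which does not list www.emily.cat (that name is on the emily.cat cert in `security.acme.certs`), so browsers get a name-mismatch error before the redirect ever happens; `redirectTo = "emily.cat"` is presumably what was intended. Finally, `X-XSS-Protection "1; mode=block"` is deprecated and has enabled attacks in browsers that still honour it — set it to `0` or drop it, and consider re-enabling the commented-out Content-Security-Policy instead.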
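--- a/config/lxc.nix
+++ b/config/lxc.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, lib, modulesPath, ... }:
+
+with lib; {
+imports = [
+(modulesPath + "/virtualisation/proxmox-lxc.nix")
+];
+proxmoxLXC = {
+manageNetwork = true;
+manageHostName = true;
+};
+
+time.timeZone = mkDefault "Europe/Berlin";
+
+system.autoUpgrade.enable = true;
+system.stateVersion = "23.05";
+nix.optimise.automatic = true;
+nix.gc.automatic = true;
+nix.gc.options = "--delete-older-than 2d";
+}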
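Review bot: `system.autoUpgrade.enable = true;` together with `nix.gc.options = "--delete-older-than 2d";` means unattended upgrades from whichever channel the host follows are the only supply chain for this container, and any generation older than two days is garbage-collected, so a bad or compromised upgrade noticed later than that can no longer be undone with `nixos-rebuild switch --rollback`. Consider a longer retention such as `nix.gc.options = "--delete-older-than 14d";` and, once the flake added in this commit has outputs, pointing `system.autoUpgrade.flake` at it so upgrades follow a committed lock file rather than the current channel contents. `with lib;` covers the whole module for a single `mkDefault`; `lib.mkDefault` is the clearer form.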
@ -1,71 +0,0 @@
{ pkgs, lib, ... }:
let
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always;
'';
virtHostCfg = {
forceSSL = true;
http3 = true;
quic = true;
};
mkRedirect = domain: virtHostCfg // {
useACMEHost = domain;
globalRedirect = domain;
inherit extraConfig;
};
mkHost = webroot: virtHostCfg // {
enableACME = true;
root = webroot;
inherit extraConfig;
};
in {
services.nginx = {
package = pkgs.nginxQuic;
enable = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
sslProtocols = "TLSv1.3";
clientMaxBodySize = "0";
appendHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
${extraConfig}
'';
virtualHosts."redirect" = virtHostCfg // {
serverName = null;
default = true;
reuseport = true;
useACMEHost = "miau.zip";
extraConfig = ''
return 403;
${extraConfig}
'';
};
virtualHosts = {
"miau.zip" = (mkHost "/var/www/kyouma.net");
"www.miau.zip" = (mkRedirect "miau.zip");
};
};
security.acme = {
acceptTerms = true;
defaults = {
keyType = "ec384";
email = "noc@kyouma.net";
};
certs."miau.zip" = {
extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ];
};
};
}
@ -2,15 +2,10 @@
with lib; {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./config/networking.nix
./config/nginx.nix
./config/openssh.nix
./config/common/networking.nix
./config/common/openssh.nix
./config/hosts/web02/configuration.nix
];
proxmoxLXC = {
manageNetwork = true;
manageHostName = true;
};
environment.systemPackages = with pkgs; [
vim
@ -18,14 +13,5 @@ with lib; {
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCQN+h27GP95p6+1wH8E5Tq5h1Ua/PUW4Xd8JPAo0Wy root@web01"
];
time.timeZone = mkDefault "CET";
system.autoUpgrade.enable = true;
system.stateVersion = "23.05";
nix.optimise.automatic = true;
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 2d";
}
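Review bot: The new `imports` list brings in `./config/common/networking.nix`, `./config/common/openssh.nix` and `./config/hosts/web02/configuration.nix` but not the new `./config/lxc.nix`, while the `proxmox-lxc.nix` module import and the `proxmoxLXC`, `system.autoUpgrade` and `system.stateVersion` settings all leave this file in the same commit. Unless `config/lxc.nix` is pulled in somewhere not shown (the new `flake.nix` has empty outputs), this host loses the LXC module, its auto-upgrade and its `stateVersion` in one step; add `./config/lxc.nix` to `imports`. The attribute set opened by `with lib; {` spans both hunks and its closing brace is part of the second one.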
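--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,11 @@
+{
+description = "nixfiles";
+inputs = {
+nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+nixos-hardware.url = "github:nixos/nixos-hardware";
+};
+
+outputs = { self, nixpkgs, nixos-hardware, ... }@attrs: {
+
+};
+}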
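Review bot: `outputs` is an empty attribute set, so this flake declares the `nixpkgs` and `nixos-hardware` inputs without building anything, and the web02 host is still deployed from whatever channel it follows. Wire the modules in as something like `nixosConfigurations.web02 = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./configuration.nix ./config/lxc.nix ]; };` (adjusting the entry module to the actual root file) and commit the generated `flake.lock`, since `nixos-unstable` is a moving branch and the lock file is what makes the deployment reproducible and reviewable. Nothing visible in this commit uses the `nixos-hardware` input.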
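--- a/test.nix
+++ b/test.nix
@@ -0,0 +1,48 @@
+let
+extraConfig = ''
+add_header Referrer-Policy "same-origin" always;
+'';
+func = builtins.mapAttrs (vhostName: vhostCfg:
+let
+def = {
+forceSSL = true;
+http3 = true;
+quic = true;
+};
+conf = if builtins.hasAttr "redirectTo" vhostCfg
+then {
+useACMEHost = vhostCfg.redirectTo;
+globalRedirect = vhostCfg.redirectTo;
+}
+else if builtins.hasAttr "ACMEHost" vhostCfg
+then {
+useACMEHost = vhostCfg.ACMEHost;
+root = vhostCfg.webroot;
+}
+else {
+enableACME = true;
+root = vhostCfg.webroot;
+};
+otherCfg = (builtins.removeAttrs vhostCfg [ "redirectTo" "ACMEHost" "webroot" "extraConfig" ] // (
+if builtins.hasAttr "extraConfig" vhostCfg
+then { extraConfig = ''${vhostCfg.extraConfig} ${extraConfig}''; }
+else { inherit extraConfig; }
+));
+in
+conf // def // otherCfg
+);
+in {
+test = func {
+"www.miau.zip" = {
+redirectTo = "miau.zip";
+};
+"miau.zip" = {
+ACMEHost = "miau.zip";
+webroot = "/skgj";
+locations."/".extraConfig = "fsfs";
+extraConfig = ''
+skfdsjf
+'';
+};
+};
+}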
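Review bot: This is a scratch evaluation of the vhost helper with placeholder values (`"/skgj"`, `"fsfs"`, `skfdsjf`) committed to the repository root; it re-implements the `createHost` logic from `config/hosts/web02/configuration.nix` under different attribute names (`ACMEHost`/`webroot`) and will drift from it. Either drop it before merging or move it under `tests/` with real expected values and a header such as `# scratch: exercises the vhost helper; run with nix eval -f test.nix test`. Note also that `conf // def // otherCfg` lets caller attributes override `def`, so a vhost can set `forceSSL = false` and silently lose the TLS redirect, which may or may not be intended.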