Izorkin
/
selfprivacy-nixos-config
forked from SelfPrivacy/selfprivacy-nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: Izorkin:36e7cb8c5ea865cf8581db699de39ee2d0278ae5
Branches Tags
Izorkin:add-wiki
Izorkin:fix-hyperscan
Izorkin:cleanup-stage-01
Izorkin:fix-pleroma
Izorkin:nginx-add-modsecurity
Izorkin:master
SelfPrivacy:flakes
SelfPrivacy:inex/test-collect-garbage
SelfPrivacy:inex/test-autobackup
SelfPrivacy:inex/test-systemd-rebuild
SelfPrivacy:master
SelfPrivacy:pre-release
SelfPrivacy:flake-to-override-folder
SelfPrivacy:flake-to-override
SelfPrivacy:systemd-limits
SelfPrivacy:ldap
SelfPrivacy:api-redis
SelfPrivacy:pleroma-fixes
SelfPrivacy:development
SelfPrivacy:rolling-testing
...
compare: Izorkin:8c8c1dc3ccc5d468d107a41200947d12e6889584
Branches Tags
Izorkin:add-wiki
Izorkin:fix-hyperscan
Izorkin:cleanup-stage-01
Izorkin:fix-pleroma
Izorkin:nginx-add-modsecurity
Izorkin:master
SelfPrivacy:flakes
SelfPrivacy:inex/test-collect-garbage
SelfPrivacy:inex/test-autobackup
SelfPrivacy:inex/test-systemd-rebuild
SelfPrivacy:master
SelfPrivacy:pre-release
SelfPrivacy:flake-to-override-folder
SelfPrivacy:flake-to-override
SelfPrivacy:systemd-limits
SelfPrivacy:ldap
SelfPrivacy:api-redis
SelfPrivacy:pleroma-fixes
SelfPrivacy:development
SelfPrivacy:rolling-testing

11 Commits
36e7cb8c5e ... 8c8c1dc3cc

Author SHA1 Message Date
Izorkin 8c8c1dc3cc update gitignore 2021-12-27 10:57:09 +02:00
Izorkin af773418dc move users to generic subfolder 2021-12-27 10:57:09 +02:00
Izorkin 91e15d61db move files to generic subfolder 2021-12-27 10:57:09 +02:00
Izorkin 46a277d96e move variables to generic subfolder 2021-12-27 10:57:09 +02:00
Izorkin 549908e469 move api to generic subfolder 2021-12-27 10:57:09 +02:00
Izorkin a9cdfa708d move limits to generic subfolder 2021-12-27 10:57:09 +02:00
Izorkin 568a3b4e17 move all services to subfolder 2021-12-27 10:57:09 +02:00
Illia Chub f5ec301441 Resolved null limit zone memory allocation size 2021-12-21 11:57:03 +02:00
Illia Chub ae8e8b2c9b Temporarily disabled CSP headers as they tend to break some of our applications 2021-12-21 08:18:38 +02:00
Illia Chub b7f49e52c0 Merge pull request 'Added Qualys A+ rated SSL/TLS settings' (#8) from security-improvements into master 
Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#8
 2021-12-20 19:18:58 +02:00
Illia Chub b5011cdd65
Added Qualys A+ rated SSL/TLS settings 2021-12-17 19:17:23 +02:00
28 changed files with 229 additions and 145 deletions
Show Stats Expand all files Collapse all files

6
.gitignore vendored
View File

@ -1,3 +1,7 @@
outputs
result
result-*
source
userdata/userdata.json
hardware-configuration.nix
networking.nix
networking.nix

41
configuration.nix
View File

@ -6,27 +6,26 @@ in
{
imports = [
./hardware-configuration.nix
./variables-module.nix
./variables.nix
./files.nix
./users.nix
./mailserver/system/mailserver.nix
./mailserver/system/alps.nix
./vpn/ocserv.nix
./api/api.nix
./api/api-module.nix
./social/pleroma.nix
./letsencrypt/acme.nix
./letsencrypt/resolve.nix
./backup/restic.nix
./passmgr/bitwarden.nix
./webserver/nginx.nix
./webserver/memcached.nix
./nextcloud/nextcloud.nix
./resources/limits.nix
./videomeet/jitsi.nix
./git/gitea.nix
./generic/api/api.nix
./generic/modules/api.nix
./generic/modules/userdata.nix
./generic/services/backup/restic.nix
./generic/services/cloud/nextcloud.nix
./generic/services/git/gitea.nix
./generic/services/letsencrypt/acme.nix
./generic/services/letsencrypt/resolve.nix
./generic/services/mail/alps.nix
./generic/services/mail/mailserver.nix
./generic/services/passmgr/bitwarden.nix
./generic/services/social/pleroma.nix
./generic/services/videomeet/jitsi.nix
./generic/services/vpn/ocserv.nix
./generic/services/webserver/memcached.nix
./generic/services/webserver/nginx.nix
./generic/system/limits.nix
./generic/system/tmpfiles.nix
./generic/system/userdata.nix
./generic/system/users.nix
];
nixpkgs.overlays = [ (nix-overlay) ];

0
api/api.nix → generic/api/api.nix
View File

0
api/api-module.nix → generic/modules/api.nix
View File

0
variables-module.nix → generic/modules/userdata.nix
View File

0
backup/restic.nix → generic/services/backup/restic.nix
View File

0
nextcloud/nextcloud.nix → generic/services/cloud/nextcloud.nix
View File

0
git/gitea.nix → generic/services/git/gitea.nix
View File

0
letsencrypt/acme.nix → generic/services/letsencrypt/acme.nix
View File

0
letsencrypt/resolve.nix → generic/services/letsencrypt/resolve.nix
View File

0
mailserver/system/alps-package.nix → generic/services/mail/alps-package.nix
View File

0
mailserver/system/alps.nix → generic/services/mail/alps.nix
View File

0
mailserver/system/mailserver.nix → generic/services/mail/mailserver.nix
View File

0
passmgr/bitwarden.nix → generic/services/passmgr/bitwarden.nix
View File

0
social/config.exs → generic/services/social/config.exs
View File

0
social/pleroma-module.nix → generic/services/social/pleroma-module.nix
View File

0
social/pleroma-package.nix → generic/services/social/pleroma-package.nix
View File

0
social/pleroma.nix → generic/services/social/pleroma.nix
View File

0
videomeet/jitsi.nix → generic/services/videomeet/jitsi.nix
View File

0
vpn/ocserv.nix → generic/services/vpn/ocserv.nix
View File

0
webserver/memcached.nix → generic/services/webserver/memcached.nix
View File

198
generic/services/webserver/nginx.nix Normal file
View File

@ -0,0 +1,198 @@
{ pkgs, config, lib, ... }:
let
domain = config.services.userdata.domain;
in
{
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3";
sslCiphers = lib.mkForce "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL";
clientMaxBodySize = "1024m";
commonHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
'';
virtualHosts = {
"${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
};
"vpn.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
};
"git.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:3000";
};
};
};
"cloud.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:80/";
};
};
};
"meet.${domain}" = {
forceSSL = true;
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
root = pkgs.jitsi-meet;
extraConfig = ''
ssi on;
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"@root_path" = {
extraConfig = ''
rewrite ^/(.*)$ / break;
'';
};
"~ ^/([^/\\?&:'\"]+)$" = {
tryFiles = "$uri @root_path";
};
"=/http-bind" = {
proxyPass = "http://localhost:5280/http-bind";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
'';
};
"=/external_api.js" = {
alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
};
"=/config.js" = {
alias = "${pkgs.jitsi-meet}/config.js";
};
"=/interface_config.js" = {
alias = "${pkgs.jitsi-meet}/interface_config.js";
};
};
};
"password.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8222";
};
};
};
"api.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:5050";
};
};
};
"social.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
root = "/var/www/social.${domain}";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:4000";
};
};
};
};
};
}

0
resources/limits.nix → generic/system/limits.nix
View File

0
files.nix → generic/system/tmpfiles.nix
View File

6
generic/system/userdata.nix Normal file
View File

@ -0,0 +1,6 @@
{ pkgs, ... }:
{
services = {
userdata = builtins.fromJSON (builtins.readFile ./../../userdata/userdata.json);
};
}

0
users.nix → generic/system/users.nix
View File

6
variables.nix
View File

@ -1,6 +0,0 @@
{ pkgs, ... }:
{
services = {
userdata = builtins.fromJSON (builtins.readFile ./userdata/userdata.json);
};
}

117
webserver/nginx.nix
View File

@ -1,117 +0,0 @@
{ pkgs, config, ... }:
let
domain = config.services.userdata.domain;
in
{
services.nginx = {
enable = true;
enableReload = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "1024m";
virtualHosts = {
"${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
};
"vpn.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
};
"git.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:3000";
};
};
};
"cloud.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:80/";
};
};
};
"meet.${domain}" = {
forceSSL = true;
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
root = pkgs.jitsi-meet;
extraConfig = ''
ssi on;
'';
locations = {
"@root_path" = {
extraConfig = ''
rewrite ^/(.*)$ / break;
'';
};
"~ ^/([^/\\?&:'\"]+)$" = {
tryFiles = "$uri @root_path";
};
"=/http-bind" = {
proxyPass = "http://localhost:5280/http-bind";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
'';
};
"=/external_api.js" = {
alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
};
"=/config.js" = {
alias = "${pkgs.jitsi-meet}/config.js";
};
"=/interface_config.js" = {
alias = "${pkgs.jitsi-meet}/interface_config.js";
};
};
};
"password.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8222";
};
};
};
"api.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:5050";
};
};
};
"social.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
root = "/var/www/social.${domain}";
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:4000";
};
};
extraConfig = ''
client_max_body_size 1024m;
'';
};
};
};
}