Compare commits
11 Commits
36e7cb8c5e
...
8c8c1dc3cc
Author | SHA1 | Date |
---|---|---|
Izorkin | 8c8c1dc3cc | |
Izorkin | af773418dc | |
Izorkin | 91e15d61db | |
Izorkin | 46a277d96e | |
Izorkin | 549908e469 | |
Izorkin | a9cdfa708d | |
Izorkin | 568a3b4e17 | |
Illia Chub | f5ec301441 | |
Illia Chub | ae8e8b2c9b | |
Illia Chub | b7f49e52c0 | |
Illia Chub | b5011cdd65 |
|
@ -1,3 +1,7 @@
|
||||||
|
outputs
|
||||||
|
result
|
||||||
|
result-*
|
||||||
|
source
|
||||||
userdata/userdata.json
|
userdata/userdata.json
|
||||||
hardware-configuration.nix
|
hardware-configuration.nix
|
||||||
networking.nix
|
networking.nix
|
||||||
|
|
|
@ -6,27 +6,26 @@ in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
./generic/api/api.nix
|
||||||
./variables-module.nix
|
./generic/modules/api.nix
|
||||||
./variables.nix
|
./generic/modules/userdata.nix
|
||||||
./files.nix
|
./generic/services/backup/restic.nix
|
||||||
./users.nix
|
./generic/services/cloud/nextcloud.nix
|
||||||
./mailserver/system/mailserver.nix
|
./generic/services/git/gitea.nix
|
||||||
./mailserver/system/alps.nix
|
./generic/services/letsencrypt/acme.nix
|
||||||
./vpn/ocserv.nix
|
./generic/services/letsencrypt/resolve.nix
|
||||||
./api/api.nix
|
./generic/services/mail/alps.nix
|
||||||
./api/api-module.nix
|
./generic/services/mail/mailserver.nix
|
||||||
./social/pleroma.nix
|
./generic/services/passmgr/bitwarden.nix
|
||||||
./letsencrypt/acme.nix
|
./generic/services/social/pleroma.nix
|
||||||
./letsencrypt/resolve.nix
|
./generic/services/videomeet/jitsi.nix
|
||||||
./backup/restic.nix
|
./generic/services/vpn/ocserv.nix
|
||||||
./passmgr/bitwarden.nix
|
./generic/services/webserver/memcached.nix
|
||||||
./webserver/nginx.nix
|
./generic/services/webserver/nginx.nix
|
||||||
./webserver/memcached.nix
|
./generic/system/limits.nix
|
||||||
./nextcloud/nextcloud.nix
|
./generic/system/tmpfiles.nix
|
||||||
./resources/limits.nix
|
./generic/system/userdata.nix
|
||||||
./videomeet/jitsi.nix
|
./generic/system/users.nix
|
||||||
./git/gitea.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
nixpkgs.overlays = [ (nix-overlay) ];
|
nixpkgs.overlays = [ (nix-overlay) ];
|
||||||
|
|
|
@ -0,0 +1,198 @@
|
||||||
|
{ pkgs, config, lib, ... }:
|
||||||
|
let
|
||||||
|
domain = config.services.userdata.domain;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3";
|
||||||
|
sslCiphers = lib.mkForce "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL";
|
||||||
|
clientMaxBodySize = "1024m";
|
||||||
|
commonHttpConfig = ''
|
||||||
|
map $scheme $hsts_header {
|
||||||
|
https "max-age=31536000; includeSubdomains; preload";
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
|
virtualHosts = {
|
||||||
|
"${domain}" = {
|
||||||
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"vpn.${domain}" = {
|
||||||
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"git.${domain}" = {
|
||||||
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:3000";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"cloud.${domain}" = {
|
||||||
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:80/";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"meet.${domain}" = {
|
||||||
|
forceSSL = true;
|
||||||
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
|
root = pkgs.jitsi-meet;
|
||||||
|
extraConfig = ''
|
||||||
|
ssi on;
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
|
locations = {
|
||||||
|
"@root_path" = {
|
||||||
|
extraConfig = ''
|
||||||
|
rewrite ^/(.*)$ / break;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"~ ^/([^/\\?&:'\"]+)$" = {
|
||||||
|
tryFiles = "$uri @root_path";
|
||||||
|
};
|
||||||
|
"=/http-bind" = {
|
||||||
|
proxyPass = "http://localhost:5280/http-bind";
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"=/external_api.js" = {
|
||||||
|
alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
|
||||||
|
};
|
||||||
|
"=/config.js" = {
|
||||||
|
alias = "${pkgs.jitsi-meet}/config.js";
|
||||||
|
};
|
||||||
|
"=/interface_config.js" = {
|
||||||
|
alias = "${pkgs.jitsi-meet}/interface_config.js";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"password.${domain}" = {
|
||||||
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:8222";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"api.${domain}" = {
|
||||||
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:5050";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"social.${domain}" = {
|
||||||
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
|
root = "/var/www/social.${domain}";
|
||||||
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:4000";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,6 @@
|
||||||
|
{ pkgs, ... }:
|
||||||
|
{
|
||||||
|
services = {
|
||||||
|
userdata = builtins.fromJSON (builtins.readFile ./../../userdata/userdata.json);
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,6 +0,0 @@
|
||||||
{ pkgs, ... }:
|
|
||||||
{
|
|
||||||
services = {
|
|
||||||
userdata = builtins.fromJSON (builtins.readFile ./userdata/userdata.json);
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,117 +0,0 @@
|
||||||
{ pkgs, config, ... }:
|
|
||||||
let
|
|
||||||
domain = config.services.userdata.domain;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
services.nginx = {
|
|
||||||
enable = true;
|
|
||||||
enableReload = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
clientMaxBodySize = "1024m";
|
|
||||||
|
|
||||||
virtualHosts = {
|
|
||||||
"${domain}" = {
|
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
|
||||||
forceSSL = true;
|
|
||||||
};
|
|
||||||
"vpn.${domain}" = {
|
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
|
||||||
forceSSL = true;
|
|
||||||
};
|
|
||||||
"git.${domain}" = {
|
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
|
||||||
forceSSL = true;
|
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:3000";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
"cloud.${domain}" = {
|
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
|
||||||
forceSSL = true;
|
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:80/";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
"meet.${domain}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
|
||||||
root = pkgs.jitsi-meet;
|
|
||||||
extraConfig = ''
|
|
||||||
ssi on;
|
|
||||||
'';
|
|
||||||
locations = {
|
|
||||||
"@root_path" = {
|
|
||||||
extraConfig = ''
|
|
||||||
rewrite ^/(.*)$ / break;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
"~ ^/([^/\\?&:'\"]+)$" = {
|
|
||||||
tryFiles = "$uri @root_path";
|
|
||||||
};
|
|
||||||
"=/http-bind" = {
|
|
||||||
proxyPass = "http://localhost:5280/http-bind";
|
|
||||||
extraConfig = ''
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
"=/external_api.js" = {
|
|
||||||
alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
|
|
||||||
};
|
|
||||||
"=/config.js" = {
|
|
||||||
alias = "${pkgs.jitsi-meet}/config.js";
|
|
||||||
};
|
|
||||||
"=/interface_config.js" = {
|
|
||||||
alias = "${pkgs.jitsi-meet}/interface_config.js";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
"password.${domain}" = {
|
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
|
||||||
forceSSL = true;
|
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:8222";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
"api.${domain}" = {
|
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
|
||||||
forceSSL = true;
|
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:5050";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
"social.${domain}" = {
|
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
|
||||||
root = "/var/www/social.${domain}";
|
|
||||||
forceSSL = true;
|
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:4000";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
extraConfig = ''
|
|
||||||
client_max_body_size 1024m;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
Loading…
Reference in New Issue