Compare commits
17 Commits
master
...
3f726cdf60
Author | SHA1 | Date |
---|---|---|
Izorkin | 3f726cdf60 | |
Inex Code | a0a6c99fe8 | |
Inex Code | 8cb55168eb | |
Illia Chub | 896600bf52 | |
Illia Chub | c03fd25959 | |
Inex Code | b583340e1d | |
Inex Code | dc767677d8 | |
Illia Chub | 163afde7cf | |
Inex Code | d4bb381693 | |
Inex Code | c3ee4d00fc | |
Illia Chub | f5ec301441 | |
Illia Chub | ae8e8b2c9b | |
Illia Chub | b7f49e52c0 | |
Illia Chub | b5011cdd65 | |
Inex Code | 1b8bdb013a | |
Inex Code | 3f42ad5c68 | |
Inex Code | 63aaeec08c |
|
@ -27,6 +27,7 @@ in
|
||||||
./resources/limits.nix
|
./resources/limits.nix
|
||||||
./videomeet/jitsi.nix
|
./videomeet/jitsi.nix
|
||||||
./git/gitea.nix
|
./git/gitea.nix
|
||||||
|
./local/services/wiki-js.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
nixpkgs.overlays = [ (nix-overlay) ];
|
nixpkgs.overlays = [ (nix-overlay) ];
|
||||||
|
@ -35,8 +36,8 @@ in
|
||||||
networking = {
|
networking = {
|
||||||
hostName = config.services.userdata.hostname;
|
hostName = config.services.userdata.hostname;
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 8443 ];
|
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
|
||||||
allowedUDPPorts = lib.mkForce [ 8443 ];
|
allowedUDPPorts = lib.mkForce [ 8443 10000 ];
|
||||||
};
|
};
|
||||||
nameservers = [ "1.1.1.1" "1.0.0.1" ];
|
nameservers = [ "1.1.1.1" "1.0.0.1" ];
|
||||||
};
|
};
|
||||||
|
|
|
@ -24,11 +24,11 @@ in
|
||||||
[
|
[
|
||||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
|
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
|
||||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
|
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
|
||||||
(if cfg.pleroma.enable then "d /var/lib/pleroma 0600 pleroma pleroma - -" else "")
|
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
|
||||||
"d /var/lib/restic 0600 restic - - -"
|
"d /var/lib/restic 0600 restic - - -"
|
||||||
"f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
|
"f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
|
||||||
"f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
|
"f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
|
||||||
(if cfg.pleroma.enable then "f+ /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
|
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
|
||||||
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
||||||
(if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}" else "")
|
(if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}" else "")
|
||||||
(if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}" else "")
|
(if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}" else "")
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.services.userdata;
|
cfg = config.services.userdata;
|
||||||
in
|
in
|
||||||
|
@ -9,7 +9,7 @@ in
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
email = "${cfg.username}@${cfg.domain}";
|
email = "${cfg.username}@${cfg.domain}";
|
||||||
certs = {
|
certs = lib.mkForce {
|
||||||
"${cfg.domain}" = {
|
"${cfg.domain}" = {
|
||||||
domain = "*.${cfg.domain}";
|
domain = "*.${cfg.domain}";
|
||||||
extraDomainNames = [ "${cfg.domain}" ];
|
extraDomainNames = [ "${cfg.domain}" ];
|
||||||
|
@ -17,6 +17,12 @@ in
|
||||||
dnsProvider = "cloudflare";
|
dnsProvider = "cloudflare";
|
||||||
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
|
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
|
||||||
};
|
};
|
||||||
|
"meet.${cfg.domain}" = {
|
||||||
|
domain = "meet.${cfg.domain}";
|
||||||
|
group = "acmerecievers";
|
||||||
|
dnsProvider = "cloudflare";
|
||||||
|
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,30 @@
|
||||||
|
{ lib, ... }:
|
||||||
|
{
|
||||||
|
systemd.services.wiki-js = {
|
||||||
|
requires = [ "postgresql.service" ];
|
||||||
|
after = [ "postgresql.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.postgresql = {
|
||||||
|
enable = lib.mkOverride 1100 true;
|
||||||
|
ensureDatabases = [ "wiki" ];
|
||||||
|
ensureUsers = [
|
||||||
|
{ name = "wiki-js";
|
||||||
|
ensurePermissions."DATABASE wiki" = "ALL PRIVILEGES";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.wiki-js = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
bindIP = "127.0.0.1";
|
||||||
|
port = 3010;
|
||||||
|
db = {
|
||||||
|
host = "/run/postgresql";
|
||||||
|
user = "wiki-js";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
stateDirectoryName = "wiki-js";
|
||||||
|
};
|
||||||
|
}
|
|
@ -13,11 +13,6 @@ in
|
||||||
})
|
})
|
||||||
];
|
];
|
||||||
|
|
||||||
services.dovecot2 = {
|
|
||||||
enablePAM = lib.mkForce true;
|
|
||||||
showPAMFailure = lib.mkForce true;
|
|
||||||
};
|
|
||||||
|
|
||||||
users.users = {
|
users.users = {
|
||||||
virtualMail = {
|
virtualMail = {
|
||||||
isNormalUser = false;
|
isNormalUser = false;
|
||||||
|
@ -34,7 +29,6 @@ in
|
||||||
loginAccounts = {
|
loginAccounts = {
|
||||||
"${cfg.username}@${cfg.domain}" = {
|
"${cfg.username}@${cfg.domain}" = {
|
||||||
hashedPassword = cfg.hashedMasterPassword;
|
hashedPassword = cfg.hashedMasterPassword;
|
||||||
catchAll = [ cfg.domain ];
|
|
||||||
sieveScript = ''
|
sieveScript = ''
|
||||||
require ["fileinto", "mailbox"];
|
require ["fileinto", "mailbox"];
|
||||||
if header :contains "Chat-Version" "1.0"
|
if header :contains "Chat-Version" "1.0"
|
||||||
|
@ -49,7 +43,6 @@ in
|
||||||
name = "${user.username}@${cfg.domain}";
|
name = "${user.username}@${cfg.domain}";
|
||||||
value = {
|
value = {
|
||||||
hashedPassword = user.hashedPassword;
|
hashedPassword = user.hashedPassword;
|
||||||
catchAll = [ cfg.domain ];
|
|
||||||
sieveScript = ''
|
sieveScript = ''
|
||||||
require ["fileinto", "mailbox"];
|
require ["fileinto", "mailbox"];
|
||||||
if header :contains "Chat-Version" "1.0"
|
if header :contains "Chat-Version" "1.0"
|
||||||
|
|
|
@ -43,6 +43,12 @@
|
||||||
},
|
},
|
||||||
"enableSwagger": {
|
"enableSwagger": {
|
||||||
"type": "boolean"
|
"type": "boolean"
|
||||||
|
},
|
||||||
|
"skippedMigrations": {
|
||||||
|
"type": "array",
|
||||||
|
"items": {
|
||||||
|
"type": "string"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
|
@ -17,7 +17,7 @@ in
|
||||||
value = {
|
value = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
hashedPassword = user.hashedPassword;
|
hashedPassword = user.hashedPassword;
|
||||||
openssh.authorizedKeys.keys = user.sshKeys;
|
openssh.authorizedKeys.keys = (if user ? sshKeys then user.sshKeys else []);
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
cfg.users);
|
cfg.users);
|
||||||
|
|
|
@ -84,6 +84,13 @@ in
|
||||||
'';
|
'';
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
};
|
};
|
||||||
|
skippedMigrations = mkOption {
|
||||||
|
default = [ ];
|
||||||
|
description = ''
|
||||||
|
List of migrations that should be skipped
|
||||||
|
'';
|
||||||
|
type = types.listOf types.str;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
#############
|
#############
|
||||||
# Secrets #
|
# Secrets #
|
||||||
|
|
|
@ -6,7 +6,7 @@ in
|
||||||
services.jitsi-meet = {
|
services.jitsi-meet = {
|
||||||
enable = config.services.userdata.jitsi.enable;
|
enable = config.services.userdata.jitsi.enable;
|
||||||
hostName = "meet.${domain}";
|
hostName = "meet.${domain}";
|
||||||
nginx.enable = false;
|
nginx.enable = true;
|
||||||
interfaceConfig = {
|
interfaceConfig = {
|
||||||
SHOW_JITSI_WATERMARK = false;
|
SHOW_JITSI_WATERMARK = false;
|
||||||
SHOW_WATERMARK_FOR_GUESTS = false;
|
SHOW_WATERMARK_FOR_GUESTS = false;
|
||||||
|
|
|
@ -1,32 +1,68 @@
|
||||||
{ pkgs, config, ... }:
|
{ pkgs, config, lib, ... }:
|
||||||
let
|
let
|
||||||
domain = config.services.userdata.domain;
|
domain = config.services.userdata.domain;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enableReload = true;
|
|
||||||
recommendedGzipSettings = true;
|
recommendedGzipSettings = true;
|
||||||
recommendedOptimisation = true;
|
recommendedOptimisation = true;
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
recommendedTlsSettings = true;
|
recommendedTlsSettings = true;
|
||||||
|
sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3";
|
||||||
|
sslCiphers = lib.mkForce "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL";
|
||||||
clientMaxBodySize = "1024m";
|
clientMaxBodySize = "1024m";
|
||||||
|
commonHttpConfig = ''
|
||||||
|
map $scheme $hsts_header {
|
||||||
|
https "max-age=31536000; includeSubdomains; preload";
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"${domain}" = {
|
"${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
"vpn.${domain}" = {
|
"vpn.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
"git.${domain}" = {
|
"git.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:3000";
|
proxyPass = "http://127.0.0.1:3000";
|
||||||
|
@ -37,51 +73,36 @@ in
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:80/";
|
proxyPass = "http://127.0.0.1:80/";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"meet.${domain}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
|
||||||
root = pkgs.jitsi-meet;
|
|
||||||
extraConfig = ''
|
|
||||||
ssi on;
|
|
||||||
'';
|
|
||||||
locations = {
|
|
||||||
"@root_path" = {
|
|
||||||
extraConfig = ''
|
|
||||||
rewrite ^/(.*)$ / break;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
"~ ^/([^/\\?&:'\"]+)$" = {
|
|
||||||
tryFiles = "$uri @root_path";
|
|
||||||
};
|
|
||||||
"=/http-bind" = {
|
|
||||||
proxyPass = "http://localhost:5280/http-bind";
|
|
||||||
extraConfig = ''
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
"=/external_api.js" = {
|
|
||||||
alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
|
|
||||||
};
|
|
||||||
"=/config.js" = {
|
|
||||||
alias = "${pkgs.jitsi-meet}/config.js";
|
|
||||||
};
|
|
||||||
"=/interface_config.js" = {
|
|
||||||
alias = "${pkgs.jitsi-meet}/interface_config.js";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
"password.${domain}" = {
|
"password.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:8222";
|
proxyPass = "http://127.0.0.1:8222";
|
||||||
|
@ -92,6 +113,16 @@ in
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:5050";
|
proxyPass = "http://127.0.0.1:5050";
|
||||||
|
@ -103,14 +134,56 @@ in
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
root = "/var/www/social.${domain}";
|
root = "/var/www/social.${domain}";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:4000";
|
proxyPass = "http://127.0.0.1:4000";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
"wiki.${domain}" = {
|
||||||
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
|
root = "/var/empty";
|
||||||
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
client_max_body_size 1024m;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
'';
|
'';
|
||||||
|
locations = {
|
||||||
|
"/_assets/" = {
|
||||||
|
extraConfig = ''
|
||||||
|
alias ${pkgs.wiki-js}/assets/;
|
||||||
|
try_files $uri =404;
|
||||||
|
expires 7d;
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:3010";
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in New Issue