Merge branch 'master' into rolling-testing

2022-01-14 04:00:31 +03:00 · 2022-01-14 04:00:31 +03:00 · 0784a1fe17
parent cab6153c5e d4bb381693
commit 0784a1fe17
3 changed files with 99 additions and 5 deletions
--- a/userdata/schema.json
+++ b/userdata/schema.json
@ -43,6 +43,12 @@
                },
                "enableSwagger": {
                    "type": "boolean"
+                },
+                "skippedMigrations": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                }
            }
        },
--- a/variables-module.nix
+++ b/variables-module.nix
@ -84,6 +84,13 @@ in
        '';
        type = types.bool;
      };
+      skippedMigrations = mkOption {
+        default = [ ];
+        description = ''
+          List of migrations that should be skipped
+        '';
+        type = types.listOf types.str;
+      };
    };
    #############
    #  Secrets  #
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@ -1,32 +1,68 @@
-{ pkgs, config, ... }:
+{ pkgs, config, lib, ... }:
 let
  domain = config.services.userdata.domain;
 in
 {
  services.nginx = {
    enable = true;
-    enableReload = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
+    sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3";
+    sslCiphers = lib.mkForce "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL";
    clientMaxBodySize = "1024m";
+    commonHttpConfig = ''
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+    '';

    virtualHosts = {
      "${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
      };
      "vpn.${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
      };
      "git.${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:3000";
@ -37,6 +73,16 @@ in
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:80/";
@ -50,6 +96,14 @@ in
        root = pkgs.jitsi-meet;
        extraConfig = ''
          ssi on;
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
        '';
        locations = {
          "@root_path" = {
@ -82,6 +136,16 @@ in
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:8222";
@ -92,6 +156,16 @@ in
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:5050";
@ -103,14 +177,21 @@ in
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        root = "/var/www/social.${domain}";
        forceSSL = true;
+        extraConfig = ''
+          add_header Strict-Transport-Security $hsts_header;
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+          expires 10m;
+        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:4000";
          };
        };
-        extraConfig = ''
-          client_max_body_size 1024m;
-        '';
      };
    };
  };