diff --git a/userdata/schema.json b/userdata/schema.json index 5115459..778f5e0 100644 --- a/userdata/schema.json +++ b/userdata/schema.json @@ -43,6 +43,12 @@ }, "enableSwagger": { "type": "boolean" + }, + "skippedMigrations": { + "type": "array", + "items": { + "type": "string" + } } } }, diff --git a/variables-module.nix b/variables-module.nix index 2c465cc..47acdfb 100644 --- a/variables-module.nix +++ b/variables-module.nix @@ -84,6 +84,13 @@ in ''; type = types.bool; }; + skippedMigrations = mkOption { + default = [ ]; + description = '' + List of migrations that should be skipped + ''; + type = types.listOf types.str; + }; }; ############# # Secrets # diff --git a/webserver/nginx.nix b/webserver/nginx.nix index 6e925ad..4536c5f 100644 --- a/webserver/nginx.nix +++ b/webserver/nginx.nix @@ -1,32 +1,68 @@ -{ pkgs, config, ... }: +{ pkgs, config, lib, ... }: let domain = config.services.userdata.domain; in { services.nginx = { enable = true; - enableReload = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; + sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3"; + sslCiphers = lib.mkForce "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL"; clientMaxBodySize = "1024m"; + commonHttpConfig = '' + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + ''; virtualHosts = { "${domain}" = { sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + expires 10m; + ''; }; "vpn.${domain}" = { sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + expires 10m; + ''; }; "git.${domain}" = { sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + expires 10m; + ''; locations = { "/" = { proxyPass = "http://127.0.0.1:3000"; @@ -37,6 +73,16 @@ in sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + expires 10m; + ''; locations = { "/" = { proxyPass = "http://127.0.0.1:80/"; @@ -50,6 +96,14 @@ in root = pkgs.jitsi-meet; extraConfig = '' ssi on; + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + expires 10m; ''; locations = { "@root_path" = { @@ -82,6 +136,16 @@ in sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + expires 10m; + ''; locations = { "/" = { proxyPass = "http://127.0.0.1:8222"; @@ -92,6 +156,16 @@ in sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + expires 10m; + ''; locations = { "/" = { proxyPass = "http://127.0.0.1:5050"; @@ -103,14 +177,21 @@ in sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; root = "/var/www/social.${domain}"; forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + expires 10m; + ''; locations = { "/" = { proxyPass = "http://127.0.0.1:4000"; }; }; - extraConfig = '' - client_max_body_size 1024m; - ''; }; }; };