From 365f0273264c8bb7ed8c4c7b13a565cce805eae9 Mon Sep 17 00:00:00 2001 From: Alexander Tomokhov Date: Mon, 18 Dec 2023 19:02:54 +0400 Subject: [PATCH] move nginx exclusive virtualHosts to SP modules --- sp-modules/bitwarden/module.nix | 20 +++++ sp-modules/gitea/module.nix | 128 ++++++++++++++++++------------- sp-modules/jitsi-meet/module.nix | 12 ++- sp-modules/ocserv/module.nix | 15 ++++ webserver/nginx.nix | 62 --------------- 5 files changed, 119 insertions(+), 118 deletions(-) diff --git a/sp-modules/bitwarden/module.nix b/sp-modules/bitwarden/module.nix index 4e2cb0c..f7bf090 100644 --- a/sp-modules/bitwarden/module.nix +++ b/sp-modules/bitwarden/module.nix @@ -69,5 +69,25 @@ in <(printf "%s" "$bitwarden_env") ${bitwarden-env} ''; }; + services.nginx.virtualHosts."password.${sp.domain}" = { + sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem"; + forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + expires 10m; + ''; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8222"; + }; + }; + }; }; } diff --git a/sp-modules/gitea/module.nix b/sp-modules/gitea/module.nix index ffb4c96..d03b6fd 100644 --- a/sp-modules/gitea/module.nix +++ b/sp-modules/gitea/module.nix 
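Review bot: The eight-line `extraConfig` header block added for `password.${sp.domain}` is pasted verbatim into the `git.${sp.domain}` and `vpn.${domain}` vhosts in the gitea and ocserv hunks, and a fourth copy stays behind in webserver/nginx.nix for `api.${domain}`, so the next header change has to be made in four places and the copies will drift; a single shared snippet (a `let`-bound string exported by the webserver module, or an nginx `include` file it ships) that each module references would keep the policy in one place. The block also uses the nginx variable `$hsts_header`, which nothing in this module defines — presumably it comes from a `map` in webserver/nginx.nix — so the move creates a hidden cross-module dependency; a comment such as `# $hsts_header is defined by the webserver module (webserver/nginx.nix); this vhost relies on it` on the `extraConfig` line would make that visible. Unlike the jitsi-meet hunk, this vhost points at the ACME files by hand without `useACMEHost = sp.domain;`, which, if I read the NixOS nginx module correctly, is what orders nginx after the certificate is issued and reloads it on renewal; the same applies to the gitea and ocserv vhosts.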
@@ -19,64 +19,82 @@ in }; config = lib.mkIf config.selfprivacy.modules.gitea.enable { - services = { - gitea = { - enable = true; - inherit stateDir; - # log = { - # rootPath = "/var/lib/gitea/log"; - # level = "Warn"; - # }; + services.gitea = { + enable = true; + inherit stateDir; + # log = { + # rootPath = "/var/lib/gitea/log"; + # level = "Warn"; + # }; + user = "gitea"; + database = { + type = "sqlite3"; + host = "127.0.0.1"; + name = "gitea"; user = "gitea"; - database = { - type = "sqlite3"; - host = "127.0.0.1"; - name = "gitea"; - user = "gitea"; - path = "${stateDir}/data/gitea.db"; - createDatabase = true; + path = "${stateDir}/data/gitea.db"; + createDatabase = true; + }; + # ssh = { + # enable = true; + # clonePort = 22; + # }; + lfs = { + enable = true; + contentDir = "${stateDir}/lfs"; + }; + appName = "SelfPrivacy git Service"; + repositoryRoot = "${stateDir}/repositories"; + # cookieSecure = true; + settings = { + server = { + DOMAIN = "git.${sp.domain}"; + ROOT_URL = "https://git.${sp.domain}/"; + HTTP_ADDR = "0.0.0.0"; + HTTP_PORT = 3000; }; - # ssh = { - # enable = true; - # clonePort = 22; - # }; - lfs = { - enable = true; - contentDir = "${stateDir}/lfs"; + mailer = { + ENABLED = false; }; - appName = "SelfPrivacy git Service"; - repositoryRoot = "${stateDir}/repositories"; - # cookieSecure = true; - settings = { - server = { - DOMAIN = "git.${sp.domain}"; - ROOT_URL = "https://git.${sp.domain}/"; - HTTP_ADDR = "0.0.0.0"; - HTTP_PORT = 3000; - }; - mailer = { - ENABLED = false; - }; - ui = { - DEFAULT_THEME = "arc-green"; - SHOW_USER_EMAIL = false; - }; - picture = { - DISABLE_GRAVATAR = true; - }; - admin = { - ENABLE_KANBAN_BOARD = true; - }; - repository = { - FORCE_PRIVATE = false; - }; - session = { - COOKIE_SECURE = true; - }; - log = { - ROOT_PATH = "${stateDir}/log"; - LEVEL = "Warn"; - }; + ui = { + DEFAULT_THEME = "arc-green"; + SHOW_USER_EMAIL = false; + }; + picture = { + DISABLE_GRAVATAR = true; + }; + admin = { + 
ENABLE_KANBAN_BOARD = true; + }; + repository = { + FORCE_PRIVATE = false; + }; + session = { + COOKIE_SECURE = true; + }; + log = { + ROOT_PATH = "${stateDir}/log"; + LEVEL = "Warn"; + }; + }; + }; + services.nginx.virtualHosts."git.${sp.domain}" = { + sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem"; + forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + expires 10m; + ''; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:3000"; }; }; }; diff --git a/sp-modules/jitsi-meet/module.nix b/sp-modules/jitsi-meet/module.nix index 238dffc..d23207a 100644 --- a/sp-modules/jitsi-meet/module.nix +++ b/sp-modules/jitsi-meet/module.nix @@ -1,4 +1,7 @@ { config, lib, ... }: +let + domain = config.selfprivacy.domain; +in { options.selfprivacy.modules.jitsi-meet = { enable = lib.mkOption { @@ -10,12 +13,19 @@ config = lib.mkIf config.selfprivacy.modules.jitsi-meet.enable { services.jitsi-meet = { enable = true; - hostName = "meet.${config.selfprivacy.domain}"; + hostName = "meet.${domain}"; nginx.enable = true; interfaceConfig = { SHOW_JITSI_WATERMARK = false; SHOW_WATERMARK_FOR_GUESTS = false; }; }; + services.nginx.virtualHosts."meet.${domain}" = { + sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; + forceSSL = true; + useACMEHost = domain; + enableACME = false; + }; }; } diff --git a/sp-modules/ocserv/module.nix b/sp-modules/ocserv/module.nix index 9cf4fb5..d33369a 100644 --- a/sp-modules/ocserv/module.nix +++ b/sp-modules/ocserv/module.nix 
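Review bot: `HTTP_ADDR = "0.0.0.0"` on the new side keeps Gitea's own HTTP listener on port 3000 bound to every interface, while the new `git.${sp.domain}` vhost — the only intended client — proxies to `http://127.0.0.1:3000`; any peer that can reach port 3000 directly gets plain HTTP with none of the TLS, cookie or header policy the vhost adds, unless a firewall rule outside this hunk blocks it. Binding the listener to loopback, `HTTP_ADDR = "127.0.0.1";`, closes that gap without changing what nginx sees. Separately, the hunk mixes the `services = { gitea = { … }; }` to `services.gitea = { … }` re-indent with the functional vhost addition, so the real change is hard to pick out; a whitespace-only commit followed by the move would review more easily. The `config = lib.mkIf …` set opens in the hunk's first context lines but its closing `};` and the file's final `}` are outside it.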
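Review bot: The new `meet.${domain}` vhost sets `sslCertificate`/`sslCertificateKey` explicitly and also `useACMEHost = domain;`; in the NixOS nginx module `useACMEHost` already derives both paths from the ACME directory, so the two explicit lines are redundant and will silently diverge if the ACME layout ever changes — keeping only `useACMEHost = domain;` and `enableACME = false;` alongside `forceSSL = true;` states the intent once. `enableACME = false` deserves a one-line comment, since it presumably exists to override the default the upstream jitsi-meet module applies to this host when `nginx.enable = true` (worth confirming against that module), and a reader otherwise sees ACME being switched off for a TLS vhost with no explanation. The first hunk (`let domain = …`) is a plain rename and needs nothing.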
@@ -55,5 +55,20 @@ in route = default ''; }; + services.nginx.virtualHosts."vpn.${domain}" = { + sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; + forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + expires 10m; + ''; + }; }; } diff --git a/webserver/nginx.nix b/webserver/nginx.nix index 774d499..b4e8dc7 100644 --- a/webserver/nginx.nix +++ b/webserver/nginx.nix 
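Review bot: The new `vpn.${domain}` vhost carries the full header and cookie policy but defines no `locations` or `root`, so requests to it fall through to nginx's default document root, and the `proxy_cookie_path` directive is a no-op without a `proxy_pass`; if the vhost exists only so this name is served with the `${domain}` certificate (the preceding context lines look like ocserv's own configuration), a comment such as `# TLS-only vhost for the vpn name; nothing is proxied or served here` would stop the next reader from treating the missing location as an omission. If it is meant to front something, the proxy target is missing. As in the bitwarden hunk, `$hsts_header` is expected to come from the webserver module and `domain` from this module's `let` (the hunk header ends in `in`), neither of which is visible here.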
@@ -36,61 +36,6 @@ in expires 10m; ''; }; - "vpn.${domain}" = { - sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; - forceSSL = true; - extraConfig = '' - add_header Strict-Transport-Security $hsts_header; - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - add_header 'Referrer-Policy' 'origin-when-cross-origin'; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - expires 10m; - ''; - }; - "git.${domain}" = { - sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; - forceSSL = true; - extraConfig = '' - add_header Strict-Transport-Security $hsts_header; - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - add_header 'Referrer-Policy' 'origin-when-cross-origin'; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - expires 10m; - ''; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:3000"; - }; - }; - }; - "password.${domain}" = { - sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; - forceSSL = true; - extraConfig = '' - add_header Strict-Transport-Security $hsts_header; - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - add_header 'Referrer-Policy' 'origin-when-cross-origin'; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - expires 10m; - ''; - locations = { - "/" = { - proxyPass = 
"http://127.0.0.1:8222"; - }; - }; - }; "api.${domain}" = { sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; @@ -133,13 +78,6 @@ in }; }; }; - "meet.${domain}" = { - sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; - forceSSL = true; - useACMEHost = domain; - enableACME = false; - }; }; }; }