SelfPrivacy
/
selfprivacy-nixos-config
6
3
Fork 7
Code Issues 20 Pull Requests 2 Projects Releases Wiki Activity

move nginx exclusive virtualHosts to SP modules

pull/55/head
Alexander 2023-12-18 19:02:54 +04:00
parent d881cc8ce5
commit 365f027326
5 changed files with 119 additions and 118 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
sp-modules/bitwarden/module.nix
View File

@ -69,5 +69,25 @@ in
<(printf "%s" "$bitwarden_env") ${bitwarden-env} <(printf "%s" "$bitwarden_env") ${bitwarden-env}
''; '';
}; };
services.nginx.virtualHosts."password.${sp.domain}" = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8222";
};
};
};
}; };
} }

128
sp-modules/gitea/module.nix
View File

@ -19,64 +19,82 @@ in
}; };
config = lib.mkIf config.selfprivacy.modules.gitea.enable { config = lib.mkIf config.selfprivacy.modules.gitea.enable {
services = { services.gitea = {
gitea = { enable = true;
enable = true; inherit stateDir;
inherit stateDir; # log = {
# log = { # rootPath = "/var/lib/gitea/log";
# rootPath = "/var/lib/gitea/log"; # level = "Warn";
# level = "Warn"; # };
# }; user = "gitea";
database = {
type = "sqlite3";
host = "127.0.0.1";
name = "gitea";
user = "gitea"; user = "gitea";
database = { path = "${stateDir}/data/gitea.db";
type = "sqlite3"; createDatabase = true;
host = "127.0.0.1"; };
name = "gitea"; # ssh = {
user = "gitea"; # enable = true;
path = "${stateDir}/data/gitea.db"; # clonePort = 22;
createDatabase = true; # };
lfs = {
enable = true;
contentDir = "${stateDir}/lfs";
};
appName = "SelfPrivacy git Service";
repositoryRoot = "${stateDir}/repositories";
# cookieSecure = true;
settings = {
server = {
DOMAIN = "git.${sp.domain}";
ROOT_URL = "https://git.${sp.domain}/";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = 3000;
}; };
# ssh = { mailer = {
# enable = true; ENABLED = false;
# clonePort = 22;
# };
lfs = {
enable = true;
contentDir = "${stateDir}/lfs";
}; };
appName = "SelfPrivacy git Service"; ui = {
repositoryRoot = "${stateDir}/repositories"; DEFAULT_THEME = "arc-green";
# cookieSecure = true; SHOW_USER_EMAIL = false;
settings = { };
server = { picture = {
DOMAIN = "git.${sp.domain}"; DISABLE_GRAVATAR = true;
ROOT_URL = "https://git.${sp.domain}/"; };
HTTP_ADDR = "0.0.0.0"; admin = {
HTTP_PORT = 3000; ENABLE_KANBAN_BOARD = true;
}; };
mailer = { repository = {
ENABLED = false; FORCE_PRIVATE = false;
}; };
ui = { session = {
DEFAULT_THEME = "arc-green"; COOKIE_SECURE = true;
SHOW_USER_EMAIL = false; };
}; log = {
picture = { ROOT_PATH = "${stateDir}/log";
DISABLE_GRAVATAR = true; LEVEL = "Warn";
}; };
admin = { };
ENABLE_KANBAN_BOARD = true; };
}; services.nginx.virtualHosts."git.${sp.domain}" = {
repository = { sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
FORCE_PRIVATE = false; sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
}; forceSSL = true;
session = { extraConfig = ''
COOKIE_SECURE = true; add_header Strict-Transport-Security $hsts_header;
}; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
log = { add_header 'Referrer-Policy' 'origin-when-cross-origin';
ROOT_PATH = "${stateDir}/log"; add_header X-Frame-Options DENY;
LEVEL = "Warn"; add_header X-Content-Type-Options nosniff;
}; add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:3000";
}; };
}; };
}; };

12
sp-modules/jitsi-meet/module.nix
View File

@ -1,4 +1,7 @@
{ config, lib, ... }: { config, lib, ... }:
let
domain = config.selfprivacy.domain;
in
{ {
options.selfprivacy.modules.jitsi-meet = { options.selfprivacy.modules.jitsi-meet = {
enable = lib.mkOption { enable = lib.mkOption {
@ -10,12 +13,19 @@
config = lib.mkIf config.selfprivacy.modules.jitsi-meet.enable { config = lib.mkIf config.selfprivacy.modules.jitsi-meet.enable {
services.jitsi-meet = { services.jitsi-meet = {
enable = true; enable = true;
hostName = "meet.${config.selfprivacy.domain}"; hostName = "meet.${domain}";
nginx.enable = true; nginx.enable = true;
interfaceConfig = { interfaceConfig = {
SHOW_JITSI_WATERMARK = false; SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false; SHOW_WATERMARK_FOR_GUESTS = false;
}; };
}; };
services.nginx.virtualHosts."meet.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
useACMEHost = domain;
enableACME = false;
};
}; };
} }

15
sp-modules/ocserv/module.nix
View File

@ -55,5 +55,20 @@ in
route = default route = default
''; '';
}; };
services.nginx.virtualHosts."vpn.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
};
}; };
} }

62
webserver/nginx.nix
View File

@ -36,61 +36,6 @@ in
expires 10m; expires 10m;
''; '';
}; };
"vpn.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
};
"git.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:3000";
};
};
};
"password.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8222";
};
};
};
"api.${domain}" = { "api.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
@ -133,13 +78,6 @@ in
}; };
}; };
}; };
"meet.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
useACMEHost = domain;
enableACME = false;
};
}; };
}; };
} }