strato-infra/nixos/machines/nginx/default.nix

168 lines
5.4 KiB
Nix
Raw Permalink Normal View History

2022-05-21 21:59:14 +02:00
{ config, pkgs, ... }:
let
proxy = path: {
2022-05-23 21:53:50 +02:00
http2 = true;
2022-05-21 21:59:14 +02:00
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = path;
proxyWebsockets = true;
};
};
bigProxy = path: {
2022-05-23 21:53:50 +02:00
http2 = true;
2022-05-21 21:59:14 +02:00
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = path;
proxyWebsockets = true;
extraConfig = ''
client_max_body_size 0;
'';
};
};
2022-05-26 17:14:44 +02:00
redirect = dest: {
forceSSL = true;
enableACME = true;
http2 = true;
globalRedirect = dest;
};
2022-05-23 21:57:54 +02:00
k8sProxy = proxy "http://kubernetes.lxd:8080/";
2022-05-21 21:59:14 +02:00
in {
2022-05-19 17:47:41 +02:00
imports = [ ../../common ../../common/lxc.nix ];
networking.hostName = "nginx";
system.stateVersion = "21.11";
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 9113 9117 ];
2022-05-19 17:47:41 +02:00
services.nginx = {
enable = true;
commonHttpConfig = ''
log_format custom '$remote_addr - $remote_user [$time_local] '
'"$host" "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log custom;
# Below has been borrowed from
# https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# No CSP yet, this will break like 5 sites I'm sure.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
'';
2022-05-19 17:47:41 +02:00
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
2022-05-23 21:53:50 +02:00
recommendedGzipSettings = true;
2022-05-19 17:47:41 +02:00
package = pkgs.nginxMainline;
statusPage = true;
2022-05-23 21:46:53 +02:00
2022-05-19 17:47:41 +02:00
virtualHosts."asraphiel.dev" = {
forceSSL = true;
2022-05-23 21:53:50 +02:00
http2 = true;
2022-05-19 17:47:41 +02:00
enableACME = true;
default = true;
2022-05-19 17:47:41 +02:00
root = "/etc/main";
locations."/very/hidden/index.html" = {
return = "301 https://youtu.be/dQw4w9WgXcQ";
};
2022-05-19 17:47:41 +02:00
};
virtualHosts."auth.asraphiel.dev" = k8sProxy;
2022-05-21 21:59:14 +02:00
virtualHosts."git.asraphiel.dev" = proxy "http://gitea.lxd:3000/";
virtualHosts."drone.asraphiel.dev" = k8sProxy;
2022-05-21 21:59:14 +02:00
virtualHosts."vault.asraphiel.dev" = proxy "http://vault.lxd:8200/";
2022-05-21 21:59:14 +02:00
virtualHosts."s3.asraphiel.dev" = bigProxy "http://minio.lxd:9000/";
virtualHosts."shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/";
2022-05-26 17:14:44 +02:00
virtualHosts."cdn.voidcorp.nl" = redirect "s3.asraphiel.dev";
virtualHosts."cdn.asraphiel.dev" = k8sProxy;
2022-06-12 00:44:46 +02:00
virtualHosts."registry.asraphiel.dev" = bigProxy "http://registry.lxd:5000/";
2022-05-23 21:46:53 +02:00
virtualHosts."vaultwarden.asraphiel.dev" =
proxy "http://vaultwarden.lxd:8000/";
2022-05-26 17:14:44 +02:00
virtualHosts."analytics.asraphiel.dev" = redirect "ikaros.asraphiel.dev";
virtualHosts."ikaros.asraphiel.dev" = k8sProxy;
2022-05-25 20:42:04 +02:00
virtualHosts."whoami.asraphiel.dev" = k8sProxy;
2022-06-12 00:17:24 +02:00
virtualHosts."tickets.asraphiel.dev" = k8sProxy;
virtualHosts."stats.asraphiel.dev" = proxy "http://grafana.lxd:2345/";
virtualHosts."groenehartansichtkaarten.nl" = k8sProxy;
virtualHosts."ansichtkaarten.asraphiel.dev" = k8sProxy;
virtualHosts."galerievanslagmaat.nl" = k8sProxy;
2022-05-24 09:38:44 +02:00
virtualHosts."galerie.asraphiel.dev" = k8sProxy;
virtualHosts."staging.galerievanslagmaat.nl" = k8sProxy;
2022-05-24 09:38:44 +02:00
virtualHosts."galerie-staging.asraphiel.dev" = k8sProxy;
2022-06-23 17:35:35 +02:00
virtualHosts."www.galerievanslagmaat.nl" = redirect "galerievanslagmaat.nl";
virtualHosts."galeriewoerden.nl" = redirect "galerievanslagmaat.nl";
virtualHosts."www.galeriewoerden.nl" = redirect "galerievanslagmaat.nl";
2022-08-18 09:15:45 +02:00
2023-04-20 01:02:02 +02:00
virtualHosts."escalator.asraphiel.dev" = k8sProxy;
virtualHosts."escalator-admin.asraphiel.dev" = k8sProxy;
virtualHosts."escalator-api.asraphiel.dev" = k8sProxy;
2022-08-18 09:15:45 +02:00
virtualHosts."weg.asraphiel.dev" = k8sProxy;
2022-05-19 17:47:41 +02:00
};
2022-05-23 21:46:53 +02:00
services.prometheus.exporters.nginx.enable = true;
services.prometheus.exporters.nginxlog.enable = true;
services.prometheus.exporters.nginxlog.user = config.services.nginx.user;
services.prometheus.exporters.nginxlog.settings = {
consul = { enable = false; };
namespaces = [{
name = "asraphiel";
format = ''
$remote_addr - $remote_user [$time_local] "$host" "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'';
source = {
files = [ "/var/log/nginx/access.log" ];
};
relabel_configs = [
{
target_label = "remote_addr";
from = "remote_addr";
}
{
target_label = "host";
from = "host";
}
];
histogram_buckets =
[ 5.0e-3 1.0e-2 2.5e-2 5.0e-2 0.1 0.25 0.5 1 2.5 5 10 ];
}];
};
security.acme.defaults.email = "acme@voidcorp.nl";
2022-05-19 17:47:41 +02:00
security.acme.acceptTerms = true;
environment.etc."main/index.html" = {
enable = true;
source = ./index.html;
};
}