strato-infra/nixos/machines/nginx/default.nix

{ config, pkgs, ... }:
let
  proxy = path: {
    http2 = true;
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = path;
      proxyWebsockets = true;
    };
  };
  bigProxy = path: {
    http2 = true;
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = path;
      proxyWebsockets = true;
      extraConfig = ''
        client_max_body_size 0;
      '';
    };
  };
  redirect = dest: {
    forceSSL = true;
    enableACME = true;
    http2 = true;
    globalRedirect = dest;
  };
  k8sProxy = proxy "http://kubernetes.lxd:8080/";
in {
  imports = [ ../../common ../../common/lxc.nix ];
  networking.hostName = "nginx";
  system.stateVersion = "21.11";
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 9113 9117 ];
  services.nginx = {
    enable = true;
    commonHttpConfig = ''
      log_format custom   '$remote_addr - $remote_user [$time_local] '
                          '"$host" "$request" $status $body_bytes_sent '
                          '"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

      access_log /var/log/nginx/access.log custom;

      # Below has been borrowed from 
      # https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading

      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;

      # No CSP yet, this will break like 5 sites I'm sure.
      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';

      # Disable embedding as a frame
      add_header X-Frame-Options DENY;

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;

      # Enable XSS protection of the browser.
      # May be unnecessary when CSP is configured properly (see above)
      add_header X-XSS-Protection "1; mode=block";

    '';
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    package = pkgs.nginxMainline;
    statusPage = true;

    virtualHosts."asraphiel.dev" = {
      forceSSL = true;
      http2 = true;
      enableACME = true;
      default = true;
      root = "/etc/main";
      locations."/very/hidden/index.html" = {
        return = "301 https://youtu.be/dQw4w9WgXcQ";
      };
    };
    virtualHosts."auth.asraphiel.dev" = k8sProxy;

    virtualHosts."git.asraphiel.dev" = proxy "http://gitea.lxd:3000/";
    virtualHosts."drone.asraphiel.dev" = k8sProxy;

    virtualHosts."vault.asraphiel.dev" = proxy "http://vault.lxd:8200/";

    virtualHosts."s3.asraphiel.dev" = bigProxy "http://minio.lxd:9000/";
    virtualHosts."shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/";
    virtualHosts."cdn.voidcorp.nl" = redirect "s3.asraphiel.dev";
    virtualHosts."cdn.asraphiel.dev" = k8sProxy;

    virtualHosts."registry.asraphiel.dev" = bigProxy "http://registry.lxd:5000/";
    virtualHosts."vaultwarden.asraphiel.dev" =
      proxy "http://vaultwarden.lxd:8000/";
    virtualHosts."analytics.asraphiel.dev" = redirect "ikaros.asraphiel.dev";
    virtualHosts."ikaros.asraphiel.dev" = k8sProxy;
    virtualHosts."whoami.asraphiel.dev" = k8sProxy;
    virtualHosts."tickets.asraphiel.dev" = k8sProxy;

    virtualHosts."stats.asraphiel.dev" = proxy "http://grafana.lxd:2345/";

    virtualHosts."groenehartansichtkaarten.nl" = k8sProxy;
    virtualHosts."ansichtkaarten.asraphiel.dev" = k8sProxy;

    virtualHosts."galerievanslagmaat.nl" = k8sProxy;
    virtualHosts."galerie.asraphiel.dev" = k8sProxy;
    virtualHosts."staging.galerievanslagmaat.nl" = k8sProxy;
    virtualHosts."galerie-staging.asraphiel.dev" = k8sProxy;
    virtualHosts."www.galerievanslagmaat.nl" = redirect "galerievanslagmaat.nl";
    virtualHosts."galeriewoerden.nl" = redirect "galerievanslagmaat.nl";
    virtualHosts."www.galeriewoerden.nl" = redirect "galerievanslagmaat.nl";
  };

  services.prometheus.exporters.nginx.enable = true;
  services.prometheus.exporters.nginxlog.enable = true;
  services.prometheus.exporters.nginxlog.user = config.services.nginx.user;
  services.prometheus.exporters.nginxlog.settings = {
    consul = { enable = false; };

    namespaces = [{
      name = "asraphiel";
      format = ''
        $remote_addr - $remote_user [$time_local] "$host" "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'';
      source = {

        files = [ "/var/log/nginx/access.log" ];
      };
      relabel_configs = [
        {
          target_label = "remote_addr";
          from = "remote_addr";
        }
        {
          target_label = "host";
          from = "host";
        }
      ];
      histogram_buckets =
        [ 5.0e-3 1.0e-2 2.5e-2 5.0e-2 0.1 0.25 0.5 1 2.5 5 10 ];

    }];
  };

  security.acme.defaults.email = "acme@voidcorp.nl";
  security.acme.acceptTerms = true;
  environment.etc."main/index.html" = {
    enable = true;
    source = ./index.html;
  };

}
Minio, move to different host 2022-05-21 21:59:14 +02:00			`{ config, pkgs, ... }:`
			`let`
			`proxy = path: {`
Add files from previous commit 2022-05-23 21:53:50 +02:00			`http2 = true;`
Minio, move to different host 2022-05-21 21:59:14 +02:00			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = path;`
			`proxyWebsockets = true;`
			`};`
			`};`
			`bigProxy = path: {`
Add files from previous commit 2022-05-23 21:53:50 +02:00			`http2 = true;`
Minio, move to different host 2022-05-21 21:59:14 +02:00			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = path;`
			`proxyWebsockets = true;`
			`extraConfig = ''`
			`client_max_body_size 0;`
			`'';`
			`};`
			`};`
Change umami url and add middleware 2022-05-26 17:14:44 +02:00			`redirect = dest: {`
			`forceSSL = true;`
			`enableACME = true;`
			`http2 = true;`
			`globalRedirect = dest;`
			`};`
Fix port 2022-05-23 21:57:54 +02:00			`k8sProxy = proxy "http://kubernetes.lxd:8080/";`
Minio, move to different host 2022-05-21 21:59:14 +02:00			`in {`
Nginx landing page and postgres 2022-05-19 17:47:41 +02:00			`imports = [ ../../common ../../common/lxc.nix ];`
			`networking.hostName = "nginx";`
			`system.stateVersion = "21.11";`
			`networking.firewall.enable = true;`
Update to nixpkgs 22.05 Add grafana and prometheus as well Remove glitch-soc, maybe I'll try mastodon sometime in the future but not now. 2022-06-06 19:19:45 +02:00			`networking.firewall.allowedTCPPorts = [ 80 443 9113 9117 ];`
Nginx landing page and postgres 2022-05-19 17:47:41 +02:00			`services.nginx = {`
			`enable = true;`
Update to nixpkgs 22.05 Add grafana and prometheus as well Remove glitch-soc, maybe I'll try mastodon sometime in the future but not now. 2022-06-06 19:19:45 +02:00			`commonHttpConfig = ''`
			`log_format custom '$remote_addr - $remote_user [$time_local] '`
			`'"$host" "$request" $status $body_bytes_sent '`
			`'"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';`

			`access_log /var/log/nginx/access.log custom;`
Add some more security settings for all sites 2022-06-29 14:27:04 +02:00
			`# Below has been borrowed from`
			`# https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading`

			`# Add HSTS header with preloading to HTTPS requests.`
			`# Adding this header to HTTP requests is discouraged`
			`map $scheme $hsts_header {`
			`https "max-age=31536000; includeSubdomains; preload";`
			`}`
			`add_header Strict-Transport-Security $hsts_header;`

			`# No CSP yet, this will break like 5 sites I'm sure.`
			`#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;`

			`# Minimize information leaked to other domains`
			`add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';`

			`# Disable embedding as a frame`
			`add_header X-Frame-Options DENY;`

			`# Prevent injection of code in other mime types (XSS Attacks)`
			`add_header X-Content-Type-Options nosniff;`

			`# Enable XSS protection of the browser.`
			`# May be unnecessary when CSP is configured properly (see above)`
			`add_header X-XSS-Protection "1; mode=block";`

Update to nixpkgs 22.05 Add grafana and prometheus as well Remove glitch-soc, maybe I'll try mastodon sometime in the future but not now. 2022-06-06 19:19:45 +02:00			`'';`
Nginx landing page and postgres 2022-05-19 17:47:41 +02:00			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`
Add files from previous commit 2022-05-23 21:53:50 +02:00			`recommendedGzipSettings = true;`
Nginx landing page and postgres 2022-05-19 17:47:41 +02:00			`package = pkgs.nginxMainline;`
Update to nixpkgs 22.05 Add grafana and prometheus as well Remove glitch-soc, maybe I'll try mastodon sometime in the future but not now. 2022-06-06 19:19:45 +02:00			`statusPage = true;`
new ingress time! 2022-05-23 21:46:53 +02:00
Nginx landing page and postgres 2022-05-19 17:47:41 +02:00			`virtualHosts."asraphiel.dev" = {`
			`forceSSL = true;`
Add files from previous commit 2022-05-23 21:53:50 +02:00			`http2 = true;`
Nginx landing page and postgres 2022-05-19 17:47:41 +02:00			`enableACME = true;`
Add more logging, set asraphiel.dev as default 2022-06-08 09:11:13 +02:00			`default = true;`
Nginx landing page and postgres 2022-05-19 17:47:41 +02:00			`root = "/etc/main";`
Add more logging, set asraphiel.dev as default 2022-06-08 09:11:13 +02:00			`locations."/very/hidden/index.html" = {`
			`return = "301 https://youtu.be/dQw4w9WgXcQ";`
			`};`
Nginx landing page and postgres 2022-05-19 17:47:41 +02:00			`};`
Add galerie subdomains and make cdn point to s3 2022-05-25 00:42:05 +02:00			`virtualHosts."auth.asraphiel.dev" = k8sProxy;`

Minio, move to different host 2022-05-21 21:59:14 +02:00			`virtualHosts."git.asraphiel.dev" = proxy "http://gitea.lxd:3000/";`
Add galerie subdomains and make cdn point to s3 2022-05-25 00:42:05 +02:00			`virtualHosts."drone.asraphiel.dev" = k8sProxy;`

Minio, move to different host 2022-05-21 21:59:14 +02:00			`virtualHosts."vault.asraphiel.dev" = proxy "http://vault.lxd:8200/";`
Add galerie subdomains and make cdn point to s3 2022-05-25 00:42:05 +02:00
Minio, move to different host 2022-05-21 21:59:14 +02:00			`virtualHosts."s3.asraphiel.dev" = bigProxy "http://minio.lxd:9000/";`
			`virtualHosts."shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/";`
Change umami url and add middleware 2022-05-26 17:14:44 +02:00			`virtualHosts."cdn.voidcorp.nl" = redirect "s3.asraphiel.dev";`
Add galerie subdomains and make cdn point to s3 2022-05-25 00:42:05 +02:00			`virtualHosts."cdn.asraphiel.dev" = k8sProxy;`

Make registry be a bigProxy 2022-06-12 00:44:46 +02:00			`virtualHosts."registry.asraphiel.dev" = bigProxy "http://registry.lxd:5000/";`
new ingress time! 2022-05-23 21:46:53 +02:00			`virtualHosts."vaultwarden.asraphiel.dev" =`
			`proxy "http://vaultwarden.lxd:8000/";`
Change umami url and add middleware 2022-05-26 17:14:44 +02:00			`virtualHosts."analytics.asraphiel.dev" = redirect "ikaros.asraphiel.dev";`
			`virtualHosts."ikaros.asraphiel.dev" = k8sProxy;`
Add whoami 2022-05-25 20:42:04 +02:00			`virtualHosts."whoami.asraphiel.dev" = k8sProxy;`
Fix secret, update nginx 2022-06-12 00:17:24 +02:00			`virtualHosts."tickets.asraphiel.dev" = k8sProxy;`
Add galerie subdomains and make cdn point to s3 2022-05-25 00:42:05 +02:00
Update to nixpkgs 22.05 Add grafana and prometheus as well Remove glitch-soc, maybe I'll try mastodon sometime in the future but not now. 2022-06-06 19:19:45 +02:00			`virtualHosts."stats.asraphiel.dev" = proxy "http://grafana.lxd:2345/";`

Add galerie subdomains and make cdn point to s3 2022-05-25 00:42:05 +02:00			`virtualHosts."groenehartansichtkaarten.nl" = k8sProxy;`
			`virtualHosts."ansichtkaarten.asraphiel.dev" = k8sProxy;`

			`virtualHosts."galerievanslagmaat.nl" = k8sProxy;`
Add galerie test path to nginx 2022-05-24 09:38:44 +02:00			`virtualHosts."galerie.asraphiel.dev" = k8sProxy;`
Add galerie subdomains and make cdn point to s3 2022-05-25 00:42:05 +02:00			`virtualHosts."staging.galerievanslagmaat.nl" = k8sProxy;`
Add galerie test path to nginx 2022-05-24 09:38:44 +02:00			`virtualHosts."galerie-staging.asraphiel.dev" = k8sProxy;`
Fix drone, update nginx 2022-06-23 17:35:35 +02:00			`virtualHosts."www.galerievanslagmaat.nl" = redirect "galerievanslagmaat.nl";`
			`virtualHosts."galeriewoerden.nl" = redirect "galerievanslagmaat.nl";`
			`virtualHosts."www.galeriewoerden.nl" = redirect "galerievanslagmaat.nl";`
Nginx landing page and postgres 2022-05-19 17:47:41 +02:00			`};`
new ingress time! 2022-05-23 21:46:53 +02:00
Update to nixpkgs 22.05 Add grafana and prometheus as well Remove glitch-soc, maybe I'll try mastodon sometime in the future but not now. 2022-06-06 19:19:45 +02:00			`services.prometheus.exporters.nginx.enable = true;`
			`services.prometheus.exporters.nginxlog.enable = true;`
			`services.prometheus.exporters.nginxlog.user = config.services.nginx.user;`
			`services.prometheus.exporters.nginxlog.settings = {`
			`consul = { enable = false; };`

			`namespaces = [{`
			`name = "asraphiel";`
			`format = ''`
			`$remote_addr - $remote_user [$time_local] "$host" "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'';`
			`source = {`

			`files = [ "/var/log/nginx/access.log" ];`
			`};`
			`relabel_configs = [`
			`{`
			`target_label = "remote_addr";`
			`from = "remote_addr";`
			`}`
			`{`
			`target_label = "host";`
			`from = "host";`
			`}`
			`];`
Add more logging, set asraphiel.dev as default 2022-06-08 09:11:13 +02:00			`histogram_buckets =`
			`[ 5.0e-3 1.0e-2 2.5e-2 5.0e-2 0.1 0.25 0.5 1 2.5 5 10 ];`

Update to nixpkgs 22.05 Add grafana and prometheus as well Remove glitch-soc, maybe I'll try mastodon sometime in the future but not now. 2022-06-06 19:19:45 +02:00			`}];`
			`};`

			`security.acme.defaults.email = "acme@voidcorp.nl";`
Nginx landing page and postgres 2022-05-19 17:47:41 +02:00			`security.acme.acceptTerms = true;`
			`environment.etc."main/index.html" = {`
			`enable = true;`
			`source = ./index.html;`
			`};`

			`}`