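# NixOS module for the "nginx" LXC container: the TLS-terminating reverse proxy
# in front of the LXD / Kubernetes services, plus the Prometheus exporters for it.
{ config, pkgs, ... }:
let
  # Single source of truth for the access-log line layout.  nginx writes it
  # (log_format "custom" below) and the nginxlog exporter parses it back, so
  # both sides must use the identical string or the exporter silently stops
  # matching lines.  The layout itself is unchanged.
  accessLogFormat = ''
    $remote_addr - $remote_user [$time_local] "$host" "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'';

  # HTTPS -> HTTP reverse-proxy vhost with WebSocket upgrade support.
  # TLS is terminated here; the hop to `path` is plain HTTP (every backend
  # below is http:// on the .lxd network).
  proxy = path: {
    http2 = true;
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = path;
      proxyWebsockets = true;
    };
  };

  # `proxy`, plus nginx's request-body size check disabled
  # (client_max_body_size 0) for object-storage / image-registry uploads.
  # Built on top of `proxy` so the two helpers cannot drift apart.
  bigProxy = path:
    let base = proxy path;
    in base // {
      locations."/" = base.locations."/" // {
        extraConfig = ''
          client_max_body_size 0;
        '';
      };
    };

  # HTTPS vhost whose only job is a permanent redirect to `dest`.
  redirect = dest: {
    forceSSL = true;
    enableACME = true;
    http2 = true;
    globalRedirect = dest;
  };

  # Everything served by the Kubernetes ingress shares one vhost body.
  k8sProxy = proxy "http://kubernetes.lxd:8080/";
in
{
  imports = [ ../../common ../../common/lxc.nix ];

  networking.hostName = "nginx";
  system.stateVersion = "21.11";

  networking.firewall.enable = true;
  # 80/443: nginx.  9113/9117: the nginx and nginxlog Prometheus exporters.
  # NOTE(review): opening the exporter ports here makes the metrics reachable
  # from every interface; confirm the scraper sits on a trusted segment, or
  # restrict the exporters' listenAddress instead of the firewall.
  networking.firewall.allowedTCPPorts = [ 80 443 9113 9117 ];

  services.nginx = {
    enable = true;
    package = pkgs.nginxMainline;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    # stub_status endpoint, consumed by the nginx exporter below.
    statusPage = true;

    # Shared by every virtual host.  The add_header lines carry no `always`,
    # so nginx only attaches these headers to 2xx/3xx responses; error pages
    # go out without HSTS and the other hardening headers.
    commonHttpConfig = ''
      log_format custom '${accessLogFormat}';
      access_log /var/log/nginx/access.log custom;

      # Below has been borrowed from
      # https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading

      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged
      map $scheme $hsts_header {
        https "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;

      # No CSP yet, this will break like 5 sites I'm sure.
      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';

      # Disable embedding as a frame
      add_header X-Frame-Options DENY;

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;

      # Enable XSS protection of the browser.
      # May be unnecessary when CSP is configured properly (see above)
      add_header X-XSS-Protection "1; mode=block";
    '';

    virtualHosts = {
      # Catch-all / default site, served from the static root below.
      "asraphiel.dev" = {
        forceSSL = true;
        http2 = true;
        enableACME = true;
        default = true;
        root = "/etc/main";
        locations."/very/hidden/index.html" = {
          return = "301 https://youtu.be/dQw4w9WgXcQ";
        };
      };

      # Services with their own LXD container.
      "git.asraphiel.dev" = proxy "http://gitea.lxd:3000/";
      "vault.asraphiel.dev" = proxy "http://vault.lxd:8200/";
      "s3.asraphiel.dev" = bigProxy "http://minio.lxd:9000/";
      "shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/";
      "registry.asraphiel.dev" = bigProxy "http://registry.lxd:5000/";
      "vaultwarden.asraphiel.dev" = proxy "http://vaultwarden.lxd:8000/";
      "stats.asraphiel.dev" = proxy "http://grafana.lxd:2345/";

      # Services behind the Kubernetes ingress.
      "auth.asraphiel.dev" = k8sProxy;
      "drone.asraphiel.dev" = k8sProxy;
      "cdn.asraphiel.dev" = k8sProxy;
      "ikaros.asraphiel.dev" = k8sProxy;
      "whoami.asraphiel.dev" = k8sProxy;
      "tickets.asraphiel.dev" = k8sProxy;
      "groenehartansichtkaarten.nl" = k8sProxy;
      "ansichtkaarten.asraphiel.dev" = k8sProxy;
      "galerievanslagmaat.nl" = k8sProxy;
      "galerie.asraphiel.dev" = k8sProxy;
      "staging.galerievanslagmaat.nl" = k8sProxy;
      "galerie-staging.asraphiel.dev" = k8sProxy;
      "escalator.asraphiel.dev" = k8sProxy;
      "escalator-admin.asraphiel.dev" = k8sProxy;
      "escalator-api.asraphiel.dev" = k8sProxy;
      "weg.asraphiel.dev" = k8sProxy;

      # Alias / legacy names that only redirect.
      "cdn.voidcorp.nl" = redirect "s3.asraphiel.dev";
      "analytics.asraphiel.dev" = redirect "ikaros.asraphiel.dev";
      "www.galerievanslagmaat.nl" = redirect "galerievanslagmaat.nl";
      "galeriewoerden.nl" = redirect "galerievanslagmaat.nl";
      "www.galeriewoerden.nl" = redirect "galerievanslagmaat.nl";
    };
  };

  # Metrics: stub_status counters plus per-request histograms parsed from the
  # access log.  The log exporter runs as the nginx user so it can read the log.
  services.prometheus.exporters.nginx.enable = true;
  services.prometheus.exporters.nginxlog.enable = true;
  services.prometheus.exporters.nginxlog.user = config.services.nginx.user;
  services.prometheus.exporters.nginxlog.settings = {
    consul = { enable = false; };
    namespaces = [{
      name = "asraphiel";
      # Must match nginx's log_format exactly; see `accessLogFormat`.
      format = accessLogFormat;
      source = { files = [ "/var/log/nginx/access.log" ]; };
      # NOTE(review): labelling by remote_addr yields one time series per client
      # IP, which grows without bound and puts client addresses into the TSDB;
      # consider dropping that relabel if cardinality or retention becomes an issue.
      relabel_configs = [
        { target_label = "remote_addr"; from = "remote_addr"; }
        { target_label = "host"; from = "host"; }
      ];
      histogram_buckets = [ 5.0e-3 1.0e-2 2.5e-2 5.0e-2 0.1 0.25 0.5 1 2.5 5 10 ];
    }];
  };

  security.acme.defaults.email = "acme@voidcorp.nl";
  security.acme.acceptTerms = true;

  # Static content for the default vhost (root = /etc/main above).
  environment.etc."main/index.html" = {
    enable = true;
    source = ./index.html;
  };
}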