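{ config, pkgs, ... }:

let
  # One access-log line layout, used both by nginx (which writes the log) and
  # by the nginxlog exporter (which parses it). A single definition cannot
  # drift; if the two ever diverged the exporter would silently match nothing.
  # $http_x_forwarded_for is whatever the client chose to send: it is kept for
  # forensics only and must never be read as the peer address ($remote_addr is).
  accessLogFormat = ''
    $remote_addr - $remote_user [$time_local] "$host" "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'';

  # Settings every public vhost shares: TLS terminated here, plain HTTP
  # redirected, certificate from ACME.
  tlsDefaults = {
    http2 = true;
    forceSSL = true;
    enableACME = true;
  };

  # A TLS-terminating vhost forwarding everything to one plaintext upstream.
  # nginx -> upstream traffic is unencrypted, so this is only acceptable while
  # the lxd bridge is a trusted network.
  # Headers added in commonHttpConfig are appended, not replaced: if an
  # upstream already sends its own X-Frame-Options (etc.) the client receives
  # both copies. Hide the upstream one with proxy_hide_header in that vhost
  # if a proxied application turns out to do this.
  proxy = path: tlsDefaults // {
    locations."/" = {
      proxyPass = path;
      proxyWebsockets = true;
    };
  };

  # Same as proxy, minus nginx's request-body size limit. 0 disables the
  # limit entirely, so the upstream is the only thing bounding upload size
  # (and the disk behind it). Only for endpoints that must accept large
  # objects, such as object storage and container images.
  bigProxy = path: tlsDefaults // {
    locations."/" = {
      proxyPass = path;
      proxyWebsockets = true;
      extraConfig = ''
        client_max_body_size 0;
      '';
    };
  };

  # A vhost that exists only to send every request on to another host name
  # (NixOS renders globalRedirect as a 301 to that host).
  redirect = dest: tlsDefaults // { globalRedirect = dest; };

  # Every service behind the Kubernetes ingress shares one plaintext endpoint;
  # the ingress picks the backend by Host, which recommendedProxySettings
  # forwards unchanged (proxy_set_header Host $host).
  k8sProxy = proxy "http://kubernetes.lxd:8080/";

in {
  imports = [ ../../common ../../common/lxc.nix ];

  networking.hostName = "nginx";

  system.stateVersion = "21.11";

  # 80/443 are nginx. 9113 and 9117 are the default listen ports of the nginx
  # and nginxlog Prometheus exporters enabled below. The exporters answer to
  # anything that can reach this container, and the nginxlog one reports
  # per-host request metrics, so only the network Prometheus scrapes from
  # should be able to reach the container on those two ports.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 9113 9117 ];

  services.nginx = {
    enable = true;

    commonHttpConfig = ''
      log_format custom '${accessLogFormat}';

      access_log /var/log/nginx/access.log custom;

      # Below has been borrowed from
      # https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
      #
      # Two nginx rules that matter for the add_header lines below:
      #  - add_header is inherited from the http block only into server and
      #    location blocks that define no add_header of their own. Any vhost
      #    that adds a header must repeat the whole set. None does today.
      #  - Without "always", add_header applies to 2xx/3xx responses only;
      #    "always" puts the headers on error responses as well, so a first
      #    visit that happens to be a 404 still pins HSTS.

      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged: on plain HTTP the
      # map yields an empty value and nginx omits empty headers.
      # "preload" is effectively irreversible once the domain is submitted to
      # the preload list, and includeSubdomains then covers every subdomain
      # served below.
      map $scheme $hsts_header {
          https "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header always;

      # No CSP yet, this will break like 5 sites I'm sure.
      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'strict-origin-when-cross-origin' always;

      # Disable embedding as a frame (clickjacking). This applies to every
      # proxied application below as well.
      add_header X-Frame-Options DENY always;

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff always;

      # The legacy XSS auditor has been removed from Chromium-based browsers
      # and Firefox never had one; where it still exists, "1; mode=block" can
      # itself be abused as a cross-site leak. Current guidance (OWASP) is to
      # switch it off explicitly; a real CSP (above) is the replacement.
      add_header X-XSS-Protection "0" always;
    '';

    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    package = pkgs.nginxMainline;
    # /nginx_status bound to localhost, scraped by the nginx exporter below.
    statusPage = true;

    # default = true: requests whose Host/SNI matches no vhost land here
    # instead of on whichever vhost happens to sort first. For those requests
    # $host is whatever the client sent.
    virtualHosts."asraphiel.dev" = tlsDefaults // {
      default = true;
      root = "/etc/main";
      locations."/very/hidden/index.html" = {
        return = "301 https://youtu.be/dQw4w9WgXcQ";
      };
    };

    virtualHosts."auth.asraphiel.dev" = k8sProxy;

    virtualHosts."git.asraphiel.dev" = proxy "http://gitea.lxd:3000/";
    virtualHosts."drone.asraphiel.dev" = k8sProxy;

    # Vault API and UI on the public internet; tokens cross the lxd bridge to
    # vault.lxd in clear text.
    virtualHosts."vault.asraphiel.dev" = proxy "http://vault.lxd:8200/";

    # S3 API (unbounded uploads) and, on 9001, presumably the MinIO console;
    # the console is an admin surface and may warrant a source-address
    # allow-list rather than being world reachable.
    virtualHosts."s3.asraphiel.dev" = bigProxy "http://minio.lxd:9000/";
    virtualHosts."shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/";
    virtualHosts."cdn.voidcorp.nl" = redirect "s3.asraphiel.dev";
    virtualHosts."cdn.asraphiel.dev" = k8sProxy;

    # Container registry: large image layers, hence bigProxy. Whether pushes
    # require authentication is decided by the registry itself, not here.
    virtualHosts."registry.asraphiel.dev" = bigProxy "http://registry.lxd:5000/";
    # If the vaultwarden admin panel is enabled upstream it is reachable
    # through this vhost too; consider restricting /admin by source address.
    virtualHosts."vaultwarden.asraphiel.dev" =
      proxy "http://vaultwarden.lxd:8000/";
    virtualHosts."analytics.asraphiel.dev" = redirect "ikaros.asraphiel.dev";
    virtualHosts."ikaros.asraphiel.dev" = k8sProxy;
    virtualHosts."whoami.asraphiel.dev" = k8sProxy;
    virtualHosts."tickets.asraphiel.dev" = k8sProxy;

    virtualHosts."stats.asraphiel.dev" = proxy "http://grafana.lxd:2345/";

    virtualHosts."groenehartansichtkaarten.nl" = k8sProxy;
    virtualHosts."ansichtkaarten.asraphiel.dev" = k8sProxy;

    virtualHosts."galerievanslagmaat.nl" = k8sProxy;
    virtualHosts."galerie.asraphiel.dev" = k8sProxy;
    virtualHosts."staging.galerievanslagmaat.nl" = k8sProxy;
    virtualHosts."galerie-staging.asraphiel.dev" = k8sProxy;
    virtualHosts."www.galerievanslagmaat.nl" = redirect "galerievanslagmaat.nl";
    virtualHosts."galeriewoerden.nl" = redirect "galerievanslagmaat.nl";
    virtualHosts."www.galeriewoerden.nl" = redirect "galerievanslagmaat.nl";
  };

  services.prometheus.exporters.nginx.enable = true;
  services.prometheus.exporters.nginxlog.enable = true;
  # Runs as the nginx user purely so it can read the access log.
  services.prometheus.exporters.nginxlog.user = config.services.nginx.user;
  services.prometheus.exporters.nginxlog.settings = {
    consul = { enable = false; };

    namespaces = [{
      name = "asraphiel";
      # Must match log_format custom above byte for byte, hence the shared
      # definition.
      format = accessLogFormat;
      source = {
        files = [ "/var/log/nginx/access.log" ];
      };
      # Every distinct label value is a separate series (a full histogram
      # each). Client addresses are deliberately NOT a label: they are
      # personal data in the metrics store and their number is unbounded.
      # The IP remains in the access log itself for incident response.
      # "host" is kept, but on the default vhost it is client-controlled
      # (any Host header reaches asraphiel.dev), so watch the series count
      # and collapse unknown hosts if it starts to grow.
      relabel_configs = [
        {
          target_label = "host";
          from = "host";
        }
      ];
      histogram_buckets =
        [ 5.0e-3 1.0e-2 2.5e-2 5.0e-2 0.1 0.25 0.5 1 2.5 5 10 ];
    }];
  };

  security.acme.defaults.email = "acme@voidcorp.nl";
  security.acme.acceptTerms = true;

  environment.etc."main/index.html" = {
    enable = true;
    source = ./index.html;
  };
}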