chore: migrate nginx and site
This commit is contained in:
parent
5a485ffa16
commit
0dd43e11e9
6 changed files with 129 additions and 11 deletions
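--- a/hosts/disk/site.nix
+++ b/hosts/disk/site.nix
@@ -0,0 +1,7 @@
+{ self, ... }: {
+imports = [
+(self + /modules/acme)
+(self + /modules/nginx.nix)
+(self + /modules/site.nix)
+];
+}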
|
@ -1,7 +0,0 @@
|
|||
{ self, ... }: {
|
||||
imports = [
|
||||
# (self + /modules/acme)
|
||||
# (self + /modules/nginx.nix)
|
||||
# (self + /modules/site.nix)
|
||||
];
|
||||
}
|
|
@ -2,10 +2,12 @@
|
|||
inherit (config.networking) domain;
|
||||
inherit (lib) mkValue;
|
||||
in {
|
||||
options.acmeGroup = mkValue "nginx";
|
||||
options.acmeUsers = mkValue [];
|
||||
|
||||
config.secrets.acmeEnvironment.file = ./environment.age;
|
||||
|
||||
config.users.groups.acme.members = config.acmeUsers;
|
||||
|
||||
config.security.acme = {
|
||||
acceptTerms = true;
|
||||
|
||||
|
@ -18,7 +20,7 @@ in {
|
|||
|
||||
certs.${domain} = {
|
||||
extraDomainNames = [ "*.${domain}" ];
|
||||
group = config.acmeGroup;
|
||||
group = "acme";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ self, config, lib, ... }: let
|
||||
inherit (lib) const enabled genAttrs head mkDefault;
|
||||
inherit (config.networking) domain;
|
||||
inherit (lib) const enabled genAttrs head mkDefault;
|
||||
in {
|
||||
imports = [(self + /modules/acme)];
|
||||
|
||||
|
@ -14,7 +14,7 @@ in {
|
|||
paths = [ config.mailserver.dkimKeyDirectory config.mailserver.mailDirectory ];
|
||||
};
|
||||
|
||||
acmeGroup = "mail";
|
||||
acmeUsers = [ "mail" ];
|
||||
|
||||
mailserver = enabled {
|
||||
domains = mkDefault [ domain ];
|
||||
|
|
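--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }: let
+inherit (lib) enabled mkConst;
+in {
+options.nginxSslTemplate = mkConst {
+forceSSL = true;
+quic = true;
+useACMEHost = config.networking.domain;
+};
+
+options.nginxHeaders = mkConst ''
+add_header Strict-Transport-Security $hsts_header;
+
+add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+add_header Referrer-Policy no-referrer;
+
+add_header X-Frame-Options DENY;
+
+add_header X-Content-Type-Options nosniff;
+'';
+
+config.networking.firewall = {
+allowedTCPPorts = [ 443 80 ];
+allowedUDPPorts = [ 443 ];
+};
+
+config.services.prometheus.exporters.nginx = enabled {
+listenAddress = "[::]";
+};
+
+config.acmeUsers = [ "nginx" ];
+
+config.services.nginx = enabled {
+package = pkgs.nginxQuic;
+
+statusPage = true;
+
+recommendedBrotliSettings = true;
+recommendedGzipSettings = true;
+recommendedZstdSettings = true;
+
+recommendedOptimisation = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+
+commonHttpConfig = ''
+map $scheme $hsts_header {
+https "max-age=31536000; includeSubdomains; preload";
+}
+
+${config.nginxHeaders}
+
+proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+'';
+};
+}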
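Review bot: Four of the five `add_header` lines in `options.nginxHeaders` lack the `always` flag, so Strict-Transport-Security, Referrer-Policy, X-Frame-Options and X-Content-Type-Options are emitted only on 2xx/3xx responses and silently dropped from 4xx/5xx pages (including any custom 404 page served through `error_page`); append `always` to each of them, as the Content-Security-Policy line already does. The CSP itself sets no `default-src`, `frame-ancestors` or `form-action`, so everything other than scripts, plugins and `<base>` stays unrestricted; if the site uses no inline styles or third-party assets, `add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'self';" always;` is the tighter baseline. Note also that nginx `add_header` is not additive across levels: any server or location block that declares its own `add_header` (the NixOS module appears to emit an `Alt-Svc` header for vhosts with `quic` enabled, which is worth confirming) discards all http-level headers from `commonHttpConfig` for that block, so consumers must re-emit `${config.nginxHeaders}` wherever they add headers; a comment on `options.nginxHeaders` stating this would prevent surprises. Finally, the Prometheus nginx exporter binds `[::]` (all interfaces) while the firewall block here opens only 80/443, so its reachability depends entirely on the host firewall; binding it to loopback unless it is scraped remotely would be the safer default.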
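--- a/modules/site.nix
+++ b/modules/site.nix
@@ -0,0 +1,60 @@
+{ config, lib, ... }: let
+inherit (config.networking) domain;
+inherit (lib) enabled merge;
+
+sitePath = "/var/www/site";
+
+notFoundLocationConfig = {
+extraConfig = "error_page 404 /404.html;";
+locations."/404".extraConfig = "internal;";
+};
+in {
+services.nginx = enabled {
+appendHttpConfig = ''
+map $http_origin $allow_origin {
+~^https://.+\.${domain}$ $http_origin;
+}
+
+map $http_origin $allow_methods {
+~^https://.+\.${domain}$ "GET, HEAD, OPTIONS";
+}
+'';
+
+virtualHosts.${domain} = merge config.nginxSslTemplate notFoundLocationConfig {
+root = sitePath;
+
+locations."/".tryFiles = "$uri $uri.html $uri/index.html =404";
+
+locations."/assets/".extraConfig = let
+nginxHeaders' = ''
+add_header Access-Control-Allow-Origin $allow_origin;
+add_header Access-Control-Allow-Methods $allow_methods;
+'';
+in ''
+${config.nginxHeaders}
+${nginxHeaders'}
+
+if ($request_method = OPTIONS) {
+${config.nginxHeaders}
+${nginxHeaders'}
+add_header Content-Type text/plain;
+add_header Content-Length 0;
+return 204;
+}
+
+expires 24h;
+'';
+};
+
+virtualHosts."www.${domain}" = merge config.nginxSslTemplate {
+locations."/".extraConfig = "return 301 https://${domain}$request_uri;";
+};
+
+virtualHosts._ = merge config.nginxSslTemplate notFoundLocationConfig {
+root = sitePath;
+
+locations."/".extraConfig = "return 404;";
+locations."/assets/".extraConfig = "return 301 https://${domain}$request_uri;";
+};
+};
+}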
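Review bot: `${domain}` is interpolated into both `map` regexes in `appendHttpConfig` without escaping, so every `.` in the domain matches any character and a look-alike origin passes the CORS allow-list (for a multi-label domain such as `foo.example.com`, `https://evil.fooXexample.com` matches and `fooxexample.com` is registrable); write the pattern as `~^https://.+\.${lib.escapeRegex domain}$` in both maps (assuming the project's `lib` extends nixpkgs' lib, as `enabled`/`merge` suggest), or derive `$allow_methods` from `$allow_origin` so the pattern lives in one place. `virtualHosts._` is evidently meant to be the catch-all, but it only becomes nginx's default server if it is emitted first, which currently appears to depend on `_` sorting before lowercase attribute names in the generated config; set `default = true;` on it so the behaviour does not hinge on ordering. The `locations."/404"` guard in `notFoundLocationConfig` works because it is a prefix match that also covers `/404.html`, which is what `error_page` needs; a comment such as `# prefix match: also makes /404.html internal-only` would save the next reader the check.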