Add Nginx, ACME

2025-07-30 11:37:44 +00:00 · 2024-01-10 11:30:52 +03:00 · 2024-01-10 11:30:52 +03:00 · 91df2a2736
commit 91df2a2736
parent ec8f5041d2
4 changed files with 66 additions and 6 deletions
--- a/flake.lock
+++ b/flake.lock
@ -691,11 +691,11 @@
        "tools": "tools"
      },
      "locked": {
-        "lastModified": 1704819298,
-        "narHash": "sha256-9HqMzusFFykwHkk+7R4WibzYZbaqIuqV0IswHrGn7rk=",
+        "lastModified": 1704875218,
+        "narHash": "sha256-Ag6DfxlMpt08ZQhpe7bt9Fhhj5WyUPnqVvz+01jp3fs=",
        "owner": "RGBCube",
        "repo": "Site",
-        "rev": "2cda7f1edc1f638f190c25d9f01277dd17bb87de",
+        "rev": "658b1f63e63f0f80313b3d5bc5e01c6e2f03704c",
        "type": "github"
      },
      "original": {
--- a/hosts/cube/acme.nix
+++ b/hosts/cube/acme.nix
@ -0,0 +1,16 @@
+{ ulib, ... }: with ulib;
+
+serverSystemConfiguration {
+  security.acme = {
+    acceptTerms = true;
+
+    defaults = {
+      credentialsFile = "/home/cube/.credentials/acme";
+      dnsProvider     = "cloudflare";
+      dnsResolver     = "1.1.1.1";
+      email           = "rgbsphere@gmail.com";
+    };
+
+    certs."rgbcu.be".extraDomainNames = [ "*.rgbcu.be" ];
+  };
+}
--- a/hosts/cube/nginx.nix
+++ b/hosts/cube/nginx.nix
@ -0,0 +1,46 @@
+{ lib, ulib, pkgs, ... }: with ulib;
+
+serverSystemConfiguration {
+  services.nginx = enabled {
+    recommendedGzipSettings  = true;
+    recommendedOptimisation  = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings   = true;
+
+    commonHttpConfig = let
+      fileToList = file: lib.splitString "\n" (builtins.readFile file);
+
+      cloudflareIpsV4 = fileToList (pkgs.fetchurl {
+        url    = "https://www.cloudflare.com/ips-v4";
+        sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
+      });
+      cloudflareIpsV6 = fileToList (pkgs.fetchurl {
+        url    = "https://www.cloudflare.com/ips-v6";
+        sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
+      });
+
+      realIpsFromList = lib.concatMapStringsSep "\n" (ip: "set_real_ip_from ${ip};");
+    in ''
+      ${realIpsFromList cloudflareIpsV4}
+      ${realIpsFromList cloudflareIpsV6}
+      real_ip_header CF-Connecting-IP;
+    '';
+
+    appendHttpConfig = ''
+      map $scheme $hsts_header {
+          https "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      add_header "Referrer-Policy" "no-referrer";
+
+      add_header X-Frame-Options DENY;
+
+      add_header X-Content-Type-Options nosniff;
+
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+}
--- a/hosts/cube/site.nix
+++ b/hosts/cube/site.nix
@ -2,8 +2,6 @@

 serverSystemConfiguration {
  services.site = enabled {
-    httpPort     = 80;
-    httpsPort    = 443;
-    openFirewall = true;
+    configureNginx = true;
  };
 }