Add Nginx, ACME
This commit is contained in:
parent
ec8f5041d2
commit
91df2a2736
4 changed files with 66 additions and 6 deletions
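--- /dev/null
+++ b/hosts/cube/acme.nix
@@ -0,0 +1,16 @@
+{ ulib, ... }: with ulib;
+
+serverSystemConfiguration {
+  security.acme = {
+    acceptTerms = true;
+
+    defaults = {
+      credentialsFile = "/home/cube/.credentials/acme";
+      dnsProvider = "cloudflare";
+      dnsResolver = "1.1.1.1";
+      email = "rgbsphere@gmail.com";
+    };
+
+    certs."rgbcu.be".extraDomainNames = [ "*.rgbcu.be" ];
+  };
+}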
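Review bot: `credentialsFile = "/home/cube/.credentials/acme"` points the ACME renewal service at a file inside a user's home directory; the NixOS ACME module runs its renewal units as a dedicated `acme` user by default, so unless that user has been granted read access to the file and traversal of `/home/cube` the DNS-01 challenge will fail at renewal time rather than at build time — the rest of the host config is not visible here, so this may already be handled. The Cloudflare token in that file will have DNS-write scope on the zone, so it is worth keeping it root-owned with mode 0640 and group `acme`, or sourcing it from a secrets manager, rather than leaving it under a home directory. A one-line comment on that line, `# must be readable by the acme service user; holds a DNS-write Cloudflare token`, would make the requirement explicit for the next edit.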
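--- /dev/null
+++ b/hosts/cube/nginx.nix
@@ -0,0 +1,46 @@
+{ lib, ulib, pkgs, ... }: with ulib;
+
+serverSystemConfiguration {
+  services.nginx = enabled {
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    commonHttpConfig = let
+      fileToList = file: lib.splitString "\n" (builtins.readFile file);
+
+      cloudflareIpsV4 = fileToList (pkgs.fetchurl {
+        url = "https://www.cloudflare.com/ips-v4";
+        sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
+      });
+      cloudflareIpsV6 = fileToList (pkgs.fetchurl {
+        url = "https://www.cloudflare.com/ips-v6";
+        sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
+      });
+
+      realIpsFromList = lib.concatMapStringsSep "\n" (ip: "set_real_ip_from ${ip};");
+    in ''
+      ${realIpsFromList cloudflareIpsV4}
+      ${realIpsFromList cloudflareIpsV6}
+      real_ip_header CF-Connecting-IP;
+    '';
+
+    appendHttpConfig = ''
+      map $scheme $hsts_header {
+        https "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      add_header "Referrer-Policy" "no-referrer";
+
+      add_header X-Frame-Options DENY;
+
+      add_header X-Content-Type-Options nosniff;
+
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+}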
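Review bot: The security headers in `appendHttpConfig` are set at the `http` level with `add_header`, which nginx does not merge downward: any `server` or `location` block that declares even one `add_header` of its own drops every inherited header, so HSTS, CSP, X-Frame-Options and nosniff silently vanish on exactly the vhosts that customise headers (whether the `services.site` module or anything using `configureNginx = true` does so is not visible here). Worth recording with a comment above the first `add_header`, `# add_header is not inherited into server/location blocks that set their own add_header; re-declare these there`, and checking the generated config with `nginx -T` per vhost. Separately, `fileToList` splits on `"\n"` without dropping empty elements, so if the fetched Cloudflare list ends in a newline (or ever gains one when the hash is bumped) the result includes a bare `set_real_ip_from ;`, which nginx rejects at config test; `fileToList = file: lib.filter (s: s != "") (lib.splitString "\n" (builtins.readFile file));` makes it robust. Note also that `proxy_cookie_path` appends `HttpOnly` and `SameSite=strict` to every proxied cookie, which will break cross-site flows such as OAuth/OIDC callbacks and any cookie front-end JavaScript needs to read — a reasonable default, but it should be documented as something a vhost may need to override.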
|
@ -2,8 +2,6 @@
|
|||
|
||||
serverSystemConfiguration {
|
||||
services.site = enabled {
|
||||
httpPort = 80;
|
||||
httpsPort = 443;
|
||||
openFirewall = true;
|
||||
configureNginx = true;
|
||||
};
|
||||
}
|
||||
|
|