RGBCube/ncc
1
Fork 0
mirror of https://github.com/RGBCube/ncc synced 2025-07-31 03:57:44 +00:00
Code Issues Activity

Add Nginx, ACME

Browse source
This commit is contained in:
RGBCube 2024-01-10 11:30:52 +03:00
parent ec8f5041d2
commit 91df2a2736
No known key found for this signature in database
4 changed files with 66 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

6
flake.lock generated
View file

@ -691,11 +691,11 @@
"tools": "tools" "tools": "tools"
}, },
"locked": { "locked": {
"lastModified": 1704819298, "lastModified": 1704875218,
"narHash": "sha256-9HqMzusFFykwHkk+7R4WibzYZbaqIuqV0IswHrGn7rk=", "narHash": "sha256-Ag6DfxlMpt08ZQhpe7bt9Fhhj5WyUPnqVvz+01jp3fs=",
"owner": "RGBCube", "owner": "RGBCube",
"repo": "Site", "repo": "Site",
"rev": "2cda7f1edc1f638f190c25d9f01277dd17bb87de", "rev": "658b1f63e63f0f80313b3d5bc5e01c6e2f03704c",
"type": "github" "type": "github"
}, },
"original": { "original": {

16
hosts/cube/acme.nix Normal file
View file

@ -0,0 +1,16 @@
{ ulib, ... }: with ulib;
serverSystemConfiguration {
security.acme = {
acceptTerms = true;
defaults = {
credentialsFile = "/home/cube/.credentials/acme";
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1";
email = "rgbsphere@gmail.com";
};
certs."rgbcu.be".extraDomainNames = [ "*.rgbcu.be" ];
};
}

46
hosts/cube/nginx.nix Normal file
View file

@ -0,0 +1,46 @@
{ lib, ulib, pkgs, ... }: with ulib;
serverSystemConfiguration {
services.nginx = enabled {
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
commonHttpConfig = let
fileToList = file: lib.splitString "\n" (builtins.readFile file);
cloudflareIpsV4 = fileToList (pkgs.fetchurl {
url = "https://www.cloudflare.com/ips-v4";
sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
});
cloudflareIpsV6 = fileToList (pkgs.fetchurl {
url = "https://www.cloudflare.com/ips-v6";
sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
});
realIpsFromList = lib.concatMapStringsSep "\n" (ip: "set_real_ip_from ${ip};");
in ''
${realIpsFromList cloudflareIpsV4}
${realIpsFromList cloudflareIpsV6}
real_ip_header CF-Connecting-IP;
'';
appendHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header "Referrer-Policy" "no-referrer";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
};
}

4
hosts/cube/site.nix
View file

@ -2,8 +2,6 @@
serverSystemConfiguration { serverSystemConfiguration {
services.site = enabled { services.site = enabled {
httpPort = 80; configureNginx = true;
httpsPort = 443;
openFirewall = true;
}; };
} }