diff options
| -rw-r--r-- | hosts/p-body/default.nix | 81 | ||||
| -rw-r--r-- | hosts/p-body/nginx.nix | 73 |
2 files changed, 80 insertions, 74 deletions
diff --git a/hosts/p-body/default.nix b/hosts/p-body/default.nix index 56ba2a6..16128e4 100644 --- a/hosts/p-body/default.nix +++ b/hosts/p-body/default.nix @@ -7,6 +7,7 @@ }: { imports = [ (modulesPath + "/virtualisation/digital-ocean-image.nix") + ./nginx.nix ]; _module.args.nixinate = { @@ -17,84 +18,16 @@ hermetic = false; }; - networking.hostName = "p-body"; + networking = { + domain = "167.99.145.73"; + hostName = "p-body"; + }; services = { - #caddy = { - # enable = true; - - # email = "[email protected]"; - - # logFormat = '' - # output stdout - # format json - # ''; - - # extraConfig = '' - # (strip-www) { - # redir https://{args.0}{uri} - # } - - # (common_domain) { - # encode gzip - - # handle { - # try_files {path} {path}/ - # } - - # handle_errors { - # @404 { - # expression {http.error.status_code} == 404 - # } - # rewrite @404 /404.html - # file_server - # } - # } - - # (no_embeds) { - # header /{args.0} X-Frame-Options DENY - # } - - # (container_proxy) { - # handle_path /{args.0}/* { - # reverse_proxy {args.1} - # } - # } - # ''; - - # globalConfig = '' - # auto_https off - # ''; - - # virtualHosts = { - # guzzle = rec { - # hostName = "167.99.145.73"; - - # serverAliases = [ - # "www.${hostName}" - # ]; - - # extraConfig = '' - # root * /var/www - # import common_domain - - # file_server - - # import container_proxy api :8000 - # ''; - - # listenAddresses = [ - # "127.0.0.1" - # "::1" - # ]; - # }; - # }; - #}; - guzzle-api = { enable = true; - url = "http://167.99.145.73"; - port = "80"; + url = "http://" + config.networking.domain; + port = "8080"; package = guzzle_api.packages.x86_64-linux.guzzle-api-server; }; }; diff --git a/hosts/p-body/nginx.nix b/hosts/p-body/nginx.nix new file mode 100644 index 0000000..328e6e4 --- /dev/null +++ b/hosts/p-body/nginx.nix @@ -0,0 +1,73 @@ +{config, ...}: let + inherit (config.networking) domain; +in { + security.acme = { + acceptTerms = true; + defaults.email = "[email protected]"; + }; + + services.nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + commonHttpConfig = '' + + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # Enable XSS protection of the browser. + # May be unnecessary when CSP is configured properly (see above) + add_header X-XSS-Protection "1; mode=block"; + + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + + ''; + + virtualHosts = let + common = { + forceSSL = false; + enableACME = false; + }; + + mkProxy = endpoint: port: { + "${endpoint}".proxyPass = "http://127.0.0.1:${port}"; + }; + in { + "${domain}" = { + inherit (common) enableACME forceSSL; + + default = true; + serverAliases = ["www.${domain}"]; + + locations = mkProxy "/" config.services.guzzle-api.port; + #{ + # "/" = { + # root = "/var/www"; + # }; + #}; + #// mkProxy "/api" config.services.guzzle-api.port; + }; + }; + }; +} |