gebner
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

mastus: use nginx module

This commit is contained in:
Gabriel Ebner 2019-08-25 18:04:33 +02:00
parent e0fc41f1cc
commit 156181518d
6 changed files with 68 additions and 225 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
mastus/gogs.nix
View File

@ -28,54 +28,18 @@
'';
};
services.nginx.httpConfig = ''
server {
listen [::]:80;
listen 80;
server_name git.gebner.org;
location /.well-known/acme-challenge {
default_type text/plain;
alias /var/lib/acme/www/.well-known/acme-challenge;
}
location / {
rewrite ^(.*) https://$host$1 permanent;
}
}
server {
listen [::]:443;
listen 443;
server_name git.gebner.org;
ssl on;
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_buffering off;
proxy_pass http://gogs;
client_max_body_size 30M;
break;
}
}
upstream gogs {
server 127.0.0.1:${toString config.services.gogs.httpPort};
}
'';
services.nginx = {
recommendedProxySettings = true;
virtualHosts."git.gebner.org" = {
forceSSL = true;
useACMEHost = "gebner.org";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.gogs.httpPort}";
extraConfig = ''
proxy_buffering off;
client_max_body_size 30M;
'';
};
};
};
}

63
mastus/radicale.nix
View File

@ -24,58 +24,15 @@ in
security.acme.certs."gebner.org".extraDomains."radicale.gebner.org" = null;
services.nginx.httpConfig = ''
server {
listen [::]:80;
listen 80;
server_name radicale.gebner.org;
services.nginx = {
recommendedProxySettings = true;
virtualHosts."radicale.gebner.org" = {
forceSSL = true;
useACMEHost = "gebner.org";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString radicalePort}";
};
};
};
location /.well-known/acme-challenge {
default_type text/plain;
alias /var/lib/acme/www/.well-known/acme-challenge;
}
location / {
rewrite ^(.*) https://$host$1 permanent;
}
}
server {
listen [::]:443;
listen 443;
server_name radicale.gebner.org;
ssl on;
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_buffering off;
proxy_connect_timeout 900;
proxy_send_timeout 900;
proxy_read_timeout 900;
send_timeout 900;
proxy_pass http://radicale;
client_max_body_size 30M;
break;
}
}
upstream radicale {
server 127.0.0.1:${toString radicalePort};
}
'';
}

63
mastus/ttrss.nix
View File

@ -68,57 +68,24 @@
security.acme.certs."gebner.org".extraDomains."reader.gebner.org" = null;
services.nginx.httpConfig = ''
server {
listen [::]:80;
listen 80;
server_name reader.gebner.org;
location /.well-known/acme-challenge {
default_type text/plain;
alias /var/lib/acme/www/.well-known/acme-challenge;
}
location / {
rewrite ^(.*) https://$host$1 permanent;
}
}
server {
listen [::]:443;
listen 443;
server_name reader.gebner.org;
ssl on;
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
location / {
root /var/lib/containers/ttrss/var/lib/tt-rss;
index index.php;
}
location /cache {
deny all;
}
location = /config.php {
deny all;
}
location ~ \.php$ {
services.nginx = {
virtualHosts."reader.gebner.org" = {
forceSSL = true;
useACMEHost = "gebner.org";
locations."/" = {
root = "/var/lib/containers/ttrss/var/lib/tt-rss";
index = "index.php";
};
locations."/cache".extraConfig = "deny all;";
locations."= /config.php".extraConfig = "deny all;";
locations."~ \\.php$".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 192.168.100.11:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/lib/tt-rss/$fastcgi_script_name;
include ${pkgs.nginx}/conf/fastcgi_params;
}
}
'';
'';
};
};
}

2
mastus/vmtest.nix
View File

@ -24,7 +24,7 @@ let
environment.systemPackages = with pkgs; [ elinks carddav-util fcgi ];
networking.extraHosts = ''
127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org
127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org gabrielebner.at
# disable letsencrypt
127.0.0.111 acme-v01.api.letsencrypt.org

74
mastus/website.nix
View File

@ -1,65 +1,29 @@
{ config, pkgs, ... }:
{
services.nginx.httpConfig = ''
server {
listen [::]:443;
listen 443;
server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org;
ssl on;
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
services.nginx = {
virtualHosts."gebner.org" = {
useACMEHost = "gebner.org";
forceSSL = true;
root = "/srv/www.gebner.org";
extraConfig = ''
access_log logs/website_access.log;
location / {
rewrite ^(.*) https://gebner.org$1 permanent;
}
}
error_page 404 403 /404.html;
server {
listen [::]:443;
listen 443;
server_name gebner.org;
location / {
try_files $uri $uri/ @not_found;
}
ssl on;
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
root /srv/www.gebner.org;
error_page 404 403 /404.html;
gzip on;
gzip_types image/x-icon image/svg+xml text/css;
brotli on;
brotli_types image/x-icon image/svg+xml text/css;
access_log logs/website_access.log;
location / {
try_files $uri $uri/ @not_found;
}
location @not_found {
try_files /404.cgi =404;
fastcgi_intercept_errors on;
fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
}
}
'';
location @not_found {
try_files /404.cgi =404;
fastcgi_intercept_errors on;
fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
}
'';
};
};
services.fcgiwrap = {
enable = true;

27
mastus/www.nix
View File

@ -16,26 +16,17 @@
services.nginx = {
enable = true;
httpConfig = ''
server {
listen [::]:80;
listen 80;
server_name _;
location /.well-known/acme-challenge {
default_type text/plain;
alias /var/lib/acme/www/.well-known/acme-challenge;
}
recommendedTlsSettings = true;
recommendedOptimisation = true;
location / {
rewrite ^(.*) https://gebner.org$1 permanent;
}
}
'';
package = with pkgs; nginxMainline.override {
modules = [
nginxModules.brotli
];
sslDhparam = "/etc/nginx/dhparam.pem";
virtualHosts."_" = {
default = true;
addSSL = true;
useACMEHost = "gebner.org";
globalRedirect = "gebner.org";
};
};
}