gebner
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

mastus: use nginx module

This commit is contained in:
Gabriel Ebner 2019-08-25 18:04:33 +02:00
parent e0fc41f1cc
commit 156181518d
6 changed files with 68 additions and 225 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
mastus/gogs.nix
View File

@ -28,54 +28,18 @@
''; '';
}; };
services.nginx.httpConfig = '' services.nginx = {
server { recommendedProxySettings = true;
listen [::]:80; virtualHosts."git.gebner.org" = {
listen 80; forceSSL = true;
server_name git.gebner.org; useACMEHost = "gebner.org";
locations."/" = {
location /.well-known/acme-challenge { proxyPass = "http://127.0.0.1:${toString config.services.gogs.httpPort}";
default_type text/plain; extraConfig = ''
alias /var/lib/acme/www/.well-known/acme-challenge; proxy_buffering off;
} client_max_body_size 30M;
'';
location / { };
rewrite ^(.*) https://$host$1 permanent; };
} };
}
server {
listen [::]:443;
listen 443;
server_name git.gebner.org;
ssl on;
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_buffering off;
proxy_pass http://gogs;
client_max_body_size 30M;
break;
}
}
upstream gogs {
server 127.0.0.1:${toString config.services.gogs.httpPort};
}
'';
} }

63
mastus/radicale.nix
View File

@ -24,58 +24,15 @@ in
security.acme.certs."gebner.org".extraDomains."radicale.gebner.org" = null; security.acme.certs."gebner.org".extraDomains."radicale.gebner.org" = null;
services.nginx.httpConfig = '' services.nginx = {
server { recommendedProxySettings = true;
listen [::]:80; virtualHosts."radicale.gebner.org" = {
listen 80; forceSSL = true;
server_name radicale.gebner.org; useACMEHost = "gebner.org";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString radicalePort}";
};
};
};
location /.well-known/acme-challenge {
default_type text/plain;
alias /var/lib/acme/www/.well-known/acme-challenge;
}
location / {
rewrite ^(.*) https://$host$1 permanent;
}
}
server {
listen [::]:443;
listen 443;
server_name radicale.gebner.org;
ssl on;
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_buffering off;
proxy_connect_timeout 900;
proxy_send_timeout 900;
proxy_read_timeout 900;
send_timeout 900;
proxy_pass http://radicale;
client_max_body_size 30M;
break;
}
}
upstream radicale {
server 127.0.0.1:${toString radicalePort};
}
'';
} }

63
mastus/ttrss.nix
View File

@ -68,57 +68,24 @@
security.acme.certs."gebner.org".extraDomains."reader.gebner.org" = null; security.acme.certs."gebner.org".extraDomains."reader.gebner.org" = null;
services.nginx.httpConfig = '' services.nginx = {
server { virtualHosts."reader.gebner.org" = {
listen [::]:80; forceSSL = true;
listen 80; useACMEHost = "gebner.org";
server_name reader.gebner.org; locations."/" = {
root = "/var/lib/containers/ttrss/var/lib/tt-rss";
location /.well-known/acme-challenge { index = "index.php";
default_type text/plain; };
alias /var/lib/acme/www/.well-known/acme-challenge; locations."/cache".extraConfig = "deny all;";
} locations."= /config.php".extraConfig = "deny all;";
locations."~ \\.php$".extraConfig = ''
location / {
rewrite ^(.*) https://$host$1 permanent;
}
}
server {
listen [::]:443;
listen 443;
server_name reader.gebner.org;
ssl on;
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
location / {
root /var/lib/containers/ttrss/var/lib/tt-rss;
index index.php;
}
location /cache {
deny all;
}
location = /config.php {
deny all;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 192.168.100.11:9000; fastcgi_pass 192.168.100.11:9000;
fastcgi_index index.php; fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/lib/tt-rss/$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME /var/lib/tt-rss/$fastcgi_script_name;
include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi_params;
} '';
} };
''; };
} }

2
mastus/vmtest.nix
View File

@ -24,7 +24,7 @@ let
environment.systemPackages = with pkgs; [ elinks carddav-util fcgi ]; environment.systemPackages = with pkgs; [ elinks carddav-util fcgi ];
networking.extraHosts = '' networking.extraHosts = ''
127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org 127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org gabrielebner.at
# disable letsencrypt # disable letsencrypt
127.0.0.111 acme-v01.api.letsencrypt.org 127.0.0.111 acme-v01.api.letsencrypt.org

74
mastus/website.nix
View File

@ -1,65 +1,29 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
services.nginx.httpConfig = ''
server {
listen [::]:443;
listen 443;
server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org;
ssl on; services.nginx = {
ssl_certificate_key /var/lib/acme/gebner.org/key.pem; virtualHosts."gebner.org" = {
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem; useACMEHost = "gebner.org";
ssl_dhparam /etc/nginx/dhparam.pem; forceSSL = true;
ssl_protocols TLSv1.1 TLSv1.2; root = "/srv/www.gebner.org";
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; extraConfig = ''
ssl_prefer_server_ciphers on; access_log logs/website_access.log;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
location / { error_page 404 403 /404.html;
rewrite ^(.*) https://gebner.org$1 permanent;
}
}
server { location / {
listen [::]:443; try_files $uri $uri/ @not_found;
listen 443; }
server_name gebner.org;
ssl on; location @not_found {
ssl_certificate_key /var/lib/acme/gebner.org/key.pem; try_files /404.cgi =404;
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem; fastcgi_intercept_errors on;
ssl_dhparam /etc/nginx/dhparam.pem; fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
ssl_protocols TLSv1.1 TLSv1.2; }
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; '';
ssl_prefer_server_ciphers on; };
add_header Strict-Transport-Security max-age=15768000; };
ssl_stapling on;
ssl_stapling_verify on;
root /srv/www.gebner.org;
error_page 404 403 /404.html;
gzip on;
gzip_types image/x-icon image/svg+xml text/css;
brotli on;
brotli_types image/x-icon image/svg+xml text/css;
access_log logs/website_access.log;
location / {
try_files $uri $uri/ @not_found;
}
location @not_found {
try_files /404.cgi =404;
fastcgi_intercept_errors on;
fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
}
}
'';
services.fcgiwrap = { services.fcgiwrap = {
enable = true; enable = true;

27
mastus/www.nix
View File

@ -16,26 +16,17 @@
services.nginx = { services.nginx = {
enable = true; enable = true;
httpConfig = ''
server {
listen [::]:80;
listen 80;
server_name _;
location /.well-known/acme-challenge { recommendedTlsSettings = true;
default_type text/plain; recommendedOptimisation = true;
alias /var/lib/acme/www/.well-known/acme-challenge;
}
location / { sslDhparam = "/etc/nginx/dhparam.pem";
rewrite ^(.*) https://gebner.org$1 permanent;
} virtualHosts."_" = {
} default = true;
''; addSSL = true;
package = with pkgs; nginxMainline.override { useACMEHost = "gebner.org";
modules = [ globalRedirect = "gebner.org";
nginxModules.brotli
];
}; };
}; };
} }