mastus: use nginx module
This commit is contained in:
parent
e0fc41f1cc
commit
156181518d
@ -28,54 +28,18 @@
|
||||
'';
|
||||
};
|
||||
|
||||
services.nginx.httpConfig = ''
|
||||
server {
|
||||
listen [::]:80;
|
||||
listen 80;
|
||||
server_name git.gebner.org;
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type text/plain;
|
||||
alias /var/lib/acme/www/.well-known/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
rewrite ^(.*) https://$host$1 permanent;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen [::]:443;
|
||||
listen 443;
|
||||
server_name git.gebner.org;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
|
||||
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
ssl_protocols TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
||||
ssl_prefer_server_ciphers on;
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
location / {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_redirect off;
|
||||
services.nginx = {
|
||||
recommendedProxySettings = true;
|
||||
virtualHosts."git.gebner.org" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "gebner.org";
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.services.gogs.httpPort}";
|
||||
extraConfig = ''
|
||||
proxy_buffering off;
|
||||
proxy_pass http://gogs;
|
||||
client_max_body_size 30M;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
upstream gogs {
|
||||
server 127.0.0.1:${toString config.services.gogs.httpPort};
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -24,58 +24,15 @@ in
|
||||
|
||||
security.acme.certs."gebner.org".extraDomains."radicale.gebner.org" = null;
|
||||
|
||||
services.nginx.httpConfig = ''
|
||||
server {
|
||||
listen [::]:80;
|
||||
listen 80;
|
||||
server_name radicale.gebner.org;
|
||||
services.nginx = {
|
||||
recommendedProxySettings = true;
|
||||
virtualHosts."radicale.gebner.org" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "gebner.org";
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString radicalePort}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type text/plain;
|
||||
alias /var/lib/acme/www/.well-known/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
rewrite ^(.*) https://$host$1 permanent;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen [::]:443;
|
||||
listen 443;
|
||||
server_name radicale.gebner.org;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
|
||||
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
ssl_protocols TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
||||
ssl_prefer_server_ciphers on;
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
location / {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_redirect off;
|
||||
proxy_buffering off;
|
||||
proxy_connect_timeout 900;
|
||||
proxy_send_timeout 900;
|
||||
proxy_read_timeout 900;
|
||||
send_timeout 900;
|
||||
proxy_pass http://radicale;
|
||||
client_max_body_size 30M;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
upstream radicale {
|
||||
server 127.0.0.1:${toString radicalePort};
|
||||
}
|
||||
'';
|
||||
}
|
||||
|
@ -68,57 +68,24 @@
|
||||
|
||||
security.acme.certs."gebner.org".extraDomains."reader.gebner.org" = null;
|
||||
|
||||
services.nginx.httpConfig = ''
|
||||
server {
|
||||
listen [::]:80;
|
||||
listen 80;
|
||||
server_name reader.gebner.org;
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type text/plain;
|
||||
alias /var/lib/acme/www/.well-known/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
rewrite ^(.*) https://$host$1 permanent;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen [::]:443;
|
||||
listen 443;
|
||||
server_name reader.gebner.org;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
|
||||
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
ssl_protocols TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
||||
ssl_prefer_server_ciphers on;
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
location / {
|
||||
root /var/lib/containers/ttrss/var/lib/tt-rss;
|
||||
index index.php;
|
||||
}
|
||||
|
||||
location /cache {
|
||||
deny all;
|
||||
}
|
||||
location = /config.php {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
services.nginx = {
|
||||
virtualHosts."reader.gebner.org" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "gebner.org";
|
||||
locations."/" = {
|
||||
root = "/var/lib/containers/ttrss/var/lib/tt-rss";
|
||||
index = "index.php";
|
||||
};
|
||||
locations."/cache".extraConfig = "deny all;";
|
||||
locations."= /config.php".extraConfig = "deny all;";
|
||||
locations."~ \\.php$".extraConfig = ''
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass 192.168.100.11:9000;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_param SCRIPT_FILENAME /var/lib/tt-rss/$fastcgi_script_name;
|
||||
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -24,7 +24,7 @@ let
|
||||
environment.systemPackages = with pkgs; [ elinks carddav-util fcgi ];
|
||||
|
||||
networking.extraHosts = ''
|
||||
127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org
|
||||
127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org gabrielebner.at
|
||||
|
||||
# disable letsencrypt
|
||||
127.0.0.111 acme-v01.api.letsencrypt.org
|
||||
|
@ -1,54 +1,17 @@
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
services.nginx.httpConfig = ''
|
||||
server {
|
||||
listen [::]:443;
|
||||
listen 443;
|
||||
server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
|
||||
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
ssl_protocols TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
||||
ssl_prefer_server_ciphers on;
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
location / {
|
||||
rewrite ^(.*) https://gebner.org$1 permanent;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen [::]:443;
|
||||
listen 443;
|
||||
server_name gebner.org;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
|
||||
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
ssl_protocols TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
||||
ssl_prefer_server_ciphers on;
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
root /srv/www.gebner.org;
|
||||
error_page 404 403 /404.html;
|
||||
|
||||
gzip on;
|
||||
gzip_types image/x-icon image/svg+xml text/css;
|
||||
brotli on;
|
||||
brotli_types image/x-icon image/svg+xml text/css;
|
||||
|
||||
services.nginx = {
|
||||
virtualHosts."gebner.org" = {
|
||||
useACMEHost = "gebner.org";
|
||||
forceSSL = true;
|
||||
root = "/srv/www.gebner.org";
|
||||
extraConfig = ''
|
||||
access_log logs/website_access.log;
|
||||
|
||||
error_page 404 403 /404.html;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ @not_found;
|
||||
}
|
||||
@ -58,8 +21,9 @@
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.fcgiwrap = {
|
||||
enable = true;
|
||||
|
@ -16,26 +16,17 @@
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
httpConfig = ''
|
||||
server {
|
||||
listen [::]:80;
|
||||
listen 80;
|
||||
server_name _;
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type text/plain;
|
||||
alias /var/lib/acme/www/.well-known/acme-challenge;
|
||||
}
|
||||
recommendedTlsSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
|
||||
location / {
|
||||
rewrite ^(.*) https://gebner.org$1 permanent;
|
||||
}
|
||||
}
|
||||
'';
|
||||
package = with pkgs; nginxMainline.override {
|
||||
modules = [
|
||||
nginxModules.brotli
|
||||
];
|
||||
sslDhparam = "/etc/nginx/dhparam.pem";
|
||||
|
||||
virtualHosts."_" = {
|
||||
default = true;
|
||||
addSSL = true;
|
||||
useACMEHost = "gebner.org";
|
||||
globalRedirect = "gebner.org";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user