mastus: harden SSL config.
parent
31c9a9e833
commit
8f031c79ca
@ -8,6 +8,7 @@
|
||||
./backup.nix
|
||||
|
||||
./mail.nix
|
||||
./www.nix
|
||||
./gogs.nix
|
||||
];
|
||||
|
||||
@ -39,8 +40,6 @@
|
||||
# The NixOS release to be compatible with for stateful data such as databases.
|
||||
system.stateVersion = "15.09";
|
||||
|
||||
services.nginx.enable = true;
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [
|
||||
# http
|
||||
|
@ -72,8 +72,7 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.appendConfig = ''
|
||||
http {
|
||||
services.nginx.httpConfig = ''
|
||||
server {
|
||||
listen [::]:80;
|
||||
listen 80;
|
||||
@ -90,6 +89,13 @@ in
|
||||
ssl on;
|
||||
ssl_certificate_key /etc/sslcerts/mastus.key;
|
||||
ssl_certificate /etc/sslcerts/git.cert;
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
ssl_protocols TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
||||
ssl_prefer_server_ciphers on;
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
location / {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
@ -108,6 +114,5 @@ in
|
||||
upstream gogs {
|
||||
server 127.0.0.1:${toString gogsPort};
|
||||
}
|
||||
}
|
||||
'';
|
||||
}
|
||||
|
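Review bot: In the `@ -90,6 +89,13 @@` hunk, `ssl_stapling_verify on;` has nothing to verify against: nginx only validates OCSP responses when the issuer chain is supplied via `ssl_trusted_certificate`, and `ssl_stapling` itself needs a `resolver` to reach the responder, neither of which appears in the hunk (ignore this if they are set elsewhere in the file). Without them nginx logs a warning at startup and stapling is silently disabled, so the two added directives give no protection; add `ssl_trusted_certificate /etc/sslcerts/<issuer-chain>.pem;` and `resolver <dns-ip>;` next to them (placeholders; use the chain file that matches `git.cert`). Two smaller points in the same hunk: `ssl_protocols TLSv1.1 TLSv1.2;` still permits TLS 1.1, which is deprecated (RFC 8996), so `ssl_protocols TLSv1.2;` is the safer choice unless legacy clients are required. The HSTS header is only emitted on success and redirect responses unless written `add_header Strict-Transport-Security max-age=15768000 always;` (nginx 1.7.5+), and it will be dropped entirely in any `location` block that declares its own `add_header`, which the `location / {` following it may do outside the hunk.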
@ -29,6 +29,11 @@
|
||||
|
||||
extraConfig = ''
|
||||
mailbox_command = ${pkgs.procmail}/bin/procmail
|
||||
|
||||
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
|
||||
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
|
||||
smtpd_tls_protocols=!SSLv2,!SSLv3
|
||||
smtp_tls_protocols=!SSLv2,!SSLv3
|
||||
'';
|
||||
};
|
||||
|
||||
@ -39,6 +44,9 @@
|
||||
sslCACert = "/etc/sslcerts/startssl.cert";
|
||||
sslServerCert = "/etc/sslcerts/mail.cert";
|
||||
sslServerKey = "/etc/sslcerts/mail-dovecot.key";
|
||||
extraConfig = ''
|
||||
ssl_protocols = !SSLv2 !SSLv3
|
||||
'';
|
||||
};
|
||||
|
||||
services.spamassassin.enable = true;
|
||||
|
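Review bot: In the `@ -29,6 +29,11 @@` hunk the four Postfix protocol lists exclude only SSLv2 and SSLv3, so TLS 1.0 and 1.1 stay enabled on both the server (`smtpd_`) and client (`smtp_`) side, and no cipher grade is set to match the nginx change. Leaving them on for opportunistic TLS is a defensible interoperability choice, but the `*_mandatory_*` variants, which only apply when the security level is `encrypt` or stronger, could be tightened to `smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1` plus `smtpd_tls_mandatory_ciphers=high`, with the same for `smtp_`. Whether any of these lines take effect depends on `smtpd_tls_security_level`/`smtp_tls_security_level`, which are not in the hunk, so it is worth confirming TLS is actually enabled for the daemon. The Dovecot line `ssl_protocols = !SSLv2 !SSLv3` in the `@ -39,6 +44,9 @@` hunk has the same scope; note also that Dovecot 2.3 replaced `ssl_protocols` with `ssl_min_protocol`, so the accepted syntax depends on the installed version, which the diff does not show.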
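--- a/mastus/www.nix
+++ b/mastus/www.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+
+{
+systemd.services.createNginxDH = {
+path = [ pkgs.openssl ];
+serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; };
+wantedBy = [ "nginx.service" ];
+script = ''
+if [ ! -f /etc/nginx/dhparam.pem ]; then
+mkdir -p /etc/nginx/
+openssl dhparam 2048 >/etc/nginx/dhparam.pem
+fi
+'';
+};
+
+services.nginx = {
+enable = true;
+};
+}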
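Review bot: `wantedBy = [ "nginx.service" ]` makes nginx pull createNginxDH in but does not order it first, so nginx can start before the oneshot finishes and fail on the missing `/etc/nginx/dhparam.pem` that the `ssl_dhparam` line in the nginx config hunk above references; add `before = [ "nginx.service" ];` (and consider `requiredBy` in place of `wantedBy`, so a failed generation stops nginx rather than letting it come up without the file). The `[ ! -f ... ]` guard combined with a plain redirect also means a run interrupted mid-generation leaves a partial file that every later boot treats as finished; write it atomically with `openssl dhparam -out /etc/nginx/dhparam.pem.tmp 2048 && mv -f /etc/nginx/dhparam.pem.tmp /etc/nginx/dhparam.pem`. Generating 2048-bit parameters can take minutes on small hosts and delays the first nginx start, which is acceptable but deserves a one-line comment in the script.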