mastus: harden SSL config.

Gabriel Ebner 2015-10-25 09:29:49 +01:00
parent 31c9a9e833
commit 8f031c79ca
4 changed files with 36 additions and 5 deletions

@ -8,6 +8,7 @@
./backup.nix ./backup.nix
./mail.nix ./mail.nix
./www.nix
./gogs.nix ./gogs.nix
]; ];
@ -39,8 +40,6 @@
# The NixOS release to be compatible with for stateful data such as databases. # The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "15.09"; system.stateVersion = "15.09";
services.nginx.enable = true;
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
# http # http

@ -72,8 +72,7 @@ in
}; };
}; };
services.nginx.appendConfig = '' services.nginx.httpConfig = ''
http {
server { server {
listen [::]:80; listen [::]:80;
listen 80; listen 80;
@ -90,6 +89,13 @@ in
ssl on; ssl on;
ssl_certificate_key /etc/sslcerts/mastus.key; ssl_certificate_key /etc/sslcerts/mastus.key;
ssl_certificate /etc/sslcerts/git.cert; ssl_certificate /etc/sslcerts/git.cert;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
location / { location / {
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
@ -108,6 +114,5 @@ in
upstream gogs { upstream gogs {
server 127.0.0.1:${toString gogsPort}; server 127.0.0.1:${toString gogsPort};
} }
}
''; '';
} }
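Review bot: `ssl_stapling_verify on;` in the hunk at -90,6 +89,13 is added without a `resolver` directive or an `ssl_trusted_certificate`, so nginx has no way to look up the OCSP responder for git.cert or to validate the response it gets, and stapling degrades to a warning in the error log rather than a served staple. Add `resolver <dns-server-nginx-can-reach>;` and `ssl_trusted_certificate /etc/sslcerts/<issuer-chain-for-git.cert>;` (placeholders, the chain file is not in this commit) next to the two stapling lines. The new `ssl_protocols TLSv1.1 TLSv1.2;` still admits TLSv1.1; if no client of this host needs it, `ssl_protocols TLSv1.2;` is the tighter setting and matches the cipher list, which is already ECDHE/DHE-AEAD first. The server block continues past the end of the hunk.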

@ -29,6 +29,11 @@
extraConfig = '' extraConfig = ''
mailbox_command = ${pkgs.procmail}/bin/procmail mailbox_command = ${pkgs.procmail}/bin/procmail
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
''; '';
}; };
@ -39,6 +44,9 @@
sslCACert = "/etc/sslcerts/startssl.cert"; sslCACert = "/etc/sslcerts/startssl.cert";
sslServerCert = "/etc/sslcerts/mail.cert"; sslServerCert = "/etc/sslcerts/mail.cert";
sslServerKey = "/etc/sslcerts/mail-dovecot.key"; sslServerKey = "/etc/sslcerts/mail-dovecot.key";
extraConfig = ''
ssl_protocols = !SSLv2 !SSLv3
'';
}; };
services.spamassassin.enable = true; services.spamassassin.enable = true;
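Review bot: The four Postfix `*_tls_protocols` lines added at -29,6 +29,11 deserve a comment on the outbound side, because `smtp_tls_protocols` governs the client-side negotiation and the hunk does not show the security level; if it is the default opportunistic one, a peer that only offers the excluded protocols is likely to end up delivered to in cleartext rather than refused, which is the opposite of what a "harden" commit reads as. Suggested comment above `smtp_tls_protocols=!SSLv2,!SSLv3`: `# outbound TLS is opportunistic: excluding a protocol here does not force TLS, it only shapes the handshake when one happens`. The Dovecot `ssl_protocols = !SSLv2 !SSLv3` line is server-side only and does not carry this caveat.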

19
mastus/www.nix Normal file

@ -0,0 +1,19 @@
{ config, pkgs, ... }:
{
systemd.services.createNginxDH = {
path = [ pkgs.openssl ];
serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; };
wantedBy = [ "nginx.service" ];
script = ''
if [ ! -f /etc/nginx/dhparam.pem ]; then
mkdir -p /etc/nginx/
openssl dhparam 2048 >/etc/nginx/dhparam.pem
fi
'';
};
services.nginx = {
enable = true;
};
}
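Review bot: `wantedBy = [ "nginx.service" ]` on createNginxDH only makes nginx pull the unit in; it does not order it, so nginx can start before `/etc/nginx/dhparam.pem` exists and fail on the `ssl_dhparam` line that this commit adds in gogs.nix — add `before = [ "nginx.service" ];`. The `if [ ! -f … ]` guard is also satisfied by a truncated file left behind when `openssl dhparam 2048` is killed mid-write (generation of a 2048-bit group can take minutes on a small host), after which the broken file is never regenerated and nginx keeps loading it; generating into a temporary path and renaming into place closes that window.
```nix
  systemd.services.createNginxDH = {
    # … unchanged: path, serviceConfig, wantedBy …
    before = [ "nginx.service" ];
    script = ''
      if [ ! -f /etc/nginx/dhparam.pem ]; then
        mkdir -p /etc/nginx/
        openssl dhparam -out /etc/nginx/dhparam.pem.tmp 2048
        mv /etc/nginx/dhparam.pem.tmp /etc/nginx/dhparam.pem
      fi
    '';
  };
```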