nixos/services/nginx.nix

##############################################################################################
# Includes:                                                                                  #
#   - Nginx + SSL config                                                                     #
#   - Gitea                                                                                  #
#   - Hydra                                                                                  #
#   - Nextcloud                                                                              #
#   - Mail ssl root                                                                          #
##############################################################################################

{ config, lib, pkgs, ... }:

with lib;

mkIf (elem "nginx" config.machine.services) {
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
    sslProtocols = "TLSv1.3 TLSv1.2";
    commonHttpConfig = ''
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    '';
    virtualHosts = {
      "${config.machine.domain}" = {
        enableACME = true;
        forceSSL = true;
        root = "/var/www";
      };
      "builder.${config.machine.domain}" = mkIf config.services.hydra.enable {
        enableACME = true;
        forceSSL = true;
        extraConfig = ''
          location / {
            proxy_pass http://${config.services.hydra.listenHost}:${toString config.services.hydra.port};
            proxy_set_header Host $http_host;
            proxy_set_header REMOTE_ADDR $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
          }
        '';
      };
      "cache.${config.machine.domain}" = mkIf config.services.nix-serve.enable {
        enableACME = true;
        forceSSL = true;
        extraConfig = ''
          location / {
            proxy_pass http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port};
            proxy_set_header Host $http_host;
            proxy_set_header REMOTE_ADDR $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
          }
        '';
      };
      "mail.${config.machine.domain}" = mkIf config.mailserver.enable {
        enableACME = true;
        forceSSL = true;
        root = "/var/www";
      };

      "storage.${config.machine.domain}" = mkIf config.services.nextcloud.enable {
        root = pkgs.nextcloud;
        enableACME = config.services.nextcloud.https;
        forceSSL = config.services.nextcloud.https;
        locations = {
          "= /robots.txt" = {
            priority = 100;
            extraConfig = ''
              allow all;
              log_not_found off;
              access_log off;
            '';
          };
          "/" = {
            priority = 200;
            extraConfig = "rewrite ^ /index.php$request_uri;";
          };
          "~ ^/store-apps" = {
            priority = 201;
            extraConfig = "root ${config.services.nextcloud.home};";
          };
          "= /.well-known/carddav" = {
            priority = 210;
            extraConfig = "return 301 $scheme://$host/remote.php/dav;";
          };
          "= /.well-known/caldav" = {
            priority = 210;
            extraConfig = "return 301 $scheme://$host/remote.php/dav;";
          };
          "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/" = {
            priority = 300;
            extraConfig = "deny all;";
          };
          "~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
            priority = 300;
            extraConfig = "deny all;";
          };
          "~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\\.php(?:$|/)" = {
            priority = 500;
            extraConfig = ''
              include ${config.services.nginx.package}/conf/fastcgi.conf;
              fastcgi_split_path_info ^(.+\.php)(/.*)$;
              fastcgi_param PATH_INFO $fastcgi_path_info;
              fastcgi_param HTTPS ${if config.services.nextcloud.https then "on" else "off"};
              fastcgi_param modHeadersAvailable true;
              fastcgi_param front_controller_active true;
              fastcgi_pass unix:/run/phpfpm/nextcloud;
              fastcgi_intercept_errors on;
              fastcgi_request_buffering off;
              fastcgi_read_timeout 120s;
            '';
          };
          "~ ^/(?:updater|ocs-provider|ocm-provider)(?:$|\/)".extraConfig = ''
            try_files $uri/ =404;
            index index.php;
          '';
          "~ \\.(?:css|js|woff2?|svg|gif)$".extraConfig = ''
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463";
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header Referrer-Policy no-referrer;
            access_log off;
          '';
          "~ \\.(?:png|html|ttf|ico|jpg|jpeg)$".extraConfig = ''
            try_files $uri /index.php$request_uri;
            access_log off;
          '';
        };
        extraConfig = ''
          add_header X-Content-Type-Options nosniff;
          add_header X-XSS-Protection "1; mode=block";
          add_header X-Robots-Tag none;
          add_header X-Download-Options noopen;
          add_header X-Permitted-Cross-Domain-Policies none;
          add_header Referrer-Policy no-referrer;
          error_page 403 /core/templates/403.php;
          error_page 404 /core/templates/404.php;
          client_max_body_size ${config.services.nextcloud.maxUploadSize};
          fastcgi_buffers 64 4K;
          fastcgi_hide_header X-Powered-By;
          gzip on;
          gzip_vary on;
          gzip_comp_level 4;
          gzip_min_length 256;
          gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
          gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
          ${optionalString config.services.nextcloud.webfinger ''
            rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
            rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
          ''}
        '';
      };

      "git.${config.machine.domain}" = mkIf config.services.gitea.enable {
        enableACME = true;
        forceSSL = true;
        root = "${config.services.gitea.stateDir}/public";
        extraConfig = ''
          location / {
            try_files maintain.html $uri $uri/index.html @node;
          }

          location @node {
            client_max_body_size 0;
            proxy_pass http://${config.services.gitea.httpAddress}:${toString config.services.gitea.httpPort};
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_max_temp_file_size 0;
            proxy_redirect off;
            proxy_read_timeout 120;
          }
        '';
      };
    };
  };
}
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`##############################################################################################`
			`# Includes: #`
			`# - Nginx + SSL config #`
			`# - Gitea #`
More nginx config dehardcoding. Did some sshd hardening. 2019-03-24 22:55:17 +01:00			`# - Hydra #`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`# - Nextcloud #`
			`# - Mail ssl root #`
			`##############################################################################################`

Hydra kind of works now. Switched to nixos nextcloud module. Renamed some stuff and added kdeconnect firewall rules. Added gvfs modules environmen variable. 2019-03-04 10:35:50 +01:00			`{ config, lib, pkgs, ... }:`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00
Modularized configuration now kind of works. (still need to do some refactoring) 2019-03-20 02:57:59 +01:00			`with lib;`

			`mkIf (elem "nginx" config.machine.services) {`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`services.nginx = {`
			`enable = true;`
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
Updated nginx config; added missing mkIf; added fail2ban to Ophanim's services list. 2019-03-20 04:37:00 +01:00			`recommendedTlsSettings = true;`
			`sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";`
			`sslProtocols = "TLSv1.3 TLSv1.2";`
			`commonHttpConfig = ''`
			`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`
			`'';`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`virtualHosts = {`
Added domain option. Maybe fixed binary cache signing. 2019-03-23 02:50:48 +01:00			`"${config.machine.domain}" = {`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`enableACME = true;`
			`forceSSL = true;`
			`root = "/var/www";`
			`};`
Added domain option. Maybe fixed binary cache signing. 2019-03-23 02:50:48 +01:00			`"builder.${config.machine.domain}" = mkIf config.services.hydra.enable {`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`enableACME = true;`
			`forceSSL = true;`
			`extraConfig = ''`
			`location / {`
Port options in nginx configuration need to strings. 2019-03-25 00:55:34 +01:00			`proxy_pass http://${config.services.hydra.listenHost}:${toString config.services.hydra.port};`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`proxy_set_header Host $http_host;`
			`proxy_set_header REMOTE_ADDR $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto https;`
			`}`
			`'';`
			`};`
Binary Cache should almost work now. Switched to older Kernel on Lilim. 2019-03-27 13:48:09 +01:00			`"cache.${config.machine.domain}" = mkIf config.services.nix-serve.enable {`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`enableACME = true;`
			`forceSSL = true;`
Binary Cache should almost work now. Switched to older Kernel on Lilim. 2019-03-27 13:48:09 +01:00			`extraConfig = ''`
			`location / {`
			`proxy_pass http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port};`
			`proxy_set_header Host $http_host;`
			`proxy_set_header REMOTE_ADDR $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto https;`
			`}`
			`'';`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`};`
Added domain option. Maybe fixed binary cache signing. 2019-03-23 02:50:48 +01:00			`"mail.${config.machine.domain}" = mkIf config.mailserver.enable {`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`enableACME = true;`
			`forceSSL = true;`
Hydra kind of works now. Switched to nixos nextcloud module. Renamed some stuff and added kdeconnect firewall rules. Added gvfs modules environmen variable. 2019-03-04 10:35:50 +01:00			`root = "/var/www";`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`};`

Added domain option. Maybe fixed binary cache signing. 2019-03-23 02:50:48 +01:00			`"storage.${config.machine.domain}" = mkIf config.services.nextcloud.enable {`
Updated nginx config; added missing mkIf; added fail2ban to Ophanim's services list. 2019-03-20 04:37:00 +01:00			`root = pkgs.nextcloud;`
			`enableACME = config.services.nextcloud.https;`
			`forceSSL = config.services.nextcloud.https;`
			`locations = {`
			`"= /robots.txt" = {`
			`priority = 100;`
Hydra kind of works now. Switched to nixos nextcloud module. Renamed some stuff and added kdeconnect firewall rules. Added gvfs modules environmen variable. 2019-03-04 10:35:50 +01:00			`extraConfig = ''`
Updated nginx config; added missing mkIf; added fail2ban to Ophanim's services list. 2019-03-20 04:37:00 +01:00			`allow all;`
			`log_not_found off;`
			`access_log off;`
Hydra kind of works now. Switched to nixos nextcloud module. Renamed some stuff and added kdeconnect firewall rules. Added gvfs modules environmen variable. 2019-03-04 10:35:50 +01:00			`'';`
			`};`
Updated nginx config; added missing mkIf; added fail2ban to Ophanim's services list. 2019-03-20 04:37:00 +01:00			`"/" = {`
			`priority = 200;`
			`extraConfig = "rewrite ^ /index.php$request_uri;";`
			`};`
			`"~ ^/store-apps" = {`
			`priority = 201;`
			`extraConfig = "root ${config.services.nextcloud.home};";`
			`};`
			`"= /.well-known/carddav" = {`
			`priority = 210;`
			`extraConfig = "return 301 $scheme://$host/remote.php/dav;";`
			`};`
			`"= /.well-known/caldav" = {`
			`priority = 210;`
			`extraConfig = "return 301 $scheme://$host/remote.php/dav;";`
			`};`
			`"~ ^/(?:build\|tests\|config\|lib\|3rdparty\|templates\|data)/" = {`
			`priority = 300;`
			`extraConfig = "deny all;";`
			`};`
			`"~ ^/(?:\\.\|autotest\|occ\|issue\|indie\|db_\|console)" = {`
			`priority = 300;`
			`extraConfig = "deny all;";`
			`};`
			`"~ ^/(?:index\|remote\|public\|cron\|core/ajax/update\|status\|ocs/v[12]\|updater/.+\|ocs-provider/.+)\\.php(?:$\|/)" = {`
			`priority = 500;`
			`extraConfig = ''`
			`include ${config.services.nginx.package}/conf/fastcgi.conf;`
			`fastcgi_split_path_info ^(.+\.php)(/.*)$;`
			`fastcgi_param PATH_INFO $fastcgi_path_info;`
			`fastcgi_param HTTPS ${if config.services.nextcloud.https then "on" else "off"};`
			`fastcgi_param modHeadersAvailable true;`
			`fastcgi_param front_controller_active true;`
			`fastcgi_pass unix:/run/phpfpm/nextcloud;`
			`fastcgi_intercept_errors on;`
			`fastcgi_request_buffering off;`
			`fastcgi_read_timeout 120s;`
			`'';`
			`};`
			`"~ ^/(?:updater\|ocs-provider\|ocm-provider)(?:$\|\/)".extraConfig = ''`
			`try_files $uri/ =404;`
			`index index.php;`
			`'';`
			`"~ \\.(?:css\|js\|woff2?\|svg\|gif)$".extraConfig = ''`
			`try_files $uri /index.php$request_uri;`
			`add_header Cache-Control "public, max-age=15778463";`
			`add_header X-Content-Type-Options nosniff;`
			`add_header X-XSS-Protection "1; mode=block";`
			`add_header X-Robots-Tag none;`
			`add_header X-Download-Options noopen;`
			`add_header X-Permitted-Cross-Domain-Policies none;`
			`add_header Referrer-Policy no-referrer;`
			`access_log off;`
			`'';`
			`"~ \\.(?:png\|html\|ttf\|ico\|jpg\|jpeg)$".extraConfig = ''`
			`try_files $uri /index.php$request_uri;`
			`access_log off;`
			`'';`
			`};`
			`extraConfig = ''`
			`add_header X-Content-Type-Options nosniff;`
			`add_header X-XSS-Protection "1; mode=block";`
			`add_header X-Robots-Tag none;`
			`add_header X-Download-Options noopen;`
			`add_header X-Permitted-Cross-Domain-Policies none;`
			`add_header Referrer-Policy no-referrer;`
			`error_page 403 /core/templates/403.php;`
			`error_page 404 /core/templates/404.php;`
			`client_max_body_size ${config.services.nextcloud.maxUploadSize};`
			`fastcgi_buffers 64 4K;`
			`fastcgi_hide_header X-Powered-By;`
			`gzip on;`
			`gzip_vary on;`
			`gzip_comp_level 4;`
			`gzip_min_length 256;`
			`gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;`
			`gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;`
			`${optionalString config.services.nextcloud.webfinger ''`
			`rewrite ^/.well-known/host-meta /public.php?service=host-meta last;`
			`rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;`
			`''}`
			`'';`
			`};`
Hydra kind of works now. Switched to nixos nextcloud module. Renamed some stuff and added kdeconnect firewall rules. Added gvfs modules environmen variable. 2019-03-04 10:35:50 +01:00
Added domain option. Maybe fixed binary cache signing. 2019-03-23 02:50:48 +01:00			`"git.${config.machine.domain}" = mkIf config.services.gitea.enable {`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`enableACME = true;`
			`forceSSL = true;`
Updated nginx config; added missing mkIf; added fail2ban to Ophanim's services list. 2019-03-20 04:37:00 +01:00			`root = "${config.services.gitea.stateDir}/public";`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`extraConfig = ''`
			`location / {`
			`try_files maintain.html $uri $uri/index.html @node;`
			`}`

			`location @node {`
			`client_max_body_size 0;`
Port options in nginx configuration need to strings. 2019-03-25 00:55:34 +01:00			`proxy_pass http://${config.services.gitea.httpAddress}:${toString config.services.gitea.httpPort};`
Fresh repo without sensitive data. 2019-02-26 13:44:40 +01:00			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Forwarded-Ssl on;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_max_temp_file_size 0;`
			`proxy_redirect off;`
			`proxy_read_timeout 120;`
			`}`
			`'';`
			`};`
			`};`
			`};`
			`}`