From 3ea4cf295406772939cd0bbf25ce08c5b53bc5ec Mon Sep 17 00:00:00 2001
From: derped
Date: Wed, 3 Apr 2019 00:06:08 +0200
Subject: [PATCH] Changed shell color for Ophanim. Fixed nix-serve. Improved nginx security.
---
 machines/Ophanim/configuration.nix | 4 ++--
 pkgs/pkgsets.nix | 1 +
 services/hydra.nix | 2 +-
 services/nginx.nix | 14 +++++++++++---
 4 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/machines/Ophanim/configuration.nix b/machines/Ophanim/configuration.nix
index 8e0d6d8..af98748 100644
--- a/machines/Ophanim/configuration.nix
+++ b/machines/Ophanim/configuration.nix
@@ -19,11 +19,11 @@
 # userlist = [];
 # };
 services.haveged.enable = true;
- programs.zsh.interactiveShellInit = "PROMPT='%(!.%{$fg_bold[red]%}.%{$fg_bold[cyan]%}%n@)%m %{$fg_bold[magenta]%}%(!.%1~.%~) $(git_prompt_info)%_$(prompt_char)%{$reset_color%} '"
+ programs.zsh.promptInit = "PROMPT='%(!.%{$fg_bold[red]%}.%{$fg_bold[cyan]%}%n@)%m %{$fg_bold[magenta]%}%(!.%1~.%~) $(git_prompt_info)%_$(prompt_char)%{$reset_color%} '";
 # This value determines the NixOS release with which your system is to be
 # compatible, in order to avoid breaking some software such as database
 # servers. You should change this only after NixOS release notes say you
 # should.
- system.stateVersion = "18.09";
+ system.stateVersion = "19.03";
 }
diff --git a/pkgs/pkgsets.nix b/pkgs/pkgsets.nix
index 1c0bd06..8d67e60 100644
--- a/pkgs/pkgsets.nix
+++ b/pkgs/pkgsets.nix
@@ -223,6 +223,7 @@ let
 server = with pkgs; [
 audit
+ (gitpkgs.jekyll.override { withOptionalDependencies = true; })
 letsencrypt
 php
 simp_le
diff --git a/services/hydra.nix b/services/hydra.nix
index 03ad59c..739bad1 100644
--- a/services/hydra.nix
+++ b/services/hydra.nix
@@ -46,7 +46,7 @@ mkIf (elem "hydra" config.machine.services) rec {
 services.nix-serve = {
 enable = true;
- bindAddress = "172.0.0.1";
+ bindAddress = "0.0.0.0";
 port = 5000;
 secretKeyFile = "/secret/hydra_cache";
 extraParams = ''
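Review bot: The new `programs.zsh.promptInit` value calls `git_prompt_info` and `prompt_char`, which are oh-my-zsh helper functions, and `promptInit` is evaluated in every interactive zsh, so unless `programs.zsh.ohMyZsh` is enabled somewhere outside this hunk every prompt will print two "command not found" errors. A one-line comment above the assignment, such as `# requires programs.zsh.ohMyZsh (git_prompt_info / prompt_char come from its lib)`, would make that dependency visible where the prompt is defined. The `system.stateVersion` bump to 19.03 in the same hunk sits directly under the comment saying it should only change when the release notes call for it; bundling it with a prompt-colour change makes that decision hard to audit later, so it deserves its own commit or at least a line in the commit message saying which release-notes item prompted it.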
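Review bot: `gitpkgs.jekyll.override { withOptionalDependencies = true; }` adds Jekyll plus all of its optional gem dependencies to the `server` package set, sourced from `gitpkgs` rather than `pkgs`, and nothing in the hunk says why either choice was made or how `gitpkgs` is pinned. Since this set presumably ends up installed on an Internet-facing host (the neighbouring entries are `letsencrypt`, `php`, `simp_le`), the wider gem surface and the unpinned-looking origin are both supply-chain decisions worth recording. A comment on the new line such as `# jekyll with optional plugin gems, needed to build <site>; taken from gitpkgs because pkgs' version lacks <feature>` would do, with the placeholders filled in from the real reason.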
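Review bot: Changing `bindAddress` from `"172.0.0.1"` to `"0.0.0.0"` exposes nix-serve on port 5000 on every interface, over plain HTTP with no authentication, where the old value looks like a typo for the loopback address `127.0.0.1` rather than a deliberate choice to publish the cache. nix-serve hands out any store path on the machine to whoever can fetch it, and on a hydra host that is everything hydra has ever built; `secretKeyFile` only signs what is served, it does not restrict who may ask. The fix that matches the apparent intent is `bindAddress = "127.0.0.1";`, and if remote clients need the cache, an nginx virtual host in `services/nginx.nix` with `forceSSL = true;` proxying to `http://127.0.0.1:5000` keeps it behind TLS. If `0.0.0.0` really is intended, the line needs a comment naming the firewall rule that limits port 5000 to trusted networks, since no `networking.firewall` change is visible in this patch.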
diff --git a/services/nginx.nix b/services/nginx.nix
index a1d4b76..8b0393e 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -21,7 +21,14 @@ mkIf (elem "nginx" config.machine.services) {
 sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
 sslProtocols = "TLSv1.3 TLSv1.2";
 commonHttpConfig = ''
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
 '';
 virtualHosts = {
 "${config.machine.domain}" = {
@@ -55,10 +62,10 @@ mkIf (elem "nginx" config.machine.services) {
 }
 '';
 };
- "mail.${config.machine.domain}" = mkIf config.mailserver.enable {
+ "${config.mailserver.fqdn}" = mkIf config.mailserver.enable {
+ serverName = config.mailserver.fqdn;
 enableACME = true;
 forceSSL = true;
- root = "/var/www";
 };
 "storage.${config.machine.domain}" = mkIf config.services.nextcloud.enable {
@@ -134,6 +141,7 @@ mkIf (elem "nginx" config.machine.services) {
 '';
 };
 extraConfig = ''
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
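Review bot: The new `add_header Strict-Transport-Security $hsts_header;` line drops the `always` that the removed line carried, so nginx will no longer attach HSTS to error responses (without `always`, add_header only applies to 2xx and 3xx status codes); it should read `add_header Strict-Transport-Security $hsts_header always;`. Adding `preload` to the value is a public commitment — once the domain is submitted to the browser preload lists, it and every subdomain are pinned to HTTPS for a long time — so it should only be set if that submission is actually planned, and a comment saying so would stop the next editor from treating it as a free hardening flag. Note also that nginx's add_header directives are not merged across levels: any server or location block that declares its own add_header (as a vhost `extraConfig` later in this file does) silently loses every header set here, so X-Frame-Options, Referrer-Policy and the HSTS map only protect vhosts that set no headers of their own. Keeping the header set in one snippet that is `include`d at each level, rather than in `commonHttpConfig`, avoids that drift.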
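Review bot: `serverName = config.mailserver.fqdn;` is redundant with the attribute name `"${config.mailserver.fqdn}"`, since the NixOS nginx module uses the attribute name as the server name by default, so the line can be dropped. With `root = "/var/www";` removed the vhost has no content of its own, and presumably serves nginx's stock html directory for any path other than the ACME challenge; if its only purpose is to obtain the mail certificate (which is what `enableACME = true;` with no locations suggests), making that explicit with `locations."/".return = "444";` or a redirect to the main site avoids exposing a default page on the mail hostname, and a short comment such as `# exists only to obtain the TLS certificate used by the mailserver` records the intent.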
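Review bot: This `extraConfig` block declares its own `add_header` lines, which in nginx means none of the headers from `commonHttpConfig` are inherited at this level; re-adding HSTS here is the right instinct, but X-Frame-Options and Referrer-Policy are still absent from this block, so this vhost ends up with a weaker set than the global one. Unless this vhost needs framing (the enclosing block starts outside the hunk, so I cannot tell which site it is), add `add_header X-Frame-Options DENY;` and `add_header 'Referrer-Policy' 'origin-when-cross-origin';` alongside the new HSTS line. The HSTS value here also differs from the global map (`always` present, `includeSubDomains` spelled differently, no `$scheme` guard); with `forceSSL` the scheme guard is moot, but a comment noting that this copy intentionally duplicates the global header because of nginx's add_header inheritance rule would stop someone from "deduplicating" it later.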