derped/nixos
1
0
Fork 0
Code Releases Activity

Merge branch 'master' of ssh://git.ophanim.de/derped/nixos

Browse source
This commit is contained in:
Kevin Baensch 2019-04-07 21:23:32 +02:00
parent 91c957d131 3ea4cf2954
commit 0b3b1ba4af
4 changed files with 15 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
machines/Ophanim/configuration.nix
View file

@ -19,11 +19,11 @@
# userlist = []; # userlist = [];
# }; # };
services.haveged.enable = true; services.haveged.enable = true;
programs.zsh.interactiveShellInit = "PROMPT='%(!.%{$fg_bold[red]%}.%{$fg_bold[cyan]%}%n@)%m %{$fg_bold[magenta]%}%(!.%1~.%~) $(git_prompt_info)%_$(prompt_char)%{$reset_color%} '" programs.zsh.promptInit = "PROMPT='%(!.%{$fg_bold[red]%}.%{$fg_bold[cyan]%}%n@)%m %{$fg_bold[magenta]%}%(!.%1~.%~) $(git_prompt_info)%_$(prompt_char)%{$reset_color%} '";
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database # compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you # servers. You should change this only after NixOS release notes say you
# should. # should.
system.stateVersion = "18.09"; system.stateVersion = "19.03";
} }

1
pkgs/pkgsets.nix
View file

@ -226,6 +226,7 @@ let
server = with pkgs; [ server = with pkgs; [
audit audit
(gitpkgs.jekyll.override { withOptionalDependencies = true; })
letsencrypt letsencrypt
php php
simp_le simp_le

2
services/hydra.nix
View file

@ -46,7 +46,7 @@ mkIf (elem "hydra" config.machine.services) rec {
services.nix-serve = { services.nix-serve = {
enable = true; enable = true;
bindAddress = "172.0.0.1"; bindAddress = "0.0.0.0";
port = 5000; port = 5000;
secretKeyFile = "/secret/hydra_cache"; secretKeyFile = "/secret/hydra_cache";
extraParams = '' extraParams = ''

14
services/nginx.nix
View file

@ -21,7 +21,14 @@ mkIf (elem "nginx" config.machine.services) {
sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
sslProtocols = "TLSv1.3 TLSv1.2"; sslProtocols = "TLSv1.3 TLSv1.2";
commonHttpConfig = '' commonHttpConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
''; '';
virtualHosts = { virtualHosts = {
"${config.machine.domain}" = { "${config.machine.domain}" = {
@ -55,10 +62,10 @@ mkIf (elem "nginx" config.machine.services) {
} }
''; '';
}; };
"mail.${config.machine.domain}" = mkIf config.mailserver.enable { "${config.mailserver.fqdn}" = mkIf config.mailserver.enable {
serverName = config.mailserver.fqdn;
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
root = "/var/www";
}; };
"storage.${config.machine.domain}" = mkIf config.services.nextcloud.enable { "storage.${config.machine.domain}" = mkIf config.services.nextcloud.enable {
@ -134,6 +141,7 @@ mkIf (elem "nginx" config.machine.services) {
''; '';
}; };
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; add_header X-Robots-Tag none;