Changed shell color for Ophanim. Fixed nix-serve. Improved nginx security.

2019-04-03 00:06:08 +02:00 · 2019-04-03 00:06:08 +02:00 · 3ea4cf2954
parent 782cd1efae
commit 3ea4cf2954
4 changed files with 15 additions and 6 deletions
--- a/machines/Ophanim/configuration.nix
+++ b/machines/Ophanim/configuration.nix
@ -19,11 +19,11 @@
 #      userlist = [];
 #    };
  services.haveged.enable = true;
-  programs.zsh.interactiveShellInit = "PROMPT='%(!.%{$fg_bold[red]%}.%{$fg_bold[cyan]%}%n@)%m %{$fg_bold[magenta]%}%(!.%1~.%~) $(git_prompt_info)%_$(prompt_char)%{$reset_color%} '"
+  programs.zsh.promptInit = "PROMPT='%(!.%{$fg_bold[red]%}.%{$fg_bold[cyan]%}%n@)%m %{$fg_bold[magenta]%}%(!.%1~.%~) $(git_prompt_info)%_$(prompt_char)%{$reset_color%} '";
  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
-  system.stateVersion = "18.09";
+  system.stateVersion = "19.03";

 }
--- a/pkgs/pkgsets.nix
+++ b/pkgs/pkgsets.nix
@ -223,6 +223,7 @@ let

  server = with pkgs; [
    audit
+    (gitpkgs.jekyll.override { withOptionalDependencies = true; })
    letsencrypt
    php
    simp_le
--- a/services/hydra.nix
+++ b/services/hydra.nix
@ -46,7 +46,7 @@ mkIf (elem "hydra" config.machine.services) rec {

  services.nix-serve = {
    enable = true;
-    bindAddress = "172.0.0.1";
+    bindAddress = "0.0.0.0";
    port = 5000;
    secretKeyFile = "/secret/hydra_cache";
    extraParams = ''
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -21,7 +21,14 @@ mkIf (elem "nginx" config.machine.services) {
    sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
    sslProtocols = "TLSv1.3 TLSv1.2";
    commonHttpConfig = ''
-      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+      add_header X-Frame-Options DENY;
+      add_header X-Content-Type-Options nosniff;
+      add_header X-XSS-Protection "1; mode=block";
    '';
    virtualHosts = {
      "${config.machine.domain}" = {
@ -55,10 +62,10 @@ mkIf (elem "nginx" config.machine.services) {
          }
        '';
      };
-      "mail.${config.machine.domain}" = mkIf config.mailserver.enable {
+      "${config.mailserver.fqdn}" = mkIf config.mailserver.enable {
+        serverName = config.mailserver.fqdn;
        enableACME = true;
        forceSSL = true;
-        root = "/var/www";
      };

      "storage.${config.machine.domain}" = mkIf config.services.nextcloud.enable {
@ -134,6 +141,7 @@ mkIf (elem "nginx" config.machine.services) {
          '';
        };
        extraConfig = ''
+          add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
          add_header X-Content-Type-Options nosniff;
          add_header X-XSS-Protection "1; mode=block";
          add_header X-Robots-Tag none;