Changed shell color for Ophanim. Fixed nix-serve. Improved nginx security.
This commit is contained in:
parent
782cd1efae
commit
3ea4cf2954
4 changed files with 15 additions and 6 deletions
|
@ -19,11 +19,11 @@
|
||||||
# userlist = [];
|
# userlist = [];
|
||||||
# };
|
# };
|
||||||
services.haveged.enable = true;
|
services.haveged.enable = true;
|
||||||
programs.zsh.interactiveShellInit = "PROMPT='%(!.%{$fg_bold[red]%}.%{$fg_bold[cyan]%}%n@)%m %{$fg_bold[magenta]%}%(!.%1~.%~) $(git_prompt_info)%_$(prompt_char)%{$reset_color%} '"
|
programs.zsh.promptInit = "PROMPT='%(!.%{$fg_bold[red]%}.%{$fg_bold[cyan]%}%n@)%m %{$fg_bold[magenta]%}%(!.%1~.%~) $(git_prompt_info)%_$(prompt_char)%{$reset_color%} '";
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
# compatible, in order to avoid breaking some software such as database
|
# compatible, in order to avoid breaking some software such as database
|
||||||
# servers. You should change this only after NixOS release notes say you
|
# servers. You should change this only after NixOS release notes say you
|
||||||
# should.
|
# should.
|
||||||
system.stateVersion = "18.09";
|
system.stateVersion = "19.03";
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -223,6 +223,7 @@ let
|
||||||
|
|
||||||
server = with pkgs; [
|
server = with pkgs; [
|
||||||
audit
|
audit
|
||||||
|
(gitpkgs.jekyll.override { withOptionalDependencies = true; })
|
||||||
letsencrypt
|
letsencrypt
|
||||||
php
|
php
|
||||||
simp_le
|
simp_le
|
||||||
|
|
|
@ -46,7 +46,7 @@ mkIf (elem "hydra" config.machine.services) rec {
|
||||||
|
|
||||||
services.nix-serve = {
|
services.nix-serve = {
|
||||||
enable = true;
|
enable = true;
|
||||||
bindAddress = "172.0.0.1";
|
bindAddress = "0.0.0.0";
|
||||||
port = 5000;
|
port = 5000;
|
||||||
secretKeyFile = "/secret/hydra_cache";
|
secretKeyFile = "/secret/hydra_cache";
|
||||||
extraParams = ''
|
extraParams = ''
|
||||||
|
|
|
@ -21,7 +21,14 @@ mkIf (elem "nginx" config.machine.services) {
|
||||||
sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
|
sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
|
||||||
sslProtocols = "TLSv1.3 TLSv1.2";
|
sslProtocols = "TLSv1.3 TLSv1.2";
|
||||||
commonHttpConfig = ''
|
commonHttpConfig = ''
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
map $scheme $hsts_header {
|
||||||
|
https "max-age=31536000; includeSubdomains; preload";
|
||||||
|
}
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
'';
|
'';
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"${config.machine.domain}" = {
|
"${config.machine.domain}" = {
|
||||||
|
@ -55,10 +62,10 @@ mkIf (elem "nginx" config.machine.services) {
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
"mail.${config.machine.domain}" = mkIf config.mailserver.enable {
|
"${config.mailserver.fqdn}" = mkIf config.mailserver.enable {
|
||||||
|
serverName = config.mailserver.fqdn;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
root = "/var/www";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
"storage.${config.machine.domain}" = mkIf config.services.nextcloud.enable {
|
"storage.${config.machine.domain}" = mkIf config.services.nextcloud.enable {
|
||||||
|
@ -134,6 +141,7 @@ mkIf (elem "nginx" config.machine.services) {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
add_header X-Robots-Tag none;
|
add_header X-Robots-Tag none;
|
||||||
|
|
Loading…
Reference in a new issue