Updated nginx config; added missing mkIf; added fail2ban to Ophanim's services list.

2019-03-20 04:37:00 +01:00 · 2019-03-20 04:37:00 +01:00 · 63e40a5a29
commit 63e40a5a29
parent 14332b2c7b
4 changed files with 111 additions and 104 deletions
--- a/machines/Ophanim/configuration.nix
+++ b/machines/Ophanim/configuration.nix
@ -1,4 +1,4 @@
-{ config, lib }:
+{ config, lib, ... }:

 with lib;

@ -12,9 +12,8 @@ with lib;
    hostName = "Ophanim";
    allowUnfree = true;
    conffiles = [
-      "etcfiles"
      "etcvars"
-      "fonts"
+      "security"
      "zsh"
    ];
    pkgs = [
@ -23,6 +22,7 @@ with lib;
      "server"
    ];
    services = [
+      "fail2ban"
      "gitea"
      "hydra"
      "mailserver"
--- a/services/mariaDB.nix
+++ b/services/mariaDB.nix
@ -8,14 +8,14 @@ in mkIf (elem "mariaDB" config.machine.services) {
  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
-    initialDatabases = [ mkIf config.services.gitea.enable {
+    initialDatabases = if config.services.gitea.enable then [ {
      name = "gitea";
      schema = pkgs.writeText "gitea.sql"
      ''
        create user if not exists 'git'@'localhost' identified by ${giteapwd};
        grant all privileges on gitea.* to 'git'@'localhost' identified by ${giteapwd};
      '';
-    } ];
+    } ] else [];
  };
 }

--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -16,14 +16,19 @@ mkIf (elem "nginx" config.machine.services) {
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
-    sslCiphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+    recommendedTlsSettings = true;
+    sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
+    sslProtocols = "TLSv1.3 TLSv1.2";
+    commonHttpConfig = ''
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    '';
    virtualHosts = {
      "ophanim.de" = {
        enableACME = true;
        forceSSL = true;
        root = "/var/www";
      };
-      "builder.ophanim.de" = {
+      "builder.ophanim.de" = mkIf config.services.hydra.enable {
        enableACME = true;
        forceSSL = true;
        extraConfig = ''
@ -36,7 +41,7 @@ mkIf (elem "nginx" config.machine.services) {
          }
        '';
      };
-      "cache.ophanim.de" = {
+      "cache.ophanim.de" = mkIf config.services.hydra.enable {
        enableACME = true;
        forceSSL = true;
        root = "/var/cache/hydra";
@ -50,7 +55,7 @@ mkIf (elem "nginx" config.machine.services) {
        root = "/var/www";
      };

-        "${config.services.nextcloud.hostName}" = {
+      "${config.services.nextcloud.hostName}" = mkIf config.services.nextcloud.enable {
        root = pkgs.nextcloud;
        enableACME = config.services.nextcloud.https;
        forceSSL = config.services.nextcloud.https;
@ -140,17 +145,17 @@ mkIf (elem "nginx" config.machine.services) {
          gzip_min_length 256;
          gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
          gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-              ${lib.optionalString config.services.nextcloud.webfinger ''
+          ${optionalString config.services.nextcloud.webfinger ''
            rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
            rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
          ''}
        '';
      };

-      "git.ophanim.de" = {
+      "${config.services.gitea.domain}" = mkIf config.services.gitea.enable {
        enableACME = true;
        forceSSL = true;
-        root = "/var/lib/gitea/public";
+        root = "${config.services.gitea.stateDir}/public";
        extraConfig = ''
          location / {
            try_files maintain.html $uri $uri/index.html @node;
--- a/services/xserver.nix
+++ b/services/xserver.nix
@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:

-{
+with lib;
+
+mkIf (elem "xserver" config.machine.services) {
  services.gnome3.gvfs.enable = true;
  environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gnome3.gvfs}/lib/gio/modules" ];
  services.xserver = {