nixos-hypervisor/services/nginx/default.nix

{ config, pkgs, lib, ... }:
let
  cfg = config.services.vm_nginx;
in
{
  options.services.vm_nginx = {
    enable = lib.mkEnableOption "Enable minimal config";
  };
  config = lib.mkIf cfg.enable {
    security.acme = {
      acceptTerms = true;
      defaults.email = "theo.barnouin@le43.eu";
    };
    services = {
      fail2ban = {
        jails = {
          nginx-http-auth = ''
            enabled  = true
            port     = http,https
            logpath  = /var/log/nginx/*.log
            backend  = polling
            journalmatch =
          '';
          nginx-botsearch = ''
            enabled  = true
            port     = http,https
            logpath  = /var/log/nginx/*.log
            backend  = polling
            journalmatch =
          '';
          nginx-bad-request = ''
            enabled  = true
            port     = http,https
            logpath  = /var/log/nginx/*.log
            backend  = polling
            journalmatch =
          '';
        };
      };
      nginx = {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        clientMaxBodySize = "10000m";
        sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
        appendHttpConfig = ''
          # Add HSTS header with preloading to HTTPS requests.
          # Adding this header to HTTP requests is discouraged
          map $scheme $hsts_header {
              https   "max-age=31536000; includeSubdomains; preload";
          }
          add_header Strict-Transport-Security $hsts_header;
    
          # Enable CSP for your services.
          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    
          # Minimize information leaked to other domains
          add_header 'Referrer-Policy' 'origin-when-cross-origin';
    
          # Disable embedding as a frame
          add_header X-Frame-Options DENY;
    
          # Prevent injection of code in other mime types (XSS Attacks)
          add_header X-Content-Type-Options nosniff;
          client_body_buffer_size 400M;
        '';
        user = "tbarnouin";
        logError = "syslog:server=unix:/dev/log";
        commonHttpConfig = ''
          access_log syslog:server=unix:/dev/log;
        '';
        virtualHosts."logs.le43.eu" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://192.168.1.20:3000";
            proxyWebsockets = true;
            recommendedProxySettings = true;
          };
        };
        virtualHosts."play.le43.eu" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://192.168.1.42:8096";
            recommendedProxySettings = true;
          };
        };
        virtualHosts."cloud.le43.eu" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://192.168.1.44";
            proxyWebsockets = true;
            recommendedProxySettings = true;
          };
        };
        virtualHosts."collabora.le43.eu" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://192.168.1.46:9980";
            proxyWebsockets = true;
            recommendedProxySettings = true;
          };
        };
        virtualHosts."git.le43.eu" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://192.168.1.14:3000";
            recommendedProxySettings = true;
          };
        };
        virtualHosts."authentik.le43.eu" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://192.168.1.41";
            recommendedProxySettings = true;
            proxyWebsockets = true;
          };
        };
      };
    };
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}
First commit 2024-09-09 10:48:56 +02:00			`{ config, pkgs, lib, ... }:`
			`let`
			`cfg = config.services.vm_nginx;`
			`in`
			`{`
			`options.services.vm_nginx = {`
			`enable = lib.mkEnableOption "Enable minimal config";`
			`};`
			`config = lib.mkIf cfg.enable {`
			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "theo.barnouin@le43.eu";`
			`};`
			`services = {`
			`fail2ban = {`
			`jails = {`
			`nginx-http-auth = ''`
			`enabled = true`
			`port = http,https`
			`logpath = /var/log/nginx/*.log`
			`backend = polling`
			`journalmatch =`
			`'';`
			`nginx-botsearch = ''`
			`enabled = true`
			`port = http,https`
			`logpath = /var/log/nginx/*.log`
			`backend = polling`
			`journalmatch =`
			`'';`
			`nginx-bad-request = ''`
			`enabled = true`
			`port = http,https`
			`logpath = /var/log/nginx/*.log`
			`backend = polling`
			`journalmatch =`
			`'';`
			`};`
			`};`
			`nginx = {`
			`enable = true;`
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`
			`clientMaxBodySize = "10000m";`
			`sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";`
			`appendHttpConfig = ''`
			`# Add HSTS header with preloading to HTTPS requests.`
			`# Adding this header to HTTP requests is discouraged`
			`map $scheme $hsts_header {`
			`https "max-age=31536000; includeSubdomains; preload";`
			`}`
			`add_header Strict-Transport-Security $hsts_header;`

			`# Enable CSP for your services.`
			`#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;`

			`# Minimize information leaked to other domains`
			`add_header 'Referrer-Policy' 'origin-when-cross-origin';`

			`# Disable embedding as a frame`
			`add_header X-Frame-Options DENY;`

			`# Prevent injection of code in other mime types (XSS Attacks)`
			`add_header X-Content-Type-Options nosniff;`
			`client_body_buffer_size 400M;`
			`'';`
			`user = "tbarnouin";`
			`logError = "syslog:server=unix:/dev/log";`
			`commonHttpConfig = ''`
			`access_log syslog:server=unix:/dev/log;`
			`'';`
			`virtualHosts."logs.le43.eu" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://192.168.1.20:3000";`
			`proxyWebsockets = true;`
			`recommendedProxySettings = true;`
			`};`
			`};`
			`virtualHosts."play.le43.eu" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://192.168.1.42:8096";`
			`recommendedProxySettings = true;`
			`};`
			`};`
			`virtualHosts."cloud.le43.eu" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://192.168.1.44";`
			`proxyWebsockets = true;`
			`recommendedProxySettings = true;`
			`};`
			`};`
			`virtualHosts."collabora.le43.eu" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://192.168.1.46:9980";`
			`proxyWebsockets = true;`
			`recommendedProxySettings = true;`
			`};`
			`};`
			`virtualHosts."git.le43.eu" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://192.168.1.14:3000";`
			`recommendedProxySettings = true;`
			`};`
			`};`
			`virtualHosts."authentik.le43.eu" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://192.168.1.41";`
			`recommendedProxySettings = true;`
			`proxyWebsockets = true;`
			`};`
			`};`
			`};`
			`};`
			`networking.firewall.allowedTCPPorts = [ 80 443 ];`
			`};`
			`}`