nixos-hypervisor/services/nginx/default.nix

{ config, pkgs, lib, ... }:
let
  cfg = config.services.vm_nginx;
in
{
  options.services.vm_nginx = {
    enable = lib.mkEnableOption "Enable minimal config";
  };
  config = lib.mkIf cfg.enable {
    security.acme = {
      acceptTerms = true;
      defaults.email = "theo.barnouin@le43.eu";
      certs."authentik.le43.eu".extraDomainNames = [
        "le43.eu"
      ];
    };
    services = {
      fail2ban = {
        jails = {
          nginx-http-auth = ''
            enabled  = true
            port     = http,https
            logpath  = /var/log/nginx/*.log
            skip_if_nologs = true
            backend  = polling
            journalmatch =
          '';
          nginx-botsearch = ''
            enabled  = true
            port     = http,https
            logpath  = /var/log/nginx/*.log
            skip_if_nologs = true
            backend  = polling
            journalmatch =
          '';
          nginx-bad-request = ''
            enabled  = true
            port     = http,https
            logpath  = /var/log/nginx/*.log
            skip_if_nologs = true
            backend  = polling
            journalmatch =
          '';
        };
      };
      nginx = {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        clientMaxBodySize = "10000m";
        sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
        appendHttpConfig = ''
          # Add HSTS header with preloading to HTTPS requests.
          # Adding this header to HTTP requests is discouraged
          map $scheme $hsts_header {
              https   "max-age=31536000; includeSubdomains; preload";
          }
          add_header Strict-Transport-Security $hsts_header;

          # Enable CSP for your services.
          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
          add_header Content-Security-Policy "frame-ancestors self *.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;";


          # Minimize information leaked to other domains
          add_header 'Referrer-Policy' 'origin-when-cross-origin';

          # Disable embedding as a frame
          #add_header X-Frame-Options SAMEORIGIN;

          # Prevent injection of code in other mime types (XSS Attacks)
          add_header X-Content-Type-Options nosniff;
          client_body_buffer_size 400M;
        '';
        user = "tbarnouin";
        logError = "syslog:server=unix:/dev/log";
        commonHttpConfig = ''
          access_log syslog:server=unix:/dev/log;
        '';
        virtualHosts = {
          "le43.eu" = {
            forceSSL = true;
            enableACME = true;
            globalRedirect = "authentik.le43.eu";
          };
          "logs.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.27:3000";
              proxyWebsockets = true;
              recommendedProxySettings = true;
            };
          };
          "play.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.42:8096";
              recommendedProxySettings = true;
            };
          };
          "cloud.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.45";
              proxyWebsockets = true;
              recommendedProxySettings = true;
            };
          };
          "office.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.125:8000";
              proxyWebsockets = true;
              recommendedProxySettings = true;
            };
          };
          "git.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.14:3000";
              recommendedProxySettings = true;
            };
          };
          "authentik.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.125:9000";
              recommendedProxySettings = true;
              proxyWebsockets = true;
            };
          };
          "uptime.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.90:3001";
              recommendedProxySettings = true;
              proxyWebsockets = true;
            };
          };
        };
      };
    };
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}
First commit 2024-09-09 10:48:56 +02:00			`{ config, pkgs, lib, ... }:`
			`let`
			`cfg = config.services.vm_nginx;`
			`in`
			`{`
			`options.services.vm_nginx = {`
			`enable = lib.mkEnableOption "Enable minimal config";`
			`};`
			`config = lib.mkIf cfg.enable {`
			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "theo.barnouin@le43.eu";`
Redirect le43.eu to authentik hompage 2024-10-18 14:15:03 +02:00			`certs."authentik.le43.eu".extraDomainNames = [`
			`"le43.eu"`
			`];`
First commit 2024-09-09 10:48:56 +02:00			`};`
			`services = {`
			`fail2ban = {`
			`jails = {`
			`nginx-http-auth = ''`
			`enabled = true`
			`port = http,https`
			`logpath = /var/log/nginx/*.log`
Skip fail2ban ERROR if nginx log does not exist at boot 2024-10-13 18:11:53 +02:00			`skip_if_nologs = true`
First commit 2024-09-09 10:48:56 +02:00			`backend = polling`
			`journalmatch =`
			`'';`
			`nginx-botsearch = ''`
			`enabled = true`
			`port = http,https`
			`logpath = /var/log/nginx/*.log`
Skip fail2ban ERROR if nginx log does not exist at boot 2024-10-13 18:11:53 +02:00			`skip_if_nologs = true`
First commit 2024-09-09 10:48:56 +02:00			`backend = polling`
			`journalmatch =`
			`'';`
			`nginx-bad-request = ''`
			`enabled = true`
			`port = http,https`
			`logpath = /var/log/nginx/*.log`
Skip fail2ban ERROR if nginx log does not exist at boot 2024-10-13 18:11:53 +02:00			`skip_if_nologs = true`
First commit 2024-09-09 10:48:56 +02:00			`backend = polling`
			`journalmatch =`
			`'';`
			`};`
			`};`
			`nginx = {`
			`enable = true;`
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`
			`clientMaxBodySize = "10000m";`
			`sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";`
			`appendHttpConfig = ''`
			`# Add HSTS header with preloading to HTTPS requests.`
			`# Adding this header to HTTP requests is discouraged`
			`map $scheme $hsts_header {`
			`https "max-age=31536000; includeSubdomains; preload";`
			`}`
			`add_header Strict-Transport-Security $hsts_header;`
Change authentik IP in nginx vshosts 2024-10-16 11:19:20 +02:00
First commit 2024-09-09 10:48:56 +02:00			`# Enable CSP for your services.`
			`#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;`
Functioning OAuth for grafana 2025-01-08 12:57:14 +01:00			`add_header Content-Security-Policy "frame-ancestors self *.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;";`
Update everyone to 24.11 2025-01-08 10:02:38 +01:00
Change authentik IP in nginx vshosts 2024-10-16 11:19:20 +02:00
First commit 2024-09-09 10:48:56 +02:00			`# Minimize information leaked to other domains`
			`add_header 'Referrer-Policy' 'origin-when-cross-origin';`
Change authentik IP in nginx vshosts 2024-10-16 11:19:20 +02:00
First commit 2024-09-09 10:48:56 +02:00			`# Disable embedding as a frame`
Update everyone to 24.11 2025-01-08 10:02:38 +01:00			`#add_header X-Frame-Options SAMEORIGIN;`
Change authentik IP in nginx vshosts 2024-10-16 11:19:20 +02:00
First commit 2024-09-09 10:48:56 +02:00			`# Prevent injection of code in other mime types (XSS Attacks)`
			`add_header X-Content-Type-Options nosniff;`
			`client_body_buffer_size 400M;`
			`'';`
			`user = "tbarnouin";`
			`logError = "syslog:server=unix:/dev/log";`
			`commonHttpConfig = ''`
			`access_log syslog:server=unix:/dev/log;`
			`'';`
Redirect le43.eu to authentik hompage 2024-10-18 14:15:03 +02:00			`virtualHosts = {`
			`"le43.eu" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`globalRedirect = "authentik.le43.eu";`
First commit 2024-09-09 10:48:56 +02:00			`};`
Redirect le43.eu to authentik hompage 2024-10-18 14:15:03 +02:00			`"logs.le43.eu" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
Update nginx vhosts to serve grafana LXC 2024-10-23 15:52:46 +02:00			`proxyPass = "http://192.168.1.27:3000";`
Redirect le43.eu to authentik hompage 2024-10-18 14:15:03 +02:00			`proxyWebsockets = true;`
			`recommendedProxySettings = true;`
			`};`
First commit 2024-09-09 10:48:56 +02:00			`};`
Redirect le43.eu to authentik hompage 2024-10-18 14:15:03 +02:00			`"play.le43.eu" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://192.168.1.42:8096";`
			`recommendedProxySettings = true;`
			`};`
First commit 2024-09-09 10:48:56 +02:00			`};`
Redirect le43.eu to authentik hompage 2024-10-18 14:15:03 +02:00			`"cloud.le43.eu" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
Change nextcloud host 2024-11-09 14:40:56 +01:00			`proxyPass = "http://192.168.1.45";`
Redirect le43.eu to authentik hompage 2024-10-18 14:15:03 +02:00			`proxyWebsockets = true;`
			`recommendedProxySettings = true;`
			`};`
First commit 2024-09-09 10:48:56 +02:00			`};`
Add onlyoffice service 2025-01-07 13:55:31 +01:00			`"office.le43.eu" = {`
Redirect le43.eu to authentik hompage 2024-10-18 14:15:03 +02:00			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
Use OnlyOffice docker until nixpkgs is fixed 2025-01-08 11:23:32 +01:00			`proxyPass = "http://192.168.1.125:8000";`
Redirect le43.eu to authentik hompage 2024-10-18 14:15:03 +02:00			`proxyWebsockets = true;`
			`recommendedProxySettings = true;`
			`};`
First commit 2024-09-09 10:48:56 +02:00			`};`
Redirect le43.eu to authentik hompage 2024-10-18 14:15:03 +02:00			`"git.le43.eu" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://192.168.1.14:3000";`
			`recommendedProxySettings = true;`
			`};`
First commit 2024-09-09 10:48:56 +02:00			`};`
Redirect le43.eu to authentik hompage 2024-10-18 14:15:03 +02:00			`"authentik.le43.eu" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://192.168.1.125:9000";`
			`recommendedProxySettings = true;`
			`proxyWebsockets = true;`
			`};`
			`};`
Add kuma to nginx vhosts 2024-10-18 15:34:02 +02:00			`"uptime.le43.eu" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://192.168.1.90:3001";`
			`recommendedProxySettings = true;`
			`proxyWebsockets = true;`
			`};`
			`};`
Add netbox vhost in nginx config 2024-09-20 10:50:59 +02:00			`};`
First commit 2024-09-09 10:48:56 +02:00			`};`
			`};`
			`networking.firewall.allowedTCPPorts = [ 80 443 ];`
			`};`
			`}`