tbarnouin/nixos-hypervisor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

First commit

Browse source
This commit is contained in:
Théo BARNOUIN 2024-09-09 10:48:56 +02:00
commit 3c39c5aaa4
9 changed files with 784 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

130
services/nginx/default.nix Normal file
View file

@ -0,0 +1,130 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.vm_nginx;
in
{
options.services.vm_nginx = {
enable = lib.mkEnableOption "Enable minimal config";
};
config = lib.mkIf cfg.enable {
security.acme = {
acceptTerms = true;
defaults.email = "theo.barnouin@le43.eu";
};
services = {
fail2ban = {
jails = {
nginx-http-auth = ''
enabled = true
port = http,https
logpath = /var/log/nginx/*.log
backend = polling
journalmatch =
'';
nginx-botsearch = ''
enabled = true
port = http,https
logpath = /var/log/nginx/*.log
backend = polling
journalmatch =
'';
nginx-bad-request = ''
enabled = true
port = http,https
logpath = /var/log/nginx/*.log
backend = polling
journalmatch =
'';
};
};
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "10000m";
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
client_body_buffer_size 400M;
'';
user = "tbarnouin";
logError = "syslog:server=unix:/dev/log";
commonHttpConfig = ''
access_log syslog:server=unix:/dev/log;
'';
virtualHosts."logs.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.20:3000";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
virtualHosts."play.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.42:8096";
recommendedProxySettings = true;
};
};
virtualHosts."cloud.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.44";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
virtualHosts."collabora.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.46:9980";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
virtualHosts."git.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.14:3000";
recommendedProxySettings = true;
};
};
virtualHosts."authentik.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.41";
recommendedProxySettings = true;
proxyWebsockets = true;
};
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}