tlaternet/tlaternet-server
1
0
Fork 0
Code Issues 9 Pull requests Releases Activity

treewide: Refactor nginx config

Browse source
This commit is contained in:
Tristan Daniël Maat 2024-04-13 04:34:53 +02:00
parent 7bb27d9bee
commit 0d43b5177d
Signed by: tlater
GPG key ID: 49670FD774E43268
8 changed files with 68 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
configuration/services/conduit.nix
View file

@ -212,9 +212,9 @@ in {
]; ];
forceSSL = true; forceSSL = true;
enableHSTS = true;
extraConfig = '' extraConfig = ''
merge_slashes off; merge_slashes off;
access_log /var/log/nginx/${domain}/access.log upstream_time;
''; '';
locations = { locations = {

5
configuration/services/foundryvtt.nix
View file

@ -25,10 +25,7 @@ in {
in { in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' enableHSTS = true;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations."/" = { locations."/" = {
proxyWebsockets = true; proxyWebsockets = true;

5
configuration/services/gitea.nix
View file

@ -42,10 +42,7 @@ in {
in { in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' enableHSTS = true;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}"; locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
locations."/metrics" = { locations."/metrics" = {

5
configuration/services/metrics/grafana.nix
View file

@ -39,10 +39,7 @@ in {
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' enableHSTS = true;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
}; };
} }

4
configuration/services/nextcloud.nix
View file

@ -46,9 +46,7 @@ in {
services.nginx.virtualHosts."${hostName}" = { services.nginx.virtualHosts."${hostName}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' # The upstream module already adds HSTS
access_log /var/log/nginx/${hostName}/access.log upstream_time;
'';
}; };
# Block repeated failed login attempts # Block repeated failed login attempts

5
configuration/services/webserver.nix
View file

@ -17,10 +17,7 @@ in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' enableHSTS = true;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations."/".proxyPass = "http://${addr}:${toString port}"; locations."/".proxyPass = "http://${addr}:${toString port}";
}; };

24
modules/default.nix
View file

@ -1,23 +1,5 @@
{ {
pkgs, imports = [
config, ./nginxExtensions.nix
lib, ];
...
}: {
options.services.nginx.domain = lib.mkOption {
type = lib.types.str;
description = "The base domain name to append to virtual domain names";
};
config = {
# Don't attempt to run acme if the domain name is not tlater.net
systemd.services = let
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
in
lib.mapAttrs' (cert: _:
lib.nameValuePair "acme-${cert}" {
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
})
config.security.acme.certs;
};
} }

59
modules/nginxExtensions.nix Normal file
View file

@ -0,0 +1,59 @@
{
config,
pkgs,
lib,
...
}: {
options = {
services.nginx.domain = lib.mkOption {
type = lib.types.str;
description = "The base domain name to append to virtual domain names";
};
services.nginx.virtualHosts = let
extraVirtualHostOptions = {
name,
config,
...
}: {
options = {
enableHSTS = lib.mkEnableOption "Enable HSTS";
addAccessLog = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Add special logging to `/var/log/nginx/''${serverName}`
'';
};
};
config = {
extraConfig = lib.concatStringsSep "\n" [
(lib.optionalString config.enableHSTS ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
'')
(lib.optionalString config.addAccessLog ''
access_log /var/log/nginx/${name}/access.log upstream_time;
'')
];
};
};
in
lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);
};
};
config = {
# Don't attempt to run acme if the domain name is not tlater.net
systemd.services = let
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
in
lib.mapAttrs' (cert: _:
lib.nameValuePair "acme-${cert}" {
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
})
config.security.acme.certs;
};
}