From 20cda4404094344331491dda8b7916681567bbaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Wed, 13 Oct 2021 14:53:05 +0100 Subject: [PATCH 1/5] nextcloud: Update nginx config --- .../services/configs/nginx-nextcloud.conf | 156 +++++++++--------- 1 file changed, 75 insertions(+), 81 deletions(-) diff --git a/configuration/services/configs/nginx-nextcloud.conf b/configuration/services/configs/nginx-nextcloud.conf index 3eb1193..eec7bdb 100644 --- a/configuration/services/configs/nginx-nextcloud.conf +++ b/configuration/services/configs/nginx-nextcloud.conf @@ -24,11 +24,6 @@ http { keepalive_timeout 65; - set_real_ip_from 10.0.0.0/8; - set_real_ip_from 172.16.0.0/12; - set_real_ip_from 192.168.0.0/16; - real_ip_header X-Real-IP; - #gzip on; upstream php-handler { 
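Review bot: Dropping the `set_real_ip_from` / `real_ip_header X-Real-IP` lines from the `http` block means `$remote_addr` — and with it the `REMOTE_ADDR` that `fastcgi_params` hands to PHP-FPM and the address in nginx's own access log — now carries the upstream proxy's address rather than the client's. That is fine if Nextcloud's own trusted-proxy handling is meant to take over (a `TRUSTED_PROXIES` setting appears later in this series), but nothing in the commit records that decision; a one-line comment such as `# Client IP recovery is deliberately left to Nextcloud's trusted_proxies handling` would stop a later reader from re-adding it. If the intent was instead to stop trusting all of RFC 1918 for `X-Real-IP`, narrowing `set_real_ip_from` to the actual proxy address would keep correct client IPs for logging and brute-force throttling. The enclosing `http` block starts before this hunk.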
@@ -38,23 +33,22 @@ http { server { listen 80; - # Add headers to serve security related headers - # Before enabling Strict-Transport-Security headers please read into this - # topic first. - #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - # + # HSTS settings # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; 
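Review bot: The security headers now live only at `server` level, which works because the new asset locations use `expires` instead of `add_header`; nginx's `add_header` is not additive, so any future `add_header` inside a `location` would silently drop every header declared here. That fragility deserves a comment next to the block, e.g. `# NOTE: add_header is not inherited once a location sets its own add_header -- set Cache-Control via expires, not add_header`. This server only has `listen 80`, so if the TLS-terminating proxy in front already sends `Strict-Transport-Security`, saying so beside the commented-out HSTS line would avoid it being enabled in two places. The `server` block continues past this hunk.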
@@ -62,27 +56,48 @@ http { # Path to the root of your installation root /var/www/html; + # Specify how to handle directories -- specifying `/index.php$request_uri` + # here as the fallback means that Nginx always exhibits the desired behaviour + # when a client requests a path that corresponds to a directory that exists + # on the server. In particular, if that directory contains an index.php file, + # that file is correctly served; if it doesn't, then the request is passed to + # the front-end controller. This consistent behaviour means that we don't need + # to specify custom rules for certain paths (e.g. images and other assets, + # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus + # `try_files $uri $uri/ /index.php$request_uri` + # always provides the desired behaviour. + index index.php index.html /index.php$request_uri; + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + } + location = /robots.txt { allow all; log_not_found off; access_log off; } - # The following 2 rules are only needed for the user_webfinger app. - # Uncomment it if you're planning to use this app. - #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + # Make a regex exception for `/.well-known` so that clients can still + # access it despite the existence of the regex rule + # `location ~ /(\.|autotest|...)` which would otherwise handle requests + # for `/.well-known`. + location ^~ /.well-known { + # The rules in this block are an adaptation of the rules + # in `.htaccess` that concern `/.well-known`. - # The following rule is only needed for the Social app. - # Uncomment it if you're planning to use this app. 
- #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } - location = /.well-known/carddav { - return 301 $scheme://$host:$server_port/remote.php/dav; - } + location /.well-known/acme-challenge { try_files $uri $uri/ =404; } + location /.well-known/pki-validation { try_files $uri $uri/ =404; } - location = /.well-known/caldav { - return 301 $scheme://$host:$server_port/remote.php/dav; + # Let Nextcloud's API for `/.well-known` URIs handle all other + # requests by passing them to the front-end controller. + return 301 /index.php$request_uri; } # set max upload size 
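Review bot: The `location ^~ /.well-known` block intentionally bypasses the `location ~ ^/(?:\.|...)` 404 rule, and inside it `acme-challenge` and `pki-validation` serve files straight from `$document_root/.well-known/` with `try_files $uri $uri/ =404`. Given `listen 80` only and, later in this series, the Nextcloud root being mounted read-only for nginx, nothing visible here writes ACME challenges into that directory, so those two locations look like dead code; if they are kept for a future ACME client, a comment such as `# Only useful if an ACME client writes into /var/www/html/.well-known/ -- TLS is terminated upstream` would say why. The `if ($http_user_agent ~ ^DavClnt)` redirect uses `return`, which is the one safe form of `if` in a location, so that part is fine. The `server` block continues past this hunk.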
@@ -97,77 +112,56 @@ http { gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - # Uncomment if your server is build with the ngx_pagespeed module - # This module is currently not supported. + # Pagespeed is not supported by Nextcloud, so if your server is built + # with the `ngx_pagespeed` module, uncomment this line to disable it. #pagespeed off; - location / { - rewrite ^ /index.php; - } + # Rules borrowed from `.htaccess` to hide certain paths from clients + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } - location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { - deny all; - } - location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { - deny all; - } - - location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { - fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` + # to the URI, resulting in a HTTP 500 error response. 
+ location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; - # fastcgi_param HTTPS on; + #fastcgi_param HTTPS on; - # Avoid sending the security headers twice - fastcgi_param modHeadersAvailable true; - - # Enable pretty urls - fastcgi_param front_controller_active true; + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls fastcgi_pass php-handler; + fastcgi_intercept_errors on; fastcgi_request_buffering off; } - location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { - try_files $uri/ =404; - index index.php; + location ~ \.(?:css|js|svg|gif)$ { + try_files $uri /index.php$request_uri; + expires 6M; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets } - # Adding the cache control header for js, css and map files - # Make sure it is BELOW the PHP block - location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + location ~ \.woff2?$ { try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; - # Add headers to serve security related headers (It is intended to - # have those duplicated to the ones above) - # Before enabling Strict-Transport-Security headers please read into - # this topic first. - #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - # - # WARNING: Only add the preload option once you read about - # the consequences in https://hstspreload.org/. This option - # will add the domain to a hardcoded list that is shipped - # in all major browsers and getting removed from this list - # could take several months. 
- add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Optional: Don't log access to assets - access_log off; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets } - location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { - try_files $uri /index.php$request_uri; - # Optional: Don't log access to other assets - access_log off; + # Rule borrowed from `.htaccess` + location /remote { + return 301 /remote.php$request_uri; + } + + location / { + try_files $uri $uri/ /index.php$request_uri; } } } -- 2.44.1 From 90926e2eeecbb1051c88ec03471b8cb3a97f778a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Wed, 13 Oct 2021 15:29:12 +0100 Subject: [PATCH 2/5] nextcloud: Give nginx access to the nextcloud root --- configuration/services/nextcloud.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index f8a0f08..d4a7fe5 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix @@ -11,6 +11,7 @@ image = "nextcloud:fpm-alpine"; dependsOn = [ "postgres" ]; volumes = [ + "nextcloud-root:/var/www/html" "nextcloud-apps:/var/www/html/custom_apps" "nextcloud-config:/var/www/html/config" "nextcloud-data:/var/www/html/data" 
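Review bot: The new `location ~ \.php(?:$|/)` block hands every `.php` path under the document root to PHP-FPM, whereas the removed regex only allowed the known front controllers (`index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+`); the `return 404` rules above cover `config`, `lib`, `3rdparty`, `data` and friends but not `apps/`, `custom_apps/` or `core/`, so any PHP file shipped in those trees becomes directly executable by URL. The Nextcloud nginx example this appears to be adapted from guards the same block with a rewrite placed first inside the location, `rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;`, which routes everything else through the front controller and restores the previous whitelist. `try_files $fastcgi_script_name =404` only blocks path-info tricks against scripts that do not exist, not direct execution of ones that do.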
@@ -34,8 +35,10 @@ nginx = { image = "nginx:alpine"; dependsOn = [ "nextcloud" ]; - volumes = - [ "${./configs/nginx-nextcloud.conf}:/etc/nginx/nginx.conf:ro" ]; + volumes = [ + "nextcloud-root:/var/www/html:ro" + "${./configs/nginx-nextcloud.conf}:/etc/nginx/nginx.conf:ro" + ]; extraOptions = [ "--volumes-from=nextcloud-nextcloud" ]; }; -- 2.44.1 From 9060cb6414c4bef04c95f7a9873836ca6e65b67a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Fri, 17 Dec 2021 18:40:40 +0000 Subject: [PATCH 3/5] Update to NixOS 21.11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file changes: • Updated input 'flake-utils': 'github:numtide/flake-utils/7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19' (2021-09-13) → 'github:numtide/flake-utils/74f7e4319258e287b0f9cb95426c9853b282730b' (2021-11-28) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/0a8b8054c9920368a3c15e6d766188fdf04b736f' (2021-09-30) → 'github:nixos/nixos-hardware/2a7063461c3751d83869a2a0a8ebc59e34bec5b2' (2021-12-11) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/7daf35532d2d8bf5e6f7f962e6cd13a66d01a71d' (2021-10-03) → 'github:nixos/nixpkgs/573095944e7c1d58d30fc679c81af63668b54056' (2021-12-10) --- flake.lock | 20 ++++++++++---------- flake.nix | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/flake.lock b/flake.lock index 3be1860..11de3e3 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "flake-utils": { "locked": { - "lastModified": 1631561581, - "narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=", + "lastModified": 1638122382, + "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", "owner": "numtide", "repo": "flake-utils", - "rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19", + "rev": "74f7e4319258e287b0f9cb95426c9853b282730b", "type": "github" }, "original": { 
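Review bot: The nginx container now gets the Nextcloud tree explicitly as `nextcloud-root:/var/www/html:ro`, but `extraOptions = [ "--volumes-from=nextcloud-nextcloud" ]` is still there and inherits the apps, config and data volumes with whatever mode the Nextcloud container mounts them — read-write, as far as the earlier hunk shows — so nginx keeps write access to `config/` and `data/` even though the `:ro` on the root mount suggests otherwise. nginx only needs to stat and serve files; either drop `--volumes-from` now that the root volume is mounted directly, or, if podman accepts the suffix here, use `"--volumes-from=nextcloud-nextcloud:ro"`, with a comment such as `# nginx must never have write access to data/ or config/`. The `:ro` on the root mount does not apply to the sub-mounts layered on top of it.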
@@ -38,11 +38,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1632990363, - "narHash": "sha256-SNqz+9Vt4yDHqw8u/CMFdzMQTulKoMlVGJdshfcb5O0=", + "lastModified": 1639240632, + "narHash": "sha256-BAXhgnPOW1COIfZ9EOOFTdolalYS73MFHSRajgrSdZw=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "0a8b8054c9920368a3c15e6d766188fdf04b736f", + "rev": "2a7063461c3751d83869a2a0a8ebc59e34bec5b2", "type": "github" }, "original": { @@ -54,16 +54,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1633267966, - "narHash": "sha256-gFKvZ5AmV/dDTKXVxacPbXe4R0BsFpwtVaQxuIm2nnk=", + "lastModified": 1639161226, + "narHash": "sha256-75Y08ynJDTq6HHGIF+8IADBJSVip0UyWQH7jqSFnRR8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7daf35532d2d8bf5e6f7f962e6cd13a66d01a71d", + "rev": "573095944e7c1d58d30fc679c81af63668b54056", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-21.05", + "ref": "nixos-21.11", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index a7b1ef7..8a0025f 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ description = "tlater.net host configuration"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11"; nixos-hardware.url = "github:nixos/nixos-hardware/master"; flake-utils.url = "github:numtide/flake-utils"; tlaternet-webserver = { -- 2.44.1 From bd7e4a319328da315222d9c37b3629d7a9566621 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sun, 26 Dec 2021 19:00:59 +0000 Subject: [PATCH 4/5] Fix service uid/gids --- configuration/ids.nix | 6 ++++++ configuration/services/minecraft.nix | 15 ++++++++++++--- configuration/services/webserver.nix | 18 ++++++++++-------- 3 files changed, 28 insertions(+), 11 deletions(-) diff --git a/configuration/ids.nix b/configuration/ids.nix index 895b976..5488ff0 100644 --- a/configuration/ids.nix +++ b/configuration/ids.nix 
@@ -4,6 +4,12 @@ ids.uids = { # System user ids start at 400 (see nixos/modules/programs/shadow.nix) webserver = 400; + minecraft = 401; # The limit is 999 }; + + ids.gids = { + webserver = 400; + minecraft = 401; + }; } diff --git a/configuration/services/minecraft.nix b/configuration/services/minecraft.nix index bf8f58f..23705ac 100644 --- a/configuration/services/minecraft.nix +++ b/configuration/services/minecraft.nix @@ -54,6 +54,16 @@ in { nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "forge-server" ]; + users = { + extraUsers.minecraft = { + uid = config.ids.uids.minecraft; + group = config.users.extraGroups.minecraft.name; + isSystemUser = true; + description = "Minecraft server user"; + }; + extraGroups.minecraft = { gid = config.ids.gids.minecraft; }; + }; + virtualisation.oci-containers.containers.minecraft-voor-kia = let properties = ./configs/minecraft/voor-kia/server.properties; icon = ./configs/minecraft/voor-kia/server-icon.png; @@ -73,9 +83,8 @@ in { ]; config = let - # Use the upstream minecraft uid - uid = toString config.ids.uids.minecraft; - gid = toString config.users.groups.nogroup.gid; + uid = toString config.users.extraUsers.minecraft.uid; + gid = toString config.users.extraGroups.minecraft.gid; in { Cmd = [ "forge-server" ] ++ minecraft-server-args; WorkingDir = "/var/lib/minecraft"; diff --git a/configuration/services/webserver.nix b/configuration/services/webserver.nix index c1966a5..d72b417 100644 --- a/configuration/services/webserver.nix +++ b/configuration/services/webserver.nix 
@@ -1,10 +1,14 @@ { config, pkgs, ... }: { - users.extraUsers.webserver = { - uid = config.ids.uids.webserver; - isSystemUser = true; - description = "tlater.net web server user"; + users = { + extraUsers.webserver = { + uid = config.ids.uids.webserver; + group = config.users.extraGroups.webserver.name; + isSystemUser = true; + description = "tlater.net web server user"; + }; + extraGroups.webserver = { gid = config.ids.gids.webserver; }; }; virtualisation.oci-containers.containers.webserver = { @@ -16,10 +20,8 @@ contents = pkgs.tlaternet-webserver.webserver; config = let - user = config.users.extraUsers.webserver; - group = config.users.groups.${user.group}; - uid = toString user.uid; - gid = toString group.gid; + uid = toString config.users.extraUsers.webserver.uid; + gid = toString config.users.extraGroups.webserver.gid; in { Cmd = [ "tlaternet-webserver" ]; Volumes = { "/srv/mail" = { }; }; -- 2.44.1 From b6f39969cc50293b6dce493ef3273bc0573939f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sat, 8 Jan 2022 00:27:01 +0000 Subject: [PATCH 5/5] Fix podman hostnames It seems that with the newest version of podman container names are no longer added as hostnames, meaning that any attempt to resolve hostnames with the current config will fail. `localhost` is probably more robust anyway, so we switch to that. The bug manifests as broken services because nextcloud/gitea cannot resolve their databases and nextcloud fails to resolve the php server. To fix this a running system, the gitea and nextcloud database configurations will need to be hand-edited, since those values are only set on initialization, and not updated when changed later. --- configuration/services/configs/nginx-nextcloud.conf | 2 +- configuration/services/gitea.nix | 2 +- configuration/services/nextcloud.nix | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
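Review bot: The rewritten `users` block and the `uid`/`gid` `let` in the second hunk address the configuration through `users.extraUsers` / `users.extraGroups`, which in NixOS are the legacy aliases of `users.users` / `users.groups` — the removed line already used `config.users.groups`. For consistency with current NixOS style, `users.users.webserver = { … }; users.groups.webserver = { gid = …; };` and `config.users.users.webserver.uid` read the same values; this is a style point only, the aliases still resolve. The `virtualisation.oci-containers.containers.webserver` attribute set continues past the second hunk.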
diff --git a/configuration/services/configs/nginx-nextcloud.conf b/configuration/services/configs/nginx-nextcloud.conf index eec7bdb..7c6ad78 100644 --- a/configuration/services/configs/nginx-nextcloud.conf +++ b/configuration/services/configs/nginx-nextcloud.conf @@ -27,7 +27,7 @@ http { #gzip on; upstream php-handler { - server nextcloud-nextcloud:9000; + server localhost:9000; } server { diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix index 2258566..221b976 100644 --- a/configuration/services/gitea.nix +++ b/configuration/services/gitea.nix @@ -24,7 +24,7 @@ environment = { DB_TYPE = "postgres"; - DB_HOST = "gitea-postgres:5432"; + DB_HOST = "localhost:5432"; DB_NAME = "gitea"; DB_USER = "gitea"; diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index d4a7fe5..7d94bcf 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix @@ -19,7 +19,7 @@ environment = { POSTGRES_DB = "nextcloud"; POSTGRES_USER = "nextcloud"; - POSTGRES_HOST = "nextcloud-postgres"; + POSTGRES_HOST = "localhost"; OVERWRITEPROTOCOL = "https"; TRUSTED_PROXIES = "127.0.0.1"; }; -- 2.44.1
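Review bot: `server localhost:9000;` only works if the nginx and Nextcloud containers share a network namespace (host networking or a pod), which the commit message implies but the diff does not show; a comment in the config, e.g. `# php-fpm is on localhost because the containers share the host network namespace`, would spare the next reader the same debugging. The security consequence is that PHP-FPM's FastCGI port is then reachable by every process on the host, and anything that can speak FastCGI to it can have FPM execute any PHP file it can read by supplying its own `SCRIPT_FILENAME`. If host networking is indeed in use, a unix socket shared through a volume, or firewall rules limiting who may connect to 9000, would keep that trust boundary to nginx alone.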
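Review bot: `POSTGRES_HOST = "localhost"` (and `DB_HOST = "localhost:5432"` for gitea in the preceding hunk) means both services now expect PostgreSQL on the host loopback, so the database port is shared by every local process and, if the containers use host networking, each application can reach the other's database; make sure the postgres instance authenticates loopback connections by password rather than `trust` and that gitea and nextcloud use separate roles. The commit message already says the stored host must be hand-edited on existing installs because it is only read on first initialisation; a comment beside the setting, `# only read on first init -- edit config.php by hand when changing`, would keep that from being lost. The `environment` attribute set continues past this hunk.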