summaryrefslogtreecommitdiffstats
path: root/lass/2configs
diff options
context:
space:
mode:
Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/binary-cache/server.nix10
-rw-r--r--lass/2configs/downloading.nix5
-rw-r--r--lass/2configs/go.nix16
-rw-r--r--lass/2configs/hfos.nix33
-rw-r--r--lass/2configs/libvirt.nix43
-rw-r--r--lass/2configs/nixpkgs.nix4
-rw-r--r--lass/2configs/radio.nix12
-rw-r--r--lass/2configs/realwallpaper.nix12
-rw-r--r--lass/2configs/tests/dummy-secrets/torrent-auth3
-rw-r--r--lass/2configs/tests/dummy-secrets/torrent-authfile1
-rw-r--r--lass/2configs/websites/domsen.nix13
-rw-r--r--lass/2configs/websites/fritz.nix18
-rw-r--r--lass/2configs/websites/lassulus.nix97
-rw-r--r--lass/2configs/websites/util.nix203
14 files changed, 219 insertions, 251 deletions
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
index 22ec04307..991bbeb54 100644
--- a/lass/2configs/binary-cache/server.nix
+++ b/lass/2configs/binary-cache/server.nix
@@ -17,13 +17,13 @@
owner.name = "nix-serve";
source-path = toString <secrets> + "/nix-serve.key";
};
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.nix-serve = {
- server-names = [ "cache.prism.r" ];
- locations = lib.singleton (lib.nameValuePair "/" ''
+ virtualHosts.nix-serve = {
+ serverAliases = [ "cache.prism.r" ];
+ locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
- '');
+ '';
};
};
}
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index ca0aded78..27b6d22d5 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -40,9 +40,8 @@ with import <stockholm/lib>;
enable = true;
web = {
enable = true;
- enableAuth = true;
- listenAddress = "9091";
- authfile = <secrets/torrent-authfile>;
+ port = 9091;
+ basicAuth = import <secrets/torrent-auth>;
};
rutorrent.enable = true;
enableXMLRPC = true;
diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix
index f6ddbe96d..8e31f050f 100644
--- a/lass/2configs/go.nix
+++ b/lass/2configs/go.nix
@@ -8,16 +8,14 @@ with import <stockholm/lib>;
krebs.go = {
enable = true;
};
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.go = {
- locations = [
- (nameValuePair "/" ''
- proxy_set_header Host go;
- proxy_pass http://localhost:1337;
- '')
- ];
- server-names = [
+ virtualHosts.go = {
+ locations."/".extraConfig = ''
+ proxy_set_header Host go;
+ proxy_pass http://localhost:1337;
+ '';
+ serverAliases = [
"go"
"go.retiolum"
];
diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix
new file mode 100644
index 000000000..f6f09e226
--- /dev/null
+++ b/lass/2configs/hfos.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+ users.users.riot = {
+ uid = genid "riot";
+ isNormalUser = true;
+ extraGroups = [ "libvirtd" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5NnADMRySix1kcxQwseHfem/SCDmkbvwc+ZZu7HFz4zss1k4Fh1knsukMY83zlno8p/8bBPWyixLTxuZHNy26af8GP95bvV3brnpRmrijkE4dOlpd+wvPcIyTKNunJvMzNDP/ry9g2GczEZKGWvQZudq/nI54HaCaRWM2kzEMEg8Rr9SGlZEKo8B+8HGVsz1a8USOnm8dqYP9dmfLdpy/s+7yWJSPh8wokvWeOOrahirOhO99ZfXm2gcdHqSKvbD2+4EYEm5w8iFrbYBT2wZ3u9ZOiooL/JuEBBdnDrcqZqeaTw0vOdKPvkUP8/rzRjvIwSkynMSD8fixpdGRNeIB riot@lagrange"
+ config.krebs.users.lass.pubkey
+ ];
+ };
+
+ networking.interfaces.et0.ip4 = [
+ {
+ address = "213.239.205.246";
+ prefixLength = 24;
+ }
+ ];
+
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; }
+ { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; }
+ { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
+ ];
+
+ krebs.iptables.tables.filter.FORWARD.rules = [
+ { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ ];
+}
diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix
index e739d2f79..a71638323 100644
--- a/lass/2configs/libvirt.nix
+++ b/lass/2configs/libvirt.nix
@@ -1,23 +1,30 @@
{ config, lib, pkgs, ... }:
-let
- mainUser = config.users.extraUsers.mainUser;
- inherit (import <stockholm/lib>) genid;
-
-in {
+{
+ users.users.mainUser.extraGroups = [ "libvirtd" ];
virtualisation.libvirtd.enable = true;
- users.extraUsers = {
- libvirt = {
- uid = genid "libvirt";
- description = "user for running libvirt stuff";
- home = "/home/libvirt";
- useDefaultShell = true;
- extraGroups = [ "libvirtd" "audio" ];
- createHome = true;
- };
- };
- security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(libvirt) NOPASSWD: ALL
- '';
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 53"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 53"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 67"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 67"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.filter.FORWARD.rules = [
+ { v6 = false; predicate = "-d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 -i virbr0"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i virbr0 -o virbr0"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-o virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ { v6 = false; predicate = "-i virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ ];
+ krebs.iptables.tables.filter.OUTPUT.rules = [
+ { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.nat.POSTROUTING.rules = [
+ { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 -d 255.255.255.255"; target = "RETURN"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24"; target = "MASQUERADE"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
+ ];
}
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index e2bdd5755..6885ef59d 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -2,7 +2,7 @@
{
krebs.build.source.nixpkgs.git = {
- url = https://github.com/nixos/nixpkgs;
- ref = "2a97e149e50e1c701a957c6bd060cc74b7e9a905";
+ url = https://github.com/lassulus/nixpkgs;
+ ref = "819c1ab486a9c81d6a6b76c759aedece2df39037";
};
}
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index 88e826683..18574471e 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -156,7 +156,7 @@ in {
})
];
};
- krebs.nginx.servers."lassul.us".locations = let
+ services.nginx.virtualHosts."lassul.us".locations."/the_playlist".extraConfig = let
html = pkgs.writeText "index.html" ''
<!DOCTYPE html>
<html lang="en">
@@ -175,10 +175,8 @@ in {
</body>
</html>
'';
- in [
- (nameValuePair "/the_playlist" ''
- default_type "text/html";
- alias ${html};
- '')
- ];
+ in ''
+ default_type "text/html";
+ alias ${html};
+ '';
}
diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix
index 2ab52ed92..cf9795071 100644
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@@ -9,15 +9,13 @@ let
in {
krebs.realwallpaper.enable = true;
- krebs.nginx.servers.wallpaper = {
- server-names = [
+ services.nginx.virtualHosts.wallpaper = {
+ serverAliases = [
hostname
];
- locations = [
- (nameValuePair "/wallpaper.png" ''
- root /tmp/;
- '')
- ];
+ locations."/wallpaper.png".extraConfig = ''
+ root /tmp/;
+ '';
};
krebs.iptables = {
diff --git a/lass/2configs/tests/dummy-secrets/torrent-auth b/lass/2configs/tests/dummy-secrets/torrent-auth
new file mode 100644
index 000000000..f167e71f9
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/torrent-auth
@@ -0,0 +1,3 @@
+{
+ x = "xxx";
+}
diff --git a/lass/2configs/tests/dummy-secrets/torrent-authfile b/lass/2configs/tests/dummy-secrets/torrent-authfile
deleted file mode 100644
index 93a8e1fed..000000000
--- a/lass/2configs/tests/dummy-secrets/torrent-authfile
+++ /dev/null
@@ -1 +0,0 @@
-"xxx"
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 76e13412b..2bbfe7333 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -35,10 +35,10 @@ in {
(servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
(ssl [ "pixelpocket.de" ])
- (servePage [ "pixelpocket.de" "www.pixelpocket.de" ])
+ (servePage [ "pixelpocket.de" ])
(ssl [ "o.ubikmedia.de" ])
- (serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
+ (serveOwncloud [ "o.ubikmedia.de" ])
(ssl [
"ubikmedia.de"
@@ -88,15 +88,12 @@ in {
"www.illucloud.eu"
"www.illucloud.de"
"www.illucloud.com"
- "*.ubikmedia.de"
])
];
- krebs.nginx.servers."ubikmedia.de".locations = [
- (lib.nameValuePair "/piwik" ''
- try_files $uri $uri/ /index.php?$args;
- '')
- ];
+ services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
+ try_files $uri $uri/ /index.php?$args;
+ '';
lass.mysqlBackup.config.all.databases = [
"ubikmedia_de"
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 52914f444..f9035dd13 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -7,7 +7,6 @@ let
head
;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
- manageCerts
ssl
servePage
serveWordpress
@@ -26,8 +25,6 @@ let
in {
imports = [
./sqlBackup.nix
- (ssl [ "biostase.de" "www.biostase.de" ])
- (serveWordpress [ "biostase.de" "www.biostase.de" ])
(ssl [ "radical-dreamers.de" "www.radical-dreamers.de" ])
(serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ])
@@ -50,30 +47,17 @@ in {
(ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
(servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
- (manageCerts [ "goldbarrendiebstahl.radical-dreamers.de" ])
+ (ssl [ "goldbarrendiebstahl.radical-dreamers.de" ])
(serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
];
lass.mysqlBackup.config.all.databases = [
- "biostase_de"
"eastuttgart_de"
"radical_dreamers_de"
"spielwaren_kern_de"
"ttf_kleinaspach_de"
];
- #password protect some dirs
- krebs.nginx.servers."biostase.de".locations = [
- (nameValuePair "/old_biostase.de" ''
- auth_basic "Administrator Login";
- auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
- '')
- (nameValuePair "/mysqldumper" ''
- auth_basic "Administrator Login";
- auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
- '')
- ];
-
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.fritz.pubkey
];
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 29374e97d..cfdda05db 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -14,7 +14,7 @@ in {
security.acme = {
certs."lassul.us" = {
email = "lass@lassul.us";
- webroot = "/var/lib/acme/challenges/lassul.us";
+ webroot = "/var/lib/acme/acme-challenges";
plugins = [
"account_key.json"
"key.pem"
@@ -26,7 +26,7 @@ in {
};
certs."cgit.lassul.us" = {
email = "lassulus@gmail.com";
- webroot = "/var/lib/acme/challenges/cgit.lassul.us";
+ webroot = "/var/lib/acme/acme-challenges";
plugins = [
"account_key.json"
"key.pem"
@@ -69,59 +69,54 @@ in {
"nginx"
];
- krebs.nginx.servers."lassul.us" = {
- server-names = [ "lassul.us" ];
- locations = [
- (nameValuePair "/" ''
- root /srv/http/lassul.us;
- '')
- (nameValuePair "/.well-known/acme-challenge" ''
- root /var/lib/acme/challenges/lassul.us/;
- '')
- (nameValuePair "= /retiolum-hosts.tar.bz2" ''
- alias ${config.krebs.tinc.retiolum.hostsArchive};
- '')
- (nameValuePair "/tinc" ''
- alias ${config.krebs.tinc_graphs.workingDir}/external;
- '')
- (let
- script = pkgs.writeBash "test" ''
- echo "hello world"
- '';
- #script = pkgs.execve "ddate-wrapper" {
- # filename = "${pkgs.ddate}/bin/ddate";
- # argv = [];
- #};
- in nameValuePair "= /ddate" ''
- gzip off;
- fastcgi_pass unix:/var/run/lass-stuff.socket;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param DOCUMENT_ROOT /var/empty;
- fastcgi_param SCRIPT_FILENAME ${script};
- fastcgi_param SCRIPT_NAME ${script};
- '')
- ];
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/lassul.us/fullchain.pem";
- certificate_key = "/var/lib/acme/lassul.us/key.pem";
- };
+ services.nginx.virtualHosts."lassul.us" = {
+ serverAliases = [ "lassul.us" ];
+ locations."/".extraConfig = ''
+ root /srv/http/lassul.us;
+ '';
+ locations."/.well-known/acme-challenge".extraConfig = ''
+ root /var/lib/acme/challenges/lassul.us/;
+ '';
+ locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
+ alias ${config.krebs.tinc.retiolum.hostsArchive};
+ '';
+ locations."/tinc".extraConfig = ''
+ alias ${config.krebs.tinc_graphs.workingDir}/external;
+ '';
+ locations."= /ddate".extraConfig = let
+ script = pkgs.writeBash "test" ''
+ echo "hello world"
+ '';
+ #script = pkgs.execve "ddate-wrapper" {
+ # filename = "${pkgs.ddate}/bin/ddate";
+ # argv = [];
+ #};
+ in ''
+ gzip off;
+ fastcgi_pass unix:/var/run/lass-stuff.socket;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param DOCUMENT_ROOT /var/empty;
+ fastcgi_param SCRIPT_FILENAME ${script};
+ fastcgi_param SCRIPT_NAME ${script};
+ '';
+
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
};
- krebs.nginx.servers.cgit = {
- server-names = [
+ services.nginx.virtualHosts.cgit = {
+ serverAliases = [
"cgit.lassul.us"
];
- locations = [
- (nameValuePair "/.well-known/acme-challenge" ''
- root /var/lib/acme/challenges/cgit.lassul.us/;
- '')
- ];
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
- certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem";
- };
+ locations."/.well-known/acme-challenge".extraConfig = ''
+ root /var/lib/acme/acme-challenges;
+ '';
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
};
users.users.blog = {
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 0b2a6faac..6e236ab63 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -4,66 +4,24 @@ with lib;
rec {
- manageCerts = domains:
+ ssl = domains :
let
domain = head domains;
in {
- #security.acme = {
- # certs."${domain}" = {
- # email = "lassulus@gmail.com";
- # webroot = "/var/lib/acme/challenges/${domain}";
- # plugins = [
- # "account_key.json"
- # "key.pem"
- # "fullchain.pem"
- # ];
- # group = "nginx";
- # allowKeysForGroup = true;
- # extraDomains = genAttrs domains (_: null);
- # };
- #};
-
- krebs.nginx.servers."${domain}" = {
- ssl.acmeEnable = true;
- server-names = domains;
- #locations = [
- # (nameValuePair "/.well-known/acme-challenge" ''
- # root /var/lib/acme/challenges/${domain}/;
- # '')
- #];
- };
- };
-
- ssl = domains:
- {
- imports = [
- ( manageCerts domains )
- #( activateACME (head domains) )
- ];
- };
-
- activateACME = domain:
- {
- krebs.nginx.servers.${domain} = {
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/${domain}/fullchain.pem";
- certificate_key = "/var/lib/acme/${domain}/key.pem";
- };
- };
};
servePage = domains:
let
domain = head domains;
in {
- krebs.nginx.servers.${domain} = {
- server-names = domains;
- locations = [
- (nameValuePair "/" ''
- root /srv/http/${domain};
- '')
- ];
+ services.nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ serverAliases = domains;
+ locations."/".extraConfig = ''
+ root /srv/http/${domain};
+ '';
};
};
@@ -71,9 +29,13 @@ rec {
let
domain = head domains;
in {
- krebs.nginx.servers."${domain}" = {
- server-names = domains;
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ enableSSL = true;
+ serverAliases = domains;
extraConfig = ''
+ listen 80;
+
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
@@ -109,56 +71,53 @@ rec {
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
'';
- locations = [
- (nameValuePair "/robots.txt" ''
- allow all;
- log_not_found off;
- access_log off;
- '')
- (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" ''
- deny all;
- '')
-
- (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" ''
- deny all;
- '')
-
- (nameValuePair "/" ''
- rewrite ^/remote/(.*) /remote.php last;
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
- try_files $uri $uri/ =404;
- '')
-
- (nameValuePair "~ \.php(?:$|/)" ''
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
- fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
- fastcgi_intercept_errors on;
- '')
-
- # Adding the cache control header for js and css files
- # Make sure it is BELOW the location ~ \.php(?:$|/) { block
- (nameValuePair "~* \.(?:css|js)$" ''
- add_header Cache-Control "public, max-age=7200";
- # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- # Optional: Don't log access to assets
- access_log off;
- '')
-
- # Optional: Don't log access to other assets
- (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" ''
- access_log off;
- '')
- ];
+ locations."/robots.txt".extraConfig = ''
+ allow all;
+ log_not_found off;
+ access_log off;
+ '';
+ locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
+ deny all;
+ '';
+
+ locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
+ deny all;
+ '';
+
+ locations."/".extraConfig = ''
+ rewrite ^/remote/(.*) /remote.php last;
+ rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+ try_files $uri $uri/ =404;
+ '';
+
+ locations."~ \.php(?:$|/)".extraConfig = ''
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+ fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+ fastcgi_intercept_errors on;
+ '';
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the location ~ \.php(?:$|/) { block
+ locations."~* \.(?:css|js)$".extraConfig = ''
+ add_header Cache-Control "public, max-age=7200";
+ # Add headers to serve security related headers
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ # Optional: Don't log access to assets
+ access_log off;
+ '';
+ # Optional: Don't log access to other assets
+ locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
+ access_log off;
+ '';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool
@@ -183,9 +142,12 @@ rec {
domain = head domains;
in {
- krebs.nginx.servers."${domain}" = {
- server-names = domains;
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ enableSSL = true;
+ serverAliases = domains;
extraConfig = ''
+ listen 80;
root /srv/http/${domain}/;
index index.php;
access_log /tmp/nginx_acc.log;
@@ -194,24 +156,19 @@ rec {
error_page 500 502 503 504 /50x.html;
client_max_body_size 100m;
'';
- locations = [
- (nameValuePair "/" ''
- try_files $uri $uri/ /index.php?$args;
- '')
- (nameValuePair "~ \.php$" ''
- fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
- include ${pkgs.nginx}/conf/fastcgi.conf;
- '')
- #(nameValuePair "~ /\\." ''
- # deny all;
- #'')
- #Directives to send expires headers and turn off 404 error logging.
- (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
- access_log off;
- log_not_found off;
- expires max;
- '')
- ];
+ locations."/".extraConfig = ''
+ try_files $uri $uri/ /index.php?$args;
+ '';
+ locations."~ \.php$".extraConfig = ''
+ fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ '';
+ #Directives to send expires headers and turn off 404 error logging.
+ locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
+ access_log off;
+ log_not_found off;
+ expires max;
+ '';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool