unit/modules/webstack.nix

{ config, lib, pkgs, ... }:

{
  # Reverse proxy configuration
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    sslCiphers =
      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
    sslProtocols = "TLSv1.2 TLSv1.3";
    sslDhparam = "/var/lib/dhparams/nginx.pem";
    commonHttpConfig = ''
      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;

      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'origin-when-cross-origin';

      # Disable embedding as a frame
      add_header X-Frame-Options DENY;

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;

      # Enable XSS protection of the browser.
      # May be unnecessary when CSP is configured properly (see above)
      add_header X-XSS-Protection "1; mode=block";

      # This might create errors
      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';
    virtualHosts = {
      "coace.duckdns.org" = {
        enableACME = true;
        forceSSL = true;
      };
    };
  };

  # ACME certs configuration
  security.acme = {
    acceptTerms = true;
    email = "secretario@arquitectosdeceuta.com";
    certs."coace.duckdns.org".webroot = "/var/lib/acme/acme-challenge";
  };

  # Generate dhparams
  security.dhparams = {
    enable = true;
    params.nginx.bits = 2048;
  };

  # PostgreSQL databases configuration
  services.postgresql = {
    enable = true;
    authentication = lib.mkForce ''
      # Generated file; do not edit!
      # TYPE  DATABASE        USER            ADDRESS                 METHOD
      local   all             all                                     trust
      host    all             all             127.0.0.1/32            trust
      host    all             all             ::1/128                 trust
    '';
  };
}
Set up Nextcloud 2021-04-07 13:18:31 +02:00			`{ config, lib, pkgs, ... }:`

			`{`
			`# Reverse proxy configuration`
			`services.nginx = {`
			`enable = true;`
			`recommendedTlsSettings = true;`
			`recommendedGzipSettings = true;`
			`recommendedProxySettings = true;`
			`recommendedOptimisation = true;`
			`sslCiphers =`
			"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
			`sslProtocols = "TLSv1.2 TLSv1.3";`
			`sslDhparam = "/var/lib/dhparams/nginx.pem";`
			`commonHttpConfig = ''`
			`# Add HSTS header with preloading to HTTPS requests.`
			`# Adding this header to HTTP requests is discouraged`
			`map $scheme $hsts_header {`
			`https "max-age=31536000; includeSubdomains; preload";`
			`}`
			`add_header Strict-Transport-Security $hsts_header;`

			`# Minimize information leaked to other domains`
			`add_header 'Referrer-Policy' 'origin-when-cross-origin';`

			`# Disable embedding as a frame`
			`add_header X-Frame-Options DENY;`

			`# Prevent injection of code in other mime types (XSS Attacks)`
			`add_header X-Content-Type-Options nosniff;`

			`# Enable XSS protection of the browser.`
			`# May be unnecessary when CSP is configured properly (see above)`
			`add_header X-XSS-Protection "1; mode=block";`

			`# This might create errors`
			`proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";`
			`'';`
			`virtualHosts = {`
Move Nextcloud from subdomain to main domain name 2021-04-12 11:09:19 +02:00			`"coace.duckdns.org" = {`
Set up Nextcloud 2021-04-07 13:18:31 +02:00			`enableACME = true;`
			`forceSSL = true;`
			`};`
			`};`
			`};`

			`# ACME certs configuration`
			`security.acme = {`
			`acceptTerms = true;`
			`email = "secretario@arquitectosdeceuta.com";`
Move Nextcloud from subdomain to main domain name 2021-04-12 11:09:19 +02:00			`certs."coace.duckdns.org".webroot = "/var/lib/acme/acme-challenge";`
Set up Nextcloud 2021-04-07 13:18:31 +02:00			`};`

			`# Generate dhparams`
			`security.dhparams = {`
			`enable = true;`
			`params.nginx.bits = 2048;`
			`};`

			`# PostgreSQL databases configuration`
			`services.postgresql = {`
			`enable = true;`
			`authentication = lib.mkForce ''`
			`# Generated file; do not edit!`
			`# TYPE DATABASE USER ADDRESS METHOD`
			`local all all trust`
			`host all all 127.0.0.1/32 trust`
			`host all all ::1/128 trust`
			`'';`
			`};`
			`}`