unit/modules/webstack.nix

{ config, lib, pkgs, ... }:

{
  # Reverse proxy configuration
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    sslCiphers =
      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
    sslProtocols = "TLSv1.2 TLSv1.3";
    sslDhparam = "/var/lib/dhparams/nginx.pem";
    commonHttpConfig = ''
      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;

      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'origin-when-cross-origin';

      # Disable embedding as a frame
      add_header X-Frame-Options DENY;

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;

      # Enable XSS protection of the browser.
      # May be unnecessary when CSP is configured properly (see above)
      add_header X-XSS-Protection "1; mode=block";

      # This might create errors
      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';
    virtualHosts = {
      "coace.duckdns.org" = {
        enableACME = true;
        forceSSL = true;
      };
    };
    virtualHosts = {
      "frontend.coace.duckdns.org" = {
        enableACME = true;
        forceSSL = true;
        root = "/vault/backups/frontend/inetpub/wwwroot";
        locations = {
          "/few/".extraConfig = ''
            fastcgi_index Default.aspx;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root/few/$fastcgi_script_name;
            fastcgi_param PATH_INFO "";
            fastcgi-mono-server4 /applications=/few/:/vault/backups/frontend/inetpub/wwwroot/few/socket=tcp:127.0.0.1:9000;
            include ${pkgs.nginx}/conf/fastcgi_params;
          '';
          "/gcw/".extraConfig = ''
            fastcgi_index Default.aspx;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root/few/$fastcgi_script_name;
            fastcgi_param PATH_INFO "";
            fastcgi-mono-server4 /applications=/gcw/:/vault/backups/frontend/inetpub/wwwroot/gcw/socket=tcp:127.0.0.1:9000;
            include ${pkgs.nginx}/conf/fastcgi_params;
          '';
        };
      };
    };
  };

  # ACME certs configuration
  security.acme = {
    acceptTerms = true;
    email = "secretario@arquitectosdeceuta.com";
    certs."coace.duckdns.org" = {
      webroot = "/var/lib/acme/acme-challenge";
      extraDomainNames = [ "frontend.coace.duckdns.org" ];
    };
  };

  # Generate dhparams
  security.dhparams = {
    enable = true;
    params.nginx.bits = 2048;
  };

  # PostgreSQL databases configuration
  services.postgresql = {
    enable = true;
    authentication = lib.mkForce ''
      # Generated file; do not edit!
      # TYPE  DATABASE        USER            ADDRESS                 METHOD
      local   all             all                                     trust
      host    all             all             127.0.0.1/32            trust
      host    all             all             ::1/128                 trust
    '';
  };
}
Set up Nextcloud 2021-04-07 13:18:31 +02:00			`{ config, lib, pkgs, ... }:`

			`{`
			`# Reverse proxy configuration`
			`services.nginx = {`
			`enable = true;`
			`recommendedTlsSettings = true;`
			`recommendedGzipSettings = true;`
			`recommendedProxySettings = true;`
			`recommendedOptimisation = true;`
			`sslCiphers =`
			"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
			`sslProtocols = "TLSv1.2 TLSv1.3";`
			`sslDhparam = "/var/lib/dhparams/nginx.pem";`
			`commonHttpConfig = ''`
			`# Add HSTS header with preloading to HTTPS requests.`
			`# Adding this header to HTTP requests is discouraged`
			`map $scheme $hsts_header {`
			`https "max-age=31536000; includeSubdomains; preload";`
			`}`
			`add_header Strict-Transport-Security $hsts_header;`

			`# Minimize information leaked to other domains`
			`add_header 'Referrer-Policy' 'origin-when-cross-origin';`

			`# Disable embedding as a frame`
			`add_header X-Frame-Options DENY;`

			`# Prevent injection of code in other mime types (XSS Attacks)`
			`add_header X-Content-Type-Options nosniff;`

			`# Enable XSS protection of the browser.`
			`# May be unnecessary when CSP is configured properly (see above)`
			`add_header X-XSS-Protection "1; mode=block";`

			`# This might create errors`
			`proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";`
			`'';`
			`virtualHosts = {`
Move Nextcloud from subdomain to main domain name 2021-04-12 11:09:19 +02:00			`"coace.duckdns.org" = {`
Set up Nextcloud 2021-04-07 13:18:31 +02:00			`enableACME = true;`
			`forceSSL = true;`
			`};`
			`};`
Add Mono FastCGI configuration 2021-05-11 11:48:26 +02:00			`virtualHosts = {`
			`"frontend.coace.duckdns.org" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`root = "/vault/backups/frontend/inetpub/wwwroot";`
			`locations = {`
			`"/few/".extraConfig = ''`
			`fastcgi_index Default.aspx;`
			`fastcgi_pass 127.0.0.1:9000;`
			`fastcgi_param SCRIPT_FILENAME $document_root/few/$fastcgi_script_name;`
			`fastcgi_param PATH_INFO "";`
Fix path of Mono directories 2021-05-11 12:32:29 +02:00			`fastcgi-mono-server4 /applications=/few/:/vault/backups/frontend/inetpub/wwwroot/few/socket=tcp:127.0.0.1:9000;`
Add Mono FastCGI configuration 2021-05-11 11:48:26 +02:00			`include ${pkgs.nginx}/conf/fastcgi_params;`
			`'';`
			`"/gcw/".extraConfig = ''`
			`fastcgi_index Default.aspx;`
			`fastcgi_pass 127.0.0.1:9000;`
			`fastcgi_param SCRIPT_FILENAME $document_root/few/$fastcgi_script_name;`
			`fastcgi_param PATH_INFO "";`
Fix path of Mono directories 2021-05-11 12:32:29 +02:00			`fastcgi-mono-server4 /applications=/gcw/:/vault/backups/frontend/inetpub/wwwroot/gcw/socket=tcp:127.0.0.1:9000;`
Add Mono FastCGI configuration 2021-05-11 11:48:26 +02:00			`include ${pkgs.nginx}/conf/fastcgi_params;`
			`'';`
			`};`
			`};`
			`};`
Set up Nextcloud 2021-04-07 13:18:31 +02:00			`};`

			`# ACME certs configuration`
			`security.acme = {`
			`acceptTerms = true;`
			`email = "secretario@arquitectosdeceuta.com";`
Add Mono FastCGI configuration 2021-05-11 11:48:26 +02:00			`certs."coace.duckdns.org" = {`
			`webroot = "/var/lib/acme/acme-challenge";`
			`extraDomainNames = [ "frontend.coace.duckdns.org" ];`
			`};`
Set up Nextcloud 2021-04-07 13:18:31 +02:00			`};`

			`# Generate dhparams`
			`security.dhparams = {`
			`enable = true;`
			`params.nginx.bits = 2048;`
			`};`

			`# PostgreSQL databases configuration`
			`services.postgresql = {`
			`enable = true;`
			`authentication = lib.mkForce ''`
			`# Generated file; do not edit!`
			`# TYPE DATABASE USER ADDRESS METHOD`
			`local all all trust`
			`host all all 127.0.0.1/32 trust`
			`host all all ::1/128 trust`
			`'';`
			`};`
			`}`