diff --git a/configuration.nix b/configuration.nix
index 21ce292..a503fac 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -107,6 +107,7 @@
 ./modules/virtualization.nix
 ./modules/monitoring.nix
 ./modules/periodic.nix
+ ./modules/webstack.nix
 ];
 }
diff --git a/modules/datasync.nix b/modules/datasync.nix
index bbcae43..736943a 100644
--- a/modules/datasync.nix
+++ b/modules/datasync.nix
@@ -46,4 +46,28 @@
 };
 };
 };
+
+ # Nextcloud configuration
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud21;
+ home = "/vault/nextcloud";
+ hostName = "nextcloud.coace.duckdns.org";
+ https = true;
+ autoUpdateApps = {
+ enable = true;
+ startAt = "Sun 05:00:00";
+ };
+ config = {
+ overwriteProtocol = "https";
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbname = "nextcloud";
+ dbpassFile = "/var/keys/nextcloud";
+ adminpassFile = "/var/keys/nextcloud-admin";
+ adminuser = "admin";
+ defaultPhoneRegion = "ES";
+ };
+ };
+
 }
diff --git a/modules/networking.nix b/modules/networking.nix
index b8226be..e788ae4 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -49,6 +49,8 @@ in {
 139 # Samba
 2222 # VM SSH
 5000 # Sybase
+ 80 # HTTP
+ 443 # HTTPS
 ];
 allowedUDPPorts = [
 137 # Samba
diff --git a/modules/webstack.nix b/modules/webstack.nix
new file mode 100644
index 0000000..1c81def
--- /dev/null
+++ b/modules/webstack.nix
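Review bot: `adminuser = "admin"` in the new `services.nextcloud.config` block hard-codes the default administrator name on an internet-facing host, which hands credential stuffing and brute forcing a known username; pick a non-obvious name here (the password already comes from `/var/keys/nextcloud-admin`, so only the name needs to change). The two secret files under `/var/keys/` are referenced but not provisioned anywhere in this diff, so they must exist and be readable only by root and the `nextcloud` user before the first activation — presumably created out of band; a comment such as `# /var/keys/nextcloud{,-admin}: mode 0600, created by hand before first switch` would make that dependency visible. `package = pkgs.nextcloud21` pins the server major while `autoUpdateApps` keeps apps current; Nextcloud supports only a few majors at a time, so this pin needs to be revisited as part of regular upgrades rather than left until the module warns about it.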
@@ -0,0 +1,75 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # Reverse proxy configuration
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedOptimisation = true;
+ sslCiphers =
+ "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
+ sslProtocols = "TLSv1.2 TLSv1.3";
+ sslDhparam = "/var/lib/dhparams/nginx.pem";
+ commonHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # Enable XSS protection of the browser.
+ # May be unnecessary when CSP is configured properly (see above)
+ add_header X-XSS-Protection "1; mode=block";
+
+ # This might create errors
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ virtualHosts = {
+ "nextcloud.coace.duckdns.org" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+ };
+
+ # ACME certs configuration
+ security.acme = {
+ acceptTerms = true;
+ email = "secretario@arquitectosdeceuta.com";
+ certs."nextcloud.coace.duckdns.org".webroot =
+ "/var/lib/acme/acme-challenge";
+ };
+
+ # Generate dhparams
+ security.dhparams = {
+ enable = true;
+ params.nginx.bits = 2048;
+ };
+
+ # PostgreSQL databases configuration
+ services.postgresql = {
+ enable = true;
+ authentication = lib.mkForce ''
+ # Generated file; do not edit!
+ # TYPE DATABASE USER ADDRESS METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ '';
+ };
+
+ # Restart reverse proxy after services startup
+ systemd.services.nginx.after = [ "nextcloud.service" ];
+}
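Review bot: The `lib.mkForce` override of `services.postgresql.authentication` at the bottom of the hunk sets every pg_hba method to `trust`, so any local process — over the Unix socket via `local all all trust`, and over loopback TCP if that is ever enabled — can connect to any database as any role, including the `postgres` superuser, with no password; the `dbpassFile` configured for Nextcloud in the same commit is then never checked. The NixOS module's default appears to be `peer` on the socket and password auth on loopback, which already lets the `nextcloud` system user reach its own database, so the override looks unnecessary; if it is kept, change the three method columns to `local all all peer`, `host all all 127.0.0.1/32 md5` and `host all all ::1/128 md5`. Separately, nginx does not inherit `add_header` from `commonHttpConfig` into any server or location block that sets its own `add_header`, so HSTS and the other headers may not actually be emitted on the Nextcloud vhost if the module adds headers there — worth confirming with `curl -I` after deploy. The comment `# Restart reverse proxy after services startup` overstates `systemd.services.nginx.after`, which only orders startup and restarts nothing; `# Start nginx only after nextcloud.service has come up` is what the line does.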