{ config, lib, pkgs, ... }: { # Reverse proxy configuration services.nginx = { enable = true; recommendedTlsSettings = true; recommendedGzipSettings = true; recommendedProxySettings = true; recommendedOptimisation = true; sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128"; sslProtocols = "TLSv1.2 TLSv1.3"; sslDhparam = "/var/lib/dhparams/nginx.pem"; commonHttpConfig = '' # Add HSTS header with preloading to HTTPS requests. # Adding this header to HTTP requests is discouraged map $scheme $hsts_header { https "max-age=31536000; includeSubdomains; preload"; } add_header Strict-Transport-Security $hsts_header; # Minimize information leaked to other domains add_header 'Referrer-Policy' 'origin-when-cross-origin'; # Disable embedding as a frame add_header X-Frame-Options DENY; # Prevent injection of code in other mime types (XSS Attacks) add_header X-Content-Type-Options nosniff; # Enable XSS protection of the browser. # May be unnecessary when CSP is configured properly (see above) add_header X-XSS-Protection "1; mode=block"; # This might create errors proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; ''; virtualHosts = { "coace.duckdns.org" = { enableACME = true; forceSSL = true; }; }; virtualHosts = { "gcw.coace.duckdns.org" = { enableACME = true; forceSSL = true; root = "/vault/backups/frontend/inetpub/wwwroot/gcw"; locations."/".extraConfig = '' fastcgi_index Default.aspx; fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; fastcgi_param PATH_INFO ""; fastcgi-mono-server4 /applications=gcw.coace.duckns.org/:/vault/backups/frontend/inetpub/wwwroot/gcw/socket=tcp:127.0.0.1:9001; include ${pkgs.nginx}/conf/fastcgi_params; ''; }; "few.coace.duckdns.org" = { enableACME = true; forceSSL = true; root = "/vault/backups/frontend/inetpub/wwwroot/few"; locations."/".extraConfig = '' fastcgi_index Default.aspx; fastcgi_pass 127.0.0.1:9001; fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; fastcgi_param PATH_INFO ""; fastcgi-mono-server4 /applications=few.coace.duckdns.org/:/vault/backups/frontend/inetpub/wwwroot/few/socket=tcp:127.0.0.1:9001; include ${pkgs.nginx}/conf/fastcgi_params; ''; }; }; }; # ACME certs configuration security.acme = { acceptTerms = true; email = "secretario@arquitectosdeceuta.com"; certs."coace.duckdns.org" = { webroot = "/var/lib/acme/acme-challenge"; extraDomainNames = [ "few.coace.duckdns.org" "gcw.coace.duckdns.org" ]; }; }; # Generate dhparams security.dhparams = { enable = true; params.nginx.bits = 2048; }; # PostgreSQL databases configuration services.postgresql = { enable = true; authentication = lib.mkForce '' # Generated file; do not edit! # TYPE DATABASE USER ADDRESS METHOD local all all trust host all all 127.0.0.1/32 trust host all all ::1/128 trust ''; }; # Run Mono server systemd.services.mono-server = { description = "Mono server to run ASP .NET applications"; wantedBy = [ "default.target" ]; path = with pkgs; [ mono6 ]; script = '' gcw_lockfile=/tmp/mono-service-gcw few_lockfile=/tmp/mono-service-few ${pkgs.mono6}/bin/mono-service --applications /:/vault/backups/frontend/inetpub/wwwroot/gcw -l:$gcw_lockfile --socket=tcp:127.0.0.1:9000 ${pkgs.mono6}/bin/mono-service --applications /:/vault/backups/frontend/inetpub/wwwroot/few -l:$few_lockfile --socket=tcp:127.0.0.1:9001 ''; before = [ "nginx.service" ]; }; }