{ config, lib, pkgs, ... }: { # Reverse proxy configuration services.nginx = { enable = true; recommendedTlsSettings = true; recommendedGzipSettings = true; recommendedProxySettings = true; recommendedOptimisation = true; sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128"; sslProtocols = "TLSv1.2 TLSv1.3"; sslDhparam = "/var/lib/dhparams/nginx.pem"; commonHttpConfig = '' # Add HSTS header with preloading to HTTPS requests. # Adding this header to HTTP requests is discouraged map $scheme $hsts_header { https "max-age=31536000; includeSubdomains; preload"; } add_header Strict-Transport-Security $hsts_header; # Minimize information leaked to other domains add_header 'Referrer-Policy' 'origin-when-cross-origin'; # Disable embedding as a frame add_header X-Frame-Options DENY; # Prevent injection of code in other mime types (XSS Attacks) add_header X-Content-Type-Options nosniff; # Enable XSS protection of the browser. # May be unnecessary when CSP is configured properly (see above) add_header X-XSS-Protection "1; mode=block"; # This might create errors proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; ''; virtualHosts = { "coace.duckdns.org" = { enableACME = true; forceSSL = true; }; }; virtualHosts = { "frontend.coace.duckdns.org" = { enableACME = true; forceSSL = true; root = "/vault/backups/frontend/inetpub/wwwroot"; locations = { "/few/".extraConfig = '' fastcgi_index Default.aspx; fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $document_root/few/$fastcgi_script_name; fastcgi_param PATH_INFO ""; fastcgi-mono-server4 /applications=/few/:/vault/backups/frontend/inetpub/wwwroot/few/socket=tcp:127.0.0.1:9000; include ${pkgs.nginx}/conf/fastcgi_params; ''; "/gcw/".extraConfig = '' fastcgi_index Default.aspx; fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $document_root/few/$fastcgi_script_name; fastcgi_param PATH_INFO ""; fastcgi-mono-server4 /applications=/gcw/:/vault/backups/frontend/inetpub/wwwroot/gcw/socket=tcp:127.0.0.1:9000; include ${pkgs.nginx}/conf/fastcgi_params; ''; }; }; }; }; # ACME certs configuration security.acme = { acceptTerms = true; email = "secretario@arquitectosdeceuta.com"; certs."coace.duckdns.org" = { webroot = "/var/lib/acme/acme-challenge"; extraDomainNames = [ "frontend.coace.duckdns.org" ]; }; }; # Generate dhparams security.dhparams = { enable = true; params.nginx.bits = 2048; }; # PostgreSQL databases configuration services.postgresql = { enable = true; authentication = lib.mkForce '' # Generated file; do not edit! # TYPE DATABASE USER ADDRESS METHOD local all all trust host all all 127.0.0.1/32 trust host all all ::1/128 trust ''; }; # Run Mono server systemd.services.mono-server = { description = "Mono server to run ASP .NET applications"; wantedBy = [ "default.target" ]; path = with pkgs; [ mono6 ]; script = '' lockfile=/tmp/mono-service ${pkgs.mono6}/bin/mono-service -d:/vault/backups/frontend/inetpub/wwwroot/gcw -l:$lockfile ${pkgs.mono6}/bin/mono-service -d:/vault/backups/frontend/inetpub/wwwroot/few -l:$lockfile ''; serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; User = "nginx"; Group = "nginx"; ExecStop = '' kill `cat $lockfile` ''; }; before = [ "nginx.service" ]; }; }