zion/modules/webstack.nix

# LEPP stack configuration
{ config, pkgs, lib, ... }:
{

  environment.systemPackages = with pkgs; [
    nginx
    postgresql_11
    libressl
    miniflux
  ];

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    clientMaxBodySize = "0";
    sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
    sslProtocols = "TLSv1.2 TLSv1.3";
    sslDhparam = "/var/lib/dhparams/nginx.pem";
    commonHttpConfig = ''
      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;

      # Enable CSP for your services.
      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'origin-when-cross-origin';

      # Disable embedding as a frame
      add_header X-Frame-Options DENY;

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;

      # Enable XSS protection of the browser.
      # May be unnecessary when CSP is configured properly (see above)
      add_header X-XSS-Protection "1; mode=block";

      # This might create errors
      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';
    virtualHosts = {
      "coolneng.duckdns.org" = {
        enableACME = true;
        forceSSL = true;
        sslCertificate = "/var/lib/acme/coolneng.duckdns.org/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/coolneng.duckdns.org/key.pem";
        locations."/radicale/" = {
          proxyPass = "http://localhost:5232/";
          extraConfig = ''
            proxy_set_header     X-Script-Name /radicale;
            proxy_pass_header Authorization;
          '';
        };
        locations."/syncthing/" = {
          proxyPass = "http://localhost:8384/";
        };
        locations."/gitea/" = {
          proxyPass = "http://localhost:3000/";
        };
        locations."/miniflux/" = {
          proxyPass = "http://localhost:8080/miniflux/";
        };
        locations."/wallabag/" = {
          proxyPass = "http://localhost:8081/";
        };
      };
    };
  };

  # ACME certs configuration
  security.acme.certs = {
    "coolneng.duckdns.org" = {
      email = "akasroua@gmail.com";
      postRun = "systemctl reload nginx.service";
    };
  };

  # Generate dhparams
  security.dhparams = {
    enable = true;
    params = { nginx.bits = 2048; };
  };

  # PostgreSQL databases configuration
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_11;
    ensureDatabases = [ "gitea" "wallabag" ];
    ensureUsers = [
      {
      name = "gitea";
      ensurePermissions = {"DATABASE gitea" = "ALL PRIVILEGES";};
      }
      {
      name = "wallabag";
      ensurePermissions = {"DATABASE wallabag" = "ALL PRIVILEGES";};
      }
    ];
    authentication = lib.mkForce ''
    # Generated file; do not edit!
    # TYPE  DATABASE        USER            ADDRESS                 METHOD
    local   all             all                                     trust
    host    all             all             127.0.0.1/32            trust
    host    all             all             ::1/128                 trust
    '';
    identMap = ''
            gitea-users gitea gitea
    '';
  };

  # PostgreSQL daily backups
  services.postgresqlBackup = {
      enable = true;
      backupAll = true;
      location = "/vault/backups/zion/databases";
      startAt = "*-*-* 05:15:00";
  };

  # Miniflux configuration
  services.miniflux = {
    enable = true;
    adminCredentialsFile = "/var/keys/miniflux/admin";
    config = {
      BASE_URL = "https://coolneng.duckdns.org/miniflux/";
    };
  };

  # Restart nginx after
  systemd.services.nginx.after = [ "gitea.service" "syncthing.service" "miniflux.service" "radicale.service" ];
}
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`# LEPP stack configuration`
			`{ config, pkgs, lib, ... }:`
			`{`

			`environment.systemPackages = with pkgs; [`
			`nginx`
			`postgresql_11`
Generate dhparams for SSL 2019-11-14 00:31:39 +01:00			`libressl`
Set up Miniflux reverse proxy 2019-11-17 23:50:48 +01:00			`miniflux`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`];`

			`services.nginx = {`
			`enable = true;`
			`recommendedTlsSettings = true;`
			`recommendedGzipSettings = true;`
			`recommendedProxySettings = true;`
			`recommendedOptimisation = true;`
Remove upload limit on nginx Change LFS path and increase push timeout Remove LFS path Increase nginx upload size to 512 MB Increase nginx upload size to 1GB Set nginx upload size to unlimited 2019-11-25 18:56:39 +01:00			`clientMaxBodySize = "0";`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
			`sslProtocols = "TLSv1.2 TLSv1.3";`
Generate dhparams for SSL 2019-11-14 00:31:39 +01:00			`sslDhparam = "/var/lib/dhparams/nginx.pem";`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`commonHttpConfig = ''`
			`# Add HSTS header with preloading to HTTPS requests.`
			`# Adding this header to HTTP requests is discouraged`
			`map $scheme $hsts_header {`
			`https "max-age=31536000; includeSubdomains; preload";`
			`}`
			`add_header Strict-Transport-Security $hsts_header;`

			`# Enable CSP for your services.`
			`#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;`

			`# Minimize information leaked to other domains`
			`add_header 'Referrer-Policy' 'origin-when-cross-origin';`

			`# Disable embedding as a frame`
			`add_header X-Frame-Options DENY;`

			`# Prevent injection of code in other mime types (XSS Attacks)`
			`add_header X-Content-Type-Options nosniff;`

			`# Enable XSS protection of the browser.`
			`# May be unnecessary when CSP is configured properly (see above)`
			`add_header X-XSS-Protection "1; mode=block";`

			`# This might create errors`
			`proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";`
			`'';`
			`virtualHosts = {`
			`"coolneng.duckdns.org" = {`
			`enableACME = true;`
			`forceSSL = true;`
Disable IPv6 2019-11-11 14:30:45 +01:00			`sslCertificate = "/var/lib/acme/coolneng.duckdns.org/fullchain.pem";`
			`sslCertificateKey = "/var/lib/acme/coolneng.duckdns.org/key.pem";`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`locations."/radicale/" = {`
			`proxyPass = "http://localhost:5232/";`
			`extraConfig = ''`
			`proxy_set_header X-Script-Name /radicale;`
			`proxy_pass_header Authorization;`
			`'';`
			`};`
Set up Syncthing reverse proxy 2019-11-13 00:00:04 +01:00			`locations."/syncthing/" = {`
			`proxyPass = "http://localhost:8384/";`
			`};`
Revert gitea subdomain location 2019-11-25 15:19:01 +01:00			`locations."/gitea/" = {`
Set up Gitea 2019-11-16 10:55:10 +01:00			`proxyPass = "http://localhost:3000/";`
			`};`
Set up Miniflux 2019-11-17 23:25:54 +01:00			`locations."/miniflux/" = {`
Set up Miniflux reverse proxy 2019-11-17 23:50:48 +01:00			`proxyPass = "http://localhost:8080/miniflux/";`
Set up Miniflux 2019-11-17 23:25:54 +01:00			`};`
Set up Wallabag 2019-11-17 18:58:31 +01:00			`locations."/wallabag/" = {`
Change gitea location to the root of the domain 2019-11-23 00:00:47 +01:00			`proxyPass = "http://localhost:8081/";`
Set up Wallabag 2019-11-17 18:58:31 +01:00			`};`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`};`
			`};`
			`};`

			`# ACME certs configuration`
			`security.acme.certs = {`
			`"coolneng.duckdns.org" = {`
			`email = "akasroua@gmail.com";`
			`postRun = "systemctl reload nginx.service";`
			`};`
			`};`

Set up PostgreSQL with daily backups 2019-11-14 02:30:12 +01:00			`# Generate dhparams`
Generate dhparams for SSL 2019-11-14 00:31:39 +01:00			`security.dhparams = {`
			`enable = true;`
			`params = { nginx.bits = 2048; };`
			`};`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00
Set up Wallabag 2019-11-17 18:58:31 +01:00			`# PostgreSQL databases configuration`
Set up Gitea 2019-11-16 10:55:10 +01:00			`services.postgresql = {`
			`enable = true;`
			`package = pkgs.postgresql_11;`
Set up Miniflux reverse proxy 2019-11-17 23:50:48 +01:00			`ensureDatabases = [ "gitea" "wallabag" ];`
Set up Gitea 2019-11-16 10:55:10 +01:00			`ensureUsers = [`
			`{`
			`name = "gitea";`
			`ensurePermissions = {"DATABASE gitea" = "ALL PRIVILEGES";};`
			`}`
Set up Wallabag 2019-11-17 18:58:31 +01:00			`{`
			`name = "wallabag";`
			`ensurePermissions = {"DATABASE wallabag" = "ALL PRIVILEGES";};`
			`}`
Set up Gitea 2019-11-16 10:55:10 +01:00			`];`
			`authentication = lib.mkForce ''`
			`# Generated file; do not edit!`
			`# TYPE DATABASE USER ADDRESS METHOD`
			`local all all trust`
Revert TCP/IP connection for PostgreSQL 2019-12-15 23:08:19 +01:00			`host all all 127.0.0.1/32 trust`
			`host all all ::1/128 trust`
Set up Gitea 2019-11-16 10:55:10 +01:00			`'';`
			`identMap = ''`
			`gitea-users gitea gitea`
			`'';`
			`};`
Set up PostgreSQL with daily backups 2019-11-14 02:30:12 +01:00
Set up Wallabag 2019-11-17 18:58:31 +01:00			`# PostgreSQL daily backups`
Set up PostgreSQL with daily backups 2019-11-14 02:30:12 +01:00			`services.postgresqlBackup = {`
			`enable = true;`
			`backupAll = true;`
			`location = "/vault/backups/zion/databases";`
			`startAt = "--* 05:15:00";`
			`};`

Set up Miniflux reverse proxy 2019-11-17 23:50:48 +01:00			`# Miniflux configuration`
Set up Miniflux 2019-11-17 23:25:54 +01:00			`services.miniflux = {`
			`enable = true;`
Set up Miniflux reverse proxy 2019-11-17 23:50:48 +01:00			`adminCredentialsFile = "/var/keys/miniflux/admin";`
Set up Miniflux 2019-11-17 23:25:54 +01:00			`config = {`
Set up Miniflux reverse proxy 2019-11-17 23:50:48 +01:00			`BASE_URL = "https://coolneng.duckdns.org/miniflux/";`
Set up Miniflux 2019-11-17 23:25:54 +01:00			`};`
			`};`

Package cleanup and reverse proxy service restart Squashed commit of the following: commit db95d142d42f97891db9aecd61625886c84e18a4 Author: coolneng <akasroua@gmail.com> Date: Thu Jan 30 13:23:23 2020 +0100 Update Syncthing IDs and add roamer to Wireguard commit 6a2346d4a1b6bf39e57130bf2a70e5e190850fc9 Author: coolneng <akasroua@gmail.com> Date: Wed Jan 29 14:30:31 2020 +0100 Add wireguard server configuration commit 09c5755ec8119db3f17df180034ea5c03adc5242 Author: coolneng <akasroua@gmail.com> Date: Wed Jan 29 00:20:52 2020 +0100 Add wireguard packages commit c542b06c9d718da9ca5ec6b00bf5179e970ccbdb Author: coolneng <akasroua@gmail.com> Date: Tue Jan 28 21:57:53 2020 +0100 Move zeroconf section to networking commit 1af6e07072ba345482b71b1817563c6a8c01f71c Author: coolneng <akasroua@gmail.com> Date: Tue Jan 28 21:54:39 2020 +0100 Revert "Clean up packages and refactor nginx config" This reverts commit 375758a958c4dd9f1ba99d25fc6840c52a5582a7. commit 5eb5e446ade2854e966ba0f60067e3b153a7a119 Author: coolneng <akasroua@gmail.com> Date: Sun Jan 26 19:39:28 2020 +0100 Add wallabag docker container commit 375758a958c4dd9f1ba99d25fc6840c52a5582a7 Author: coolneng <akasroua@gmail.com> Date: Sun Jan 26 08:45:56 2020 +0100 Clean up packages and refactor nginx config commit f210353ce53d378eb01f7124c889df156758470a Author: coolneng <akasroua@gmail.com> Date: Tue Dec 31 18:41:34 2019 +0100 Delete Security folder from Syncthing commit 65afa32e57032eb59444fecb223d69dbfef585bd Author: coolneng <akasroua@gmail.com> Date: Thu Dec 26 04:19:38 2019 +0100 Use 'after' instead of 'wantedBy' commit 8cc829e06329a0eb75b3d924c9843370e41c9555 Author: coolneng <akasroua@gmail.com> Date: Thu Dec 26 04:16:21 2019 +0100 Use wantedBy instead of partOf commit e490102d74fada01a336d42086c186c06ab4ff8b Merge: 91d4b24 51ed142 Author: coolneng <akasroua@gmail.com> Date: Wed Dec 25 17:47:14 2019 +0100 Merge branch 'test' of gitea into test commit 51ed142c5f851a718ec814a8badc0ca670f22d7b Author: coolneng <akasroua@gmail.com> Date: Wed Dec 25 17:15:42 2019 +0100 Use mkforce for 'partOf' option commit caf4a49ec2796948213539f0dcb6a38d51228f6f Author: coolneng <akasroua@gmail.com> Date: Wed Dec 25 16:37:11 2019 +0100 Configure nginx service as dependent on gitea commit e8850eff5166ae6f6e56ac11d58cc56491fca255 Author: coolneng <akasroua@gmail.com> Date: Wed Dec 25 16:24:10 2019 +0100 Restart nginx after Gitea commit 91d4b240d7b188b973ec7c3a86138587c52920fe Author: coolneng <akasroua@gmail.com> Date: Sun Dec 15 22:54:00 2019 +0100 # This is a combination of 2 commits. # This is the 1st commit message: Revert "Disable wizard on Gitea" This reverts commit d8b415ee16e1a560dac430f577d34cb098e0f832. # This is the commit message #2: Remove Gitea socket connection to the DB 2020-02-21 12:24:13 +01:00			`# Restart nginx after`
Avoid packages rebuilds and decrease ZFS ARC cache 2020-03-29 06:21:19 +02:00			`systemd.services.nginx.after = [ "gitea.service" "syncthing.service" "miniflux.service" "radicale.service" ];`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`}`