zion/modules/webstack.nix

# Web services configuration
{ config, pkgs, lib, ... }: {

  environment.systemPackages = with pkgs; [ libressl ];

  # Reverse proxy configuration
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    clientMaxBodySize = "0";
    sslCiphers =
      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
    sslProtocols = "TLSv1.2 TLSv1.3";
    sslDhparam = "/var/lib/dhparams/nginx.pem";
    commonHttpConfig = ''
      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;

      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'origin-when-cross-origin';

      # Disable embedding as a frame
      add_header X-Frame-Options DENY;

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;

      # Enable XSS protection of the browser.
      # May be unnecessary when CSP is configured properly (see above)
      add_header X-XSS-Protection "1; mode=block";

      # This might create errors
      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';
    virtualHosts = {
      "coolneng.duckdns.org" = {
        enableACME = true;
        forceSSL = true;
        # Redirect from legacy subdirectory URL to subdomain
        locations = {
          "/radicale/".return = "301 https://radicale.coolneng.duckdns.org";
          "/syncthing/".return = "301 https://sync.coolneng.duckdns.org";
          "/gitea/".extraConfig =
            "rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
          "/miniflux/".extraConfig =
            "rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
        };
      };
      "radicale.coolneng.duckdns.org" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:5232/";
          extraConfig = ''
            proxy_set_header     X-Script-Name /;
            proxy_pass_header Authorization;
          '';
        };
      };
      "sync.coolneng.duckdns.org" = {
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:8384/";
      };
      "git.coolneng.duckdns.org" = {
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:3000/";
      };
      "rss.coolneng.duckdns.org" = {
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:8080/";
      };
      "matrix.coolneng.duckdns.org" = {
        enableACME = true;
        forceSSL = true;
        listen = [
          {
            addr = "0.0.0.0";
            port = 8448;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
        ];
        locations."/" = { proxyPass = "http://localhost:8008/"; };
      };
      "element.coolneng.duckdns.org" = {
        enableACME = true;
        forceSSL = true;
        locations."/".root = pkgs.element-web.override {
          conf = {
            default_server_config."m.homeserver" = {
              "base_url" = "https://matrix.coolneng.duckdns.org";
              "server_name" = "coolneng.duckdns.org";
            };
          };
        };
      };
      "wallabag.coolneng.duckdns.org" = {
        enableACME = true;
        forceSSL = true;
        root = "${pkgs.wallabag}/web";
        locations = {
          "/".tryFiles = "$uri /app.php$is_args$args";
          "/assets".root = "${config.environment.variables.WALLABAG_DATA}/web";
          "~ ^/app.php(/|$)" = {
            fastcgiParams = {
              SCRIPT_FILENAME = "${pkgs.wallabag}/web/$fastcgi_script_name";
              DOCUMENT_ROOT = "${pkgs.wallabag}/web";
            };
            extraConfig = ''
              fastcgi_pass unix:${config.services.phpfpm.pools.wallabag.socket};
              fastcgi_split_path_info ^(.+\.php)(/.*)$;
              include ${pkgs.nginx}/conf/fastcgi_params;
              internal;
            '';
          };
        };
      };
    };
  };

  # ACME certs configuration
  security.acme = {
    acceptTerms = true;
    email = "akasroua@gmail.com";
    certs = {
      "coolneng.duckdns.org" = {
        extraDomainNames = [
          "radicale.coolneng.duckdns.org"
          "sync.coolneng.duckdns.org"
          "git.coolneng.duckdns.org"
          "rss.coolneng.duckdns.org"
          "matrix.coolneng.duckdns.org"
          "element.coolneng.duckdns.org"
          "wallabag.coolneng.duckdns.org"
        ];
      };
    };
  };

  # Generate dhparams
  security.dhparams = {
    enable = true;
    params = { nginx.bits = 2048; };
  };

  # PostgreSQL databases configuration
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_11;
    authentication = lib.mkForce ''
      # Generated file; do not edit!
      # TYPE  DATABASE        USER            ADDRESS                 METHOD
      local   all             all                                     trust
      host    all             all             127.0.0.1/32            trust
      host    all             all             ::1/128                 trust
    '';
  };

  # Restart reverse proxy after services startup
  systemd.services.nginx.after = [
    "gitea.service"
    "syncthing.service"
    "miniflux.service"
    "radicale.service"
    "matrix-synapse.service"
    "element.service"
    "phpfpm-wallabag.service"
  ];
}
Move web services to subdomains 2020-08-24 15:07:55 +02:00			`# Web services configuration`
			`{ config, pkgs, lib, ... }: {`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00
Clean up redundant packages 2020-09-02 18:44:31 +02:00			`environment.systemPackages = with pkgs; [ libressl ];`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00
Set up Wallabag in a new module 2021-01-19 00:14:57 +01:00			`# Reverse proxy configuration`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`services.nginx = {`
			`enable = true;`
			`recommendedTlsSettings = true;`
			`recommendedGzipSettings = true;`
			`recommendedProxySettings = true;`
			`recommendedOptimisation = true;`
Remove upload limit on nginx Change LFS path and increase push timeout Remove LFS path Increase nginx upload size to 512 MB Increase nginx upload size to 1GB Set nginx upload size to unlimited 2019-11-25 18:56:39 +01:00			`clientMaxBodySize = "0";`
Move web services to subdomains 2020-08-24 15:07:55 +02:00			`sslCiphers =`
			"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`sslProtocols = "TLSv1.2 TLSv1.3";`
Generate dhparams for SSL 2019-11-14 00:31:39 +01:00			`sslDhparam = "/var/lib/dhparams/nginx.pem";`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`commonHttpConfig = ''`
			`# Add HSTS header with preloading to HTTPS requests.`
			`# Adding this header to HTTP requests is discouraged`
			`map $scheme $hsts_header {`
			`https "max-age=31536000; includeSubdomains; preload";`
			`}`
			`add_header Strict-Transport-Security $hsts_header;`

			`# Minimize information leaked to other domains`
			`add_header 'Referrer-Policy' 'origin-when-cross-origin';`

			`# Disable embedding as a frame`
			`add_header X-Frame-Options DENY;`

			`# Prevent injection of code in other mime types (XSS Attacks)`
			`add_header X-Content-Type-Options nosniff;`

			`# Enable XSS protection of the browser.`
			`# May be unnecessary when CSP is configured properly (see above)`
			`add_header X-XSS-Protection "1; mode=block";`

			`# This might create errors`
			`proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";`
			`'';`
			`virtualHosts = {`
			`"coolneng.duckdns.org" = {`
			`enableACME = true;`
			`forceSSL = true;`
Refactor nginx configuration 2021-02-03 03:56:59 +01:00			`# Redirect from legacy subdirectory URL to subdomain`
			`locations = {`
			`"/radicale/".return = "301 https://radicale.coolneng.duckdns.org";`
			`"/syncthing/".return = "301 https://sync.coolneng.duckdns.org";`
			`"/gitea/".extraConfig =`
Move web services to subdomains 2020-08-24 15:07:55 +02:00			`"rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";`
Refactor nginx configuration 2021-02-03 03:56:59 +01:00			`"/miniflux/".extraConfig =`
Move web services to subdomains 2020-08-24 15:07:55 +02:00			`"rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";`
Set up Miniflux 2019-11-17 23:25:54 +01:00			`};`
Move web services to subdomains 2020-08-24 15:07:55 +02:00			`};`
			`"radicale.coolneng.duckdns.org" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`locations."/" = {`
			`proxyPass = "http://localhost:5232/";`
			`extraConfig = ''`
			`proxy_set_header X-Script-Name /;`
			`proxy_pass_header Authorization;`
			`'';`
Set up Wallabag 2019-11-17 18:58:31 +01:00			`};`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`};`
Move web services to subdomains 2020-08-24 15:07:55 +02:00			`"sync.coolneng.duckdns.org" = {`
			`enableACME = true;`
			`forceSSL = true;`
Refactor nginx configuration 2021-02-03 03:56:59 +01:00			`locations."/".proxyPass = "http://localhost:8384/";`
Move web services to subdomains 2020-08-24 15:07:55 +02:00			`};`
			`"git.coolneng.duckdns.org" = {`
			`enableACME = true;`
			`forceSSL = true;`
Refactor nginx configuration 2021-02-03 03:56:59 +01:00			`locations."/".proxyPass = "http://localhost:3000/";`
Move web services to subdomains 2020-08-24 15:07:55 +02:00			`};`
			`"rss.coolneng.duckdns.org" = {`
			`enableACME = true;`
			`forceSSL = true;`
Refactor nginx configuration 2021-02-03 03:56:59 +01:00			`locations."/".proxyPass = "http://localhost:8080/";`
Move web services to subdomains 2020-08-24 15:07:55 +02:00			`};`
Set up Matrix and Element 2020-12-28 18:42:26 +01:00			`"matrix.coolneng.duckdns.org" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`listen = [`
			`{`
			`addr = "0.0.0.0";`
			`port = 8448;`
			`ssl = true;`
			`}`
			`{`
			`addr = "0.0.0.0";`
			`port = 443;`
			`ssl = true;`
			`}`
			`];`
			`locations."/" = { proxyPass = "http://localhost:8008/"; };`
			`};`
			`"element.coolneng.duckdns.org" = {`
			`enableACME = true;`
			`forceSSL = true;`
Refactor nginx configuration 2021-02-03 03:56:59 +01:00			`locations."/".root = pkgs.element-web.override {`
			`conf = {`
			`default_server_config."m.homeserver" = {`
			`"base_url" = "https://matrix.coolneng.duckdns.org";`
			`"server_name" = "coolneng.duckdns.org";`
Set up Matrix and Element 2020-12-28 18:42:26 +01:00			`};`
			`};`
			`};`
			`};`
Set up Wallabag in a new module 2021-01-19 00:14:57 +01:00			`"wallabag.coolneng.duckdns.org" = {`
Fix Wallabag service 2021-02-03 05:28:10 +01:00			`enableACME = true;`
			`forceSSL = true;`
Set up Wallabag in a new module 2021-01-19 00:14:57 +01:00			`root = "${pkgs.wallabag}/web";`
Fix Wallabag service 2021-02-03 05:28:10 +01:00			`locations = {`
			`"/".tryFiles = "$uri /app.php$is_args$args";`
			`"/assets".root = "${config.environment.variables.WALLABAG_DATA}/web";`
			`"~ ^/app.php(/\|$)" = {`
			`fastcgiParams = {`
			`SCRIPT_FILENAME = "${pkgs.wallabag}/web/$fastcgi_script_name";`
			`DOCUMENT_ROOT = "${pkgs.wallabag}/web";`
			`};`
			`extraConfig = ''`
			`fastcgi_pass unix:${config.services.phpfpm.pools.wallabag.socket};`
			`fastcgi_split_path_info ^(.+\.php)(/.*)$;`
			`include ${pkgs.nginx}/conf/fastcgi_params;`
			`internal;`
			`'';`
			`};`
Set up Wallabag in a new module 2021-01-19 00:14:57 +01:00			`};`
			`};`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`};`
			`};`

			`# ACME certs configuration`
Adapt ACME configuration to NixOS 20.03 2020-04-22 02:31:56 +02:00			`security.acme = {`
			`acceptTerms = true;`
			`email = "akasroua@gmail.com";`
			`certs = {`
			`"coolneng.duckdns.org" = {`
Adapte ACME configuration to Nixos 20.09 2020-10-28 00:39:32 +01:00			`extraDomainNames = [`
			`"radicale.coolneng.duckdns.org"`
			`"sync.coolneng.duckdns.org"`
			`"git.coolneng.duckdns.org"`
			`"rss.coolneng.duckdns.org"`
Set up Matrix and Element 2020-12-28 18:42:26 +01:00			`"matrix.coolneng.duckdns.org"`
			`"element.coolneng.duckdns.org"`
Set up Wallabag in a new module 2021-01-19 00:14:57 +01:00			`"wallabag.coolneng.duckdns.org"`
Adapte ACME configuration to Nixos 20.09 2020-10-28 00:39:32 +01:00			`];`
Adapt ACME configuration to NixOS 20.03 2020-04-22 02:31:56 +02:00			`};`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`};`
			`};`

Set up PostgreSQL with daily backups 2019-11-14 02:30:12 +01:00			`# Generate dhparams`
Generate dhparams for SSL 2019-11-14 00:31:39 +01:00			`security.dhparams = {`
			`enable = true;`
			`params = { nginx.bits = 2048; };`
			`};`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00
Set up Wallabag 2019-11-17 18:58:31 +01:00			`# PostgreSQL databases configuration`
Set up Gitea 2019-11-16 10:55:10 +01:00			`services.postgresql = {`
			`enable = true;`
Revert "Set up shiori as an alternative to Wallabag" This reverts commit 00ac8e6bb27c230b97ffeb9da979f2a6a835ba9d. 2020-12-22 15:42:46 +01:00			`package = pkgs.postgresql_11;`
Set up Gitea 2019-11-16 10:55:10 +01:00			`authentication = lib.mkForce ''`
Move web services to subdomains 2020-08-24 15:07:55 +02:00			`# Generated file; do not edit!`
			`# TYPE DATABASE USER ADDRESS METHOD`
			`local all all trust`
			`host all all 127.0.0.1/32 trust`
			`host all all ::1/128 trust`
Set up Gitea 2019-11-16 10:55:10 +01:00			`'';`
			`};`
Set up PostgreSQL with daily backups 2019-11-14 02:30:12 +01:00
Add pihole docker container 2020-04-17 00:47:17 +02:00			`# Restart reverse proxy after services startup`
Move web services to subdomains 2020-08-24 15:07:55 +02:00			`systemd.services.nginx.after = [`
			`"gitea.service"`
			`"syncthing.service"`
			`"miniflux.service"`
			`"radicale.service"`
Set up Matrix and Element 2020-12-28 18:42:26 +01:00			`"matrix-synapse.service"`
			`"element.service"`
Set up Wallabag in a new module 2021-01-19 00:14:57 +01:00			`"phpfpm-wallabag.service"`
Move web services to subdomains 2020-08-24 15:07:55 +02:00			`];`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`}`