zion/modules/webstack.nix

# LEPP stack configuration
{ config, pkgs, lib, ... }:
{

  environment.systemPackages = with pkgs; [
    nginx
    postgresql_11
    libressl
    miniflux
  ];

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    clientMaxBodySize = "0";
    sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
    sslProtocols = "TLSv1.2 TLSv1.3";
    sslDhparam = "/var/lib/dhparams/nginx.pem";
    commonHttpConfig = ''
      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;

      # Enable CSP for your services.
      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'origin-when-cross-origin';

      # Disable embedding as a frame
      add_header X-Frame-Options DENY;

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;

      # Enable XSS protection of the browser.
      # May be unnecessary when CSP is configured properly (see above)
      add_header X-XSS-Protection "1; mode=block";

      # This might create errors
      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';
    virtualHosts = {
      "coolneng.duckdns.org" = {
        enableACME = true;
        forceSSL = true;
        sslCertificate = "/var/lib/acme/coolneng.duckdns.org/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/coolneng.duckdns.org/key.pem";
        locations."/radicale/" = {
          proxyPass = "http://localhost:5232/";
          extraConfig = ''
            proxy_set_header     X-Script-Name /radicale;
            proxy_pass_header Authorization;
          '';
        };
        locations."/syncthing/" = {
          proxyPass = "http://localhost:8384/";
        };
        locations."/gitea/" = {
          proxyPass = "http://localhost:3000/";
        };
        locations."/miniflux/" = {
          proxyPass = "http://localhost:8080/miniflux/";
        };
        locations."/wallabag/" = {
          proxyPass = "http://localhost:8081/";
        };
      };
    };
  };

  # ACME certs configuration
  security.acme = {
    acceptTerms = true;
    email = "akasroua@gmail.com";
    certs = {
      "coolneng.duckdns.org" = {
        postRun = "systemctl reload nginx.service";
      };
    };
  };

  # Generate dhparams
  security.dhparams = {
    enable = true;
    params = { nginx.bits = 2048; };
  };

  # PostgreSQL databases configuration
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_11;
    ensureDatabases = [ "gitea" "wallabag" ];
    ensureUsers = [
      {
      name = "gitea";
      ensurePermissions = {"DATABASE gitea" = "ALL PRIVILEGES";};
      }
      {
      name = "wallabag";
      ensurePermissions = {"DATABASE wallabag" = "ALL PRIVILEGES";};
      }
    ];
    authentication = lib.mkForce ''
    # Generated file; do not edit!
    # TYPE  DATABASE        USER            ADDRESS                 METHOD
    local   all             all                                     trust
    host    all             all             127.0.0.1/32            trust
    host    all             all             ::1/128                 trust
    '';
    identMap = ''
            gitea-users gitea gitea
    '';
  };

  # PostgreSQL daily backups
  services.postgresqlBackup = {
      enable = true;
      backupAll = true;
      location = "/vault/backups/zion/databases";
      startAt = "*-*-* 05:15:00";
  };

  # Miniflux configuration
  services.miniflux = {
    enable = true;
    adminCredentialsFile = "/var/keys/miniflux/admin";
    config = {
      BASE_URL = "https://coolneng.duckdns.org/miniflux/";
      RUN_MIGRATIONS = "1";
    };
  };

  # Restart reverse proxy after services startup
  systemd.services.nginx.after = [ "gitea.service" "syncthing.service" "miniflux.service" "radicale.service" ];
}
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`# LEPP stack configuration`
			`{ config, pkgs, lib, ... }:`
			`{`

			`environment.systemPackages = with pkgs; [`
			`nginx`
			`postgresql_11`
Generate dhparams for SSL 2019-11-14 00:31:39 +01:00			`libressl`
Set up Miniflux reverse proxy 2019-11-17 23:50:48 +01:00			`miniflux`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`];`

			`services.nginx = {`
			`enable = true;`
			`recommendedTlsSettings = true;`
			`recommendedGzipSettings = true;`
			`recommendedProxySettings = true;`
			`recommendedOptimisation = true;`
Remove upload limit on nginx Change LFS path and increase push timeout Remove LFS path Increase nginx upload size to 512 MB Increase nginx upload size to 1GB Set nginx upload size to unlimited 2019-11-25 18:56:39 +01:00			`clientMaxBodySize = "0";`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
			`sslProtocols = "TLSv1.2 TLSv1.3";`
Generate dhparams for SSL 2019-11-14 00:31:39 +01:00			`sslDhparam = "/var/lib/dhparams/nginx.pem";`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`commonHttpConfig = ''`
			`# Add HSTS header with preloading to HTTPS requests.`
			`# Adding this header to HTTP requests is discouraged`
			`map $scheme $hsts_header {`
			`https "max-age=31536000; includeSubdomains; preload";`
			`}`
			`add_header Strict-Transport-Security $hsts_header;`

			`# Enable CSP for your services.`
			`#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;`

			`# Minimize information leaked to other domains`
			`add_header 'Referrer-Policy' 'origin-when-cross-origin';`

			`# Disable embedding as a frame`
			`add_header X-Frame-Options DENY;`

			`# Prevent injection of code in other mime types (XSS Attacks)`
			`add_header X-Content-Type-Options nosniff;`

			`# Enable XSS protection of the browser.`
			`# May be unnecessary when CSP is configured properly (see above)`
			`add_header X-XSS-Protection "1; mode=block";`

			`# This might create errors`
			`proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";`
			`'';`
			`virtualHosts = {`
			`"coolneng.duckdns.org" = {`
			`enableACME = true;`
			`forceSSL = true;`
Disable IPv6 2019-11-11 14:30:45 +01:00			`sslCertificate = "/var/lib/acme/coolneng.duckdns.org/fullchain.pem";`
			`sslCertificateKey = "/var/lib/acme/coolneng.duckdns.org/key.pem";`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`locations."/radicale/" = {`
			`proxyPass = "http://localhost:5232/";`
			`extraConfig = ''`
			`proxy_set_header X-Script-Name /radicale;`
			`proxy_pass_header Authorization;`
			`'';`
			`};`
Set up Syncthing reverse proxy 2019-11-13 00:00:04 +01:00			`locations."/syncthing/" = {`
			`proxyPass = "http://localhost:8384/";`
			`};`
Revert gitea subdomain location 2019-11-25 15:19:01 +01:00			`locations."/gitea/" = {`
Set up Gitea 2019-11-16 10:55:10 +01:00			`proxyPass = "http://localhost:3000/";`
			`};`
Set up Miniflux 2019-11-17 23:25:54 +01:00			`locations."/miniflux/" = {`
Set up Miniflux reverse proxy 2019-11-17 23:50:48 +01:00			`proxyPass = "http://localhost:8080/miniflux/";`
Set up Miniflux 2019-11-17 23:25:54 +01:00			`};`
Set up Wallabag 2019-11-17 18:58:31 +01:00			`locations."/wallabag/" = {`
Change gitea location to the root of the domain 2019-11-23 00:00:47 +01:00			`proxyPass = "http://localhost:8081/";`
Set up Wallabag 2019-11-17 18:58:31 +01:00			`};`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`};`
			`};`
			`};`

			`# ACME certs configuration`
Adapt ACME configuration to NixOS 20.03 2020-04-22 02:31:56 +02:00			`security.acme = {`
			`acceptTerms = true;`
			`email = "akasroua@gmail.com";`
			`certs = {`
			`"coolneng.duckdns.org" = {`
			`postRun = "systemctl reload nginx.service";`
			`};`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`};`
			`};`

Set up PostgreSQL with daily backups 2019-11-14 02:30:12 +01:00			`# Generate dhparams`
Generate dhparams for SSL 2019-11-14 00:31:39 +01:00			`security.dhparams = {`
			`enable = true;`
			`params = { nginx.bits = 2048; };`
			`};`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00
Set up Wallabag 2019-11-17 18:58:31 +01:00			`# PostgreSQL databases configuration`
Set up Gitea 2019-11-16 10:55:10 +01:00			`services.postgresql = {`
			`enable = true;`
			`package = pkgs.postgresql_11;`
Set up Miniflux reverse proxy 2019-11-17 23:50:48 +01:00			`ensureDatabases = [ "gitea" "wallabag" ];`
Set up Gitea 2019-11-16 10:55:10 +01:00			`ensureUsers = [`
			`{`
			`name = "gitea";`
			`ensurePermissions = {"DATABASE gitea" = "ALL PRIVILEGES";};`
			`}`
Set up Wallabag 2019-11-17 18:58:31 +01:00			`{`
			`name = "wallabag";`
			`ensurePermissions = {"DATABASE wallabag" = "ALL PRIVILEGES";};`
			`}`
Set up Gitea 2019-11-16 10:55:10 +01:00			`];`
			`authentication = lib.mkForce ''`
			`# Generated file; do not edit!`
			`# TYPE DATABASE USER ADDRESS METHOD`
			`local all all trust`
Revert TCP/IP connection for PostgreSQL 2019-12-15 23:08:19 +01:00			`host all all 127.0.0.1/32 trust`
			`host all all ::1/128 trust`
Set up Gitea 2019-11-16 10:55:10 +01:00			`'';`
			`identMap = ''`
			`gitea-users gitea gitea`
			`'';`
			`};`
Set up PostgreSQL with daily backups 2019-11-14 02:30:12 +01:00
Set up Wallabag 2019-11-17 18:58:31 +01:00			`# PostgreSQL daily backups`
Set up PostgreSQL with daily backups 2019-11-14 02:30:12 +01:00			`services.postgresqlBackup = {`
			`enable = true;`
			`backupAll = true;`
			`location = "/vault/backups/zion/databases";`
			`startAt = "--* 05:15:00";`
			`};`

Set up Miniflux reverse proxy 2019-11-17 23:50:48 +01:00			`# Miniflux configuration`
Set up Miniflux 2019-11-17 23:25:54 +01:00			`services.miniflux = {`
			`enable = true;`
Set up Miniflux reverse proxy 2019-11-17 23:50:48 +01:00			`adminCredentialsFile = "/var/keys/miniflux/admin";`
Set up Miniflux 2019-11-17 23:25:54 +01:00			`config = {`
Set up Miniflux reverse proxy 2019-11-17 23:50:48 +01:00			`BASE_URL = "https://coolneng.duckdns.org/miniflux/";`
Adapt ACME configuration to NixOS 20.03 2020-04-22 02:31:56 +02:00			`RUN_MIGRATIONS = "1";`
Set up Miniflux 2019-11-17 23:25:54 +01:00			`};`
			`};`

Add pihole docker container 2020-04-17 00:47:17 +02:00			`# Restart reverse proxy after services startup`
Avoid packages rebuilds and decrease ZFS ARC cache 2020-03-29 06:21:19 +02:00			`systemd.services.nginx.after = [ "gitea.service" "syncthing.service" "miniflux.service" "radicale.service" ];`
Add Radicale reverse proxy 2019-11-10 23:40:31 +01:00			`}`