From c154af8f83ac9396b71aef9ad3353d67fcc821a2 Mon Sep 17 00:00:00 2001 From: coolneng Date: Sun, 10 Nov 2019 23:40:31 +0100 Subject: [PATCH] Add Radicale reverse proxy --- Timeline.org | 16 +++++---- configuration.nix | 1 + modules/networking.nix | 2 +- modules/webstack.nix | 75 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 87 insertions(+), 7 deletions(-) create mode 100644 modules/webstack.nix diff --git a/Timeline.org b/Timeline.org index faf3e60..15490c1 100644 --- a/Timeline.org +++ b/Timeline.org @@ -36,17 +36,21 @@ - [ ] Discovery server *** DONE Radicale CLOSED: [2019-11-08 Fri 13:51] -** Web stack [0/7] [0%] -*** TODO Nginx [0/2] [0%] - - [ ] Radicale reverse proxy +** Web stack [1/7] [14%] +*** IN-PROGRESS Nginx [1/5] [20%] + - [X] Radicale reverse proxy - [ ] Syncthing discovery reverse proxy + - [ ] Wallabag vhost + - [ ] Gitea vhost + - [ ] Miniflux vhost *** TODO PHP [0/1] [0%] - [ ] Php-fpm *** TODO PostgreSQL [0/1] [0%] - [ ] Restore DBs -*** TODO Certbot [0/2] [0%] - - [ ] Obtain certs - - [ ] Script to renew certs +*** DONE ACME [2/2] [100%] + CLOSED: [2019-11-10 Sun 21:47] + - [X] Obtain certs + - [X] Automatic renewal *** TODO Wallabag *** TODO Miniflux *** TODO Hugo [0/2] [0%] diff --git a/configuration.nix b/configuration.nix index d759af9..a2bdd89 100644 --- a/configuration.nix +++ b/configuration.nix @@ -99,6 +99,7 @@ ./modules/networking.nix ./modules/datasync.nix ./modules/hardware-configuration.nix + ./modules/webstack.nix ]; } diff --git a/modules/networking.nix b/modules/networking.nix index b8500b1..5538229 100644 --- a/modules/networking.nix +++ b/modules/networking.nix @@ -16,7 +16,7 @@ # Firewall configuration networking.firewall = { - allowedTCPPorts = [ 631 6566 22067 8384 5232 ]; + allowedTCPPorts = [ 631 6566 22067 8384 80 443 ]; autoLoadConntrackHelpers = true; connectionTrackingModules = [ "sane" ]; }; diff --git a/modules/webstack.nix b/modules/webstack.nix new file mode 100644 index 0000000..ec5d827 --- /dev/null +++ b/modules/webstack.nix @@ -0,0 +1,75 @@ +# LEPP stack configuration +{ config, pkgs, lib, ... }: +{ + + environment.systemPackages = with pkgs; [ + nginx + php + postgresql_11 + ]; + + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + recommendedOptimisation = true; + sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128"; + sslProtocols = "TLSv1.2 TLSv1.3"; + #sslDhparam = "/var/lib/dhparams"; + commonHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # Enable XSS protection of the browser. + # May be unnecessary when CSP is configured properly (see above) + add_header X-XSS-Protection "1; mode=block"; + + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + ''; + virtualHosts = { + "coolneng.duckdns.org" = { + enableACME = true; + forceSSL = true; + sslCertificate = "/var/lib/acme/radicale.coolneng.duckdns.org/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/radicale.coolneng.duckdns.org/key.pem"; + locations."/radicale/" = { + proxyPass = "http://localhost:5232/"; + extraConfig = '' + proxy_set_header X-Script-Name /radicale; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass_header Authorization; + ''; + }; + }; + }; + }; + + # ACME certs configuration + security.acme.certs = { + "coolneng.duckdns.org" = { + email = "akasroua@gmail.com"; + postRun = "systemctl reload nginx.service"; + }; + }; + + security.dhparams.enable = true; + +}