coolneng
/
zion
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add Radicale reverse proxy

This commit is contained in:
coolneng 2019-11-10 23:40:31 +01:00
parent 27b3cf0933
commit c154af8f83
4 changed files with 87 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
Timeline.org
View File

@ -36,17 +36,21 @@
- [ ] Discovery server - [ ] Discovery server
*** DONE Radicale *** DONE Radicale
CLOSED: [2019-11-08 Fri 13:51] CLOSED: [2019-11-08 Fri 13:51]
** Web stack [0/7] [0%] ** Web stack [1/7] [14%]
*** TODO Nginx [0/2] [0%] *** IN-PROGRESS Nginx [1/5] [20%]
- [ ] Radicale reverse proxy - [X] Radicale reverse proxy
- [ ] Syncthing discovery reverse proxy - [ ] Syncthing discovery reverse proxy
- [ ] Wallabag vhost
- [ ] Gitea vhost
- [ ] Miniflux vhost
*** TODO PHP [0/1] [0%] *** TODO PHP [0/1] [0%]
- [ ] Php-fpm - [ ] Php-fpm
*** TODO PostgreSQL [0/1] [0%] *** TODO PostgreSQL [0/1] [0%]
- [ ] Restore DBs - [ ] Restore DBs
*** TODO Certbot [0/2] [0%] *** DONE ACME [2/2] [100%]
- [ ] Obtain certs CLOSED: [2019-11-10 Sun 21:47]
- [ ] Script to renew certs - [X] Obtain certs
- [X] Automatic renewal
*** TODO Wallabag *** TODO Wallabag
*** TODO Miniflux *** TODO Miniflux
*** TODO Hugo [0/2] [0%] *** TODO Hugo [0/2] [0%]

1
configuration.nix
View File

@ -99,6 +99,7 @@
./modules/networking.nix ./modules/networking.nix
./modules/datasync.nix ./modules/datasync.nix
./modules/hardware-configuration.nix ./modules/hardware-configuration.nix
./modules/webstack.nix
]; ];
} }

2
modules/networking.nix
View File

@ -16,7 +16,7 @@
# Firewall configuration # Firewall configuration
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 631 6566 22067 8384 5232 ]; allowedTCPPorts = [ 631 6566 22067 8384 80 443 ];
autoLoadConntrackHelpers = true; autoLoadConntrackHelpers = true;
connectionTrackingModules = [ "sane" ]; connectionTrackingModules = [ "sane" ];
}; };

75
modules/webstack.nix Normal file
View File

@ -0,0 +1,75 @@
# LEPP stack configuration
{ config, pkgs, lib, ... }:
{
environment.systemPackages = with pkgs; [
nginx
php
postgresql_11
];
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
sslProtocols = "TLSv1.2 TLSv1.3";
#sslDhparam = "/var/lib/dhparams";
commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
virtualHosts = {
"coolneng.duckdns.org" = {
enableACME = true;
forceSSL = true;
sslCertificate = "/var/lib/acme/radicale.coolneng.duckdns.org/fullchain.pem";
sslCertificateKey = "/var/lib/acme/radicale.coolneng.duckdns.org/key.pem";
locations."/radicale/" = {
proxyPass = "http://localhost:5232/";
extraConfig = ''
proxy_set_header X-Script-Name /radicale;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Authorization;
'';
};
};
};
};
# ACME certs configuration
security.acme.certs = {
"coolneng.duckdns.org" = {
email = "akasroua@gmail.com";
postRun = "systemctl reload nginx.service";
};
};
security.dhparams.enable = true;
}