Add Radicale reverse proxy

2019-11-10 23:40:31 +01:00
parent 27b3cf0933
commit c154af8f83
4 changed files with 87 additions and 7 deletions
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -0,0 +1,75 @@
+# LEPP stack configuration
+{ config, pkgs, lib, ... }:
+{
+
+  environment.systemPackages = with pkgs; [
+    nginx
+    php
+    postgresql_11
+  ];
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
+    sslProtocols = "TLSv1.2 TLSv1.3";
+    #sslDhparam = "/var/lib/dhparams";
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Enable CSP for your services.
+      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+    virtualHosts = {
+      "coolneng.duckdns.org" = {
+        enableACME = true;
+        forceSSL = true;
+        sslCertificate = "/var/lib/acme/radicale.coolneng.duckdns.org/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/radicale.coolneng.duckdns.org/key.pem";
+        locations."/radicale/" = {
+          proxyPass = "http://localhost:5232/";
+          extraConfig = ''
+            proxy_set_header     X-Script-Name /radicale;
+            proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_pass_header Authorization;
+          '';
+        };
+      };
+    };
+  };
+
+  # ACME certs configuration
+  security.acme.certs = {
+    "coolneng.duckdns.org" = {
+      email = "akasroua@gmail.com";
+      postRun = "systemctl reload nginx.service";
+    };
+  };
+
+  security.dhparams.enable = true;
+
+}