zion/modules/webstack.nix
coolneng 073dd48030
Remove upload limit on nginx
Change LFS path and increase push timeout

Remove LFS path

Increase nginx upload size to 512 MB

Increase nginx upload size to 1GB

Set nginx upload size to unlimited
2019-11-26 20:51:04 +01:00


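# LEPP stack configuration: nginx as the TLS-terminating reverse proxy,
# PostgreSQL, PHP-FPM, plus the self-hosted services (Radicale, Syncthing,
# Gitea, Miniflux, Wallabag) that sit behind the proxy on localhost ports.
{ config, pkgs, lib, ... }:

let
  # Public host name, shared by the nginx vhost, the ACME certificate and the
  # Miniflux BASE_URL so it only has to change in one place.
  domain = "coolneng.duckdns.org";

  # A location that does nothing but forward to a local upstream.
  proxyTo = upstream: { proxyPass = upstream; };
in
{
  environment.systemPackages = with pkgs; [
    nginx
    php
    postgresql_11
    libressl
    miniflux
  ];

  services.nginx = {
    enable = true;
    resolver.ipv6 = false;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    # "0" switches nginx's request-body size check off for every vhost, so the
    # only limits on an upload are the upstreams' own and the free disk under
    # nginx's temporary body directory.  NOTE(review): an unauthenticated
    # client can therefore stream arbitrarily large bodies at the proxy; if
    # the unlimited size is only needed for Gitea pushes, consider setting it
    # on that location alone.
    clientMaxBodySize = "0";
    # Explicit cipher preference for TLS 1.2 (TLS 1.3 suites are not governed
    # by this list).  The trailing "!AES128" permanently removes every 128-bit
    # AES suite from the list, so the AES128 suites that were previously
    # listed at the front were dead configuration; only the suites that
    # actually survive are kept here, in their original preference order.  The
    # effective cipher set is unchanged.
    sslCiphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
    sslProtocols = "TLSv1.2 TLSv1.3";
    # Must match where security.dhparams below writes the "nginx" parameter
    # set: <dhparams directory>/nginx.pem, with NixOS' default directory
    # /var/lib/dhparams.
    sslDhparam = "/var/lib/dhparams/nginx.pem";
    # Security headers for every vhost.  nginx's add_header is only inherited
    # by a server/location block that declares no add_header of its own, so a
    # location that adds a header must repeat these.
    commonHttpConfig = ''
      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged
      map $scheme $hsts_header {
      https "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;
      # Enable CSP for your services.
      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'origin-when-cross-origin';
      # Disable embedding as a frame
      add_header X-Frame-Options DENY;
      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;
      # Enable XSS protection of the browser.
      # May be unnecessary when CSP is configured properly (see above)
      add_header X-XSS-Protection "1; mode=block";
      # This might create errors
      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';

    virtualHosts.${domain} = {
      enableACME = true;
      forceSSL = true;
      # These are the paths the ACME module populates for this host.
      sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
      sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
      # Every upstream listens on localhost only; nginx is the single public
      # entry point.
      locations."/radicale/" = {
        proxyPass = "http://localhost:5232/";
        extraConfig = ''
          proxy_set_header X-Script-Name /radicale;
          proxy_pass_header Authorization;
        '';
      };
      locations."/syncthing/" = proxyTo "http://localhost:8384/";
      locations."/gitea/" = proxyTo "http://localhost:3000/";
      locations."/miniflux/" = proxyTo "http://localhost:8080/miniflux/";
      locations."/wallabag/" = proxyTo "http://localhost:8081/";
    };
  };

  # ACME certs configuration: contact address for the CA plus a reload so
  # nginx picks up a renewed certificate.
  security.acme.certs.${domain} = {
    email = "akasroua@gmail.com";
    postRun = "systemctl reload nginx.service";
  };

  # Generate dhparams (consumed by services.nginx.sslDhparam above).
  security.dhparams = {
    enable = true;
    params = { nginx.bits = 2048; };
  };

  # PostgreSQL databases configuration
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_11;
    ensureDatabases = [ "gitea" "wallabag" ];
    # One role per application, each owning only its own database.
    ensureUsers = [
      {
        name = "gitea";
        ensurePermissions = { "DATABASE gitea" = "ALL PRIVILEGES"; };
      }
      {
        name = "wallabag";
        ensurePermissions = { "DATABASE wallabag" = "ALL PRIVILEGES"; };
      }
    ];
    # pg_hba.conf, replacing the module default wholesale (mkForce).
    # NOTE(review): every rule uses "trust", so any OS user on this host can
    # connect as any database role -- including the superuser -- over the
    # socket or loopback TCP without a password.  "peer" for the local socket
    # (which is what identMap below is written for) and "scram-sha-256" for
    # loopback TCP would close that; confirm how gitea and wallabag connect
    # before changing it.
    authentication = lib.mkForce ''
      # Generated file; do not edit!
      # TYPE DATABASE USER ADDRESS METHOD
      local all all trust
      host all all 127.0.0.1/32 trust
      host all all ::1/128 trust
    '';
    # Maps OS user "gitea" to database role "gitea".  NOTE(review): no rule in
    # the authentication block above references "map=gitea-users", so this map
    # currently has no effect.
    identMap = ''
      gitea-users gitea gitea
    '';
  };

  # PostgreSQL daily backups of every database, written at 05:15 local time.
  services.postgresqlBackup = {
    enable = true;
    backupAll = true;
    location = "/vault/backups/zion/databases";
    startAt = "*-*-* 05:15:00";
  };

  # PHP-fpm configuration: a single pool running as the dedicated php user.
  services.phpfpm.pools.mypool = {
    user = "php";
    group = "php";
    phpPackage = pkgs.php;
    settings = {
      # Static manager: a fixed set of pm.max_children workers.  The
      # start/spare settings are, as far as PHP-FPM documents, only consulted
      # by the dynamic manager.
      "pm" = "static";
      "pm.max_children" = 4;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
      # Recycle a worker after this many requests to bound memory growth.
      "pm.max_requests" = 500;
    };
  };

  # Create php user and group for the pool above.
  users.users.php = {
    extraGroups = [ "php" ];
  };
  users.groups.php = {
    members = [ "php" ];
  };

  # Miniflux configuration.  The admin credentials are read from a file
  # outside the Nix store rather than being written into this module.
  services.miniflux = {
    enable = true;
    adminCredentialsFile = "/var/keys/miniflux/admin";
    config = {
      # Must agree with the /miniflux/ location proxied above.
      BASE_URL = "https://${domain}/miniflux/";
    };
  };
}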