better TLS config and add security headers

This commit is contained in:
oxapentane - 2022-05-13 19:42:30 +02:00
parent 805df6e67c
commit 0525429e83
Signed by: oxapentane
GPG Key ID: 91FA5E5BF9AA901C
9 changed files with 49 additions and 12 deletions


@ -123,6 +123,7 @@
./modules/file_sharing.nix
./modules/numbering.nix
./modules/grafana.nix
./modules/website.nix
{
nixpkgs.overlays = [
data-accumulator.overlay."x86_64-linux"


@ -6,7 +6,7 @@
virtualHosts = {
"docs.dvb.solutions" = {
enableACME = true;
onlySSL = true;
forceSSL = true;
locations = {
"/" = {
root = "${pkgs.dvb-dump-docs}/bin/";


@ -6,7 +6,7 @@
virtualHosts = {
"files.dvb.solutions" = {
enableACME = true;
onlySSL = true;
forceSSL = true;
root = "/var/lib/data-accumulator/";
extraConfig = ''
autoindex on;


@ -37,7 +37,7 @@
params = { module = [ "http_2xx" ]; };
static_configs = [{
targets = [
"10.13.37.1:8080"
"127.0.0.1:8080"
];
}];
relabel_configs = [
@ -86,12 +86,12 @@
port = 2342;
addr = "127.0.0.1";
provision = {
enable = true;
dashboards = [
{ options.path = "${../services/dashboards}"; }
];
};
#provision = {
# enable = true;
#dashboards = [
# { options.path = "${../services/dashboards}"; }
#];
#};
};
# reverse proxy for grafana
@ -99,8 +99,8 @@
enable = true;
virtualHosts = {
"${toString config.services.grafana.domain}" = {
enableACME = true;
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
proxyWebsockets = true;
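Review bot: `enableACME = true;` is printed on both sides of `forceSSL = true;` in the reverse-proxy hunk, and the rendered page has lost the +/- markers, so it cannot be told from here whether one of the two is the removed line (leaving only a reorder on the new side) or both survive, in which case Nix rejects the attribute set with a duplicate-attribute error for `enableACME`. Worth confirming that the new vhost body reads just `enableACME = true; forceSSL = true;`. The virtualHost block continues past the end of the hunk.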


@ -5,6 +5,7 @@
recommendedProxySettings = true;
virtualHosts = {
"map.dvb.solutions" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {


@ -1,4 +1,21 @@
{ pkgs, config, lib, ... }: {
security.acme.acceptTerms = true;
security.acme.email = "dump-dvb@protonmail.com";
services.nginx.commonHttpConfig = ''
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
'';
}
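Review bot: The four active `add_header` lines omit the `always` parameter that the commented-out CSP line carries, so nginx sends them only with 2xx/3xx responses and an error page (4xx/5xx) goes out without `X-Frame-Options` or `X-Content-Type-Options`; adding it to each, e.g. `add_header X-Frame-Options DENY always;`, closes that gap. Because `add_header` is inherited only by server/location contexts that declare no `add_header` of their own, any vhost or location in this repo that sets its own header in `extraConfig` silently drops all of these as well — a comment such as `# NOTE: not inherited by any server/location that defines its own add_header` above the block would record that. Nothing here sets `Strict-Transport-Security`, although the vhosts in this commit appear to move to `forceSSL`/`onlySSL`, so the first plain-HTTP request of every visit still hits port 80 before being redirected. `X-XSS-Protection` is a legacy header that current browsers ignore and that has caused its own problems; the usual recommendation today is the value `0`, relying on the CSP above once it is enabled.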


@ -29,6 +29,7 @@
recommendedProxySettings = true;
virtualHosts = {
"socket.dvb.solutions" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
@ -38,8 +39,8 @@
};
};
"api.dvb.solutions" = {
forceSSL = true;
enableACME = true;
onlySSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:9002/";
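Review bot: `api.dvb.solutions` shows both `forceSSL = true;` and `onlySSL = true;` around `enableACME = true;`, and the rendered page has lost the +/- markers; if both survive on the new side, NixOS's nginx module refuses to evaluate, because `forceSSL`, `onlySSL` and `addSSL` are asserted to be mutually exclusive per virtualHost. The intent is presumably `forceSSL` replacing `onlySSL`, matching the other vhosts touched in this commit, so worth confirming that only `forceSSL = true;` remains. Both vhost bodies in this section continue past the end of their hunks.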

17
modules/website.nix Normal file

@ -0,0 +1,17 @@
{ pkgs, lib, ... }: {
services.nginx = {
enable = true;
virtualHosts = {
"dvb.solutions" = {
enableACME = true;
forceSSL = true;
locations."/" = {
extraConfig = ''
return 307 https://github.com/dump-dvb;
'';
};
};
};
};
}
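Review bot: The module header binds `pkgs` and `lib` but the body uses neither, so `{ ... }: {` is all the signature needs; the unused bindings read like a copied template. `return 307` is a temporary redirect that browsers and crawlers will not cache — fine if the GitHub pointer is a stopgap, but if `dvb.solutions` is meant to land there permanently, `return 301` (or 308) is the conventional choice. A one-line comment above `extraConfig`, e.g. `# temporary landing page until the site exists`, would make the intent explicit either way.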


@ -15,7 +15,7 @@ scrape_configs:
max_age: 12h
labels:
job: systemd-journal
host: espresso
host: data-hoarder
relabel_configs:
- source_labels: ['__journal__systemd_unit']
target_label: 'unit'