better TLS config and add security headers
parent
805df6e67c
commit
0525429e83
|
@ -123,6 +123,7 @@
|
|||
./modules/file_sharing.nix
|
||||
./modules/numbering.nix
|
||||
./modules/grafana.nix
|
||||
./modules/website.nix
|
||||
{
|
||||
nixpkgs.overlays = [
|
||||
data-accumulator.overlay."x86_64-linux"
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
virtualHosts = {
|
||||
"docs.dvb.solutions" = {
|
||||
enableACME = true;
|
||||
onlySSL = true;
|
||||
forceSSL = true;
|
||||
locations = {
|
||||
"/" = {
|
||||
root = "${pkgs.dvb-dump-docs}/bin/";
|
||||
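Review bot: `onlySSL = true;` and `forceSSL = true;` sit on adjacent lines of the docs.dvb.solutions host while the hunk header reports 7 lines on both sides, so one of them is the old line and one the new, but the rendered page does not mark which; the files.dvb.solutions and api.dvb.solutions hunks show the same pair. NixOS's nginx module treats the two options as mutually exclusive, so the evaluated config can carry only one, and they differ for plain-HTTP clients: forceSSL keeps a port-80 listener that answers with a redirect to https, onlySSL does not listen on port 80 at all. Whichever was chosen, a one-line comment next to it, e.g. `# forceSSL: keep :80 open only to redirect to https`, would record the intended listener behaviour and keep the three hosts from drifting apart in later edits. The enclosing virtualHosts attribute set continues outside the hunk.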
|
|
|
@ -6,7 +6,7 @@
|
|||
virtualHosts = {
|
||||
"files.dvb.solutions" = {
|
||||
enableACME = true;
|
||||
onlySSL = true;
|
||||
forceSSL = true;
|
||||
root = "/var/lib/data-accumulator/";
|
||||
extraConfig = ''
|
||||
autoindex on;
|
||||
|
|
|
@ -37,7 +37,7 @@
|
|||
params = { module = [ "http_2xx" ]; };
|
||||
static_configs = [{
|
||||
targets = [
|
||||
"10.13.37.1:8080"
|
||||
"127.0.0.1:8080"
|
||||
];
|
||||
}];
|
||||
relabel_configs = [
|
||||
|
@ -86,12 +86,12 @@
|
|||
port = 2342;
|
||||
addr = "127.0.0.1";
|
||||
|
||||
provision = {
|
||||
enable = true;
|
||||
dashboards = [
|
||||
{ options.path = "${../services/dashboards}"; }
|
||||
];
|
||||
};
|
||||
#provision = {
|
||||
# enable = true;
|
||||
#dashboards = [
|
||||
# { options.path = "${../services/dashboards}"; }
|
||||
#];
|
||||
#};
|
||||
};
|
||||
|
||||
# reverse proxy for grafana
|
||||
|
@ -99,8 +99,8 @@
|
|||
enable = true;
|
||||
virtualHosts = {
|
||||
"${toString config.services.grafana.domain}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
|
||||
proxyWebsockets = true;
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
recommendedProxySettings = true;
|
||||
virtualHosts = {
|
||||
"map.dvb.solutions" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations = {
|
||||
"/" = {
|
||||
|
|
|
@ -1,4 +1,21 @@
|
|||
{ pkgs, config, lib, ... }: {
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.email = "dump-dvb@protonmail.com";
|
||||
services.nginx.commonHttpConfig = ''
|
||||
# Enable CSP for your services.
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
|
||||
# Minimize information leaked to other domains
|
||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||
|
||||
# Disable embedding as a frame
|
||||
add_header X-Frame-Options DENY;
|
||||
|
||||
# Prevent injection of code in other mime types (XSS Attacks)
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
||||
# Enable XSS protection of the browser.
|
||||
# May be unnecessary when CSP is configured properly (see above)
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
'';
|
||||
}
|
||||
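Review bot: The four active `add_header` lines (Referrer-Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection) omit the `always` flag, so nginx attaches them only to 2xx/3xx responses and error pages, including 4xx/5xx relayed from the proxied services, go out without them; the commented-out CSP line already carries the flag, so `add_header X-Frame-Options DENY always;` and the same suffix on the other three would make the set consistent. nginx also does not inherit `add_header` into a server or location block that declares its own, so any virtualHost that later adds one in extraConfig silently loses all of these; a comment above the block should say so, e.g. `# NOTE: add_header is not inherited into blocks that set their own add_header; repeat these there`. `origin-when-cross-origin` still sends the origin on an https→http downgrade, which `strict-origin-when-cross-origin` (the current browser default) avoids. With forceSSL on the hosts, a Strict-Transport-Security header would complete the TLS side of this commit, and the comment over X-XSS-Protection could note that current browsers have dropped that header.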
|
|
|
@ -29,6 +29,7 @@
|
|||
recommendedProxySettings = true;
|
||||
virtualHosts = {
|
||||
"socket.dvb.solutions" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations = {
|
||||
"/" = {
|
||||
|
@ -38,8 +39,8 @@
|
|||
};
|
||||
};
|
||||
"api.dvb.solutions" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
onlySSL = true;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:9002/";
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
{ pkgs, lib, ... }: {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"dvb.solutions" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
extraConfig = ''
|
||||
return 307 https://github.com/dump-dvb;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
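Review bot: The redirect in the dvb.solutions location uses `return 307`, which browsers never cache and re-request on every visit; if the GitHub organisation is the permanent home of this hostname, `return 308 https://github.com/dump-dvb;` (or 301) states that. Since the whole file exists only for this redirect, a header comment such as `# dvb.solutions: bare domain redirects to the project's GitHub organisation` would explain why a full virtualHost with ACME is defined for it. The `pkgs` and `lib` arguments in the module header are not used in this file.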
|
|
@ -15,7 +15,7 @@ scrape_configs:
|
|||
max_age: 12h
|
||||
labels:
|
||||
job: systemd-journal
|
||||
host: espresso
|
||||
host: data-hoarder
|
||||
relabel_configs:
|
||||
- source_labels: ['__journal__systemd_unit']
|
||||
target_label: 'unit'
|
||||
|
|