From 0525429e83830ed12a0646623d86654cfb9362de Mon Sep 17 00:00:00 2001 From: Grigory Shipunov Date: Fri, 13 May 2022 19:42:30 +0200 Subject: [PATCH] better TLS config and add security headers --- flake.nix | 1 + modules/documentation.nix | 2 +- modules/file_sharing.nix | 2 +- modules/grafana.nix | 16 ++++++++-------- modules/map.nix | 1 + modules/nginx.nix | 17 +++++++++++++++++ modules/public_api.nix | 3 ++- modules/website.nix | 17 +++++++++++++++++ services/promtail.yaml | 2 +- 9 files changed, 49 insertions(+), 12 deletions(-) create mode 100644 modules/website.nix diff --git a/flake.nix b/flake.nix index dfb64ff..c58fa37 100644 --- a/flake.nix +++ b/flake.nix @@ -123,6 +123,7 @@ ./modules/file_sharing.nix ./modules/numbering.nix ./modules/grafana.nix + ./modules/website.nix { nixpkgs.overlays = [ data-accumulator.overlay."x86_64-linux" diff --git a/modules/documentation.nix b/modules/documentation.nix index f09ddbf..12e7d62 100644 --- a/modules/documentation.nix +++ b/modules/documentation.nix @@ -6,7 +6,7 @@ virtualHosts = { "docs.dvb.solutions" = { enableACME = true; - onlySSL = true; + forceSSL = true; locations = { "/" = { root = "${pkgs.dvb-dump-docs}/bin/"; diff --git a/modules/file_sharing.nix b/modules/file_sharing.nix index 84b8fe3..ee9ac20 100644 --- a/modules/file_sharing.nix +++ b/modules/file_sharing.nix @@ -6,7 +6,7 @@ virtualHosts = { "files.dvb.solutions" = { enableACME = true; - onlySSL = true; + forceSSL = true; root = "/var/lib/data-accumulator/"; extraConfig = '' autoindex on; diff --git a/modules/grafana.nix b/modules/grafana.nix index e1abd08..25d380e 100644 --- a/modules/grafana.nix +++ b/modules/grafana.nix @@ -37,7 +37,7 @@ params = { module = [ "http_2xx" ]; }; static_configs = [{ targets = [ - "10.13.37.1:8080" + "127.0.0.1:8080" ]; }]; relabel_configs = [ 
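Review bot: Replacing `onlySSL = true` with `forceSSL = true` (here, in file_sharing.nix and for api.dvb.solutions) opens a plaintext port-80 listener that answers with a redirect, where the host previously did not speak HTTP at all, so a first visit or any bookmarked `http://` link is now an interceptable plaintext round-trip until the client follows the redirect. That is the usual usability trade-off, but it only holds up if the HTTPS response carries HSTS, and nothing in this patch sets Strict-Transport-Security (it may be configured in a file not shown here — worth confirming). Suggest adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to the shared nginx config once every subdomain of dvb.solutions is served over TLS, and recording the intent with a comment such as `# forceSSL: :80 stays open only to redirect; HSTS makes repeat visits skip it`. The enclosing `virtualHosts` attribute set starts and ends outside the hunk.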
@@ -86,12 +86,12 @@ port = 2342; addr = "127.0.0.1"; - provision = { - enable = true; - dashboards = [ - { options.path = "${../services/dashboards}"; } - ]; - }; + #provision = { + # enable = true; + #dashboards = [ + # { options.path = "${../services/dashboards}"; } + #]; + #}; }; # reverse proxy for grafana @@ -99,8 +99,8 @@ enable = true; virtualHosts = { "${toString config.services.grafana.domain}" = { - enableACME = true; forceSSL = true; + enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; proxyWebsockets = true; diff --git a/modules/map.nix b/modules/map.nix index c8291f0..8bbf03f 100644 --- a/modules/map.nix +++ b/modules/map.nix @@ -5,6 +5,7 @@ recommendedProxySettings = true; virtualHosts = { "map.dvb.solutions" = { + forceSSL = true; enableACME = true; locations = { "/" = { diff --git a/modules/nginx.nix b/modules/nginx.nix index ef9ad2a..bef59b6 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix @@ -1,4 +1,21 @@ { pkgs, config, lib, ... }: { security.acme.acceptTerms = true; security.acme.email = "dump-dvb@protonmail.com"; + services.nginx.commonHttpConfig = '' + # Enable CSP for your services. + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # Enable XSS protection of the browser. + # May be unnecessary when CSP is configured properly (see above) + add_header X-XSS-Protection "1; mode=block"; + ''; } diff --git a/modules/public_api.nix b/modules/public_api.nix index 636cb3e..06aab96 100644 --- a/modules/public_api.nix +++ b/modules/public_api.nix 
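Review bot: The dashboards provisioning block is commented out rather than removed or set to `enable = false`, and the hunk gives no reason, so the next reader cannot tell whether provisioning is broken, temporarily off, or obsolete; a one-line `# provisioning disabled: <reason>` above it — or `provision.enable = false;` with that comment — would record the intent. The commented lines also keep uneven indentation (`#provision`, `# enable`, `#dashboards`), which reads as a quick toggle rather than a considered change. The enclosing attribute set (presumably `services.grafana`, given the later reference to `config.services.grafana.port`) starts outside the hunk.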
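Review bot: The four live `add_header` lines in `services.nginx.commonHttpConfig` are not sent on error responses, because nginx only adds headers to 2xx/3xx responses unless the directive carries `always`, so a 404 from the docs root or a 502 from a proxied backend goes out without X-Frame-Options or nosniff; the commented-out CSP line already uses `always`, and the active ones should too. Note also that `add_header` is not additive across levels: any server or location block that declares its own `add_header` (a CORS or HSTS header on one vhost, say) silently drops every header inherited from the http context, so each vhost should be checked for that before relying on this block. `X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore and that has been abused for cross-site leaks in older ones; the usual advice now is `X-XSS-Protection "0"` and letting CSP do the work. `Referrer-Policy origin-when-cross-origin` still sends the origin on an HTTPS-to-HTTP downgrade, whereas `strict-origin-when-cross-origin` does not. Finally, despite the subject line "better TLS config", nothing in the visible hunks changes TLS parameters or adds HSTS; unless that lives elsewhere in the repo, a Strict-Transport-Security header is the one that matters most now that forceSSL opens a plaintext :80 redirect on every vhost.
```nix
services.nginx.commonHttpConfig = ''
  # … unchanged: commented-out CSP line …
  add_header Referrer-Policy "strict-origin-when-cross-origin" always;
  add_header X-Frame-Options DENY always;
  add_header X-Content-Type-Options nosniff always;
  # Legacy auditor: disabled explicitly; CSP is the real control.
  add_header X-XSS-Protection "0" always;
  # Only enable once every dvb.solutions host is served over TLS.
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
'';
```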
@@ -29,6 +29,7 @@ recommendedProxySettings = true; virtualHosts = { "socket.dvb.solutions" = { + forceSSL = true; enableACME = true; locations = { "/" = { @@ -38,8 +39,8 @@ }; }; "api.dvb.solutions" = { + forceSSL = true; enableACME = true; - onlySSL = true; locations = { "/" = { proxyPass = "http://127.0.0.1:9002/"; diff --git a/modules/website.nix b/modules/website.nix new file mode 100644 index 0000000..cd783f0 --- /dev/null +++ b/modules/website.nix @@ -0,0 +1,17 @@ +{ pkgs, lib, ... }: { + services.nginx = { + enable = true; + virtualHosts = { + "dvb.solutions" = { + enableACME = true; + forceSSL = true; + locations."/" = { + extraConfig = '' + return 307 https://github.com/dump-dvb; + ''; + }; + }; + }; + }; +} + diff --git a/services/promtail.yaml b/services/promtail.yaml index 5ec3b76..7b79653 100644 --- a/services/promtail.yaml +++ b/services/promtail.yaml @@ -15,7 +15,7 @@ scrape_configs: max_age: 12h labels: job: systemd-journal - host: espresso + host: data-hoarder relabel_configs: - source_labels: ['__journal__systemd_unit'] target_label: 'unit'
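Review bot: The new dvb.solutions vhost answers every path with `return 307 https://github.com/dump-dvb;`, a temporary redirect that clients will not cache and search engines will not treat as a move; if the GitHub organisation is the intended permanent home, `return 301 https://github.com/dump-dvb;` (or 308) is the right status, and if this is a stopgap until a real site exists, a comment such as `# placeholder until the project site is published` would keep the next reader from "fixing" it. The module's `pkgs` and `lib` arguments are unused and the header could be reduced to `{ ... }:`. The whole module is within the hunk, so nothing is cut off.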