better TLS config and add security headers
parent
805df6e67c
commit
0525429e83
|
@ -123,6 +123,7 @@
|
||||||
./modules/file_sharing.nix
|
./modules/file_sharing.nix
|
||||||
./modules/numbering.nix
|
./modules/numbering.nix
|
||||||
./modules/grafana.nix
|
./modules/grafana.nix
|
||||||
|
./modules/website.nix
|
||||||
{
|
{
|
||||||
nixpkgs.overlays = [
|
nixpkgs.overlays = [
|
||||||
data-accumulator.overlay."x86_64-linux"
|
data-accumulator.overlay."x86_64-linux"
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"docs.dvb.solutions" = {
|
"docs.dvb.solutions" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
onlySSL = true;
|
forceSSL = true;
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
root = "${pkgs.dvb-dump-docs}/bin/";
|
root = "${pkgs.dvb-dump-docs}/bin/";
|
||||||
|
|
|
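Review bot: Replacing `onlySSL = true;` with `forceSSL = true;` on docs.dvb.solutions makes nginx additionally listen on port 80 for this host and answer plaintext requests with a redirect to HTTPS, whereas `onlySSL` had no plaintext listener at all; the same substitution is made in the files.dvb.solutions hunk and the api.dvb.solutions hunk. That is the usual choice for a public site, but it presumes TCP 80 is admitted by the host firewall, which is not visible in this diff, and the HTTP-to-HTTPS redirect is only useful to returning clients if a `Strict-Transport-Security` header is also sent on the HTTPS side, which no hunk in this commit adds. The enclosing virtualHosts attrset begins and ends outside the hunk.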
@ -6,7 +6,7 @@
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"files.dvb.solutions" = {
|
"files.dvb.solutions" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
onlySSL = true;
|
forceSSL = true;
|
||||||
root = "/var/lib/data-accumulator/";
|
root = "/var/lib/data-accumulator/";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
autoindex on;
|
autoindex on;
|
||||||
|
|
|
@ -37,7 +37,7 @@
|
||||||
params = { module = [ "http_2xx" ]; };
|
params = { module = [ "http_2xx" ]; };
|
||||||
static_configs = [{
|
static_configs = [{
|
||||||
targets = [
|
targets = [
|
||||||
"10.13.37.1:8080"
|
"127.0.0.1:8080"
|
||||||
];
|
];
|
||||||
}];
|
}];
|
||||||
relabel_configs = [
|
relabel_configs = [
|
||||||
|
@ -86,12 +86,12 @@
|
||||||
port = 2342;
|
port = 2342;
|
||||||
addr = "127.0.0.1";
|
addr = "127.0.0.1";
|
||||||
|
|
||||||
provision = {
|
#provision = {
|
||||||
enable = true;
|
# enable = true;
|
||||||
dashboards = [
|
#dashboards = [
|
||||||
{ options.path = "${../services/dashboards}"; }
|
# { options.path = "${../services/dashboards}"; }
|
||||||
];
|
#];
|
||||||
};
|
#};
|
||||||
};
|
};
|
||||||
|
|
||||||
# reverse proxy for grafana
|
# reverse proxy for grafana
|
||||||
|
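Review bot: The dashboard provisioning block is commented out rather than removed (`#provision = {` through `#};`), leaving six lines of dead configuration with no stated reason, and the commit message ("better TLS config and add security headers") does not mention that dashboards are no longer provisioned. If this is temporary, a one-line comment above it such as `# provisioning disabled: <reason>; re-enable once <condition>` would tell the next reader why; if it is permanent, delete the lines, since git keeps the history. The enclosing services.grafana block starts and ends outside the hunk.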
@ -99,8 +99,8 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"${toString config.services.grafana.domain}" = {
|
"${toString config.services.grafana.domain}" = {
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
|
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"map.dvb.solutions" = {
|
"map.dvb.solutions" = {
|
||||||
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
|
|
|
@ -1,4 +1,21 @@
|
||||||
{ pkgs, config, lib, ... }: {
|
{ pkgs, config, lib, ... }: {
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
security.acme.email = "dump-dvb@protonmail.com";
|
security.acme.email = "dump-dvb@protonmail.com";
|
||||||
|
services.nginx.commonHttpConfig = ''
|
||||||
|
# Enable CSP for your services.
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
|
||||||
|
# Minimize information leaked to other domains
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
|
||||||
|
# Disable embedding as a frame
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
|
||||||
|
# Prevent injection of code in other mime types (XSS Attacks)
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
|
||||||
|
# Enable XSS protection of the browser.
|
||||||
|
# May be unnecessary when CSP is configured properly (see above)
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
'';
|
||||||
}
|
}
|
||||||
|
|
|
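Review bot: `add_header X-Frame-Options DENY;` and `add_header X-Content-Type-Options nosniff;` (and the Referrer-Policy line) lack the `always` flag, so nginx emits them only on 2xx/3xx responses and drops them on error pages; the commented-out CSP line already carries it, and the two should read `add_header X-Frame-Options DENY always;` and `add_header X-Content-Type-Options nosniff always;`. Note also that nginx does not inherit `add_header` into a server or location block that declares its own `add_header`, so any virtualHost that sets an extra header silently loses this whole set, which is worth a comment at the top of this block. Given the commit title, the one TLS-related header missing here is HSTS, e.g. `add_header Strict-Transport-Security "max-age=31536000" always;` (the max-age is a sample value), now that every host in this commit uses forceSSL. Two smaller points: `X-XSS-Protection` is ignored by current browsers and can be dropped once the CSP is enabled, and `strict-origin-when-cross-origin` would avoid leaking the origin on a downgrade to plain HTTP, which `origin-when-cross-origin` still does.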
@ -29,6 +29,7 @@
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"socket.dvb.solutions" = {
|
"socket.dvb.solutions" = {
|
||||||
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
|
@ -38,8 +39,8 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"api.dvb.solutions" = {
|
"api.dvb.solutions" = {
|
||||||
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
onlySSL = true;
|
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:9002/";
|
proxyPass = "http://127.0.0.1:9002/";
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
{ pkgs, lib, ... }: {
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
virtualHosts = {
|
||||||
|
"dvb.solutions" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
locations."/" = {
|
||||||
|
extraConfig = ''
|
||||||
|
return 307 https://github.com/dump-dvb;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
|
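Review bot: The new module's function header `{ pkgs, lib, ... }: {` binds `pkgs` and `lib` but the body uses neither, so `{ ... }: {` suffices and avoids an unused-argument warning from linters. The redirect `return 307 https://github.com/dump-dvb;` is a temporary redirect; if dvb.solutions is meant to land on the GitHub organisation permanently, a `301` lets clients cache it, though this may be a deliberate choice, in which case a short comment saying so would help. Like the other hosts in this commit, this vhost relies on the shared commonHttpConfig headers, which are not applied to the redirect unless those directives carry the `always` flag.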
@ -15,7 +15,7 @@ scrape_configs:
|
||||||
max_age: 12h
|
max_age: 12h
|
||||||
labels:
|
labels:
|
||||||
job: systemd-journal
|
job: systemd-journal
|
||||||
host: espresso
|
host: data-hoarder
|
||||||
relabel_configs:
|
relabel_configs:
|
||||||
- source_labels: ['__journal__systemd_unit']
|
- source_labels: ['__journal__systemd_unit']
|
||||||
target_label: 'unit'
|
target_label: 'unit'
|
||||||
|
|