ivandimitrov8080/configuration.nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

split mail and web

Browse Source
This commit is contained in:
Ivan Dimitrov 2023-09-15 21:24:17 +03:00
parent 357a85e1ba
commit 003177e093
3 changed files with 61 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sys/mailserver/configuration.nix
View File

@ -2,6 +2,7 @@
{ {
imports = [ imports = [
./vpsadminos.nix ./vpsadminos.nix
./web.nix
]; ];
services.openssh.enable = true; services.openssh.enable = true;

59
sys/mailserver/mailserver.nix
View File

@ -15,65 +15,6 @@
''; '';
}; };
services = {
nginx = {
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
# Add any further config to match your needs, e.g.:
virtualHosts =
let
base = locations: {
inherit locations;
forceSSL = true;
enableACME = true;
};
proxy = port: base {
"/".proxyPass = "http://127.0.0.1:" + toString (port) + "/";
};
in
{
"idimitrov.dev" = proxy 3000 // { default = true; };
};
};
};
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = "mail.idimitrov.dev"; fqdn = "mail.idimitrov.dev";

60
sys/mailserver/web.nix Normal file
View File

@ -0,0 +1,60 @@
{ config, pkgs, ... }: {
services = {
nginx = {
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
# Add any further config to match your needs, e.g.:
virtualHosts =
let
base = locations: {
inherit locations;
forceSSL = true;
enableACME = true;
};
proxy = port: base {
"/".proxyPass = "http://127.0.0.1:" + toString (port) + "/";
};
in
{
"idimitrov.dev" = proxy 3000 // { default = true; };
};
};
};
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
}