diff --git a/flake.lock b/flake.lock index eda6d51..e8d01f1 100644 --- a/flake.lock +++ b/flake.lock @@ -974,12 +974,12 @@ "pre-commit-hooks": "pre-commit-hooks_2" }, "locked": { - "dirtyRev": "f4a871a401059ff0662ef86a059742d47d45a5bc-dirty", - "dirtyShortRev": "f4a871a-dirty", - "lastModified": 1703274528, - "narHash": "sha256-3bmxjxILyOrmjPYJvGZqcBgQPPgUd2cIxFAbvmag0kE=", - "type": "git", - "url": "file:///home/patrick/repos/nix/nixos-extra-modules" + "lastModified": 1703537346, + "narHash": "sha256-uHS8w7HzkPyPh4K2L0U13A0IUeSI9yugYXgK8xz+CyA=", + "owner": "oddlama", + "repo": "nixos-extra-modules", + "rev": "4daf3ffd02f7cfb1c9a3c8c95bec21dd078ab26f", + "type": "github" }, "original": { "owner": "oddlama", diff --git a/lib/containers.nix b/lib/containers.nix index dbdec8f..1e98391 100644 --- a/lib/containers.nix +++ b/lib/containers.nix @@ -7,7 +7,6 @@ inputs: _self: super: { { config = { imports = [ - ../modules/services/nginx.nix ../modules/config ]; node.name = name; diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix index 7ec326b..b1334d8 100644 --- a/modules/services/nextcloud.nix +++ b/modules/services/nextcloud.nix @@ -7,15 +7,17 @@ } @ attrs: let hostName = "nc.${config.secrets.secrets.global.domains.mail}"; in { - imports = [./containers.nix ./nginx.nix ./ddclient.nix ./acme.nix]; + imports = [./containers.nix ./ddclient.nix ./acme.nix]; services.nginx = { enable = true; + recommendedSetup = true; upstreams.nextcloud = { servers."192.168.178.33:80" = {}; extraConfig = '' zone nextcloud 64k ; keepalive 5 ; + client_max_body_size 4G ; ''; }; virtualHosts.${hostName} = { @@ -34,6 +36,7 @@ in { pkgs, ... }: { + #TODO enable recommended nginx setup systemd.network.networks = { "lan01" = { address = ["192.168.178.33/24"]; 
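Review bot: Dropping `../modules/services/nginx.nix` from the container imports also drops the `networking.firewall.allowedTCPPorts = [80 443]` rule and the reject-everything default vhost that module applied whenever `services.nginx.enable` was set, and nothing in this hunk puts an equivalent back for containers. The nextcloud.nix change in the same commit proxies to `192.168.178.33:80`, i.e. nginx inside a container, so if the container's firewall is enabled that upstream may now be unreachable; whether the bumped nixos-extra-modules input makes `recommendedSetup` available inside container configs is not visible in the diff. If it is, `services.nginx.recommendedSetup = true;` could be set under `config` here; otherwise at least the firewall opening should return, e.g. `networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [80 443];` using whichever `lib` binding this file has in scope. The enclosing `config = { … }` attrset continues past the hunk.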
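Review bot: `client_max_body_size 4G ;` is added inside `upstreams.nextcloud.extraConfig`, which nginx renders into an `upstream { }` block, and that directive is only permitted in `http`, `server` and `location` context — nginx rejects the generated config with `"client_max_body_size" directive is not allowed here`, so the host's nginx will fail its config check. It belongs on the virtual host that receives the uploads, e.g. `virtualHosts.${hostName}.extraConfig = "client_max_body_size 4G;";` (that vhost block opens on the hunk's last line and its body continues outside the hunk). `recommendedSetup = true;` presumably stands in for the deleted local nginx.nix via the bumped nixos-extra-modules input, but the diff does not show what it covers; worth confirming it still applies the dhparams, `sslCiphers` and `ssl_ecdh_curve` hardening and the reject-all default vhost the deleted module had.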
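Review bot: The added `#TODO enable recommended nginx setup` records that the container's nginx — the `192.168.178.33:80` upstream from the earlier hunk — now runs without the defaults the deleted nginx.nix used to give it, but it names neither what is blocking the change nor who owns it. Suggest making it actionable: `# TODO(owner): set services.nginx.recommendedSetup = true once the nixos-extra-modules nginx module is importable in this container; until then this nginx has no security headers, no reject-all default vhost and no firewall rule for :80/:443`. Whether the host-side vhost re-adds the headers on proxied responses is not visible here, so I would confirm that rather than rely on the TODO.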
@@ -57,7 +60,7 @@ in {
 services.nextcloud = {
 inherit hostName;
 enable = true;
- package = pkgs.nextcloud27;
+ package = pkgs.nextcloud28;
 configureRedis = true;
 config.adminpassFile = "${pkgs.writeText "adminpass" "test123"}"; # DON'T DO THIS IN PRODUCTION - the password file will be world-readable in the Nix Store!
 extraApps = with config.services.nextcloud.package.packages.apps; {
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
deleted file mode 100644
index 6d03828..0000000
--- a/modules/services/nginx.nix
+++ /dev/null
@@ -1,102 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- inherit
- (lib)
- mkBefore
- mkIf
- mkOption
- types
- ;
-in {
- options.services.nginx.virtualHosts = mkOption {
- type = types.attrsOf (types.submodule {
- options.locations = mkOption {
- type = types.attrsOf (types.submodule ({config, ...}: {
- options = {
- recommendedSecurityHeaders = mkOption {
- type = types.bool;
- default = true;
- description = "Whether to add additional security headers to this location.";
- };
-
- X-Frame-Options = mkOption {
- type = types.str;
- default = "DENY";
- description = "The value to use for X-Frame-Options";
- };
- };
- config = mkIf config.recommendedSecurityHeaders {
- extraConfig = mkBefore ''
- # Enable HTTP Strict Transport Security (HSTS)
- add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
-
- # Minimize information leaked to other domains
- add_header Referrer-Policy "origin-when-cross-origin";
-
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Frame-Options "${config.X-Frame-Options}";
- add_header X-Content-Type-Options "nosniff";
- '';
- };
- }));
- };
- });
- };
-
- config = mkIf config.services.nginx.enable {
- age.secrets."dhparams.pem" = {
- generator.script = "dhparams";
- mode = "440";
- group = "nginx";
- };
- security.acme.acceptTerms = true;
- security.acme.defaults.email = config.secrets.secrets.global.devEmail;
-
- # Sensible defaults for nginx
- services.nginx = {
- recommendedBrotliSettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
-
- # SSL config
- sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
- sslDhparam = config.age.secrets."dhparams.pem".path;
- commonHttpConfig = ''
- log_format json_combined escape=json '{'
- '"time": $msec,'
- '"remote_addr":"$remote_addr",'
- '"status":$status,'
- '"method":"$request_method",'
- '"host":"$host",'
- '"uri":"$request_uri",'
- '"request_size":$request_length,'
- '"response_size":$body_bytes_sent,'
- '"response_time":$request_time,'
- '"referrer":"$http_referer",'
- '"user_agent":"$http_user_agent"'
- '}';
- error_log syslog:server=unix:/dev/log,nohostname;
- access_log syslog:server=unix:/dev/log,nohostname json_combined;
- ssl_ecdh_curve secp384r1;
- '';
-
- # Default host that rejects everything.
- # This is selected when no matching host is found for a request.
- virtualHosts.dummy = {
- listenAddresses = ["127.0.0.1" "[::1]"];
- default = true;
- rejectSSL = true;
- locations."/".extraConfig = ''
- deny all;
- '';
- };
- };
-
- networking.firewall.allowedTCPPorts = [80 443];
- };
-}
diff --git a/modules/services/radicale.nix b/modules/services/radicale.nix
index d84b107..9eb2d66 100644
--- a/modules/services/radicale.nix
+++ b/modules/services/radicale.nix
@@ -7,7 +7,7 @@
 } @ attrs: let
 hostName = "radicale.${config.secrets.secrets.global.domains.mail}";
 in {
- imports = [./containers.nix ./nginx.nix ./ddclient.nix ./acme.nix];
+ imports = [./containers.nix ./ddclient.nix ./acme.nix];
 services.nginx = {
 enable = true;
 upstreams.radicale = {
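Review bot: This hunk removes `./nginx.nix` from radicale's imports but, unlike the matching nextcloud.nix hunk, adds no `recommendedSetup = true;` under `services.nginx`, so radicale's vhost loses the HSTS/`X-Frame-Options`/`X-Content-Type-Options` headers, the `sslCiphers`/dhparams/`ssl_ecdh_curve` TLS hardening, the reject-all default vhost and the `[80 443]` firewall opening the deleted module provided — unless they are set somewhere outside this diff. Adding `recommendedSetup = true;` right after `enable = true;` keeps the two services consistent, assuming the option comes from the bumped nixos-extra-modules input as the nextcloud change suggests. The deleted module also set `security.acme.acceptTerms` and `security.acme.defaults.email`; `./acme.nix` is still imported and may cover that, but it is worth checking since a missing ACME email fails the build. The `services.nginx` attrset continues beyond the hunk.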