diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/configuration.nix
index 06a3d29..c4bb9d1 100644
--- a/hosts/yevaud/configuration.nix
+++ b/hosts/yevaud/configuration.nix
@@ -5,6 +5,8 @@
 [
 ./hardware-configuration.nix
 ../../users/qenya.nix
+ ../../services/nginx.nix
+ ../../services/openssh.nix
 ];
 boot.loader.systemd-boot.enable = true;
@@ -15,59 +17,14 @@
 time.timeZone = "Etc/UTC";
- services.openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- PermitRootLogin = "no";
+ services.nginx.virtualHosts = {
+ "git.katherina.rocks" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://[::1]:3000/";
 };
 };
- # Allow remote root login only from home network
- # TODO: Find a less hacky way of doing remote deployment
- users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;
- services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password";
-
- networking.firewall.allowedTCPPorts = [ 22 80 443 ];
- # networking.firewall.allowedUDPPorts = [ ... ];
-
- services.fail2ban.enable = true;
-
- services.nginx = {
- enable = true;
-
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
-
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
-
- appendHttpConfig = ''
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- add_header Strict-Transport-Security $hsts_header;
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
- add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff;
- proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
- '';
-
- virtualHosts = {
- "git.katherina.rocks" = {
- forceSSL = true;
- enableACME = true;
- locations."/".proxyPass = "http://[::1]:3000/";
- };
- };
- };
- security.acme = {
- acceptTerms = true;
- defaults.email = "accounts@katherina.rocks";
- };
-
 services.forgejo = {
 enable = true;
 stateDir = "/data/forgejo";
diff --git a/services/nginx.nix b/services/nginx.nix
new file mode 100644
index 0000000..a5a91c6
--- /dev/null
+++ b/services/nginx.nix
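Review bot: The reverse-proxy target `http://[::1]:3000/` in the new `services.nginx.virtualHosts` block hard-codes Forgejo's listen port separately from the `services.forgejo` block that follows it in this hunk, so changing the port in one place silently breaks the other. If the Forgejo module exposes the port through its `settings.server` options, deriving the URL from `config.services.forgejo.settings.server.HTTP_PORT` keeps the two in sync; failing that, a comment such as `# must match the HTTP port Forgejo listens on (3000 by default)` next to `proxyPass` is the minimum. The `services.forgejo` block continues past the end of the hunk.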
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ appendHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "accounts@katherina.rocks"; # TODO: replace with more appropriate email
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
\ No newline at end of file
diff --git a/services/openssh.nix b/services/openssh.nix
new file mode 100644
index 0000000..5e9651a
--- /dev/null
+++ b/services/openssh.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
+
+ services.fail2ban.enable = true;
+
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ # Allow remote root login only from home network
+ # TODO: Find a less hacky way of doing remote deployment
+ users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;
+ services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password";
+}
\ No newline at end of file
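Review bot: `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` in the new `services/nginx.nix` narrows the cipher list to AES-256 suites with ECDHE/DHE key exchange (dropping AES-128-GCM and CHACHA20, and, since `ssl_ciphers` only governs TLS 1.2 and below, leaving the TLS 1.3 suites untouched), yet the file gives no reason for diverging from the module's default list; a comment such as `# deliberate override of the default cipher list: AES-256 with forward secrecy only` would stop the next reader from treating it as a leftover. The HSTS value `max-age=31536000; includeSubdomains; preload` deserves a similar note above the `map` block: once the domain is submitted to the preload list, every subdomain of katherina.rocks must serve HTTPS and the commitment is effectively permanent, which is worth stating where the header is set. The existing TODO on `defaults.email` is fine to keep as is.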
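Review bot: The root-login exception at the bottom of the new `services/openssh.nix` (`users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;` and the `Match Address 45.14.17.200` block in `extraConfig`) is host-specific policy that used to live in yevaud's configuration, but the file is now a shared module, so every host that later imports it inherits root access from that address and fails to evaluate unless a `qenya` user is defined there. Keep those two lines and their comments in `hosts/yevaud/configuration.nix`, or gate them behind an explicit module option, so the shared file carries only the baseline `PasswordAuthentication = false` / `PermitRootLogin = "no"` policy and the `[ 22 ]` firewall rule. As far as I can tell the module appends `extraConfig` after the generated `settings`, so the `Match` scoping itself still works; the point is where the exception lives, not how it is written.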