Commit 66b0cf468a3f

Vincent Demeester <vincent@sbr.pm>
2025-06-14 00:33:21
systems/kerkouane: add nginx configuration
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent 534c8ab
Changed files (1)
systems/kerkouane/extra.nix
@@ -1,14 +1,58 @@
 {
   globals,
+  pkgs,
   ...
 }:
+let
+  # TODO: migrate this out of here
+  nginxExtraConfig = ''
+    expires 31d;
+    add_header Cache-Control "public, max-age=604800, immutable";
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+    add_header X-Content-Type-Options "nosniff";
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems *.demeester.fr";
+    add_header X-XSS-Protection "1; mode=block";
+  '';
+
+  nginx = pkgs.nginxMainline.override (_old: {
+    modules = with pkgs.nginxModules; [
+      fancyindex
+    ];
+  });
+
+  filesWWW = {
+    enableACME = true;
+    forceSSL = true;
+    root = "/var/www/dl.sbr.pm";
+    locations."/" = {
+      index = "index.html";
+      extraConfig = ''
+        fancyindex on;
+        fancyindex_localtime on;
+        fancyindex_exact_size off;
+        fancyindex_header "/.fancyindex/header.html";
+        fancyindex_footer "/.fancyindex/footer.html";
+        # fancyindex_ignore "examplefile.html";
+        fancyindex_ignore "README.md";
+        fancyindex_ignore "HEADER.md";
+        fancyindex_ignore ".fancyindex";
+        fancyindex_name_length 255;
+      '';
+    };
+    locations."/private" = {
+      extraConfig = ''
+        auth_basic "Restricted";
+        auth_basic_user_file /var/www/dl.sbr.pm/private/.htpasswd;
+      '';
+    };
+    extraConfig = nginxExtraConfig;
+  };
+in
 {
   imports = [
-    # ../common/services/gosmee.nix
     ../common/services/prometheus-exporters-node.nix
-    # ../common/services/prometheus-exporters-nginx.nix
-    # ../common/services/nginx.nix
-    # ../common/services/govanityurl.nix
+    ../common/services/syncthing.nix
   ];
 
   services.openssh = {
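Review bot: The `add_header X-Content-Security-Policy ...` line in `nginxExtraConfig` uses the pre-standard header name, which current browsers ignore, so the `default-src` policy is not enforced on any of the hosts that reuse this snippet; it should read `add_header Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems *.demeester.fr";`. In the same block, `X-XSS-Protection "1; mode=block"` is a legacy header that modern guidance sets to `0` or drops. Separately, `auth_basic_user_file /var/www/dl.sbr.pm/private/.htpasswd` places the credential hashes inside the served root of the `/private` location, where any authenticated user can fetch them as a regular file; moving the file outside `/var/www` or adding `location ~ /\.ht { deny all; }` to `filesWWW` would close that.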
@@ -22,6 +66,7 @@
     passwordAuthentication = false;
     permitRootLogin = "without-password";
   };
+
   services.wireguard.server = {
     enable = true;
     inherit (globals.machines.kerkouane.net.vpn) ips;
@@ -33,6 +78,106 @@
     public-url = "https://webhook.sbr.pm";
   };
 
+  services.nginx = {
+    enable = true;
+    statusPage = true;
+    package = nginx;
+    recommendedGzipSettings = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    virtualHosts."dl.sbr.pm" = filesWWW;
+    virtualHosts."files.sbr.pm" = filesWWW;
+    virtualHosts."paste.sbr.pm" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "/var/www/paste.sbr.pm";
+      locations."/" = {
+        index = "index.html";
+      };
+      extraConfig = nginxExtraConfig;
+    };
+    virtualHosts."go.sbr.pm" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8080";
+      };
+      extraConfig = nginxExtraConfig;
+    };
+    virtualHosts."whoami.sbr.pm" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://10.100.0.8:80";
+        extraConfig = ''
+          proxy_set_header Host            $host;
+          proxy_set_header X-Forwarded-For $remote_addr;
+        '';
+      };
+    };
+    virtualHosts."webhook.sbr.pm" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3333";
+        extraConfig = ''
+          proxy_buffering off;
+          proxy_cache off;
+          proxy_set_header Host            $host;
+          proxy_set_header X-Forwarded-For $remote_addr;
+          proxy_set_header Connection "";
+          proxy_http_version 1.1;
+          chunked_transfer_encoding off;
+        '';
+      };
+    };
+    virtualHosts."sbr.pm" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "/var/www/sbr.pm";
+      locations."/" = {
+        index = "index.html";
+      };
+      extraConfig = nginxExtraConfig;
+    };
+    virtualHosts."sbr.systems" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "/var/www/sbr.systems";
+      locations."/" = {
+        index = "index.html";
+      };
+      extraConfig = nginxExtraConfig;
+    };
+    virtualHosts."vincent.demeester.fr" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "/var/www/vincent.demeester.fr";
+      locations."/" = {
+        index = "index.html";
+        extraConfig = ''
+          default_type text/html;
+          try_files $uri $uri.html $uri/ = 404;
+          fancyindex on;
+          fancyindex_localtime on;
+          fancyindex_exact_size off;
+          fancyindex_header "/assets/.fancyindex/header.html";
+          fancyindex_footer "/assets/.fancyindex/footer.html";
+          # fancyindex_ignore "examplefile.html";
+          fancyindex_ignore "README.md";
+          fancyindex_ignore "HEADER.md";
+          fancyindex_ignore ".fancyindex";
+          fancyindex_name_length 255;
+        '';
+      };
+      extraConfig = nginxExtraConfig;
+    };
+  };
+  services.prometheus.exporters.nginx = {
+    enable = true;
+    port = 9001;
+  };
+
   security.pam.enableSSHAgentAuth = true;
   services.govanityurl = {
     enable = true;
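Review bot: The `whoami.sbr.pm` and `webhook.sbr.pm` virtual hosts are the only ones without `extraConfig = nginxExtraConfig;`, so they are served over forced TLS but without HSTS, `X-Content-Type-Options` or the other hardening headers the rest of the file applies; if that is intentional for the proxied backends it deserves a comment, otherwise add the line to both. In `vincent.demeester.fr`, `try_files $uri $uri.html $uri/ = 404;` has a space inside the status-code form, so nginx will likely treat `=` as a file candidate and `404` as the fallback URI rather than return a 404; it should be `try_files $uri $uri.html $uri/ =404;`. The `services.prometheus.exporters.nginx` block sets only `port = 9001`, and NixOS exporters default to listening on all interfaces, so unless the firewall rules (not visible here) restrict it, consider pinning `listenAddress` to the WireGuard or loopback address the scraper actually uses.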