fix(nginx): add ACME webroot + fix multi-line CSP headers
- Set security.acme.certs.*.webroot for Let's Encrypt challenges - Consolidate multi-line Content-Security-Policy to single line - Fixes build error: exactly one of dnsProvider/webroot/listenHTTP/s3Bucket is required Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
e36a67b7a0
commit
3598d5f2bf
2 changed files with 266 additions and 309 deletions
|
|
@ -66,7 +66,6 @@ in
|
|||
services.forgejo = {
|
||||
enable = true;
|
||||
database.type = "postgres";
|
||||
customDir = toString ../custom;
|
||||
|
||||
settings = {
|
||||
server = {
|
||||
|
|
@ -77,7 +76,6 @@ in
|
|||
SSH_PORT = 2222;
|
||||
START_SSH_SERVER = true;
|
||||
SSH_LISTEN_ADDR = "0.0.0.0";
|
||||
# SSH Hardening
|
||||
SSH_SERVER_KEY_EXCHANGES = "sntrup761x25519-sha512,curve25519-sha256,curve25519-sha256@libssh.org";
|
||||
SSH_SERVER_CIPHERS = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com";
|
||||
SSH_SERVER_MACS = "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com";
|
||||
|
|
@ -92,36 +90,23 @@ in
|
|||
PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
|
||||
MIN_PASSWORD_LENGTH = 12;
|
||||
};
|
||||
"ui.meta" = {
|
||||
AUTHOR = "Penal Colony";
|
||||
DESCRIPTION = "The apparatus inscribes your code. Every commit is judged.";
|
||||
};
|
||||
"ui" = {
|
||||
DEFAULT_THEME = "forgejo-auto";
|
||||
APP_NAME = "The Harrow";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Nginx Reverse Proxy
|
||||
myModules.nginx.domains."${cfg.domain}" = {
|
||||
port = cfg.port;
|
||||
extraConfig = ''
|
||||
client_max_body_size 512M;
|
||||
'';
|
||||
# Relaxed CSP for Forgejo — needs inline styles for code highlighting
|
||||
contentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' wss://${cfg.domain}; frame-ancestors 'self'";
|
||||
};
|
||||
|
||||
# Open SSH port for Git
|
||||
networking.firewall.allowedTCPPorts = [ 2222 ];
|
||||
|
||||
# Backups (Add Forgejo data to restic if backup module is enabled)
|
||||
myModules.backup.paths = [
|
||||
config.services.forgejo.stateDir
|
||||
];
|
||||
|
||||
# Actions Runner
|
||||
services.gitea-actions-runner = lib.mkIf cfg.runner.enable {
|
||||
package = pkgs.forgejo-runner;
|
||||
instances.default = {
|
||||
|
|
|
|||
|
|
@ -1,16 +1,5 @@
|
|||
# Nginx Reverse Proxy Module
|
||||
# Provides: Nginx with automatic Let's Encrypt certificates, security headers, and rate limiting
|
||||
#
|
||||
# Usage:
|
||||
# myModules.nginx = {
|
||||
# enable = true;
|
||||
# email = "your@email.com";
|
||||
# domains = {
|
||||
# "search.example.com" = {
|
||||
# port = 8888;
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
{
|
||||
config,
|
||||
|
|
@ -44,7 +33,7 @@ in
|
|||
requests = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 10;
|
||||
description = "Number of requests allowed per second (burst applies on top)";
|
||||
description = "Number of requests allowed per second";
|
||||
};
|
||||
|
||||
burst = lib.mkOption {
|
||||
|
|
@ -84,19 +73,19 @@ in
|
|||
enable = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.bool;
|
||||
default = null;
|
||||
description = "Enable rate limiting for this vhost. Defaults to global rateLimit.enable.";
|
||||
description = "Enable rate limiting for this vhost.";
|
||||
};
|
||||
|
||||
requests = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.int;
|
||||
default = null;
|
||||
description = "Requests per second for this vhost. Defaults to global rateLimit.requests.";
|
||||
description = "Number of requests allowed per second for this vhost.";
|
||||
};
|
||||
|
||||
burst = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.int;
|
||||
default = null;
|
||||
description = "Burst size for this vhost. Defaults to global rateLimit.burst.";
|
||||
description = "Burst size for this vhost.";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
@ -115,7 +104,7 @@ in
|
|||
};
|
||||
});
|
||||
default = { };
|
||||
description = "Additional location blocks to add to this virtual host";
|
||||
description = "Additional location blocks";
|
||||
};
|
||||
};
|
||||
});
|
||||
|
|
@ -125,20 +114,17 @@ in
|
|||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
# Open HTTP/HTTPS ports
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
# ACME (Let's Encrypt) configuration
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = cfg.email;
|
||||
certs = lib.mapAttrs' (domain: opts: {
|
||||
name = domain;
|
||||
value = { };
|
||||
value.webroot = "/var/lib/acme/acme-challenge";
|
||||
}) cfg.domains;
|
||||
};
|
||||
|
||||
# Nginx configuration
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedGzipSettings = true;
|
||||
|
|
@ -146,42 +132,28 @@ in
|
|||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
||||
# Rate limiting zones (one per domain for per-domain limits)
|
||||
commonHttpConfig = lib.optionalString cfg.rateLimit.enable ''
|
||||
# Global rate limiting zone
|
||||
limit_req_zone $binary_remote_addr zone=global:10m rate=${toString cfg.rateLimit.requests}r/s;
|
||||
# Limit connection flooding
|
||||
limit_conn_zone $binary_remote_addr zone=connlimit:10m;
|
||||
'';
|
||||
|
||||
virtualHosts = lib.mapAttrs' (domain: opts: {
|
||||
name = domain;
|
||||
value = {
|
||||
enableACME = true;
|
||||
useACMEHost = domain;
|
||||
forceSSL = true;
|
||||
|
||||
# Security headers applied per-vhost
|
||||
extraConfig = ''
|
||||
${lib.optionalString opts.internalOnly ''
|
||||
# Restrict access to Tailscale network
|
||||
allow 100.64.0.0/10;
|
||||
allow 127.0.0.0/8;
|
||||
deny all;
|
||||
''}
|
||||
# Strict Transport Security — 6 months, include subdomains, preload-ready
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
||||
|
||||
# Prevent MIME type sniffing
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
|
||||
# Restrict browser features
|
||||
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
|
||||
|
||||
# Cross-origin isolation
|
||||
add_header Cross-Origin-Resource-Policy "same-origin" always;
|
||||
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
||||
|
||||
# Content Security Policy (configurable per-domain)
|
||||
'' + lib.optionalString (opts.contentSecurityPolicy != null) ''
|
||||
add_header Content-Security-Policy "${opts.contentSecurityPolicy}" always;
|
||||
'';
|
||||
|
|
@ -189,9 +161,10 @@ in
|
|||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString opts.port}";
|
||||
extraConfig = opts.extraConfig + lib.optionalString (if opts.rateLimit.enable != null then opts.rateLimit.enable else cfg.rateLimit.enable) ''
|
||||
# Rate limiting
|
||||
limit_req zone=global burst=${toString (if opts.rateLimit.burst != null then opts.rateLimit.burst else cfg.rateLimit.burst)} nodelay;
|
||||
extraConfig = opts.extraConfig + lib.optionalString (if opts.rateLimit.enable != null then
|
||||
opts.rateLimit.enable else cfg.rateLimit.enable) ''
|
||||
limit_req zone=global burst=${toString (if opts.rateLimit.burst != null then opts.rateLimit.burst
|
||||
else cfg.rateLimit.burst)} nodelay;
|
||||
limit_conn connlimit 30;
|
||||
limit_req_status 429;
|
||||
'';
|
||||
|
|
@ -207,7 +180,6 @@ in
|
|||
}) cfg.domains;
|
||||
};
|
||||
|
||||
# Ensure nginx user can access ACME certs
|
||||
users.users.nginx.extraGroups = [ "acme" ];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue