penal-colony/nixos-vps
2
0
Fork 1
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions
154 commits 3 branches 0 tags 370 KiB
Commit graph

7 commits

Author SHA1 Message Date
ashisgreat22
6b64254eab . 2026-03-22 01:45:51 +00:00
ashisgreat22
3598d5f2bf fix(nginx): add ACME webroot + fix multi-line CSP headers 
- Set security.acme.certs.*.webroot for Let's Encrypt challenges
- Consolidate multi-line Content-Security-Policy to single line
- Fixes build error: exactly one of dnsProvider/webroot/listenHTTP/s3Bucket is required

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-20 22:16:51 +00:00
ashisgreat22
f31ec2ce65 feat(security): restrict internal services to tailscale 
- Add `internalOnly` option to nginx module to block public access.

- Apply `internalOnly` flag to Forgejo and Vaultwarden to ensure they are only accessible over the VPN or localhost.
 2026-03-19 22:35:33 +01:00
Franz Kafka
790501d290 feat(nginx): add rate limiting with per-domain overrides 
- Global rate limit: 10 req/s with burst of 20
- Connection limit: 30 concurrent per IP
- Per-domain override support (requests, burst, enable/disable)
- SearXNG gets higher limits (20/40) to tolerate bot traffic
- Returns 429 when rate limited
 2026-03-19 15:08:34 +00:00
Franz Kafka
fbea02867e feat(nginx): add security headers with per-domain CSP 
- Add HSTS (6 months, includeSubDomains, preload-ready)
- Add X-Content-Type-Options: nosniff
- Add Permissions-Policy (disable camera/mic/geolocation)
- Add Cross-Origin-Resource-Policy: same-origin
- Add Cross-Origin-Opener-Policy: same-origin
- Add configurable Content-Security-Policy per domain

Per-service CSP tuning:
- SearXNG: null (handles its own CSP in settings.yml)
- Forgejo: relaxed (unsafe-inline/eval for code highlighting)
- Vaultwarden: relaxed (unsafe-eval for WebCrypto vault)

Fixes: missing CSP, HSTS, X-Content-Type-Options headers
 2026-03-19 13:42:41 +00:00
ashisgreat22
cbce4aa228 feat(nginx): add extraLocations option for WebSocket support 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-18 03:19:31 +01:00
ashisgreat22
24d01ac630 Add modular service configuration with SearXNG and Nginx 
- Create modules/ directory with reusable NixOS modules
- Add system module for main user configuration
- Add podman module for rootless container support
- Add nginx module with automatic Let's Encrypt SSL
- Add searxng module with Anubis AI firewall protection
- Configure SearXNG at search.ashisgreat.xyz
- Enable nginx reverse proxy with HTTPS

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-17 19:47:43 +01:00