nixos-vps

Author	SHA1	Message	Date
ashisgreat22	f31ec2ce65	feat(security): restrict internal services to tailscale - Add `internalOnly` option to nginx module to block public access. - Apply `internalOnly` flag to Forgejo and Vaultwarden to ensure they are only accessible over the VPN or localhost.	2026-03-19 22:35:33 +01:00
Franz Kafka	790501d290	feat(nginx): add rate limiting with per-domain overrides - Global rate limit: 10 req/s with burst of 20 - Connection limit: 30 concurrent per IP - Per-domain override support (requests, burst, enable/disable) - SearXNG gets higher limits (20/40) to tolerate bot traffic - Returns 429 when rate limited	2026-03-19 15:08:34 +00:00
Franz Kafka	fbea02867e	feat(nginx): add security headers with per-domain CSP - Add HSTS (6 months, includeSubDomains, preload-ready) - Add X-Content-Type-Options: nosniff - Add Permissions-Policy (disable camera/mic/geolocation) - Add Cross-Origin-Resource-Policy: same-origin - Add Cross-Origin-Opener-Policy: same-origin - Add configurable Content-Security-Policy per domain Per-service CSP tuning: - SearXNG: null (handles its own CSP in settings.yml) - Forgejo: relaxed (unsafe-inline/eval for code highlighting) - Vaultwarden: relaxed (unsafe-eval for WebCrypto vault) Fixes: missing CSP, HSTS, X-Content-Type-Options headers	2026-03-19 13:42:41 +00:00
ashisgreat22	cbce4aa228	feat(nginx): add extraLocations option for WebSocket support Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 03:19:31 +01:00
ashisgreat22	24d01ac630	Add modular service configuration with SearXNG and Nginx - Create modules/ directory with reusable NixOS modules - Add system module for main user configuration - Add podman module for rootless container support - Add nginx module with automatic Let's Encrypt SSL - Add searxng module with Anubis AI firewall protection - Configure SearXNG at search.ashisgreat.xyz - Enable nginx reverse proxy with HTTPS Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-17 19:47:43 +01:00

5 commits