penal-colony/nixos-vps
2
0
Fork 1
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions
127 commits 3 branches 0 tags 370 KiB
Commit graph

4 commits

Author SHA1 Message Date
ashisgreat22
f31ec2ce65 feat(security): restrict internal services to tailscale 
- Add `internalOnly` option to nginx module to block public access.

- Apply `internalOnly` flag to Forgejo and Vaultwarden to ensure they are only accessible over the VPN or localhost.
 2026-03-19 22:35:33 +01:00
Franz Kafka
fbea02867e feat(nginx): add security headers with per-domain CSP 
- Add HSTS (6 months, includeSubDomains, preload-ready)
- Add X-Content-Type-Options: nosniff
- Add Permissions-Policy (disable camera/mic/geolocation)
- Add Cross-Origin-Resource-Policy: same-origin
- Add Cross-Origin-Opener-Policy: same-origin
- Add configurable Content-Security-Policy per domain

Per-service CSP tuning:
- SearXNG: null (handles its own CSP in settings.yml)
- Forgejo: relaxed (unsafe-inline/eval for code highlighting)
- Vaultwarden: relaxed (unsafe-eval for WebCrypto vault)

Fixes: missing CSP, HSTS, X-Content-Type-Options headers
 2026-03-19 13:42:41 +00:00
ashisgreat22
db4f0f8f61 fix: remove duplicate SOPS declaration, clean up unused param 
- Remove redundant vaultwarden_admin_token from configuration.nix
  (already declared in module)
- Remove unused pkgs parameter from vaultwarden module

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-18 12:37:09 +01:00
ashisgreat22
e2facd1fa9 feat: add Vaultwarden module 
- Add native NixOS Vaultwarden service module
- Supports WebSocket for real-time sync notifications
- Integrates with nginx via extraLocations for /notifications/hub
- Configurable signup, invitations, and SMTP settings
- Uses SOPS for admin token secret management

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-18 12:07:26 +01:00