diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-10-15 21:16:26 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-10-15 21:16:26 +0200 |
commit | ebc4c6c641d697b4bdb9af94e1ab5171c92b6c4e (patch) | |
tree | ff71b317201b140afbc87512ab3a96149354b0c3 | |
parent | 3559a78338e5eaf502d5b49f19e275aa955f1334 (diff) | |
download | nixos-ebc4c6c641d697b4bdb9af94e1ab5171c92b6c4e.tar nixos-ebc4c6c641d697b4bdb9af94e1ab5171c92b6c4e.tar.gz nixos-ebc4c6c641d697b4bdb9af94e1ab5171c92b6c4e.tar.bz2 nixos-ebc4c6c641d697b4bdb9af94e1ab5171c92b6c4e.tar.xz nixos-ebc4c6c641d697b4bdb9af94e1ab5171c92b6c4e.zip |
surtr: ...
-rw-r--r-- | hosts/surtr/http/default.nix | 8 | ||||
-rw-r--r-- | hosts/surtr/matrix/default.nix | 40 |
2 files changed, 39 insertions, 9 deletions
diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix index 6b516b00..c70eb8f8 100644 --- a/hosts/surtr/http/default.nix +++ b/hosts/surtr/http/default.nix | |||
@@ -24,16 +24,20 @@ | |||
24 | access_log syslog:server=unix:/dev/log main; | 24 | access_log syslog:server=unix:/dev/log main; |
25 | error_log syslog:server=unix:/dev/log info; | 25 | error_log syslog:server=unix:/dev/log info; |
26 | 26 | ||
27 | client_body_temp_path /run/nginx-client-bodies; | 27 | client_body_temp_path /run/nginx-client-bodies 2 2; |
28 | proxy_temp_path /run/nginx-proxy-bodies 2 2; | ||
28 | ''; | 29 | ''; |
29 | additionalModules = with pkgs.nginxModules; [ pam ]; | 30 | additionalModules = with pkgs.nginxModules; [ pam ]; |
31 | eventsConfig = '' | ||
32 | worker_connections 2048; | ||
33 | ''; | ||
30 | }; | 34 | }; |
31 | systemd.services.nginx = { | 35 | systemd.services.nginx = { |
32 | preStart = lib.mkForce config.services.nginx.preStart; | 36 | preStart = lib.mkForce config.services.nginx.preStart; |
33 | serviceConfig = { | 37 | serviceConfig = { |
34 | SupplementaryGroups = [ "shadow" ]; | 38 | SupplementaryGroups = [ "shadow" ]; |
35 | ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; | 39 | ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; |
36 | RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ]; | 40 | RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" "nginx-proxy-bodies" ]; |
37 | RuntimeDirectoryMode = "0750"; | 41 | RuntimeDirectoryMode = "0750"; |
38 | }; | 42 | }; |
39 | }; | 43 | }; |
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index fcebf9c1..7a1b968e 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix | |||
@@ -141,6 +141,9 @@ with lib; | |||
141 | recommendedProxySettings = true; | 141 | recommendedProxySettings = true; |
142 | 142 | ||
143 | upstreams."matrix-synapse" = { | 143 | upstreams."matrix-synapse" = { |
144 | extraConfig = '' | ||
145 | keepalive 64; | ||
146 | ''; | ||
144 | servers = { | 147 | servers = { |
145 | "127.0.0.1:8008" = {}; | 148 | "127.0.0.1:8008" = {}; |
146 | }; | 149 | }; |
@@ -175,7 +178,11 @@ with lib; | |||
175 | proxyPass = "http://matrix-synapse"; | 178 | proxyPass = "http://matrix-synapse"; |
176 | extraConfig = '' | 179 | extraConfig = '' |
177 | client_max_body_size 500M; | 180 | client_max_body_size 500M; |
181 | |||
178 | proxy_pass_header Server; | 182 | proxy_pass_header Server; |
183 | |||
184 | proxy_http_version 1.1; | ||
185 | proxy_set_header "Connection" ""; | ||
179 | ''; | 186 | ''; |
180 | }) ["/_matrix" "/_synapse/client" "/_synapse/admin"]) // { | 187 | }) ["/_matrix" "/_synapse/client" "/_synapse/admin"]) // { |
181 | "= /.well-known/matrix/server" = { | 188 | "= /.well-known/matrix/server" = { |
@@ -201,7 +208,16 @@ with lib; | |||
201 | }; | 208 | }; |
202 | }; | 209 | }; |
203 | 210 | ||
204 | virtualHosts."element.synapse.li" = { | 211 | virtualHosts."element.synapse.li" = let |
212 | headerDirectives = '' | ||
213 | add_header Strict-Transport-Security "max-age=63072000" always; | ||
214 | |||
215 | add_header X-Frame-Options SAMEORIGIN always; | ||
216 | add_header X-Content-Type-Options nosniff always; | ||
217 | add_header X-XSS-Protection "1; mode=block" always; | ||
218 | add_header Content-Security-Policy "frame-ancestors 'self'" always; | ||
219 | ''; | ||
220 | in { | ||
205 | forceSSL = true; | 221 | forceSSL = true; |
206 | kTLS = true; | 222 | kTLS = true; |
207 | http3 = true; | 223 | http3 = true; |
@@ -209,12 +225,7 @@ with lib; | |||
209 | sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem"; | 225 | sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem"; |
210 | sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; | 226 | sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; |
211 | extraConfig = '' | 227 | extraConfig = '' |
212 | add_header Strict-Transport-Security "max-age=63072000" always; | 228 | error_page 500 502 503 504 /50x.html; |
213 | |||
214 | add_header X-Frame-Options SAMEORIGIN; | ||
215 | add_header X-Content-Type-Options nosniff; | ||
216 | add_header X-XSS-Protection "1; mode=block"; | ||
217 | add_header Content-Security-Policy "frame-ancestors 'self'"; | ||
218 | ''; | 229 | ''; |
219 | 230 | ||
220 | root = pkgs.element-web.override { | 231 | root = pkgs.element-web.override { |
@@ -225,6 +236,21 @@ with lib; | |||
225 | }; | 236 | }; |
226 | }; | 237 | }; |
227 | }; | 238 | }; |
239 | |||
240 | locations = { | ||
241 | "= /index.html".extraConfig = '' | ||
242 | ${headerDirectives} | ||
243 | add_header Cache-Control "no-cache" always; | ||
244 | ''; | ||
245 | "= /version".extraConfig = '' | ||
246 | ${headerDirectives} | ||
247 | add_header Cache-Control "no-cache" always; | ||
248 | ''; | ||
249 | "/config".extraConfig = '' | ||
250 | ${headerDirectives} | ||
251 | add_header Cache-Control "no-cache" always; | ||
252 | ''; | ||
253 | }; | ||
228 | }; | 254 | }; |
229 | }; | 255 | }; |
230 | 256 | ||