authorGregor Kleen <gkleen@yggdrasil.li>2023-10-15 21:16:26 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2023-10-15 21:16:26 +0200
commitebc4c6c641d697b4bdb9af94e1ab5171c92b6c4e (patch)
treeff71b317201b140afbc87512ab3a96149354b0c3
parent3559a78338e5eaf502d5b49f19e275aa955f1334 (diff)
surtr: ...
-rw-r--r--hosts/surtr/http/default.nix8
-rw-r--r--hosts/surtr/matrix/default.nix40
2 files changed, 39 insertions, 9 deletions
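--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -24,16 +24,20 @@
 access_log syslog:server=unix:/dev/log main;
 error_log syslog:server=unix:/dev/log info;
 
-client_body_temp_path /run/nginx-client-bodies;
+client_body_temp_path /run/nginx-client-bodies 2 2;
+proxy_temp_path /run/nginx-proxy-bodies 2 2;
 '';
 additionalModules = with pkgs.nginxModules; [ pam ];
+eventsConfig = ''
+worker_connections 2048;
+'';
 };
 systemd.services.nginx = {
 preStart = lib.mkForce config.services.nginx.preStart;
 serviceConfig = {
 SupplementaryGroups = [ "shadow" ];
 ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
+RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" "nginx-proxy-bodies" ];
 RuntimeDirectoryMode = "0750";
 };
 };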
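Review bot: The new proxy_temp_path on the line after client_body_temp_path places buffered upstream responses under /run, which is normally a tmpfs, so a large buffered response (the Matrix locations in the other file already accept 500M request bodies, and media downloads can be larger) is paid for in RAM rather than disk, and the hunk sets no proxy_max_temp_file_size, so only nginx's per-request default bound applies. Worth a comment beside the directive, e.g. `# /run is tmpfs: proxy/client temp files here cost RAM; bounded per request by proxy_max_temp_file_size`, or a persistent directory if large media is expected. The added worker_connections 2048 in eventsConfig has no matching worker_rlimit_nofile in this hunk; if the descriptor limit is raised elsewhere that is fine, otherwise the new connection limit may not be reachable. The '' string these directives live in and the enclosing services.nginx attribute set begin before the hunk.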
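--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -141,6 +141,9 @@ with lib;
 recommendedProxySettings = true;
 
 upstreams."matrix-synapse" = {
+extraConfig = ''
+keepalive 64;
+'';
 servers = {
 "127.0.0.1:8008" = {};
 };
@@ -175,7 +178,11 @@ with lib;
 proxyPass = "http://matrix-synapse";
 extraConfig = ''
 client_max_body_size 500M;
+
 proxy_pass_header Server;
+
+proxy_http_version 1.1;
+proxy_set_header "Connection" "";
 '';
 }) ["/_matrix" "/_synapse/client" "/_synapse/admin"]) // {
 "= /.well-known/matrix/server" = {
@@ -201,7 +208,16 @@ with lib;
 };
 };
 
-virtualHosts."element.synapse.li" = {
+virtualHosts."element.synapse.li" = let
+headerDirectives = ''
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+add_header X-Frame-Options SAMEORIGIN always;
+add_header X-Content-Type-Options nosniff always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Content-Security-Policy "frame-ancestors 'self'" always;
+'';
+in {
 forceSSL = true;
 kTLS = true;
 http3 = true;
@@ -209,12 +225,7 @@ with lib;
 sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
 extraConfig = ''
-add_header Strict-Transport-Security "max-age=63072000" always;
-
-add_header X-Frame-Options SAMEORIGIN;
-add_header X-Content-Type-Options nosniff;
-add_header X-XSS-Protection "1; mode=block";
-add_header Content-Security-Policy "frame-ancestors 'self'";
+error_page 500 502 503 504 /50x.html;
 '';
 
 root = pkgs.element-web.override {
@@ -225,6 +236,21 @@ with lib;
 };
 };
 };
+
+locations = {
+"= /index.html".extraConfig = ''
+${headerDirectives}
+add_header Cache-Control "no-cache" always;
+'';
+"= /version".extraConfig = ''
+${headerDirectives}
+add_header Cache-Control "no-cache" always;
+'';
+"/config".extraConfig = ''
+${headerDirectives}
+add_header Cache-Control "no-cache" always;
+'';
+};
 };
 };
 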
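Review bot: The security headers that were previously emitted at the server level of element.synapse.li (old lines 212-217, fourth hunk) are now attached only to the three locations `= /index.html`, `= /version` and `/config`, so every other response from this vhost — the hashed JS/CSS bundles, other static assets and the new /50x.html error page — no longer carries Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options or the frame-ancestors CSP. Because nginx's add_header is inherited only by locations that declare none of their own, keeping a server-level copy changes nothing for the three locations that already override it but restores the headers everywhere else, including on a direct navigation to any other path; suggest `${headerDirectives}` as the first line of the vhost's extraConfig, before `error_page 500 502 503 504 /50x.html;`. The headerDirectives let-binding is introduced in the third hunk and consumed in the last; the vhost closes at the end of this section.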