From b517ea29707efc6677fe8c0e7ff6dadff4de3c3d Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:21:19 +0200 Subject: l 4: add website helper functions --- lass/4lib/default.nix | 127 +++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 125 insertions(+), 2 deletions(-) (limited to 'lass/4lib/default.nix') diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix index a751a2995..d45313894 100644 --- a/lass/4lib/default.nix +++ b/lass/4lib/default.nix 
@@ -1,10 +1,133 @@ -{ lib, ... }: +{ lib, pkgs, ... }: with lib; -{ +rec { getDefaultGateway = ip: concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]); + manageCert = domain: + { + security.acme = { + certs."${domain}" = { + email = "lassulus@gmail.com"; + webroot = "/var/lib/acme/challenges/${domain}"; + plugins = [ + "account_key.json" + "cert.pem" + "key.pem" + "fullchain.pem" + ]; + group = "nginx"; + allowKeysForGroup = true; + }; + }; + + krebs.nginx.servers."${domain}" = { + locations = [ + (nameValuePair "/.well-known/acme-challenge" '' + root /var/lib/acme/challenges/${domain}/; + '') + ]; + }; + }; + + ssl = domain: + { + imports = [ + ( manageCert domain ) + ( activateACME domain ) + ]; + }; + + activateACME = domain: + { + krebs.nginx.servers."${domain}" = { + ssl = { + enable = true; + certificate = "/var/lib/acme/${domain}/cert.pem"; + certificate_key = "/var/lib/acme/${domain}/key.pem"; + }; + }; + }; + + servePage = domain: + { + krebs.nginx.servers."${domain}" = { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + root /srv/http/${domain}; + '') + ]; + }; + }; + + serveOwncloud = domain: + { + krebs.nginx.servers."${domain}" = { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + # The following 2 rules are only needed with webfinger + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; + + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + + try_files $uri $uri/ /index.php; + '') + (nameValuePair "~ \.php$" '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + '') + ]; + extraConfig = '' + root 
/srv/http/${domain}/; + #index index.php; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; + rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; + rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; + + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + ''; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = /srv/http/${domain}/phpfpm.pool + user = nginx + group = nginx + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = nginx + listen.group = nginx + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + } -- cgit v1.2.3 From ed37b759286a1989ee3830b0268134a177303d23 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 21:20:35 +0200 Subject: l 4: update owncloud config to solve errors --- lass/4lib/default.nix | 98 +++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 72 insertions(+), 26 deletions(-) (limited to 'lass/4lib/default.nix') diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix index d45313894..4d3adfd1d 100644 --- a/lass/4lib/default.nix +++ b/lass/4lib/default.nix 
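Review bot: The regex location keys in the new `serveOwncloud` helper are ordinary double-quoted Nix strings, and Nix reduces an unknown escape such as `"\."` to a bare `.`, so `(nameValuePair "~ \.php$" ''` reaches nginx as `~ .php$`, where `.` matches any character instead of a literal dot. The escape needs doubling, `(nameValuePair "~ \\.php$" ''`, and the same applies to `"~ \.php(?:$|/)"`, `"~* \.(?:css|js)$"` and `"~* \.(?:jpg|jpeg|…)$"` in the "update owncloud config" hunk and to `"~ \.php$"` and `"~* ^.+\.(xml|…)$"` in the `serveWordpress` hunk; the later `"~ /\\."` key shows the form the author already uses elsewhere. A short comment on the list, `# double-quoted Nix strings: write \\. for a literal regex dot`, would keep future entries consistent.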
@@ -74,43 +74,89 @@ rec { "${domain}" "www.${domain}" ]; + extraConfig = '' + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + + # Path to the root of your installation + root /srv/http/${domain}/; + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + # Disable gzip to avoid the removal of the ETag header + gzip off; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. + #pagespeed off; + + index index.php; + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + + rewrite ^/.well-known/carddav /remote.php/carddav/ permanent; + rewrite ^/.well-known/caldav /remote.php/caldav/ permanent; + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. 
+ rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + ''; locations = [ - (nameValuePair "/" '' - # The following 2 rules are only needed with webfinger - rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + (nameValuePair "/robots.txt" '' + allow all; + log_not_found off; + access_log off; + '') + (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" '' + deny all; + '') - rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; - rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; + (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" '' + deny all; + '') + (nameValuePair "/" '' + rewrite ^/remote/(.*) /remote.php last; rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; - - try_files $uri $uri/ /index.php; + try_files $uri $uri/ =404; '') - (nameValuePair "~ \.php$" '' + + (nameValuePair "~ \.php(?:$|/)" '' fastcgi_split_path_info ^(.+\.php)(/.+)$; - include ${pkgs.nginx}/conf/fastcgi.conf; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + fastcgi_intercept_errors on; '') - ]; - extraConfig = '' - root /srv/http/${domain}/; - #index index.php; - access_log /tmp/nginx_acc.log; - error_log /tmp/nginx_err.log; - - # set max upload size - client_max_body_size 10G; - fastcgi_buffers 64 4K; - rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; - rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; - rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; + # Adding the cache control header for js and css files + # Make sure it is BELOW the location ~ \.php(?:$|/) { block + 
(nameValuePair "~* \.(?:css|js)$" '' + add_header Cache-Control "public, max-age=7200"; + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + # Optional: Don't log access to assets + access_log off; + '') - error_page 403 /core/templates/403.php; - error_page 404 /core/templates/404.php; - ''; + # Optional: Don't log access to other assets + (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" '' + access_log off; + '') + ]; }; services.phpfpm.poolConfigs."${domain}" = '' listen = /srv/http/${domain}/phpfpm.pool -- cgit v1.2.3 From 1773a9cd92ca2c0d78ba55c9ba16f7580cde388e Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:49:52 +0200 Subject: l 4: add more helpers for wordpress hosting --- lass/4lib/default.nix | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) (limited to 'lass/4lib/default.nix') diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix index 4d3adfd1d..e089f022c 100644 --- a/lass/4lib/default.nix +++ b/lass/4lib/default.nix @@ -33,6 +33,34 @@ rec { }; }; + manageCerts = domains: + let + domain = head domains; + in { + security.acme = { + certs."${domain}" = { + email = "lassulus@gmail.com"; + webroot = "/var/lib/acme/challenges/${domain}"; + plugins = [ + "account_key.json" + "key.pem" + "fullchain.pem" + ]; + group = "nginx"; + allowKeysForGroup = true; + extraDomains = genAttrs domains (_: null); + }; + }; + + krebs.nginx.servers."${domain}" = { + locations = [ + (nameValuePair "/.well-known/acme-challenge" '' + root /var/lib/acme/challenges/${domain}/; + '') + ]; + }; + }; + ssl = domain: { imports = [ 
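Review bot: `fastcgi_param HTTPS on;` in the `~ \.php(?:$|/)` location is unconditional, yet this helper does not enable TLS itself — that is done separately by `activateACME`/`ssl` — so a vhost that applies only `serveOwncloud` tells PHP the request was encrypted even when it arrived on the plaintext listener. `fastcgi_param HTTPS $https if_not_empty;` reports the actual connection state instead. If the intent is that `serveOwncloud` is always combined with `ssl`, a comment on the helper saying so would make the hard-coded value and the unconditional Strict-Transport-Security header in `extraConfig` understandable. The `serveOwncloud` definition starts before this hunk and its `services.phpfpm.poolConfigs` part continues past it.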
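Review bot: In `manageCerts`, `extraDomains = genAttrs domains (_: null);` is built from the whole list, so the primary name `domain = head domains` appears both as the certificate's main name and again in `extraDomains`; presumably only the remaining names are meant, `extraDomains = genAttrs (tail domains) (_: null);`. `head domains` on an empty list also aborts evaluation with a generic error rather than pointing at the helper; an `assert domains != [];` at the top of the function names the problem, and the same applies to `serveWordpress` in the next hunk and to `ssl`, `servePage` and `serveOwncloud` in the "use lists in helpers" commit. The hunk ends inside the `ssl` definition, whose body continues past it.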
@@ -176,4 +204,56 @@ rec { ''; }; + serveWordpress = domains: + let + domain = head domains; + + in { + krebs.nginx.servers."${domain}" = { + server-names = domains; + extraConfig = '' + root /srv/http/${domain}/; + index index.php; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + error_page 404 /404.html; + error_page 500 502 503 504 /50x.html; + ''; + locations = [ + (nameValuePair "/" '' + try_files $uri $uri/ /index.php?$args; + '') + (nameValuePair "~ \.php$" '' + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + include ${pkgs.nginx}/conf/fastcgi.conf; + '') + (nameValuePair "~ /\\." '' + deny all; + '') + #Directives to send expires headers and turn off 404 error logging. + (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' + access_log off; + log_not_found off; + expires max; + '') + ]; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = /srv/http/${domain}/phpfpm.pool + user = nginx + group = nginx + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = nginx + listen.group = nginx + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + } -- cgit v1.2.3 From 8f20cf974e334157a241dee5ad729eb5708637ee Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:52:43 +0200 Subject: l 4: use fullchain.pem as certificate --- lass/4lib/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'lass/4lib/default.nix') diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix index e089f022c..22a8c3c6e 100644 --- a/lass/4lib/default.nix +++ b/lass/4lib/default.nix @@ -15,7 +15,6 @@ rec { webroot = "/var/lib/acme/challenges/${domain}"; plugins = [ "account_key.json" - "cert.pem" "key.pem" "fullchain.pem" ]; 
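Review bot: `access_log /tmp/nginx_acc.log;` and `error_log /tmp/nginx_err.log;` in the new `serveWordpress` helper write nginx's logs into world-writable `/tmp`, and every vhost built from this helper appends to the same two files, so requests cannot be attributed to a domain when reviewing an incident. Keeping them under nginx's own log directory with one file per `${domain}`, or dropping the two lines so the module default applies, avoids both issues. The `~ \.php$` location also hands any `.php` URI to PHP-FPM without checking that the file exists; `try_files $uri =404;` before `fastcgi_pass` lets nginx answer nonexistent paths itself.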
@@ -74,7 +73,7 @@ rec { krebs.nginx.servers."${domain}" = { ssl = { enable = true; - certificate = "/var/lib/acme/${domain}/cert.pem"; + certificate = "/var/lib/acme/${domain}/fullchain.pem"; certificate_key = "/var/lib/acme/${domain}/key.pem"; }; }; -- cgit v1.2.3 From de6e888da9ed85ebbe35fa23569fbd8617734798 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:32:04 +0200 Subject: l websites: use lists in helpers --- lass/4lib/default.nix | 53 +++++++++++++-------------------------------------- 1 file changed, 13 insertions(+), 40 deletions(-) (limited to 'lass/4lib/default.nix') diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix index 22a8c3c6e..7949154a0 100644 --- a/lass/4lib/default.nix +++ b/lass/4lib/default.nix @@ -7,31 +7,6 @@ rec { getDefaultGateway = ip: concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]); - manageCert = domain: - { - security.acme = { - certs."${domain}" = { - email = "lassulus@gmail.com"; - webroot = "/var/lib/acme/challenges/${domain}"; - plugins = [ - "account_key.json" - "key.pem" - "fullchain.pem" - ]; - group = "nginx"; - allowKeysForGroup = true; - }; - }; - - krebs.nginx.servers."${domain}" = { - locations = [ - (nameValuePair "/.well-known/acme-challenge" '' - root /var/lib/acme/challenges/${domain}/; - '') - ]; - }; - }; - manageCerts = domains: let domain = head domains; @@ -60,11 +35,11 @@ rec { }; }; - ssl = domain: + ssl = domains: { imports = [ - ( manageCert domain ) - ( activateACME domain ) + ( manageCerts domains ) + ( activateACME (head domains) ) ]; }; @@ -79,13 +54,12 @@ rec { }; }; - servePage = domain: - { + servePage = domains: + let + domain = head domains; + in { krebs.nginx.servers."${domain}" = { - server-names = [ - "${domain}" - "www.${domain}" - ]; + server-names = domains; locations = [ (nameValuePair "/" '' root /srv/http/${domain}; 
@@ -94,13 +68,12 @@ rec { }; }; - serveOwncloud = domain: - { + serveOwncloud = domains: + let + domain = head domains; + in { krebs.nginx.servers."${domain}" = { - server-names = [ - "${domain}" - "www.${domain}" - ]; + server-names = domains; extraConfig = '' # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; -- cgit v1.2.3 From 6a009982af81f6591ee026c7f866008a17d4d8f8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:34:02 +0200 Subject: l 4: also serve dotfiles in serveWordpress --- lass/4lib/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lass/4lib/default.nix') diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix index 7949154a0..30cbced49 100644 --- a/lass/4lib/default.nix +++ b/lass/4lib/default.nix @@ -199,9 +199,9 @@ rec { fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; include ${pkgs.nginx}/conf/fastcgi.conf; '') - (nameValuePair "~ /\\." '' - deny all; - '') + #(nameValuePair "~ /\\." '' + # deny all; + #'') #Directives to send expires headers and turn off 404 error logging. (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' access_log off; -- cgit v1.2.3 [cgit] Unable to lock slot /tmp/cgit/4b300000.lock: No such file or directory (2)
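Review bot: Commenting out the `~ /\\.` location with `deny all;` makes every dot-file and dot-directory under `/srv/http/${domain}/` publicly readable, including `.htaccess`/`.htpasswd` or a checked-out `.git` if they are present in a WordPress root, which is a well-known disclosure risk. If a specific dot-path is needed, an allowing prefix location placed ahead of the regex rule is narrower than removing the rule, e.g. `(nameValuePair "^~ /.well-known/" ''allow all;'')` while keeping the `deny all;` block active. The commit message does not say which dot-files are meant to be served, so a comment naming them would make the exception reviewable. The `serveWordpress` definition begins and ends outside this hunk.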