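# NixOS module declaring the nginx virtual hosts for this machine: two static
# sites, a reverse proxy in front of two loopback backends, and a loopback-only
# listener that serves the main site under its .onion name.
{ lib, ... }:
let
  # Response headers shared by the static sites (previously repeated verbatim
  # in three vhosts, with `always` set on the CSP line only).
  #
  # Every directive carries `always`: without it nginx attaches add_header
  # output only to a fixed set of success/redirect status codes, so error
  # pages (4xx/5xx) would go out without HSTS, nosniff and frame protection.
  #
  # NOTE(review): the CSP restricts script-src, object-src and base-uri only;
  # there is no default-src or frame-ancestors, so framing is controlled
  # solely by X-Frame-Options.
  # NOTE(review): X-XSS-Protection "1; mode=block" targets a legacy browser
  # filter that current browsers no longer implement; kept as the author set
  # it, consider dropping it or setting it to 0.
  # NOTE(review): `includeSubdomains; preload` commits every subdomain of the
  # serving host to HTTPS for a year; confirm that holds for all of them
  # before the domain is submitted to a preload list.
  securityHeaders = ''
    add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header 'Referrer-Policy' 'same-origin' always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
  '';
in
{
  imports = [ ../../../common/services/nginx.nix ];

  services.nginx.virtualHosts = {
    # Main static site, HTTPS only with an ACME certificate.
    "nixaalb.org" = {
      enableACME = true;
      forceSSL = true;
      root = "/var/www/nixaalb.org/public";
      # Shared headers plus Onion-Location, which advertises the onion
      # address of the same content to clients that understand the header.
      extraConfig = securityHeaders + ''
        add_header Onion-Location http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri;
      '';
    };

    # Reverse proxy to two backends on the loopback interface; TLS terminates
    # at nginx and the hop to 127.0.0.1 is plain HTTP.
    # NOTE(review): no security headers are added at this layer - presumably
    # the backend sets its own; verify, since HSTS in particular is not
    # emitted by nginx for this host.
    "vault.dotsrc.org" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8812";
        proxyWebsockets = true;
      };
      # The notifications hub is the only path sent to port 3012 ...
      locations."/notifications/hub" = {
        proxyPass = "http://127.0.0.1:3012";
        proxyWebsockets = true;
      };
      # ... while its negotiate endpoint goes back to the main backend.
      locations."/notifications/hub/negotiate" = {
        proxyPass = "http://127.0.0.1:8812";
        proxyWebsockets = true;
      };
    };

    # Static document root for the MTA-STS policy host, HTTPS only.
    "mta-sts.nixaalb.org" = {
      enableACME = true;
      forceSSL = true;
      root = "/var/www/mta-sts/public";
      extraConfig = securityHeaders;
    };

    # Onion name for the main site: same document root, reachable only via
    # the IPv6 loopback listener below, without ACME or forced TLS.
    # NOTE(review): presumably a local Tor onion service forwards to
    # [::1]:8080 - that configuration is not in this file. Any local process
    # can reach a loopback TCP port, which the TODO's unix socket would avoid.
    "ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion" = {
      # TODO: Do this with unix sockets instead
      listen = [ {
        addr = "[::1]";
        port = 8080;
      } ];
      root = "/var/www/nixaalb.org/public";
      # Browsers ignore Strict-Transport-Security received over plain HTTP,
      # so that header is inert on this listener; the rest still apply.
      extraConfig = securityHeaders;
    };
  };
}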