nixos/config/hosts/capetillo/services/nginx.nix
Emelie Graven 8ed553d2c5
Finalize vaultwarden setup
This fixes the last few issues with the new vaultwarden
deployment, such as backups and email.
2022-02-15 13:51:54 +01:00

69 lines
2.2 KiB
Nix

{ lib, ... }:
{
imports = [ ../../../common/services/nginx.nix ];
services.nginx.virtualHosts = {
"nixaalb.org" = {
enableACME = true;
forceSSL = true;
root = "/var/www/nixaalb.org/public";
extraConfig = ''
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'same-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header Onion-Location http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri;
'';
};
"vault.dotsrc.org" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8812";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://127.0.0.1:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:8812";
proxyWebsockets = true;
};
};
"mta-sts.nixaalb.org" = {
enableACME = true;
forceSSL = true;
root = "/var/www/mta-sts/public";
extraConfig = ''
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'same-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
'';
};
"ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion" = {
# TODO: Do this with unix sockets instead
listen = [ {
addr = "[::1]";
port = 8080;
} ];
root = "/var/www/nixaalb.org/public";
extraConfig = ''
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'same-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
'';
};
};
}