mirror of
https://git.sr.ht/~magic_rb/dotfiles
synced 2024-11-26 18:16:13 +01:00
114 lines
3.3 KiB
Nix
114 lines
3.3 KiB
Nix
|
{ pkgs, inputs', lib, config, ... }:
|
|||
|
|
let
|
|||
|
|
inherit (lib)
|
|||
|
|
singleton;
|
|||
|
|
in
|
|||
|
|
{
|
|||
|
|
users.users.nginx = {
|
|||
|
|
group = "nginx";
|
|||
|
|
isSystemUser = true;
|
|||
|
|
uid = config.ids.uids.nginx;
|
|||
|
|
};
|
|||
|
|
|
|||
|
|
users.groups.nginx = {
|
|||
|
|
gid = config.ids.gids.nginx;
|
|||
|
|
};
|
|||
|
|
|
|||
|
|
systemd.services.nginx-proxy =
|
|||
|
|
let
|
|||
|
|
nginxConfiguration = inputs'.nixng.nglib.generators.toNginx {
|
|||
|
|
daemon = "off";
|
|||
|
|
worker_processes = 2;
|
|||
|
|
|
|||
|
|
events."" = {
|
|||
|
|
use = "epoll";
|
|||
|
|
worker_connections = 128;
|
|||
|
|
};
|
|||
|
|
|
|||
|
|
error_log = "/var/log/nginx/error.log warn";
|
|||
|
|
|
|||
|
|
http."" = {
|
|||
|
|
server_tokens = "off";
|
|||
|
|
include = singleton [ "${pkgs.nginx}/conf/mime.types" ];
|
|||
|
|
charset = "utf-8";
|
|||
|
|
|
|||
|
|
access_log = "/var/log/nginx/access.log combined";
|
|||
|
|
|
|||
|
|
server."" = {
|
|||
|
|
listen = [ "8883" ];
|
|||
|
|
|
|||
|
|
location."/" = {
|
|||
|
|
satisfy = "all";
|
|||
|
|
|
|||
|
|
allow = [ [ "10.64.2.1" ] [ "127.0.0.1" ] ];
|
|||
|
|
deny = "all";
|
|||
|
|
|
|||
|
|
rewrite_by_lua_file
|
|||
|
|
|
|||
|
|
auth_basic = "\"Administrator’s Area\"";
|
|||
|
|
auth_basic_user_file = "/var/secret/htpasswd";
|
|||
|
|
|
|||
|
|
resolver = "8.8.8.8";
|
|||
|
|
proxy_pass = "http://$http_host$uri$is_args$args";
|
|||
|
|
|
|||
|
|
};
|
|||
|
|
};
|
|||
|
|
};
|
|||
|
|
};
|
|||
|
|
in
|
|||
|
|
{
|
|||
|
|
serviceConfig = {
|
|||
|
|
Restart = "always";
|
|||
|
|
RestartSec = "10s";
|
|||
|
|
# User and group
|
|||
|
|
User = "nginx";
|
|||
|
|
Group = "nginx";
|
|||
|
|
# Runtime directory and mode
|
|||
|
|
RuntimeDirectory = "nginx";
|
|||
|
|
RuntimeDirectoryMode = "0750";
|
|||
|
|
# Cache directory and mode
|
|||
|
|
CacheDirectory = "nginx";
|
|||
|
|
CacheDirectoryMode = "0750";
|
|||
|
|
# Logs directory and mode
|
|||
|
|
LogsDirectory = "nginx";
|
|||
|
|
LogsDirectoryMode = "0750";
|
|||
|
|
# Proc filesystem
|
|||
|
|
ProcSubset = "pid";
|
|||
|
|
ProtectProc = "invisible";
|
|||
|
|
# New file permissions
|
|||
|
|
UMask = "0027"; # 0640 / 0750
|
|||
|
|
# Capabilities
|
|||
|
|
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
|
|||
|
|
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
|
|||
|
|
# Security
|
|||
|
|
NoNewPrivileges = true;
|
|||
|
|
# Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
|
|||
|
|
ProtectSystem = "strict";
|
|||
|
|
ProtectHome = true;
|
|||
|
|
PrivateTmp = true;
|
|||
|
|
PrivateDevices = true;
|
|||
|
|
ProtectHostname = true;
|
|||
|
|
ProtectClock = true;
|
|||
|
|
ProtectKernelTunables = true;
|
|||
|
|
ProtectKernelModules = true;
|
|||
|
|
ProtectKernelLogs = true;
|
|||
|
|
ProtectControlGroups = true;
|
|||
|
|
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
|
|||
|
|
RestrictNamespaces = true;
|
|||
|
|
LockPersonality = true;
|
|||
|
|
MemoryDenyWriteExecute = false;
|
|||
|
|
RestrictRealtime = true;
|
|||
|
|
RestrictSUIDSGID = true;
|
|||
|
|
RemoveIPC = true;
|
|||
|
|
PrivateMounts = true;
|
|||
|
|
# System Call Filtering
|
|||
|
|
SystemCallArchitectures = "native";
|
|||
|
|
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ];
|
|||
|
|
};
|
|||
|
|
script = ''
|
|||
|
|
ls /proc/self/fd /dev
|
|||
|
|
${pkgs.openresty}/bin/nginx -c ${pkgs.writeText "nginx.cfg" nginxConfiguration}
|
|||
|
|
'';
|
|||
|
|
};
|
|||
|
|
}
|