diff --git a/nixos/systems/altra/default.nix b/nixos/systems/altra/default.nix
index 29991dd..58a6e22 100644
--- a/nixos/systems/altra/default.nix
+++ b/nixos/systems/altra/default.nix
@@ -35,6 +35,7 @@ in
 ./hardware.nix
 ./filesystems.nix
 ./users.nix
+ ./http-synapse-proxy.nix
 ../../common/remote_access.nix
 config'.flake.nixosModules.hashicorp
diff --git a/nixos/systems/altra/http-synapse-proxy.nix b/nixos/systems/altra/http-synapse-proxy.nix
new file mode 100644
index 0000000..8ed46b2
--- /dev/null
+++ b/nixos/systems/altra/http-synapse-proxy.nix
@@ -0,0 +1,113 @@
+{ pkgs, inputs', lib, config, ... }:
+let
+ inherit (lib)
+ singleton;
+in
+{
+ users.users.nginx = {
+ group = "nginx";
+ isSystemUser = true;
+ uid = config.ids.uids.nginx;
+ };
+
+ users.groups.nginx = {
+ gid = config.ids.gids.nginx;
+ };
+
+ systemd.services.nginx-proxy =
+ let
+ nginxConfiguration = inputs'.nixng.nglib.generators.toNginx {
+ daemon = "off";
+ worker_processes = 2;
+
+ events."" = {
+ use = "epoll";
+ worker_connections = 128;
+ };
+
+ error_log = "/var/log/nginx/error.log warn";
+
+ http."" = {
+ server_tokens = "off";
+ include = singleton [ "${pkgs.nginx}/conf/mime.types" ];
+ charset = "utf-8";
+
+ access_log = "/var/log/nginx/access.log combined";
+
+ server."" = {
+ listen = [ "8883" ];
+
+ location."/" = {
+ satisfy = "all";
+
+ allow = [ [ "10.64.2.1" ] [ "127.0.0.1" ] ];
+ deny = "all";
+
+ rewrite_by_lua_file
+
+ auth_basic = "\"Administrator’s Area\"";
+ auth_basic_user_file = "/var/secret/htpasswd";
+
+ resolver = "8.8.8.8";
+ proxy_pass = "http://$http_host$uri$is_args$args";
+
+ };
+ };
+ };
+ };
+ in
+ {
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = "10s";
+ # User and group
+ User = "nginx";
+ Group = "nginx";
+ # Runtime directory and mode
+ RuntimeDirectory = "nginx";
+ RuntimeDirectoryMode = "0750";
+ # Cache directory and mode
+ CacheDirectory = "nginx";
+ CacheDirectoryMode = "0750";
+ # Logs directory and mode
+ LogsDirectory = "nginx";
+ LogsDirectoryMode = "0750";
+ # Proc filesystem
+ ProcSubset = "pid";
+ ProtectProc = "invisible";
+ # New file permissions
+ UMask = "0027"; # 0640 / 0750
+ # Capabilities
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+ # Security
+ NoNewPrivileges = true;
+ # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = false;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ PrivateMounts = true;
+ # System Call Filtering
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ];
+ };
+ script = ''
+ ls /proc/self/fd /dev
+ ${pkgs.openresty}/bin/nginx -c ${pkgs.writeText "nginx.cfg" nginxConfiguration}
+ '';
+ };
+}
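Review bot: The bare `rewrite_by_lua_file` line inside `location."/"` has no `= value;`, which looks like an unfinished leftover that will not parse (a Nix binding needs `name = expr;`); either remove it or complete it with the intended Lua file. More importantly, `proxy_pass = "http://$http_host$uri$is_args$args";` together with `resolver = "8.8.8.8";` makes the upstream entirely client-chosen via the Host header, so any request that passes the IP allowlist and basic auth can be forwarded to any host this machine can resolve, including internal services; if a single Synapse backend is intended (as the filename suggests), pin it, e.g. `proxy_pass = "http://UPSTREAM_HOST:PORT$request_uri";` (placeholder), and otherwise gate `$http_host` against an explicit allowlist. Because the server listens on plain HTTP port 8883, the basic-auth credentials travel in cleartext and are protected only by the 10.64.2.1/127.0.0.1 allow rules, which is worth stating in a comment next to `listen`. The `CAP_NET_BIND_SERVICE`/`CAP_SYS_RESOURCE` ambient and bounding capabilities appear unnecessary for an unprivileged port and could be dropped, and `ls /proc/self/fd /dev` in `script` reads like a debugging leftover.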