dotfiles/nixos/systems/altra/http-synapse-proxy.nix
Magic_RB f79b6fea76
Attempt to setup a forward proxy with nginx on altra
Signed-off-by: Magic_RB <magic_rb@redalder.org>
2023-07-26 22:09:05 +02:00


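{ pkgs, inputs', lib, config, ... }:
# NixOS module for the "altra" host: runs an openresty (nginx) instance as an
# authenticated HTTP forward proxy in the systemd unit `nginx-proxy`, under a
# restrictive systemd sandbox.  The nginx configuration is generated from a Nix
# attribute set by `inputs'.nixng.nglib.generators.toNginx` and written to the
# store with `pkgs.writeText`.
let
  inherit (lib)
    singleton;
in
{
  # Dedicated unprivileged account for the proxy.  The uid/gid come from the
  # NixOS static id tables so they stay stable across rebuilds.
  users.users.nginx = {
    group = "nginx";
    isSystemUser = true;
    uid = config.ids.uids.nginx;
  };
  users.groups.nginx = {
    gid = config.ids.gids.nginx;
  };

  systemd.services.nginx-proxy =
    let
      nginxConfiguration = inputs'.nixng.nglib.generators.toNginx {
        # systemd supervises the process, so nginx must stay in the foreground.
        daemon = "off";
        worker_processes = 2;
        events."" = {
          use = "epoll";
          worker_connections = 128;
        };
        # /var/log/nginx is created by LogsDirectory in serviceConfig below.
        error_log = "/var/log/nginx/error.log warn";
        http."" = {
          server_tokens = "off";
          include = singleton [ "${pkgs.nginx}/conf/mime.types" ];
          charset = "utf-8";
          access_log = "/var/log/nginx/access.log combined";
          server."" = {
            # Plain HTTP, no TLS: the basic-auth credentials below cross the
            # wire in the clear, so confidentiality rests on the address
            # allow-list and on the network path from 10.64.2.1.
            listen = [ "8883" ];
            location."/" = {
              # "all": a client must pass BOTH the address allow-list and
              # basic auth.  deny = "all" is the fallthrough after the allow
              # entries.
              satisfy = "all";
              allow = [ [ "10.64.2.1" ] [ "127.0.0.1" ] ];
              deny = "all";
              # A bare `rewrite_by_lua_file` token with no value and no
              # terminator was left here; it does not parse as a Nix binding,
              # so it is dropped until the Lua hook is actually written.
              auth_basic = "\"Administrators Area\"";
              # Must be readable by the nginx user inside the sandbox.
              # ProtectSystem=strict mounts /var read-only, which is enough
              # for reading a password file.
              auth_basic_user_file = "/var/secret/htpasswd";
              # Upstream hostnames come from the client's Host header, so
              # nginx needs its own resolver.  Queries to 8.8.8.8 leave the
              # host unencrypted; a local resolver would keep them on-box.
              resolver = "8.8.8.8";
              # Forward-proxy target: whatever Host the (authenticated,
              # allow-listed) client sends.  nginx will connect to any
              # address that name resolves to, including loopback and other
              # internal ranges, so restrict the permitted upstream hosts
              # before widening the allow-list.
              # NOTE(review): $uri is nginx's normalised/decoded form of the
              # path; confirm whether $request_uri is the better choice for
              # a pass-through proxy.
              proxy_pass = "http://$http_host$uri$is_args$args";
            };
          };
        };
      };
    in
    {
      serviceConfig = {
        Restart = "always";
        RestartSec = "10s";
        # User and group
        User = "nginx";
        Group = "nginx";
        # Runtime directory and mode
        RuntimeDirectory = "nginx";
        RuntimeDirectoryMode = "0750";
        # Cache directory and mode
        CacheDirectory = "nginx";
        CacheDirectoryMode = "0750";
        # Logs directory and mode
        LogsDirectory = "nginx";
        LogsDirectoryMode = "0750";
        # Proc filesystem
        ProcSubset = "pid";
        ProtectProc = "invisible";
        # New file permissions
        UMask = "0027"; # 0640 / 0750
        # Capabilities.  The only listener is port 8883 (> 1023), which needs
        # no CAP_NET_BIND_SERVICE; keep it only if privileged ports are added.
        # NOTE(review): nothing in the generated config uses CAP_SYS_RESOURCE
        # (no worker_rlimit_nofile); confirm it is needed or drop it.
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
        # Security
        NoNewPrivileges = true;
        # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        LockPersonality = true;
        # Left off presumably because openresty's LuaJIT needs writable+
        # executable memory; confirm, and re-enable if Lua is not used.
        MemoryDenyWriteExecute = false;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        PrivateMounts = true;
        # System Call Filtering
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ];
      };
      # The `ls` is a debug aid while the sandbox is being tuned (it shows the
      # fds and devices the unit starts with in the journal); drop it once the
      # service starts reliably.  nginx reads the generated configuration from
      # the store path written by writeText.
      script = ''
        ls /proc/self/fd /dev
        ${pkgs.openresty}/bin/nginx -c ${pkgs.writeText "nginx.cfg" nginxConfiguration}
      '';
    };
}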