reidlab/nix-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

free ourselves from the shackles of openresty

Browse source
This commit is contained in:
Reid 2024-07-08 20:44:32 -07:00
parent f8de5f317f
commit 6ff5041b07
Signed by: reidlab
GPG key ID: DAF5EAF6665839FD
4 changed files with 10 additions and 83 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hosts/nixos-server-reid/default.nix
View file

@ -38,8 +38,6 @@ in {
ssh.enableMoshSupport = true; ssh.enableMoshSupport = true;
postgres.enable = true; postgres.enable = true;
redis.enable = true;
}; };
security.useDoas = true; security.useDoas = true;

35
hosts/nixos-server-reid/webapps/default.nix
View file

@ -16,13 +16,10 @@ in {
# actually enables nginx, configures acme, # actually enables nginx, configures acme,
# gzip, optimization, proxy, ssl config, # gzip, optimization, proxy, ssl config,
# opens ports, and adds some Headers # opens ports, and adds some Headers
nginx-config = { nginx-config.enable = true;
enable = true;
defaultLuaPackagePath = /var/www/reidlab.online/lua;
};
staticSites = { staticSites = {
"v2.reidlab.online".dataDir = "/var/www/v2.reidlab.online"; "reidlab.online".dataDir = "/var/www/reidlab.online";
}; };
metrics = { metrics = {
@ -36,30 +33,12 @@ in {
services = { services = {
nginx.virtualHosts = { nginx.virtualHosts = {
"reidlab.online" = { "reidlab.online" = {
forceSSL = true; locations."/f/".extraConfig = ''
enableACME = true; add_header Access-Control-Allow-Origin "*";
root = "/var/www/reidlab.online/public"; '';
# we should perhaps add something to help with this in staticsites?
extraConfig = '' extraConfig = ''
error_page 404 /errors/404.html; error_page 404 /404.html;
error_page 403 /errors/403.html;
error_page 500 /errors/500.html;
location = /errors/404.html { root /var/www/reidlab.online/public/; internal; }
location = /errors/403.html { root /var/www/reidlab.online/public/; internal; }
location = /errors/500.html { root /var/www/reidlab.online/public/; internal; }
location / {
try_files $uri @main;
}
location /chat {
access_by_lua_file /var/www/reidlab.online/lua/chat.lua;
}
location @main {
content_by_lua '
require("main").handle_request()
';
}
''; '';
}; };
}; };

40
modules/services/nginx-conf.nix
View file

@ -5,17 +5,7 @@ let
cfg = config.modules.services.nginx-config; cfg = config.modules.services.nginx-config;
in { in {
options.modules.services.nginx-config = { options.modules.services.nginx-config = {
enable = mkEnableOption "enable and configure nginx, a high performance web server"; enable = mkEnableOption "enable and configure nginx, a high performance web server";
package = mkOption {
type = types.package;
default = pkgs.openresty;
};
defaultLuaPackagePath = mkOption {
type = types.path;
default = null;
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -41,29 +31,7 @@ in {
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
# TODO: clean this up oh my god like everything here :sob: im vomiting shaking and crying looking at this.
commonHttpConfig = let commonHttpConfig = let
# lua
lua-resty-template = pkgs.fetchFromGitHub {
owner = "bungle";
repo = "lua-resty-template";
rev = "v2.0";
sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";
};
lua-resty-redis = pkgs.fetchFromGitHub {
owner = "openresty";
repo = "lua-resty-redis";
rev = "v0.29";
sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
};
lua-resty-websocket = pkgs.fetchFromGitHub {
owner = "openresty";
repo = "lua-resty-websocket";
rev = "v0.10";
sha256 = "0zpprfi5qc3066ab7g7nyr18jwlk3n8y0006maj4nlx38rl24vfh";
};
# cloudflare
realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};"); realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
fileToList = x: lib.strings.splitString "\n" (builtins.readFile x); fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
cfipv4 = fileToList (pkgs.fetchurl { cfipv4 = fileToList (pkgs.fetchurl {
@ -75,17 +43,15 @@ in {
sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy"; sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
}); });
in '' in ''
lua_package_path "${toString cfg.defaultLuaPackagePath}/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;${lua-resty-websocket}/lib/?.lua;;";
# add hsts header with preloading to https reqeusts # add hsts header with preloading to https reqeusts
# adding this header to http requests is # adding this header to http requests is discouraged
map $scheme $hsts_header { map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload"; https "max-age=31536000; includeSubdomains; preload";
} }
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services. # Enable CSP for your services.
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains # Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin'; add_header 'Referrer-Policy' 'origin-when-cross-origin';

16
modules/services/redis.nix
View file

@ -1,16 +0,0 @@
{ config, lib, pkgs, options, ... }:
with lib;
let
cfg = config.modules.services.redis;
in {
options.modules.services.redis = {
enable = mkEnableOption "enable redis, a speedy cache database";
};
config = mkIf cfg.enable {
services.redis.servers."" = {
enable = true;
};
};
}