diff --git a/domainhash.txt b/domainhash.txt
new file mode 100644
index 00000000..65c77d8c
--- /dev/null
+++ b/domainhash.txt
@@ -0,0 +1 @@
+9077b11e97e76528abc8
diff --git a/hosts/sobotka/server.nix b/hosts/sobotka/server.nix
index 94e1a708..2202fdcf 100644
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -15,7 +15,7 @@
     unbound = {
       enable = true;
     };
-    caddy = {
+    acme = {
       enable = true;
     };
     homepage-dashboard = {
diff --git a/hosts/ziggy/server.nix b/hosts/ziggy/server.nix
index b8836727..9e9b357d 100644
--- a/hosts/ziggy/server.nix
+++ b/hosts/ziggy/server.nix
@@ -1,5 +1,4 @@
-{ config, ... }:
-{
+{config, ...}: {
   server = {
     enable = true;
     email = "adam@cnst.dev";
@@ -12,7 +11,7 @@
     unbound = {
       enable = true;
     };
-    caddy = {
+    acme = {
       enable = true;
     };
     homepage-dashboard = {
diff --git a/modules/default.nix b/modules/default.nix
index 6a45cc24..8c2fa7d3 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -123,7 +123,7 @@
     server = {
       imports = [
         ./server
-        ./server/caddy
+        ./server/acme
         ./server/fail2ban
         ./server/homepage-dashboard
         ./server/nextcloud
diff --git a/modules/server/caddy/default.nix b/modules/server/acme/default.nix
similarity index 79%
rename from modules/server/caddy/default.nix
rename to modules/server/acme/default.nix
index 792f103c..b412dd01 100644
--- a/modules/server/caddy/default.nix
+++ b/modules/server/acme/default.nix
@@ -4,7 +4,7 @@
   ...
 }: let
   inherit (lib) mkIf mkEnableOption;
-  cfg = config.server.caddy;
+  cfg = config.server.acme;
   getCloudflareCredentials = hostname:
     if hostname == "ziggy"
@@ -14,7 +14,7 @@
     else throw "Unknown hostname: ${hostname}";
 in {
   options = {
-    server.caddy.enable = mkEnableOption "Enables caddy";
+    server.acme.enable = mkEnableOption "Enables ACME";
   };
   config = mkIf cfg.enable {
     networking.firewall = let
@@ -40,13 +40,13 @@ in {
         environmentFile = getCloudflareCredentials config.networking.hostName;
       };
       certs.${config.server.domainPublic} = {
-        reloadServices = ["caddy.service"];
+        reloadServices = ["nginx.service"];
         domain = "${config.server.domainPublic}";
         extraDomainNames = ["*.${config.server.domainPublic}"];
         dnsProvider = "cloudflare";
         dnsResolver = "1.1.1.1:53";
         dnsPropagationCheck = true;
-        group = config.services.caddy.group;
+        group = config.services.nginx.group;
         environmentFile = getCloudflareCredentials config.networking.hostName;
       };
     };
@@ -67,17 +67,6 @@ in {
           redir https://{host}{uri}
         '';
       };
-
-      "http://${config.server.domainPublic}" = {
-        extraConfig = ''
-          redir https://{host}{uri}
-        '';
-      };
-      "http://*.${config.server.domainPublic}" = {
-        extraConfig = ''
-          redir https://{host}{uri}
-        '';
-      };
     };
   };
 };
diff --git a/modules/server/default.nix b/modules/server/default.nix
index a0d49a9a..85f6d4f2 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -102,17 +102,5 @@ in {
       ];
     };
   };
-
-  systemd.services.hd-idle = {
-    description = "External HD spin down daemon";
-    wantedBy = ["multi-user.target"];
-    serviceConfig = {
-      Type = "simple";
-      ExecStart = let
-        idleTime = toString 900;
-        hardDriveParameter = lib.strings.concatMapStringsSep " " (x: "-a ${x} -i ${idleTime}") hardDrives;
-      in "${pkgs.hd-idle}/bin/hd-idle -i 0 ${hardDriveParameter}";
-    };
-  };
 };
 }
diff --git a/modules/server/nextcloud/default.nix b/modules/server/nextcloud/default.nix
index 90186ffa..84d70abf 100644
--- a/modules/server/nextcloud/default.nix
+++ b/modules/server/nextcloud/default.nix
@@ -57,12 +57,6 @@ in {
     };
   };
   config = lib.mkIf cfg.enable {
-    services.nginx.virtualHosts."nextcloud".listen = [
-      {
-        addr = "127.0.0.1";
-        port = 8083;
-      }
-    ];
     services.cloudflared = {
       enable = true;
       tunnels.${cfg.cloudflared.tunnelId} = {
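Review bot: The certificate in `certs.${config.server.domainPublic}` now reloads `nginx.service` and is owned by `config.services.nginx.group`, so `server.acme` only works on hosts where `services.nginx` is actually enabled — the group option defaults to `nginx` whether or not the service is on, but the group and the unit presumably will not exist on a host without it. An explicit `assertions = [{ assertion = config.services.nginx.enable; message = "server.acme requires services.nginx"; }];` inside the `mkIf cfg.enable` block would surface that dependency at evaluation time instead of at renewal time. The next hunk in this file (`@@ -67,17 +67,6 @@`) removes the plain-HTTP redirect vhosts but leaves the surrounding `redir https://{host}{uri}` block, which is Caddyfile syntax, so the module still carries Caddy virtual-host configuration while the certificate is wired to nginx; the attribute set that block belongs to starts outside the hunk, so I cannot tell from here whether `services.caddy` is still enabled anywhere. If both servers end up enabled on one host they will contend for ports 80/443; if Caddy is gone, the remaining block is dead configuration that should leave with this commit.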
@@ -89,22 +83,21 @@ in { caching = { redis = true; }; - occ = { - maintenance = "install"; + phpOptions = { + "opcache.jit" = "tracing"; + "opcache.jit_buffer_size" = "100M"; + "opcache.interned_strings_buffer" = "16"; + "opcache.max_accelerated_files" = "10000"; + "opcache.memory_consumption" = "1280"; }; - database.createLocally = true; maxUploadSize = "50G"; settings = { + maintenance_window_start = "1"; trusted_proxies = ["127.0.0.1"]; - trusted_domains = ["cloud.${srv.domainPublic}" "192.168.88.14"]; + trusted_domains = ["cloud.${srv.domainPublic}"]; overwriteprotocol = "https"; overwritehost = "cloud.${srv.domainPublic}"; overwrite.cli.url = "https://cloud.${srv.domainPublic}"; - # mail_smtpmode = "sendmail"; - # mail_sendmailmode = "pipe"; - # user_oidc = { - # allow_multiple_user_backends = 0; - # }; forwarded_for_headers = [ "HTTP_CF_CONNECTING_IP" ]; @@ -131,11 +124,31 @@ in { adminpassFile = cfg.adminpassFile; }; }; - services.caddy.virtualHosts."${srv.domainPublic}" = { - useACMEHost = srv.domainPublic; - extraConfig = '' - reverse_proxy http://127.0.0.1:8083 - ''; + services = { + nginx = { + virtualHosts.nextcloud = { + useACMEHost = srv.domainPublic; + listen = [ + { + addr = "127.0.0.1"; + port = 8083; + } + ]; + extraConfig = '' + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains;"; + + access_log /var/log/nginx/nextcloud.access.log; + error_log /var/log/nginx/nextcloud.error.log; + ''; + }; + }; }; server.postgresql.databases = [ {
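Review bot: `"opcache.memory_consumption" = "1280"` reserves 1280 MB of shared memory for the opcode cache, an order of magnitude above the values Nextcloud's own tuning guidance cites (low hundreds of MB) and far more than the `max_accelerated_files = 10000` configured next to it could fill; it reads like a typo for `"128"`, and if the large value is deliberate a one-line comment saying why would help the next reader. `maintenance_window_start = "1"` writes a string where Nextcloud documents an integer hour; `settings` accepts numbers, so `maintenance_window_start = 1;` matches the documented type. Dropping `database.createLocally = true` means the database must now be provisioned elsewhere — presumably by the `server.postgresql.databases` list in the later hunk, which is not visible here — so a short comment near `settings` pointing to where it comes from would save a search.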
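Review bot: The `add_header` lines in `extraConfig` likely duplicate the headers the NixOS Nextcloud module already emits on this vhost while `services.nextcloud.nginx.recommendedHttpHeaders` (default true) is set, so each security header would be sent twice; either rely on the module's set or turn that option off and keep this one. Within this set, `Strict-Transport-Security` is the only header without `always`, so nginx omits it on error responses — `add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;` matches the others (the trailing `;` inside the quoted value is also unneeded). `useACMEHost = srv.domainPublic` appears to have no effect here: the explicit `listen` entry has no `ssl = true` and none of `forceSSL`/`addSSL`/`onlySSL` is set, so nginx serves 127.0.0.1:8083 over plain HTTP, which is reasonable behind the cloudflared tunnel but leaves the certificate binding as dead configuration. The enclosing `config = lib.mkIf cfg.enable {` block starts outside the hunk.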