From 5357b7a2dfa61ca9d937fd6906fc1fc21ccb934f Mon Sep 17 00:00:00 2001 From: Dmitriy Kholkin Date: Sun, 9 Oct 2022 00:39:52 +0300 Subject: [PATCH] add joplin-server and fix nginx --- profiles/servers/joplin-server.nix | 23 ++----- profiles/servers/mailserver.nix | 8 +++ profiles/servers/nginx.nix | 100 ++++++++++------------------- 3 files changed, 49 insertions(+), 82 deletions(-) diff --git a/profiles/servers/joplin-server.nix b/profiles/servers/joplin-server.nix index c0e882b..1a116f6 100644 --- a/profiles/servers/joplin-server.nix +++ b/profiles/servers/joplin-server.nix @@ -1,36 +1,27 @@ { config, lib, pkgs, ... }: { + secrets.joplin-env = { }; + secrets.joplin-db-env = { }; + virtualisation.oci-containers.containers = { joplin = { autoStart = true; dependsOn = [ "joplin-db" ]; - environment = { - DB_CLIENT = "pg"; - POSTGRES_DATABASE = "joplin"; - POSTGRES_USER = "test"; - POSTGRES_PASSWORD = "test"; - POSTGRES_PORT = "5432"; - POSTGRES_HOST = "joplin-db"; - APP_PORT = "22300"; - APP_BASE_URL = "joplin.ataraxiadev.com"; - }; + environmentFiles = [ config.secrets.joplin-env.decrypted ]; extraOptions = [ "--network=joplin" ]; ports = [ "127.0.0.1:22300:22300" ]; image = "joplin:latest-dev"; + volumes = [ "/srv/joplin/data:/data" ]; }; joplin-db = { autoStart = true; - environment = { - POSTGRES_PASSWORD= "test"; - POSTGRES_USER = "test"; - POSTGRES_DB = "joplin"; - }; + environmentFiles = [ config.secrets.joplin-db-env.decrypted ]; extraOptions = [ "--network=joplin" ]; image = "postgres:13"; - # volumes = [ "/server/data/postgres:/var/lib/postgresql/data" ]; + volumes = [ "/srv/joplin/postgres:/var/lib/postgresql/data" ]; }; }; systemd.services.create-joplin-network = with config.virtualisation.oci-containers; { diff --git a/profiles/servers/mailserver.nix b/profiles/servers/mailserver.nix index b8a9dc0..49ad199 100644 --- a/profiles/servers/mailserver.nix +++ b/profiles/servers/mailserver.nix 
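Review bot: The `POSTGRES_*` values in `joplin-db-env` are consumed by the postgres image only when the data directory is initialised for the first time, so with `/srv/joplin/postgres` now persisted by the new `volumes` line a later change to the decrypted secret will not change the role's password and `joplin` will stop authenticating; a comment such as `# DB credentials apply only on first init of /srv/joplin/postgres; rotating the secret also needs an ALTER ROLE` would save the next maintainer that surprise. The removed `test`/`test` credentials stay in git history, so the first persisted deployment should not reuse them. Neither `/srv/joplin/data` nor `/srv/joplin/postgres` is created by this file; a `systemd.tmpfiles.rules` entry with an explicit owner and mode would avoid having the container runtime (presumably) create them as root with default permissions. `joplin:latest-dev` is a mutable tag, so the image that migrates the now-persistent database can change between restarts without any change in this repository; pinning a digest makes that explicit. The `create-joplin-network` service that follows starts outside the hunk.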
@@ -11,6 +11,10 @@ in { owner = "dovecot2:dovecot2"; services = [ "dovecot2" ]; }; + secrets.mailserver-joplin = { + owner = "dovecot2:dovecot2"; + services = [ "dovecot2" ]; + }; secrets.mailserver-vaultwarden = { owner = "dovecot2:dovecot2"; services = [ "dovecot2" ]; @@ -115,6 +119,10 @@ in { [ "minichka76" "kpoxa@ataraxiadev.com" "kpoxa" ]; hashedPasswordFile = config.secrets.mailserver-minichka.decrypted; }; + "joplin@ataraxiadev.com" = { + aliases = [ "joplin" ]; + hashedPasswordFile = config.secrets.mailserver-joplin.decrypted; + }; "vaultwarden@ataraxiadev.com" = { aliases = [ "vaultwarden" ]; hashedPasswordFile = config.secrets.mailserver-vaultwarden.decrypted; diff --git a/profiles/servers/nginx.nix b/profiles/servers/nginx.nix index fa24d25..cc4668d 100644 --- a/profiles/servers/nginx.nix +++ b/profiles/servers/nginx.nix @@ -35,7 +35,7 @@ "shoko.ataraxiadev.com" "bathist.ataraxiadev.com" "microbin.ataraxiadev.com" - # "joplin.ataraxiadev.com" + "joplin.ataraxiadev.com" ]; }; }; @@ -52,9 +52,7 @@ proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; add_header X-XSS-Protection "1; mode=block"; - # add_header Content-Security-Policy "frame-ancestors 'self' https://*.ataraxiadev.com moz-extension://43a2224f-fe82-45d7-bdc3-c218984e73c8"; add_header X-Robots-Tag "none"; - # add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header X-Content-Type-Options "nosniff"; ''; virtualHosts = let 
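Review bot: `proxy_hide_header X-Frame-Options;` and `proxy_hide_header Content-Security-Policy;` at the top of the `@@ -52,9 +52,7 @@` hunk strip every proxied backend's own anti-framing headers for all virtual hosts, and the only replacement this patch defines, the `hardened` snippet with `frame-ancestors`, is not applied to any location on the new side (its single use, in startpage, is commented out). The matrix location already hides its CSP per-location, so if that was the motivation the two global lines could be dropped, or `hardened` applied wherever framing by foreign origins is not wanted. The enclosing extraConfig string starts outside the hunk.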
@@ -63,25 +61,18 @@ enableACME = false; forceSSL = true; }; - proxySettings = { - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - ''; - }; - hardened = { - extraConfig = '' - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'self' https://*.ataraxiadev.com"; - add_header X-Robots-Tag "none"; - add_header Referrer-Policy "strict-origin-when-cross-origin"; - add_header X-Content-Type-Options "nosniff"; - ''; - }; + proxySettings = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + ''; + hardened = '' + add_header Content-Security-Policy "frame-ancestors 'self' https://*.ataraxiadev.com"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + ''; in { "ataraxiadev.com" = { locations."/.well-known/matrix" = { @@ -123,13 +114,7 @@ proxyPass = "http://matrix.pve:81"; extraConfig = '' proxy_hide_header Content-Security-Policy; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - ''; + '' + proxySettings; }; } // default; "matrix:8448" = { 
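Review bot: `hardened` now carries only `Content-Security-Policy` and `Referrer-Policy`, apparently relying on the shared `X-XSS-Protection`, `X-Robots-Tag` and `X-Content-Type-Options` lines, but nginx does not merge `add_header` across levels: a location that defines any `add_header` of its own inherits none from the server or http level. Any location given `extraConfig = hardened` would therefore lose those three headers; either keep them in `hardened` or document the trap with `# nginx add_header is not inherited once a level defines its own; repeat the common headers here`. On the new side `hardened` has no active user (startpage's use is commented out), so the issue is latent rather than current. The `let` block that defines these bindings and the `virtualHosts` attrset it feeds both extend beyond the hunk.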
@@ -141,52 +126,54 @@ }]; locations."/" = { proxyPass = "http://matrix.pve:8449"; - } // proxySettings; + extraConfig = proxySettings; + }; } // default; "startpage.ataraxiadev.com" = { locations."/" = { root = "/srv/http/startpage.ataraxiadev.com/"; - # extraConfig = '' - # add_header X-XSS-Protection "1; mode=block"; - # add_header X-Robots-Tag "none"; - # add_header Referrer-Policy "strict-origin-when-cross-origin"; - # add_header X-Content-Type-Options "nosniff"; - # ''; + # extraConfig = hardened; }; } // default; "vw.ataraxiadev.com" = { locations."/" = { proxyPass = "http://localhost:8812"; - } // proxySettings; + extraConfig = proxySettings; + }; locations."/notifications/hub" = { proxyPass = "http://localhost:3012"; proxyWebsockets = true; - } // proxySettings; + extraConfig = proxySettings; + }; locations."/notifications/hub/negotiate" = { proxyPass = "http://localhost:8812"; - } // proxySettings; + extraConfig = proxySettings; + }; } // default; "code.ataraxiadev.com" = { locations."/" = { proxyPass = "http://localhost:6000"; - } // proxySettings; + extraConfig = proxySettings; + }; } // default; "bathist.ataraxiadev.com" = { locations."/" = { proxyPass = "http://localhost:9999"; - } // proxySettings; + extraConfig = proxySettings; + }; } // default; "file.ataraxiadev.com" = { locations."/" = { proxyPass = "http://localhost:8088"; - } // proxySettings; + extraConfig = proxySettings; + }; } // default; "webmail.ataraxiadev.com" = { locations."/" = { extraConfig = '' client_max_body_size 30M; - ''; - } // proxySettings; + '' + proxySettings; + }; } // default; "media-stack" = { serverAliases = [ 
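Review bot: `extraConfig = proxySettings;` is now repeated verbatim in seven locations of this hunk and once more in the joplin location of the last hunk; a small helper in the `let` block, e.g. `proxy = url: { proxyPass = url; extraConfig = proxySettings; };`, would reduce each to `locations."/" = proxy "http://localhost:6000";` and leave the websocket and body-size cases as the only explicit ones. The `# extraConfig = hardened;` left in startpage is the one remaining commented-out line; if the static root is meant to get the CSP later, a short `# TODO` stating why it is off would make that intent visible. The `virtualHosts` attrset continues past the end of the hunk.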
@@ -207,12 +194,6 @@ proxyPass = "http://localhost:8100"; proxyWebsockets = true; extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k; @@ -220,34 +201,21 @@ proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 15m; - ''; + '' + proxySettings; }; } // default; "microbin.ataraxiadev.com" = { locations."/" = { proxyPass = "http://localhost:9988"; extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; client_max_body_size 40M; - ''; + '' + proxySettings; }; } // default; "joplin.ataraxiadev.com" = { locations."/" = { proxyPass = "http://localhost:22300"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - ''; + extraConfig = proxySettings; }; } // default; };
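Review bot: The new `joplin.ataraxiadev.com` location at the end of the `@@ -220,34 +201,21 @@` hunk proxies to port 22300 with only `proxySettings`, so it keeps nginx's default `client_max_body_size` of 1m, whereas `microbin` in the same hunk raises it to 40M; Joplin Server receives note attachments as uploads, so anything larger than 1 MiB would be rejected with 413 before reaching the container. Suggest `extraConfig = '' client_max_body_size 100M; '' + proxySettings;` with the limit sized to the largest attachment expected (the 100M figure is a placeholder). The `let` binding for `proxySettings` lives in an earlier hunk and the enclosing `virtualHosts` attrset closes at the end of this one.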