muon/flake
1
0
Fork 0
mirror of https://codeberg.org/muon/home.git synced 2026-03-08 19:43:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add embedded syntax hl

Browse source
This commit is contained in:
muon 2025-12-26 10:48:31 +00:00
parent 5bdf9e3a2c
commit fc14a394aa
5 changed files with 284 additions and 250 deletions
Download patch file Download diff file Expand all files Collapse all files

197
modules/nixos/server/grav/service.nix
View file

@ -1,10 +1,20 @@
{ config, lib, pkgs, ... }:
let
inherit (lib)
generators mapAttrs mkDefault mkEnableOption mkIf mkPackageOption mkOption
types;
{
config,
lib,
pkgs,
...
}: let
inherit
(lib)
generators
mapAttrs
mkDefault
mkEnableOption
mkIf
mkPackageOption
mkOption
types
;
cfg = config.mods.services.grav;
@ -12,9 +22,9 @@ let
poolName = "grav";
pkgs_grav = pkgs.callPackage ./package.nix { };
pkgs_grav = pkgs.callPackage ./package.nix {};
servedRoot = pkgs.runCommand "grav-served-root" { } ''
servedRoot = pkgs.runCommand "grav-served-root" {} ''
cp --reflink=auto --no-preserve=mode -r ${pkgs_grav} $out
for p in assets images user system/config; do
@ -22,10 +32,8 @@ let
ln -sf /var/lib/grav/$p $out/$p
done
'';
# systemSettingsYaml =
# yamlFormat.generate "grav-settings.yaml" cfg.systemSettings;
in {
options.mods.services.grav = {
enable = mkEnableOption "grav";
@ -70,7 +78,7 @@ in {
default = 3000;
};
phpPackage = mkPackageOption pkgs "php" { };
phpPackage = mkPackageOption pkgs "php" {};
maxUploadSize = mkOption {
type = types.str;
@ -97,7 +105,10 @@ in {
group = "grav";
phpPackage = cfg.phpPackage.buildEnv {
extensions = { all, enabled }:
extensions = {
all,
enabled,
}:
with all; [
apcu
ctype
@ -115,27 +126,28 @@ in {
zip
];
extraConfig = generators.toKeyValue {
mkKeyValue = generators.mkKeyValueDefault { } " = ";
} {
output_buffering = "0";
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL";
display_errors = "stderr";
"opcache.interned_strings_buffer" = "8";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
extraConfig =
generators.toKeyValue {
mkKeyValue = generators.mkKeyValueDefault {} " = ";
} {
output_buffering = "0";
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL";
display_errors = "stderr";
"opcache.interned_strings_buffer" = "8";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
upload_max_filesize = cfg.maxUploadSize;
post_max_size = cfg.maxUploadSize;
memory_limit = cfg.maxUploadSize;
"apc.enable_cli" = "1";
};
upload_max_filesize = cfg.maxUploadSize;
post_max_size = cfg.maxUploadSize;
memory_limit = cfg.maxUploadSize;
"apc.enable_cli" = "1";
};
};
phpEnv = {
@ -169,10 +181,12 @@ in {
${cfg.virtualHost} = {
root = "${servedRoot}";
listen = [{
addr = cfg.addr;
port = cfg.port;
}];
listen = [
{
addr = cfg.addr;
port = cfg.port;
}
];
locations = {
"= /robots.txt" = {
@ -202,31 +216,28 @@ in {
};
# deny running scripts inside core system folders
"~* /(system|vendor)/.*\\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" =
{
priority = 300;
extraConfig = ''
return 403;
'';
};
"~* /(system|vendor)/.*\\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" = {
priority = 300;
extraConfig = ''
return 403;
'';
};
# deny running scripts inside user folder
"~* /user/.*\\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" =
{
priority = 300;
extraConfig = ''
return 403;
'';
};
"~* /user/.*\\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" = {
priority = 300;
extraConfig = ''
return 403;
'';
};
# deny access to specific files in the root folder
"~ /(LICENSE\\.txt|composer\\.lock|composer\\.json|nginx\\.conf|web\\.config|htaccess\\.txt|\\.htaccess)" =
{
priority = 300;
extraConfig = ''
return 403;
'';
};
"~ /(LICENSE\\.txt|composer\\.lock|composer\\.json|nginx\\.conf|web\\.config|htaccess\\.txt|\\.htaccess)" = {
priority = 300;
extraConfig = ''
return 403;
'';
};
# deny all files and folder beginning with a dot (hidden files & folders)
"~ (^|/)\\." = {
@ -245,41 +256,45 @@ in {
};
};
extraConfig = ''
index index.php index.html /index.php$request_uri;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options sameorigin;
add_header Referrer-Policy no-referrer;
client_max_body_size ${cfg.maxUploadSize};
fastcgi_buffers 64 4K;
fastcgi_hide_header X-Powered-By;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
'';
extraConfig =
# sh
''
index index.php index.html /index.php$request_uri;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options sameorigin;
add_header Referrer-Policy no-referrer;
client_max_body_size ${cfg.maxUploadSize};
fastcgi_buffers 64 4K;
fastcgi_hide_header X-Powered-By;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
'';
};
};
};
systemd.tmpfiles.rules = let datadir = "/var/lib/grav";
in map (dir: "d '${dir}' 0750 grav grav - -") [
"/var/cache/grav"
"${datadir}/assets"
"${datadir}/backup"
"${datadir}/images"
"${datadir}/system/config"
"${datadir}/user/accounts"
"${datadir}/user/config"
"${datadir}/user/data"
"/var/log/grav"
];
systemd.tmpfiles.rules = let
datadir = "/var/lib/grav";
in
map (dir: "d '${dir}' 0750 grav grav - -") [
"/var/cache/grav"
"${datadir}/assets"
"${datadir}/backup"
"${datadir}/images"
"${datadir}/system/config"
"${datadir}/user/accounts"
"${datadir}/user/config"
"${datadir}/user/data"
"/var/log/grav"
];
# ++ [
# "L+ ${datadir}/user/config/system.yaml - - - - ${systemSettingsYaml}"
# ];
@ -287,7 +302,7 @@ in {
systemd.services = {
"phpfpm-${poolName}" = mkIf (cfg.pool == "${poolName}") {
# restartTriggers = [ servedRoot systemSettingsYaml ];
restartTriggers = [ servedRoot ];
restartTriggers = [servedRoot];
serviceConfig = {
ExecStartPre = pkgs.writeShellScript "grav-pre-start" ''
@ -329,6 +344,6 @@ in {
group = "grav";
};
users.groups.grav = { members = [ config.services.nginx.user ]; };
users.groups.grav = {members = [config.services.nginx.user];};
};
}

177
modules/nixos/server/nginx.nix
View file

@ -1,105 +1,112 @@
{ pkgs, lib, config, ... }:
let
{
pkgs,
lib,
config,
...
}: let
cfg = config.mods.server.nginx;
in
with lib; {
options.mods.server.nginx = {
enable = mkEnableOption {
default = false;
description = "enables nginx reverse proxy";
};
in with lib; {
options.mods.server.nginx = {
enable = mkEnableOption {
default = false;
description = "enables nginx reverse proxy";
ip = mkOption {
type = types.str;
default = "10.0.0.3";
};
domain = mkOption {
type = types.str;
default = "muon.host";
};
ports = mkOption {
type = types.attrsOf (types.ints.u16);
default = {};
};
};
ip = mkOption {
type = types.str;
default = "10.0.0.3";
};
config = mkIf cfg.enable {
# ACME won't be able to authenticate your domain
# if ports 80 & 443 aren't open in your firewall.
networking.firewall = {allowedTCPPorts = [443 80];};
security.acme.defaults.email = "acme@muon.host";
security.acme.acceptTerms = true;
domain = mkOption {
type = types.str;
default = "muon.host";
};
services.nginx = {
enable = true;
ports = mkOption {
type = types.attrsOf (types.ints.u16);
default = { };
};
};
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
config = mkIf cfg.enable {
# ACME won't be able to authenticate your domain
# if ports 80 & 443 aren't open in your firewall.
networking.firewall = { allowedTCPPorts = [ 443 80 ]; };
security.acme.defaults.email = "acme@muon.host";
security.acme.acceptTerms = true;
# Only allow PFS-enabled ciphers with AES256
# sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
services.nginx = {
enable = true;
appendHttpConfig =
# sh
''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
# map $scheme $hsts_header {
# https "max-age=31536000; includeSubdomains; preload";
# }
# add_header Strict-Transport-Security $hsts_header;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Enable CSP for your services.
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Only allow PFS-enabled ciphers with AES256
# sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
# Minimize information leaked to other domains
# add_header 'Referrer-Policy' 'origin-when-cross-origin';
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
# map $scheme $hsts_header {
# https "max-age=31536000; includeSubdomains; preload";
# }
# add_header Strict-Transport-Security $hsts_header;
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Enable CSP for your services.
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Prevent injection of code in other mime types (XSS Attacks)
# add_header X-Content-Type-Options nosniff;
# Minimize information leaked to other domains
# add_header 'Referrer-Policy' 'origin-when-cross-origin';
# This might create errors
# proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# required when the server wants to use HTTP Authentication
proxy_pass_header Authorization;
# Prevent injection of code in other mime types (XSS Attacks)
# add_header X-Content-Type-Options nosniff;
# This is necessary to pass the correct IP to be hashed
real_ip_header X-Real-IP;
# This might create errors
# proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
# security
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
'';
# required when the server wants to use HTTP Authentication
proxy_pass_header Authorization;
virtualHosts = let
base = locations: {
inherit locations;
# This is necessary to pass the correct IP to be hashed
real_ip_header X-Real-IP;
# security
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
'';
virtualHosts = let
base = locations: {
inherit locations;
forceSSL = true;
enableACME = true;
};
proxy = port:
base {
"/" = {
proxyPass = "http://${cfg.ip}:${toString port}/";
proxyWebsockets = true;
};
forceSSL = true;
enableACME = true;
};
in mapAttrs' (name: port:
nameValuePair ("${name}.${cfg.domain}")
# (proxy port // { default = true; })) cfg.ports;
(proxy port)) cfg.ports;
proxy = port:
base {
"/" = {
proxyPass = "http://${cfg.ip}:${toString port}/";
proxyWebsockets = true;
};
};
in
mapAttrs' (name: port:
nameValuePair "${name}.${cfg.domain}"
# (proxy port // { default = true; })) cfg.ports;
(proxy port))
cfg.ports;
};
};
};
}
}