From 57d8d2a610953e4aaf0bbf591a758751828eb494 Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy <dmitriy@pleshevski.ru>
Date: Thu, 30 May 2024 22:38:30 +0300
Subject: [PATCH] host/istal: add docker registry proxy

---
 hosts/istal/services/default.nix              |  8 ++--
 .../istal/services/docker-registry-proxy.nix  | 20 +++++++++
 hosts/istal/services/nginx.nix                | 41 +++++++++++++++++++
 3 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 hosts/istal/services/docker-registry-proxy.nix
 create mode 100644 hosts/istal/services/nginx.nix

diff --git a/hosts/istal/services/default.nix b/hosts/istal/services/default.nix
index 9ac1f8d..4bcfcce 100644
--- a/hosts/istal/services/default.nix
+++ b/hosts/istal/services/default.nix
@@ -1,5 +1,7 @@
-{ ... }:
-
 {
-  imports = [ ./wireguard ];
+  imports = [
+    ./wireguard
+    ./docker-registry-proxy.nix
+    ./nginx.nix
+  ];
 }
diff --git a/hosts/istal/services/docker-registry-proxy.nix b/hosts/istal/services/docker-registry-proxy.nix
new file mode 100644
index 0000000..4ccf4e7
--- /dev/null
+++ b/hosts/istal/services/docker-registry-proxy.nix
@@ -0,0 +1,20 @@
+{...}:
+
+{
+  services.dockerRegistry = {
+    enable = true;
+    enableGarbageCollect = true;
+    extraConfig = {
+      proxy.remoteurl = "https://registry-1.docker.io";
+    };
+  };
+
+  services.nginx = {
+    upstreams.docker-hub-registry.servers."localhost:5000" = { };
+    virtualHosts."docker-hub.pleshevski.ru" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/v2/".proxyPass = "http://docker-hub-registry";
+    };
+  };
+}
diff --git a/hosts/istal/services/nginx.nix b/hosts/istal/services/nginx.nix
new file mode 100644
index 0000000..9290b25
--- /dev/null
+++ b/hosts/istal/services/nginx.nix
@@ -0,0 +1,41 @@
+{ ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "dmitriy@pleshevski.ru";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    appendHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+}