From 57d8d2a610953e4aaf0bbf591a758751828eb494 Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy
Date: Thu, 30 May 2024 22:38:30 +0300
Subject: [PATCH] host/istal: add docker registry proxy

---
 hosts/istal/services/default.nix | 8 ++--
 .../istal/services/docker-registry-proxy.nix | 20 +++++++++
 hosts/istal/services/nginx.nix | 41 +++++++++++++++++++
 3 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 hosts/istal/services/docker-registry-proxy.nix
 create mode 100644 hosts/istal/services/nginx.nix

diff --git a/hosts/istal/services/default.nix b/hosts/istal/services/default.nix
index 9ac1f8d..4bcfcce 100644
--- a/hosts/istal/services/default.nix
+++ b/hosts/istal/services/default.nix
@@ -1,5 +1,7 @@
-{ ... }:
-
 {
- imports = [ ./wireguard ];
+ imports = [
+ ./wireguard
+ ./docker-registry-proxy.nix
+ ./nginx.nix
+ ];
 }
diff --git a/hosts/istal/services/docker-registry-proxy.nix b/hosts/istal/services/docker-registry-proxy.nix
new file mode 100644
index 0000000..4ccf4e7
--- /dev/null
+++ b/hosts/istal/services/docker-registry-proxy.nix
@@ -0,0 +1,20 @@
+{...}:
+
+{
+ services.dockerRegistry = {
+ enable = true;
+ enableGarbageCollect = true;
+ extraConfig = {
+ proxy.remoteurl = "https://registry-1.docker.io";
+ };
+ };
+
+ services.nginx = {
+ upstreams.docker-hub-registry.servers."localhost:5000" = { };
+ virtualHosts."docker-hub.pleshevski.ru" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/v2/".proxyPass = "http://docker-hub-registry";
+ };
+ };
+}
diff --git a/hosts/istal/services/nginx.nix b/hosts/istal/services/nginx.nix
new file mode 100644
index 0000000..9290b25
--- /dev/null
+++ b/hosts/istal/services/nginx.nix
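Review bot: The `docker-hub.pleshevski.ru` vhost proxies `/v2/` to the registry with no access control, and since `proxy.remoteurl` turns the registry into a pull-through cache, anyone on the internet can pull arbitrary Docker Hub images through this host — every such pull counts against Docker Hub's anonymous rate limit for this host's IP and is stored on its disk until the garbage collector runs. If the mirror is only meant for the author's own machines, restricting the location is a one-liner, e.g. `locations."/v2/".extraConfig = "allow <wireguard-subnet>; deny all;";` (the WireGuard module imported next to this file looks like the natural allow-list, to be confirmed) or `basicAuthFile = "...";` on the vhost. If upstream rate limits still bite, the registry accepts `proxy.username`/`proxy.password`, but placing them in `extraConfig` writes them into the world-readable Nix store, so they would have to be supplied from a file outside the store. The hunk also relies on the registry listening only on loopback; that is presumably the NixOS default, but `listenAddress = "127.0.0.1";` next to `enable = true;` would make the assumption explicit.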
@@ -0,0 +1,41 @@
+{ ... }:
+
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "dmitriy@pleshevski.ru";
+ };
+
+ services.nginx = {
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ appendHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # This might create errors
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ };
+}
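Review bot: The four `add_header` lines in `appendHttpConfig` are declared at http scope without `always`, so nginx omits them on every 4xx/5xx response, and nginx's `add_header` is not additive across scopes — any server or location block that declares its own `add_header` silently discards all of these. At minimum the HSTS line should read `add_header Strict-Transport-Security $hsts_header always;`, with the same suffix on the Referrer-Policy, X-Frame-Options and X-Content-Type-Options lines; grepping the generated nginx.conf for per-vhost `add_header` directives would confirm none of the vhosts shadow them. Also, `preload` in the HSTS value is only meaningful if `pleshevski.ru` is submitted to the browser preload list, which is a one-way commitment for the apex and every subdomain, not just this host; if that is not the intent, drop `preload` and keep `includeSubdomains` only if every subdomain is served over TLS.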