mynix/system
1
1
Fork 0
Code Issues 2 Pull requests Activity

host/istal: add docker registry proxy

Browse source
This commit is contained in:
Dmitriy Pleshevskiy 2024-05-30 22:38:30 +03:00
parent 8461819774
commit 57d8d2a610
Signed by: pleshevskiy
GPG key ID: 17041163DA10A9A2
3 changed files with 66 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
hosts/istal/services/default.nix
View file

@ -1,5 +1,7 @@
{ ... }:
{ {
imports = [ ./wireguard ]; imports = [
./wireguard
./docker-registry-proxy.nix
./nginx.nix
];
} }

20
hosts/istal/services/docker-registry-proxy.nix Normal file
View file

@ -0,0 +1,20 @@
{...}:
{
services.dockerRegistry = {
enable = true;
enableGarbageCollect = true;
extraConfig = {
proxy.remoteurl = "https://registry-1.docker.io";
};
};
services.nginx = {
upstreams.docker-hub-registry.servers."localhost:5000" = { };
virtualHosts."docker-hub.pleshevski.ru" = {
enableACME = true;
forceSSL = true;
locations."/v2/".proxyPass = "http://docker-hub-registry";
};
};
}

41
hosts/istal/services/nginx.nix Normal file
View file

@ -0,0 +1,41 @@
{ ... }:
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "dmitriy@pleshevski.ru";
};
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
};
}