host/istal: add docker registry proxy

2024-05-30 22:38:30 +03:00 · 2024-05-30 22:38:30 +03:00 · 57d8d2a610
commit 57d8d2a610
parent 8461819774
3 changed files with 66 additions and 3 deletions
--- a/hosts/istal/services/default.nix
+++ b/hosts/istal/services/default.nix
@ -1,5 +1,7 @@
-{ ... }:
-
 {
-  imports = [ ./wireguard ];
+  imports = [
+    ./wireguard
+    ./docker-registry-proxy.nix
+    ./nginx.nix
+  ];
 }
--- a/hosts/istal/services/docker-registry-proxy.nix
+++ b/hosts/istal/services/docker-registry-proxy.nix
@ -0,0 +1,20 @@
+{...}:
+
+{
+  services.dockerRegistry = {
+    enable = true;
+    enableGarbageCollect = true;
+    extraConfig = {
+      proxy.remoteurl = "https://registry-1.docker.io";
+    };
+  };
+
+  services.nginx = {
+    upstreams.docker-hub-registry.servers."localhost:5000" = { };
+    virtualHosts."docker-hub.pleshevski.ru" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/v2/".proxyPass = "http://docker-hub-registry";
+    };
+  };
+}
--- a/hosts/istal/services/nginx.nix
+++ b/hosts/istal/services/nginx.nix
@ -0,0 +1,41 @@
+{ ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "dmitriy@pleshevski.ru";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    appendHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+}