host/tatos: move miniflux from canigou

2024-05-05 00:37:06 +03:00 · 2024-05-05 00:37:06 +03:00 · cb4783172a
commit cb4783172a
parent dbffbf3eef
5 changed files with 66 additions and 0 deletions
--- a/.agenix_config.nix
+++ b/.agenix_config.nix
--- a/hosts/tatos/services/default.nix
+++ b/hosts/tatos/services/default.nix
@ -2,7 +2,9 @@

 {
  imports = [
+    ./miniflux
    ./wireguard
+    ./nginx.nix
    ./dns.nix
  ];
 }
--- a/hosts/tatos/services/miniflux/default.nix
+++ b/hosts/tatos/services/miniflux/default.nix
@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+
+let
+  port = 33001;
+  addr = "127.0.0.1:${toString port}";
+
+in
+{
+  age.secrets.miniflux-admin-credentials.file = ./miniflux-admin-credentials.age;
+
+  services.miniflux = {
+    enable = true;
+    package = pkgs.unstable.miniflux;
+    adminCredentialsFile = config.age.secrets.miniflux-admin-credentials.path;
+    config.LISTEN_ADDR = addr;
+  };
+
+  services.nginx.virtualHosts."miniflux.pleshevski.ru" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://${addr}";
+  };
+}
--- a/hosts/tatos/services/miniflux/miniflux-admin-credentials.age
+++ b/hosts/tatos/services/miniflux/miniflux-admin-credentials.age
--- a/hosts/tatos/services/nginx.nix
+++ b/hosts/tatos/services/nginx.nix
@ -0,0 +1,41 @@
+{ ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "dmitriy@pleshevski.ru";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    appendHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+}