@ -531,81 +531,65 @@ in {
environment . systemPackages = [ occ ] ;
services . nginx = mkDefault {
enable = true ;
virtualHosts . ${ cfg . hostName } = {
root = cfg . package ;
locations = {
" = / r o b o t s . t x t " = {
priority = 100 ;
extraConfig = ''
allow all ;
log_not_found off ;
access_log off ;
'' ;
} ;
" / " = {
priority = 200 ;
extraConfig = " r e w r i t e ^ / i n d e x . p h p ; " ;
} ;
" ~ ^ / s t o r e - a p p s " = {
priority = 201 ;
extraConfig = " r o o t ${ cfg . home } ; " ;
} ;
" = / . w e l l - k n o w n / c a r d d a v " = {
priority = 210 ;
extraConfig = " r e t u r n 3 0 1 $ s c h e m e : / / $ h o s t / r e m o t e . p h p / d a v ; " ;
} ;
" = / . w e l l - k n o w n / c a l d a v " = {
priority = 210 ;
extraConfig = " r e t u r n 3 0 1 $ s c h e m e : / / $ h o s t / r e m o t e . p h p / d a v ; " ;
} ;
" ~ ^ \\ / ( ? : b u i l d | t e s t s | c o n f i g | l i b | 3 r d p a r t y | t e m p l a t e s | d a t a ) \\ / " = {
priority = 300 ;
extraConfig = " d e n y a l l ; " ;
} ;
" ~ ^ \\ / ( ? : \\ . | a u t o t e s t | o c c | i s s u e | i n d i e | d b _ | c o n s o l e ) " = {
priority = 300 ;
extraConfig = " d e n y a l l ; " ;
} ;
" ~ ^ \\ / ( ? : i n d e x | r e m o t e | p u b l i c | c r o n | c o r e / a j a x \\ / u p d a t e | s t a t u s | o c s \\ / v [ 1 2 ] | u p d a t e r \\ / . + | o c s - p r o v i d e r \\ / . + | o c m - p r o v i d e r \\ / . + ) \\ . p h p ( ? : $ | \\ / ) " = {
priority = 500 ;
extraConfig = ''
include $ { config . services . nginx . package } /conf/fastcgi.conf ;
fastcgi_split_path_info ^ ( . + \ . php ) ( \ \ /. * ) $ ;
try_files $ fastcgi_script_name = 404 ;
fastcgi_param PATH_INFO $ fastcgi_path_info ;
fastcgi_param HTTPS $ { if cfg . https then " o n " else " o f f " } ;
fastcgi_param modHeadersAvailable true ;
fastcgi_param front_controller_active true ;
fastcgi_pass unix:$ { fpm . socket } ;
fastcgi_intercept_errors on ;
fastcgi_request_buffering off ;
fastcgi_read_timeout 1 2 0 s ;
'' ;
} ;
" ~ ^ \\ / ( ? : u p d a t e r | o c s - p r o v i d e r | o c m - p r o v i d e r ) ( ? : $ | \\ / ) " . extraConfig = ''
try_files $ uri / = 404 ;
index index . php ;
'' ;
" ~ \\ . ( ? : c s s | j s | w o f f 2 ? | s v g | g i f ) $ " . extraConfig = ''
try_files $ uri /index.php $ request_uri ;
add_header Cache-Control " p u b l i c , m a x - a g e = 1 5 7 7 8 4 6 3 " ;
add_header X-Content-Type-Options nosniff ;
add_header X-XSS-Protection " 1 ; m o d e = b l o c k " ;
add_header X-Robots-Tag none ;
add_header X-Download-Options noopen ;
add_header X-Permitted-Cross-Domain-Policies none ;
add_header X-Frame-Options sameorigin ;
add_header Referrer-Policy no-referrer ;
services . nginx . enable = mkDefault true ;
services . nginx . virtualHosts . ${ cfg . hostName } = {
root = cfg . package ;
locations = {
" = / r o b o t s . t x t " = {
priority = 100 ;
extraConfig = ''
allow all ;
log_not_found off ;
access_log off ;
'' ;
" ~ \\ . ( ? : p n g | h t m l | t t f | i c o | j p g | j p e g | b c m a p | m p 4 | w e b m ) $ " . extraConfig = ''
try_files $ uri /index.php $ request_uri ;
access_log off ;
} ;
" / " = {
priority = 200 ;
extraConfig = " r e w r i t e ^ / i n d e x . p h p ; " ;
} ;
" ~ ^ / s t o r e - a p p s " = {
priority = 201 ;
extraConfig = " r o o t ${ cfg . home } ; " ;
} ;
" = / . w e l l - k n o w n / c a r d d a v " = {
priority = 210 ;
extraConfig = " r e t u r n 3 0 1 $ s c h e m e : / / $ h o s t / r e m o t e . p h p / d a v ; " ;
} ;
" = / . w e l l - k n o w n / c a l d a v " = {
priority = 210 ;
extraConfig = " r e t u r n 3 0 1 $ s c h e m e : / / $ h o s t / r e m o t e . p h p / d a v ; " ;
} ;
" ~ ^ \\ / ( ? : b u i l d | t e s t s | c o n f i g | l i b | 3 r d p a r t y | t e m p l a t e s | d a t a ) \\ / " = {
priority = 300 ;
extraConfig = " d e n y a l l ; " ;
} ;
" ~ ^ \\ / ( ? : \\ . | a u t o t e s t | o c c | i s s u e | i n d i e | d b _ | c o n s o l e ) " = {
priority = 300 ;
extraConfig = " d e n y a l l ; " ;
} ;
" ~ ^ \\ / ( ? : i n d e x | r e m o t e | p u b l i c | c r o n | c o r e / a j a x \\ / u p d a t e | s t a t u s | o c s \\ / v [ 1 2 ] | u p d a t e r \\ / . + | o c s - p r o v i d e r \\ / . + | o c m - p r o v i d e r \\ / . + ) \\ . p h p ( ? : $ | \\ / ) " = {
priority = 500 ;
extraConfig = ''
include $ { config . services . nginx . package } /conf/fastcgi.conf ;
fastcgi_split_path_info ^ ( . + \ . php ) ( \ \ /. * ) $ ;
try_files $ fastcgi_script_name = 404 ;
fastcgi_param PATH_INFO $ fastcgi_path_info ;
fastcgi_param HTTPS $ { if cfg . https then " o n " else " o f f " } ;
fastcgi_param modHeadersAvailable true ;
fastcgi_param front_controller_active true ;
fastcgi_pass unix:$ { fpm . socket } ;
fastcgi_intercept_errors on ;
fastcgi_request_buffering off ;
fastcgi_read_timeout 1 2 0 s ;
'' ;
} ;
extraConfig = ''
" ~ ^ \\ / ( ? : u p d a t e r | o c s - p r o v i d e r | o c m - p r o v i d e r ) ( ? : $ | \\ / ) " . extraConfig = ''
try_files $ uri / = 404 ;
index index . php ;
'' ;
" ~ \\ . ( ? : c s s | j s | w o f f 2 ? | s v g | g i f ) $ " . extraConfig = ''
try_files $ uri /index.php $ request_uri ;
add_header Cache-Control " p u b l i c , m a x - a g e = 1 5 7 7 8 4 6 3 " ;
add_header X-Content-Type-Options nosniff ;
add_header X-XSS-Protection " 1 ; m o d e = b l o c k " ;
add_header X-Robots-Tag none ;
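Review bot: The two DAV discovery redirects (`= /.well-known/carddav` and `= /.well-known/caldav`) build their target from `$scheme://$host`, so the Location header follows the connection nginx sees and the client-supplied Host header rather than the module's own settings. If TLS is terminated in front of nginx, `$scheme` is `http` even when `cfg.https` is set (the same option already drives `fastcgi_param HTTPS`), which would send DAV clients to a plain-HTTP URL. Consider deriving the target from configuration, e.g. `extraConfig = "return 301 ${if cfg.https then "https" else "http"}://${cfg.hostName}/remote.php/dav;";`. The enclosing attribute set starts above the hunk, and the static-asset location at its end continues into the next hunk.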
@ -613,25 +597,39 @@ in {
add_header X-Permitted-Cross-Domain-Policies none ;
add_header X-Frame-Options sameorigin ;
add_header Referrer-Policy no-referrer ;
add_header Strict-Transport-Security " m a x - a g e = 1 5 5 5 2 0 0 0 ; i n c l u d e S u b D o m a i n s " always ;
error_page 403 /core/templates/403.php ;
error_page 404 /core/templates/404.php ;
client_max_body_size $ { cfg . maxUploadSize } ;
fastcgi_buffers 64 4 K ;
fastcgi_hide_header X-Powered-By ;
gzip on ;
gzip_vary on ;
gzip_comp_level 4 ;
gzip_min_length 256 ;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth ;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy ;
$ { optionalString cfg . webfinger ''
rewrite ^ /.well-known/host-meta /public.php ? service = host-meta last ;
rewrite ^ /.well-known/host-meta.json /public.php ? service = host-meta-json last ;
'' }
access_log off ;
'' ;
" ~ \\ . ( ? : p n g | h t m l | t t f | i c o | j p g | j p e g | b c m a p | m p 4 | w e b m ) $ " . extraConfig = ''
try_files $ uri /index.php $ request_uri ;
access_log off ;
'' ;
} ;
extraConfig = ''
add_header X-Content-Type-Options nosniff ;
add_header X-XSS-Protection " 1 ; m o d e = b l o c k " ;
add_header X-Robots-Tag none ;
add_header X-Download-Options noopen ;
add_header X-Permitted-Cross-Domain-Policies none ;
add_header X-Frame-Options sameorigin ;
add_header Referrer-Policy no-referrer ;
add_header Strict-Transport-Security " m a x - a g e = 1 5 5 5 2 0 0 0 ; i n c l u d e S u b D o m a i n s " always ;
error_page 403 /core/templates/403.php ;
error_page 404 /core/templates/404.php ;
client_max_body_size $ { cfg . maxUploadSize } ;
fastcgi_buffers 64 4 K ;
fastcgi_hide_header X-Powered-By ;
gzip on ;
gzip_vary on ;
gzip_comp_level 4 ;
gzip_min_length 256 ;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth ;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy ;
$ { optionalString cfg . webfinger ''
rewrite ^ /.well-known/host-meta /public.php ? service = host-meta last ;
rewrite ^ /.well-known/host-meta.json /public.php ? service = host-meta-json last ;
'' }
'' ;
} ;
}
] ) ;
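Review bot: The static-asset location `~ \.(?:css|js|woff2?|svg|gif)$` carries its own `add_header` list, and nginx inherits `add_header` from the server level only when a location defines none, so those responses get just the location's copy. As far as this rendering shows (the +/- column is lost), that copy omits the `Strict-Transport-Security` line that the virtual host's `extraConfig` sets, and the two lists have to be kept in sync by hand. Binding the shared header lines once in a `let` and interpolating them in both places would remove the drift. Separately, the HSTS header with `includeSubDomains` appears to be emitted regardless of `cfg.https`; wrapping it as `${optionalString cfg.https ''add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;''}` would tie it to the option. The enclosing attribute set starts outside the hunk.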