From 89404e80d391c567971bad06cb56ed7e9acd4f1d Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 16 Aug 2023 13:57:10 +0200
Subject: [PATCH] include uptsream nginx config for grav
---
 flake.nix | 1 +
 modules/website.nix | 24 +++++++++++++++---------
 2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/flake.nix b/flake.nix
index 2599e7c..d40efd1 100755
--- a/flake.nix
+++ b/flake.nix
@@ -72,6 +72,7 @@
 ./modules/stream.nix
 ./modules/sogo.nix
 ./modules/vm.nix
+ ./modules/website.nix
 "${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix"
 {
 _module.args.buildVM = true;
diff --git a/modules/website.nix b/modules/website.nix
index 912eea5..bc02110 100644
--- a/modules/website.nix
+++ b/modules/website.nix
@@ -1,6 +1,5 @@
 { config, pkgs, lib, ... }:
 let
- www-domain = "www.${config.fsr.domain}";
 user = "fsr-web";
 group = "fsr-web";
 in
@@ -30,29 +29,36 @@ in
 phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
 };
- services.nginx = rec {
- virtualHosts.${www-domain} = {
+ services.nginx = {
+ virtualHosts."${config.fsr.domain}" = {
 enableACME = true;
 forceSSL = true;
 root = "/srv/web/ifsrde";
 locations = {
- "= /" = {
- extraConfig = ''
- rewrite ^ /index.php;
- '';
+ "/" = {
+ tryFiles = "$uri $uri/ /index.php?$query_string;";
 };
 "~ \.php$" = {
 extraConfig = ''
 try_files $uri =404;
 fastcgi_pass unix:${config.services.phpfpm.pools.ifsrde.socket};
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
 fastcgi_index index.php;
 include ${pkgs.nginx}/conf/fastcgi_params;
 include ${pkgs.nginx}/conf/fastcgi.conf;
+ fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
 '';
 };
+ # security
+ "~* /(\.git|cache|bin|logs|backup|tests)/.*$".return = "403";
+ # deny running scripts inside core system folders
+ "~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$".return = "403";
+ # deny running scripts inside user folder
+ "~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$".return = "403";
+ # deny access to specific files in the root folder
+ "~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)".return = "403";
+ ## End - Security
 };
 };
- # ifsr.de without www
- virtualHosts.${config.fsr.domain} = virtualHosts.${www-domain};
 };
 }
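Review bot: The four `return = "403"` locations added at the end of `locations` do not shadow the `"~ \.php$"` handler for paths such as `/system/x.php` or `/user/x.php`: the NixOS nginx module emits location blocks sorted by `priority` (default 1000) and then by attribute name, and nginx uses the first matching regex location, so `~ \.php$` is emitted before the `~* /(system|vendor)/...` and `~* /user/...` rules and those requests are handed to PHP-FPM instead of being denied. Give the deny rules a lower `priority` so they are emitted first, as in the rewrite below. Separately, in Nix double-quoted strings `\.` evaluates to a plain `.`, so these patterns reach nginx as `.git`, `.(txt|...)` and so on and match more than intended; write `\\.` (the pre-existing `"~ \.php$"` key has the same problem). The new `tryFiles` value ends with `;` while the module already appends `;` to the generated `try_files` directive, which yields `;;` and nginx rejects a stray `;`; use `tryFiles = "$uri $uri/ /index.php?$query_string";`. Dropping the `www-domain` vhost and its alias also means `www.${config.fsr.domain}` is no longer served by this vhost; confirm that is intended.
```nix
        # … unchanged: "/" and "~ \.php$" locations …
        # security: priority below the default 1000 so these are emitted before the PHP handler
        "~* /(\\.git|cache|bin|logs|backup|tests)/.*$" = { priority = 100; return = "403"; };
        # deny running scripts inside core system folders
        "~* /(system|vendor)/.*\\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$" = { priority = 100; return = "403"; };
        # deny running scripts inside user folder
        "~* /user/.*\\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$" = { priority = 100; return = "403"; };
        # deny access to specific files in the root folder
        "~ /(LICENSE\\.txt|composer\\.lock|composer\\.json|nginx\\.conf|web\\.config|htaccess\\.txt|\\.htaccess)" = { priority = 100; return = "403"; };
```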