115 lines
3.9 KiB
Nix
Executable file
115 lines
3.9 KiB
Nix
Executable file
{ config, lib, pkgs, options, ... }:
|
|
|
|
with lib;
|
|
let
|
|
cfg = config.modules.services.nginx-config;
|
|
in {
|
|
options.modules.services.nginx-config = {
|
|
enable = mkEnableOption "enable and configure nginx, a high performance web server";
|
|
|
|
package = mkOption {
|
|
type = types.package;
|
|
default = pkgs.openresty;
|
|
};
|
|
|
|
defaultLuaPackagePath = mkOption {
|
|
type = types.path;
|
|
default = null;
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
assertions = [
|
|
{ assertion = cfg.defaultLuaPackagePath != null;
|
|
description = "The defaultLuaPackagePath property *must* be explicitly specified.";
|
|
}
|
|
];
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = "reidlab325@gmail.com";
|
|
# uncomment me for staging!
|
|
#defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
package = cfg.package;
|
|
|
|
recommendedTlsSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedProxySettings = true;
|
|
|
|
# TODO: clean this up oh my god like everything here :sob: im vomiting shaking and crying looking at this.
|
|
commonHttpConfig = let
|
|
# lua
|
|
lua-resty-template = pkgs.fetchFromGitHub {
|
|
owner = "bungle";
|
|
repo = "lua-resty-template";
|
|
rev = "v2.0";
|
|
sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";
|
|
};
|
|
lua-resty-redis = pkgs.fetchFromGitHub {
|
|
owner = "openresty";
|
|
repo = "lua-resty-redis";
|
|
rev = "v0.29";
|
|
sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
|
|
};
|
|
lua-resty-websocket = pkgs.fetchFromGitHub {
|
|
owner = "openresty";
|
|
repo = "lua-resty-websocket";
|
|
rev = "v0.10";
|
|
sha256 = "0zpprfi5qc3066ab7g7nyr18jwlk3n8y0006maj4nlx38rl24vfh";
|
|
};
|
|
|
|
# cloudflare
|
|
realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
|
|
fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
|
|
cfipv4 = fileToList (pkgs.fetchurl {
|
|
url = "https://www.cloudflare.com/ips-v4";
|
|
sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
|
|
});
|
|
cfipv6 = fileToList (pkgs.fetchurl {
|
|
url = "https://www.cloudflare.com/ips-v6";
|
|
sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
|
|
});
|
|
in ''
|
|
lua_package_path "${toString cfg.defaultLuaPackagePath}/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;${lua-resty-websocket}/lib/?.lua;;";
|
|
|
|
# add hsts header with preloading to https reqeusts
|
|
# adding this header to http requests is
|
|
map $scheme $hsts_header {
|
|
https "max-age=31536000; includeSubdomains; preload";
|
|
}
|
|
add_header Strict-Transport-Security $hsts_header;
|
|
|
|
# Enable CSP for your services.
|
|
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
|
|
|
# Minimize information leaked to other domains
|
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
|
|
|
# Disable embedding as a frame
|
|
#add_header X-Frame-Options DENY;
|
|
|
|
# Prevent injection of code in other mime types (XSS Attacks)
|
|
#add_header X-Content-Type-Options nosniff;
|
|
|
|
# Enable XSS protection of the browser.
|
|
# May be unnecessary when CSP is configured properly (see above)
|
|
#add_header X-XSS-Protection "1; mode=block";
|
|
|
|
# This might create errors
|
|
#proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
|
|
|
${realIpsFromList cfipv4}
|
|
${realIpsFromList cfipv6}
|
|
real_ip_header CF-Connecting-IP;
|
|
'';
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 443 80 ];
|
|
networking.firewall.allowedUDPPorts = [ 443 80 ];
|
|
};
|
|
}
|