nix-server/modules/services/nginx-conf.nix

{ config, lib, pkgs, options, ... }:

with lib;
let
  cfg = config.modules.services.nginx-config;
in {
  options.modules.services.nginx-config = {
    enable = mkEnableOption "enable and configure nginx, a high performance web server";
  };

  config = mkIf cfg.enable {
    security.acme = {
      acceptTerms = true;
      defaults.email = "reidlab325@gmail.com";
      # uncomment me for staging!
      #defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };

    services.nginx = {
      enable = true;
      
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;

      commonHttpConfig = let
        realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from  ${x};");
        fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
        cfipv4 = fileToList (pkgs.fetchurl {
          url = "https://www.cloudflare.com/ips-v4";
          sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
        });
        cfipv6 = fileToList (pkgs.fetchurl {
          url = "https://www.cloudflare.com/ips-v6";
          sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
        });
      in ''
        # add hsts header with preloading to https reqeusts
        # adding this header to http requests is discouraged
        map $scheme $hsts_header {
            https   "max-age=31536000; includeSubdomains; preload";
        }
        add_header Strict-Transport-Security $hsts_header;

        # Enable CSP for your services.
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

        # Minimize information leaked to other domains
        add_header 'Referrer-Policy' 'origin-when-cross-origin';

        # Disable embedding as a frame
        #add_header X-Frame-Options DENY;

        # Prevent injection of code in other mime types (XSS Attacks)
        #add_header X-Content-Type-Options nosniff;

        # Enable XSS protection of the browser.
        # May be unnecessary when CSP is configured properly (see above)
        #add_header X-XSS-Protection "1; mode=block";

        # This might create errors
        #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";

        ${realIpsFromList cfipv4}
        ${realIpsFromList cfipv6}
        real_ip_header CF-Connecting-IP;
      '';

      # prevent leaking domain through direct ip access or no host
      # generally a good idea to keep this
      virtualHosts."_"= {
        default = true;
        rejectSSL = true;
        locations."/".return = 444;
      };
    };

    networking.firewall.allowedTCPPorts = [ 443 80 ];
    networking.firewall.allowedUDPPorts = [ 443 80 ];
  };
}