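# NixOS module: nginx reverse proxy with ACME certificates, hardened default
# headers, and Cloudflare edge ranges trusted for client-IP restoration.
#
# Enabled via `modules.services.nginx-config.enable`.
{ config, lib, pkgs, options, ... }:

with lib;

let
  cfg = config.modules.services.nginx-config;
in {
  options.modules.services.nginx-config = {
    enable = mkEnableOption "enable and configure nginx, a high performance web server";
  };

  config = mkIf cfg.enable {
    security.acme = {
      acceptTerms = true;
      defaults.email = "reidlab325@gmail.com";
      # uncomment me for staging!
      #defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };

    services.nginx = {
      enable = true;

      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;

      commonHttpConfig = let
        # Render one `set_real_ip_from <range>;` directive per trusted proxy range.
        realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");

        # Split a fetched list into lines, dropping empty entries: a trailing
        # newline or blank line in the upstream file would otherwise emit an
        # argument-less `set_real_ip_from ;` that nginx rejects at config load,
        # taking the whole server down on the next rebuild.
        fileToList = x:
          lib.filter (line: line != "")
            (lib.strings.splitString "\n" (builtins.readFile x));

        # Cloudflare's published edge ranges, pinned by hash. The pin keeps the
        # build reproducible but also freezes the list: when Cloudflare changes
        # its ranges the URL must be re-fetched and the sha256 updated, or new
        # edge IPs are simply not trusted (clients then appear with the edge IP).
        cfipv4 = fileToList (pkgs.fetchurl {
          url = "https://www.cloudflare.com/ips-v4";
          sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
        });
        cfipv6 = fileToList (pkgs.fetchurl {
          url = "https://www.cloudflare.com/ips-v6";
          sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
        });
      in ''
        # add hsts header with preloading to https requests
        # adding this header to http requests is discouraged, so the map
        # yields an empty value for http and nginx then omits the header
        map $scheme $hsts_header {
          https "max-age=31536000; includeSubdomains; preload";
        }
        add_header Strict-Transport-Security $hsts_header;

        # NOTE: nginx `add_header` directives set here are only inherited by a
        # server/location block that declares no `add_header` of its own; a
        # vhost that adds any header must repeat the ones it still wants.

        # Enable CSP for your services.
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

        # Minimize information leaked to other domains
        add_header 'Referrer-Policy' 'origin-when-cross-origin';

        # Disable embedding as a frame
        #add_header X-Frame-Options DENY;

        # Prevent injection of code in other mime types (XSS Attacks)
        #add_header X-Content-Type-Options nosniff;

        # Enable XSS protection of the browser.
        # May be unnecessary when CSP is configured properly (see above)
        #add_header X-XSS-Protection "1; mode=block";

        # This might create errors
        #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";

        # Only connections arriving from Cloudflare's ranges may override the
        # client address via CF-Connecting-IP; the header is ignored from any
        # other source, so a direct connection cannot spoof its origin.
        ${realIpsFromList cfipv4}
        ${realIpsFromList cfipv6}
        real_ip_header CF-Connecting-IP;
      '';

      # prevent leaking domain through direct ip access or no host
      # generally a good idea to keep this: the catch-all vhost refuses the TLS
      # handshake for unknown names instead of serving a certificate that
      # would reveal the real hostname, and plain-HTTP requests get nginx's
      # 444 (connection closed, no response).
      virtualHosts."_" = {
        default = true;
        rejectSSL = true;
        locations."/".return = 444;
      };
    };

    # nginx in this module listens on TCP only: no vhost enables QUIC/HTTP3,
    # so UDP 443 has no listener, and nothing ever serves UDP 80. Keep the
    # firewall to the ports actually in use; add UDP 443 back only together
    # with an HTTP/3-enabled vhost.
    networking.firewall.allowedTCPPorts = [ 443 80 ];
  };
}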