mirrors_public/oddlama_nixos-extra-modules
1
1
Fork 1
mirror of https://github.com/oddlama/nixos-extra-modules.git synced 2025-10-10 22:00:39 +02:00
Code Activity

feat: add nginx meta module

Browse source
This commit is contained in:
oddlama 2023-12-25 21:49:06 +01:00
parent bc948ad1ab
commit 4daf3ffd02
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 119 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
README.md
View file

@ -26,3 +26,12 @@ will be available.
}; };
} }
} }
```
## Requirements
Certain modules may require the use of additional flakes. In particular you might need:
- [impermanence](https://github.com/nix-community/impermanence)
- [agenix](https://github.com/ryantm/agenix)
- [agenix-rekey](https://github.com/oddlama/agenix-rekey)

3
flake.nix
View file

@ -48,6 +48,9 @@
}; };
}; };
# `nix fmt`
formatter = pkgs.alejandra;
# `nix develop` # `nix develop`
devShells.default = pkgs.devshell.mkShell { devShells.default = pkgs.devshell.mkShell {
name = "extra-modules"; name = "extra-modules";

1
modules/default.nix
View file

@ -2,5 +2,6 @@
imports = [ imports = [
./interface-naming.nix ./interface-naming.nix
./boot.nix ./boot.nix
./nginx.nix
]; ];
} }

106
modules/nginx.nix Normal file
View file

@ -0,0 +1,106 @@
{
config,
lib,
...
}: let
inherit
(lib)
mkBefore
mkEnableOption
mkIf
mkOption
types
;
in {
options.services.nginx = {
recommendedSetup = mkEnableOption "recommended setup parameters.";
recommendedSecurityHeaders = mkEnableOption "additional security headers by default in each location block. Can be overwritten in each location with `recommendedSecurityHeaders`.";
virtualHosts = mkOption {
type = types.attrsOf (types.submodule {
options.locations = mkOption {
type = types.attrsOf (types.submodule (submod: {
options = {
recommendedSecurityHeaders = mkOption {
type = types.bool;
default = config.services.nginx.recommendedSecurityHeaders;
description = "Whether to add additional security headers to this location.";
};
X-Frame-Options = mkOption {
type = types.str;
default = "DENY";
description = "The value to use for X-Frame-Options";
};
};
config = mkIf submod.config.recommendedSecurityHeaders {
extraConfig = mkBefore ''
# Enable HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# Minimize information leaked to other domains
add_header Referrer-Policy "origin-when-cross-origin";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "${submod.config.X-Frame-Options}";
add_header X-Content-Type-Options "nosniff";
'';
};
}));
};
});
};
};
config = mkIf (config.services.nginx.enable && config.services.nginx.recommendedSetup) {
age.secrets."dhparams.pem" = {
generator.script = "dhparams";
mode = "440";
group = "nginx";
};
networking.firewall.allowedTCPPorts = [80 443];
# Sensible defaults for nginx
services.nginx = {
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedSecurityHeaders = true;
# SSL config
sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
sslDhparam = config.age.secrets."dhparams.pem".path;
commonHttpConfig = ''
log_format json_combined escape=json '{'
'"time": $msec,'
'"remote_addr":"$remote_addr",'
'"status":$status,'
'"method":"$request_method",'
'"host":"$host",'
'"uri":"$request_uri",'
'"request_size":$request_length,'
'"response_size":$body_bytes_sent,'
'"response_time":$request_time,'
'"referrer":"$http_referer",'
'"user_agent":"$http_user_agent"'
'}';
error_log syslog:server=unix:/dev/log,nohostname;
access_log syslog:server=unix:/dev/log,nohostname json_combined;
ssl_ecdh_curve secp384r1;
'';
# Default host that rejects everything.
# This is selected when no matching host is found for a request.
virtualHosts.dummy = {
listenAddresses = ["127.0.0.1" "[::1]"];
default = true;
rejectSSL = true;
locations."/".extraConfig = ''
deny all;
'';
};
};
};
}