From c2dfcdd9f7057ef810aa0ff28c4aa5d4be186ffb Mon Sep 17 00:00:00 2001
From: Patrick
Date: Sun, 16 Feb 2025 19:50:55 +0100
Subject: [PATCH] feat: open firewall to allow QUIC

---
 modules/nginx.nix | 78 ++++++++++++++++++++++++++---------------------
 1 file changed, 44 insertions(+), 34 deletions(-)

diff --git a/modules/nginx.nix b/modules/nginx.nix
index 3625318..d1ca2f8 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -2,52 +2,57 @@ config, lib, ... -}: let - inherit - (lib) +}: +let + inherit (lib) mkBefore mkEnableOption mkIf mkOption types ; -in { +in +{ options.services.nginx = { recommendedSetup = mkEnableOption "recommended setup parameters."; recommendedSecurityHeaders = mkEnableOption "additional security headers by default in each location block. Can be overwritten in each location with `recommendedSecurityHeaders`."; virtualHosts = mkOption { - type = types.attrsOf (types.submodule { - options.locations = mkOption { - type = types.attrsOf (types.submodule (submod: { - options = { - recommendedSecurityHeaders = mkOption { - type = types.bool; - default = config.services.nginx.recommendedSecurityHeaders; - description = "Whether to add additional security headers to this location."; - }; + type = types.attrsOf ( + types.submodule { + options.locations = mkOption { + type = types.attrsOf ( + types.submodule (submod: { + options = { + recommendedSecurityHeaders = mkOption { + type = types.bool; + default = config.services.nginx.recommendedSecurityHeaders; + description = "Whether to add additional security headers to this location."; + }; - X-Frame-Options = mkOption { - type = types.str; - default = "DENY"; - description = "The value to use for X-Frame-Options"; - }; - }; - config = mkIf submod.config.recommendedSecurityHeaders { - extraConfig = mkBefore '' - # Enable HTTP Strict Transport Security (HSTS) - add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; + X-Frame-Options = mkOption { + type = types.str; + default = "DENY"; + description = "The value to use for X-Frame-Options"; + }; + }; + config = mkIf submod.config.recommendedSecurityHeaders { + extraConfig = mkBefore '' + # Enable HTTP Strict Transport Security (HSTS) + add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; - # Minimize information leaked to other domains - add_header Referrer-Policy "origin-when-cross-origin"; + # Minimize 
information leaked to other domains + add_header Referrer-Policy "origin-when-cross-origin"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options "${submod.config.X-Frame-Options}"; - add_header X-Content-Type-Options "nosniff"; - ''; - }; - })); - }; - }); + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options "${submod.config.X-Frame-Options}"; + add_header X-Content-Type-Options "nosniff"; + ''; + }; + }) + ); + }; + } + ); }; }; @@ -58,7 +63,12 @@ in { group = "nginx"; }; - networking.firewall.allowedTCPPorts = [80 443]; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + # QUIC + networking.firewall.allowedUDPPorts = [ 443 ]; # Sensible defaults for nginx services.nginx = {
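Review bot: The added `networking.firewall.allowedUDPPorts = [ 443 ];` in the second hunk opens UDP/443 unconditionally, while nothing in this patch enables a QUIC/HTTP/3 listener in nginx, so until a virtual host is configured for it the rule is pure exposure; consider tying it to the hosts that actually use it, e.g. `networking.firewall.allowedUDPPorts = mkIf (lib.any (vh: vh.quic) (builtins.attrValues config.services.nginx.virtualHosts)) [ 443 ];` (this assumes the upstream NixOS virtualHosts submodule, with its `quic` option, is merged into the option this module extends, which the surrounding definition suggests but the hunk does not show). The bare `# QUIC` comment would be more useful as `# UDP/443 for QUIC (HTTP/3); TCP/443 above remains for HTTP/1.1 and HTTP/2`. Whether the configured `services.nginx.package` is a QUIC-capable build is not visible here and should be verified, since the firewall change alone does not provide HTTP/3. The enclosing module attribute set starts and ends outside this hunk.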