mirror of
https://github.com/oddlama/nixos-extra-modules.git
synced 2025-10-10 13:50:39 +02:00
114 lines
3.6 KiB
Nix
114 lines
3.6 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib)
|
|
mkBefore
|
|
mkEnableOption
|
|
mkIf
|
|
mkOption
|
|
types
|
|
;
|
|
in
|
|
{
|
|
options.services.nginx = {
|
|
recommendedSetup = mkEnableOption "recommended setup parameters.";
|
|
recommendedSecurityHeaders = mkEnableOption "additional security headers by default in each location block. Can be overwritten in each location with `recommendedSecurityHeaders`.";
|
|
virtualHosts = mkOption {
|
|
type = types.attrsOf (
|
|
types.submodule {
|
|
options.locations = mkOption {
|
|
type = types.attrsOf (
|
|
types.submodule (submod: {
|
|
options = {
|
|
recommendedSecurityHeaders = mkOption {
|
|
type = types.bool;
|
|
default = config.services.nginx.recommendedSecurityHeaders;
|
|
description = "Whether to add additional security headers to this location.";
|
|
};
|
|
|
|
X-Frame-Options = mkOption {
|
|
type = types.str;
|
|
default = "DENY";
|
|
description = "The value to use for X-Frame-Options";
|
|
};
|
|
};
|
|
config = mkIf submod.config.recommendedSecurityHeaders {
|
|
extraConfig = mkBefore ''
|
|
# Enable HTTP Strict Transport Security (HSTS)
|
|
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
|
|
|
|
# Minimize information leaked to other domains
|
|
add_header Referrer-Policy "origin-when-cross-origin";
|
|
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header X-Frame-Options "${submod.config.X-Frame-Options}";
|
|
add_header X-Content-Type-Options "nosniff";
|
|
'';
|
|
};
|
|
})
|
|
);
|
|
};
|
|
}
|
|
);
|
|
};
|
|
};
|
|
|
|
config = mkIf (config.services.nginx.enable && config.services.nginx.recommendedSetup) {
|
|
age.secrets."dhparams.pem" = mkIf (config ? age) {
|
|
generator.script = "dhparams";
|
|
mode = "440";
|
|
group = "nginx";
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
# QUIC
|
|
networking.firewall.allowedUDPPorts = [ 443 ];
|
|
|
|
# Sensible defaults for nginx
|
|
services.nginx = {
|
|
recommendedBrotliSettings = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
recommendedSecurityHeaders = true;
|
|
|
|
# SSL config
|
|
sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
|
|
sslDhparam = mkIf (config ? age) config.age.secrets."dhparams.pem".path;
|
|
commonHttpConfig = ''
|
|
log_format json_combined escape=json '{'
|
|
'"time": $msec,'
|
|
'"remote_addr":"$remote_addr",'
|
|
'"status":$status,'
|
|
'"method":"$request_method",'
|
|
'"host":"$host",'
|
|
'"uri":"$request_uri",'
|
|
'"request_size":$request_length,'
|
|
'"response_size":$body_bytes_sent,'
|
|
'"response_time":$request_time,'
|
|
'"referrer":"$http_referer",'
|
|
'"user_agent":"$http_user_agent"'
|
|
'}';
|
|
error_log syslog:server=unix:/dev/log,nohostname;
|
|
access_log syslog:server=unix:/dev/log,nohostname json_combined;
|
|
'';
|
|
|
|
# Default host that rejects everything.
|
|
# This is selected when no matching host is found for a request.
|
|
virtualHosts.dummy = {
|
|
default = true;
|
|
rejectSSL = true;
|
|
locations."/".extraConfig = ''
|
|
deny all;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
}
|