sokai/mynixos-extra-modules2
1
1
Fork 0
mirror of https://git.mediani.de/mirrors_public/oddlama_nixos-extra-modules.git synced 2025-10-11 06:10:39 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: open firewall to allow QUIC

Browse source
This commit is contained in:
Patrick 2025-02-16 19:50:55 +01:00
parent 853c9e2a2d
commit c2dfcdd9f7
No known key found for this signature in database
GPG key ID: 451F95EFB8BECD0F
1 changed files with 44 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

78
modules/nginx.nix
View file

@ -2,52 +2,57 @@
config, config,
lib, lib,
... ...
}: let }:
inherit let
(lib) inherit (lib)
mkBefore mkBefore
mkEnableOption mkEnableOption
mkIf mkIf
mkOption mkOption
types types
; ;
in { in
{
options.services.nginx = { options.services.nginx = {
recommendedSetup = mkEnableOption "recommended setup parameters."; recommendedSetup = mkEnableOption "recommended setup parameters.";
recommendedSecurityHeaders = mkEnableOption "additional security headers by default in each location block. Can be overwritten in each location with `recommendedSecurityHeaders`."; recommendedSecurityHeaders = mkEnableOption "additional security headers by default in each location block. Can be overwritten in each location with `recommendedSecurityHeaders`.";
virtualHosts = mkOption { virtualHosts = mkOption {
type = types.attrsOf (types.submodule { type = types.attrsOf (
options.locations = mkOption { types.submodule {
type = types.attrsOf (types.submodule (submod: { options.locations = mkOption {
options = { type = types.attrsOf (
recommendedSecurityHeaders = mkOption { types.submodule (submod: {
type = types.bool; options = {
default = config.services.nginx.recommendedSecurityHeaders; recommendedSecurityHeaders = mkOption {
description = "Whether to add additional security headers to this location."; type = types.bool;
}; default = config.services.nginx.recommendedSecurityHeaders;
description = "Whether to add additional security headers to this location.";
};
X-Frame-Options = mkOption { X-Frame-Options = mkOption {
type = types.str; type = types.str;
default = "DENY"; default = "DENY";
description = "The value to use for X-Frame-Options"; description = "The value to use for X-Frame-Options";
}; };
}; };
config = mkIf submod.config.recommendedSecurityHeaders { config = mkIf submod.config.recommendedSecurityHeaders {
extraConfig = mkBefore '' extraConfig = mkBefore ''
# Enable HTTP Strict Transport Security (HSTS) # Enable HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# Minimize information leaked to other domains # Minimize information leaked to other domains
add_header Referrer-Policy "origin-when-cross-origin"; add_header Referrer-Policy "origin-when-cross-origin";
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "${submod.config.X-Frame-Options}"; add_header X-Frame-Options "${submod.config.X-Frame-Options}";
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
''; '';
}; };
})); })
}; );
}); };
}
);
}; };
}; };
@ -58,7 +63,12 @@ in {
group = "nginx"; group = "nginx";
}; };
networking.firewall.allowedTCPPorts = [80 443]; networking.firewall.allowedTCPPorts = [
80
443
];
# QUIC
networking.firewall.allowedUDPPorts = [ 443 ];
# Sensible defaults for nginx # Sensible defaults for nginx
services.nginx = { services.nginx = {