diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
index 54f7544..b480da3 100644
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@@ -9,5 +9,6 @@
 ./wireguard.nix
 ./headscale.nix
 ./photoprism.nix
+ ./nginx.nix
 ];
 }
diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix
index 831a27e..fe792ae 100644
--- a/modules/nixos/server/nginx.nix
+++ b/modules/nixos/server/nginx.nix
@@ -7,14 +7,62 @@ }; config = lib.mkIf config.mods.server.nginx.enable { + # ACME won't be able to authenticate your domain + # if ports 80 & 443 aren't open in your firewall. + networking.firewall = { allowedTCPPorts = [ 443 80 ]; }; + security.acme.defaults.email = "acme@muon.host"; + security.acme.acceptTerms = true; + services.nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; recommendedProxySettings = true; - virtualHosts."*.muon.host" = { - locations."/" = { - proxyPass = "http://100.112.114.27:443"; - proxyWebsockets = true; # needed if you need to use WebSocket - extraConfig = "proxy_ssl_server_name on;"; + recommendedTlsSettings = true; + + # Only allow PFS-enabled ciphers with AES256 + # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + appendHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + # map $scheme $hsts_header { + # https "max-age=31536000; includeSubdomains; preload"; + # } + # add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. 
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # This might create errors + # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + + # required when the server wants to use HTTP Authentication + proxy_pass_header Authorization; + ''; + + virtualHosts = let + base = locations: { + inherit locations; + + forceSSL = true; + enableACME = true; }; + proxy = port: + base { "/".proxyPass = "http://10.0.0.3:" + toString (port) + "/"; }; + in { + # Define example.com as reverse-proxied service on 127.0.0.1:3000 + "photos.muon.host" = proxy 2283 // { default = true; }; }; }; }; diff --git a/modules/nixos/server/wireguard.nix b/modules/nixos/server/wireguard.nix index 087615a..f49d998 100644 --- a/modules/nixos/server/wireguard.nix +++ b/modules/nixos/server/wireguard.nix @@ -44,13 +44,19 @@ ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o ens3 -j MASQUERADE ''; - peers = [{ # peer0 - publicKey = "MDBdADwP/SE/T9cadXB1Mup7Dr3x+l6gBFBN83BU4Dg="; - presharedKeyFile = "/home/muon/wireguard-keys/psk-muon"; - allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ]; - } - # More peers can be added here. - ]; + peers = [ + { # peer0 + publicKey = "MDBdADwP/SE/T9cadXB1Mup7Dr3x+l6gBFBN83BU4Dg="; + presharedKeyFile = "/home/muon/wireguard-keys/psk-muon"; + allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ]; + } + { # peer1 + publicKey = "ohf/tGV9bjDDh/i9U5+DNvFtn+Glm8Wy1ieHoPvXfCo="; + presharedKeyFile = "/home/muon/wireguard-keys/psk-muho"; + allowedIPs = [ "10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128" ]; + } + # More peers can be added here. + ]; }; };
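Review bot: The comment on the only vhost entry, `# Define example.com as reverse-proxied service on 127.0.0.1:3000`, is template text that contradicts the line beneath it, which proxies photos.muon.host to 10.0.0.3:2283; replace it with `# photos.muon.host: reverse-proxied to 10.0.0.3:2283 (peer1's WireGuard address, see wireguard.nix)`. Since every vhost built by `base` sets `forceSSL = true`, the HSTS `map $scheme $hsts_header` / `add_header Strict-Transport-Security $hsts_header;` pair left commented out in appendHttpConfig could be enabled as written — the map keeps the header off the plain-HTTP redirect responses, which is what the comment above it asks for. Note that nginx inherits http-level add_header directives into a server or location block only when that block defines no add_header of its own, so a later per-vhost header would silently drop Referrer-Policy, X-Frame-Options and X-Content-Type-Options for that block; a one-line comment saying so next to the add_header lines would save the next editor a surprise. The enclosing `config = lib.mkIf ...` attribute set starts before this hunk, and `toString (port)` reads more conventionally as `toString port`.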
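Review bot: The new peer1 entry reads its preshared key from `/home/muon/wireguard-keys/psk-muho`, a path inside a login user's home directory; the WireGuard service that reads it typically runs as root, so confirm the file is root-owned with mode 0400 (or handled by whatever secrets mechanism the host already uses) rather than writable by that user, since write access to the file is effectively control over the tunnel's key material. The filename `psk-muho` also differs from peer0's `psk-muon` by a single letter — if that is a typo rather than a deliberate per-host name, the missing file will surface only as an activation failure. peer1's allowedIPs `10.0.0.3/32` matches the upstream nginx.nix proxies to in this same commit, which is presumably the intent and worth stating in the `# peer1` comment. The enclosing interface attribute set starts before this hunk.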