{ pkgs, lib, config, ... }: { options.mods.server.nginx = { enable = lib.mkEnableOption { default = false; description = "enables nginx reverse proxy"; }; }; config = lib.mkIf config.mods.server.nginx.enable { # ACME won't be able to authenticate your domain # if ports 80 & 443 aren't open in your firewall. networking.firewall = { allowedTCPPorts = [ 443 80 ]; }; security.acme.defaults.email = "acme@muon.host"; security.acme.acceptTerms = true; services.nginx = { enable = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; # Only allow PFS-enabled ciphers with AES256 # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; appendHttpConfig = '' # Add HSTS header with preloading to HTTPS requests. # Adding this header to HTTP requests is discouraged # map $scheme $hsts_header { # https "max-age=31536000; includeSubdomains; preload"; # } # add_header Strict-Transport-Security $hsts_header; # Enable CSP for your services. #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; # Minimize information leaked to other domains add_header 'Referrer-Policy' 'origin-when-cross-origin'; # Disable embedding as a frame add_header X-Frame-Options DENY; # Prevent injection of code in other mime types (XSS Attacks) add_header X-Content-Type-Options nosniff; # This might create errors # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; # required when the server wants to use HTTP Authentication proxy_pass_header Authorization; ''; virtualHosts = let base = locations: { inherit locations; forceSSL = true; enableACME = true; }; proxy = port: base { "/".proxyPass = "http://10.0.0.3:" + toString (port) + "/"; }; in { # Define example.com as reverse-proxied service on 127.0.0.1:3000 "photos.muon.host" = proxy 2283 // { default = true; }; }; }; }; }