muon/flake
1
0
Fork 0
mirror of https://codeberg.org/muon/home.git synced 2025-12-05 23:57:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
flake/modules/nixos/server/nginx.nix
muon 4edc6a8d5d Add cross content
2025-01-25 14:28:14 +00:00

92 lines
2.6 KiB
Nix
Raw Blame History

{ pkgs, lib, config, ... }:
let
cfg = config.mods.server.nginx;
in with lib; {
options.mods.server.nginx = {
enable = mkEnableOption {
default = false;
description = "enables nginx reverse proxy";
};
ip = mkOption {
type = types.str;
default = "10.0.0.3";
};
domain = mkOption {
type = types.str;
default = "muon.host";
};
ports = mkOption {
type = types.attrsOf (types.ints.u16);
default = { };
};
};
config = mkIf cfg.enable {
# ACME won't be able to authenticate your domain
# if ports 80 & 443 aren't open in your firewall.
networking.firewall = { allowedTCPPorts = [ 443 80 ]; };
security.acme.defaults.email = "acme@muon.host";
security.acme.acceptTerms = true;
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
# sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
# map $scheme $hsts_header {
# https "max-age=31536000; includeSubdomains; preload";
# }
# add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# This might create errors
# proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
# required when the server wants to use HTTP Authentication
proxy_pass_header Authorization;
# This is necessary to pass the correct IP to be hashed
real_ip_header X-Real-IP;
'';
virtualHosts = let
base = locations: {
inherit locations;
forceSSL = true;
enableACME = true;
};
proxy = port:
base { "/".proxyPass = "http://${cfg.ip}:${toString port}/"; };
in mapAttrs' (name: port:
nameValuePair ("${name}.${cfg.domain}")
# (proxy port // { default = true; })) cfg.ports;
(proxy port)) cfg.ports;
};
};
}
Reference in a new issue View git blame Copy permalink