flake/modules/nixos/server/nginx.nix

{ pkgs, lib, config, ... }: {
  options.mods.server.nginx = {
    enable = lib.mkEnableOption {
      default = false;
      description = "enables nginx reverse proxy";
    };
  };

  config = lib.mkIf config.mods.server.nginx.enable {
    # ACME won't be able to authenticate your domain
    # if ports 80 & 443 aren't open in your firewall.
    networking.firewall = { allowedTCPPorts = [ 443 80 ]; };
    security.acme.defaults.email = "acme@muon.host";
    security.acme.acceptTerms = true;

    services.nginx = {
      enable = true;

      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;

      # Only allow PFS-enabled ciphers with AES256
      # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

      appendHttpConfig = ''
        # Add HSTS header with preloading to HTTPS requests.
        # Adding this header to HTTP requests is discouraged
        # map $scheme $hsts_header {
            # https   "max-age=31536000; includeSubdomains; preload";
        # }
        # add_header Strict-Transport-Security $hsts_header;

        # Enable CSP for your services.
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

        # Minimize information leaked to other domains
        add_header 'Referrer-Policy' 'origin-when-cross-origin';

        # Disable embedding as a frame
        add_header X-Frame-Options DENY;

        # Prevent injection of code in other mime types (XSS Attacks)
        add_header X-Content-Type-Options nosniff;

        # This might create errors
        # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";

        # required when the server wants to use HTTP Authentication
        proxy_pass_header Authorization;
      '';

      virtualHosts = let
        base = locations: {
          inherit locations;

          forceSSL = true;
          enableACME = true;
        };
        proxy = port:
          base { "/".proxyPass = "http://10.0.0.3:" + toString (port) + "/"; };
      in {
        # Define example.com as reverse-proxied service on 127.0.0.1:3000
        "photos.muon.host" = proxy 2283 // { default = true; };
      };
    };
  };
}