forked from emily/nixfiles
72 lines
1.8 KiB
Nix
72 lines
1.8 KiB
Nix
|
{ pkgs, lib, ... }:
|
||
|
let
|
||
|
extraConfig = ''
|
||
|
add_header Strict-Transport-Security $hsts_header;
|
||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||
|
add_header X-Content-Type-Options "nosniff" always;
|
||
|
add_header X-XSS-Protection "1; mode=block" always;
|
||
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
||
|
add_header Referrer-Policy "same-origin" always;
|
||
|
'';
|
||
|
virtHostCfg = {
|
||
|
forceSSL = true;
|
||
|
http3 = true;
|
||
|
quic = true;
|
||
|
};
|
||
|
mkRedirect = domain: virtHostCfg // {
|
||
|
useACMEHost = domain;
|
||
|
globalRedirect = domain;
|
||
|
inherit extraConfig;
|
||
|
};
|
||
|
mkHost = webroot: virtHostCfg // {
|
||
|
enableACME = true;
|
||
|
root = webroot;
|
||
|
inherit extraConfig;
|
||
|
};
|
||
|
in {
|
||
|
services.nginx = {
|
||
|
package = pkgs.nginxQuic;
|
||
|
enable = true;
|
||
|
|
||
|
recommendedOptimisation = true;
|
||
|
recommendedTlsSettings = true;
|
||
|
recommendedGzipSettings = true;
|
||
|
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
||
|
sslProtocols = "TLSv1.3";
|
||
|
clientMaxBodySize = "0";
|
||
|
|
||
|
appendHttpConfig = ''
|
||
|
map $scheme $hsts_header {
|
||
|
https "max-age=31536000; includeSubdomains; preload";
|
||
|
}
|
||
|
${extraConfig}
|
||
|
'';
|
||
|
|
||
|
virtualHosts."redirect" = virtHostCfg // {
|
||
|
serverName = null;
|
||
|
default = true;
|
||
|
reuseport = true;
|
||
|
useACMEHost = "miau.zip";
|
||
|
extraConfig = ''
|
||
|
return 403;
|
||
|
${extraConfig}
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
virtualHosts = {
|
||
|
"miau.zip" = (mkHost "/var/www/kyouma.net");
|
||
|
"www.miau.zip" = (mkRedirect "miau.zip");
|
||
|
};
|
||
|
};
|
||
|
security.acme = {
|
||
|
acceptTerms = true;
|
||
|
defaults = {
|
||
|
keyType = "ec384";
|
||
|
email = "noc@kyouma.net";
|
||
|
};
|
||
|
certs."miau.zip" = {
|
||
|
extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ];
|
||
|
};
|
||
|
};
|
||
|
}
|