From bd0df118971345910b843957c67425b39f94a7d4 Mon Sep 17 00:00:00 2001
From: emily
Date: Wed, 10 Jan 2024 13:32:18 +0100
Subject: [PATCH] moved things around mainly nginx

---
 config/common-lxc.nix | 17 +++++++++++++++++
 config/common-nginx.nix | 37 +++++++++++++++++++++++++++++++++++++
 config/headless.nix | 4 ++++
 3 files changed, 58 insertions(+)
 create mode 100644 config/common-lxc.nix
 create mode 100644 config/common-nginx.nix
 create mode 100644 config/headless.nix

diff --git a/config/common-lxc.nix b/config/common-lxc.nix
new file mode 100644
index 0000000..3f46f36
--- /dev/null
+++ b/config/common-lxc.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, lib, modulesPath, ... }:
+
+with lib; {
+ imports = [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ ];
+ proxmoxLXC = {
+ manageNetwork = true;
+ manageHostName = true;
+ };
+ networking.useDHCP = false;
+
+ system.autoUpgrade.enable = true;
+ nix.optimise.automatic = true;
+ nix.gc.automatic = true;
+ nix.gc.options = "--delete-older-than 2d";
+}
diff --git a/config/common-nginx.nix b/config/common-nginx.nix
new file mode 100644
index 0000000..c9d3d63
--- /dev/null
+++ b/config/common-nginx.nix
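Review bot: `system.autoUpgrade.enable = true` paired with `nix.gc.options = "--delete-older-than 2d"` leaves at most a two-day window to roll back an unattended upgrade before the previous generation is collected, so a regression noticed later than that has no older generation left to boot into. Retaining generations longer, e.g. `nix.gc.options = "--delete-older-than 14d";`, keeps rollback possible without losing the automatic cleanup. The module also never says which channel or flake the unattended upgrade follows; a one-line comment above `system.autoUpgrade.enable` naming the intended source (or setting `system.autoUpgrade.channel` / `system.autoUpgrade.flake` explicitly) would make it clear to whoever operates these containers what they are trusting to change the system on its own.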
@@ -0,0 +1,37 @@
+{ config, pkgs, lib, ... }: {
+ security.dhparams.enable = true;
+ security.dhparams.params.nginx = {};
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ keyType = "ec256";
+ email = "noc@kyouma.net";
+ };
+ };
+ services.nginx = {
+ enable = true;
+ package = pkgs.nginxQuic;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ sslProtocols = lib.mkDefault "TLSv1.3";
+ sslDhparam = config.security.dhparams.params.nginx.path;
+
+ clientMaxBodySize = "0";
+ commonHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "same-origin" always;
+ '';
+ };
+}
diff --git a/config/headless.nix b/config/headless.nix
new file mode 100644
index 0000000..7804616
--- /dev/null
+++ b/config/headless.nix
@@ -0,0 +1,4 @@
+{ config, lib, ... }: with lib; {
+ services.openssh.enable = mkDefault true;
+
+}
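Review bot: The Strict-Transport-Security line in `commonHttpConfig` is the only `add_header` without `always`, so HSTS is omitted on 4xx/5xx responses while the other headers are still sent; `add_header Strict-Transport-Security $hsts_header always;` makes it consistent with the rest. Because all of these headers are declared at the `http` level, any server or location block that adds its own `add_header` silently drops every one of them (nginx does not merge `add_header` across levels), which deserves a comment in this block so per-vhost configs know to re-declare them. `clientMaxBodySize = "0"` removes the request body limit for every vhost; unless unbounded uploads are intended everywhere, set a bound here and raise it per location where needed. Finally, `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` only takes effect if someone overrides the `mkDefault "TLSv1.3"` protocol list, and in that case it admits CBC-mode suites and excludes ChaCha20-Poly1305, so it is better dropped in favour of the NixOS default list or narrowed to AEAD suites.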
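Review bot: `services.openssh.enable = mkDefault true` turns sshd on for every headless host with the module defaults, which, unless overridden elsewhere, leave password authentication enabled; since these hosts run unattended, the same file should pin key-only access with `services.openssh.settings.PasswordAuthentication = mkDefault false;` and `services.openssh.settings.KbdInteractiveAuthentication = mkDefault false;`, keeping `mkDefault` so an individual host can still opt out. `services.openssh.settings.PermitRootLogin` is worth setting explicitly as well, so the root-login policy is visible here rather than inherited silently. The stray blank line before the closing brace reads as an unfinished edit and can go.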