1
0
Fork 0
forked from emily/nixfiles

moved things around mainly nginx

This commit is contained in:
emily 2024-01-10 13:32:18 +01:00
parent 5f8473d38c
commit bd0df11897
Signed by untrusted user: emily
GPG key ID: F6F4C66207FCF995
3 changed files with 58 additions and 0 deletions

17
config/common-lxc.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, pkgs, lib, modulesPath, ... }:
with lib; {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
];
proxmoxLXC = {
manageNetwork = true;
manageHostName = true;
};
networking.useDHCP = false;
system.autoUpgrade.enable = true;
nix.optimise.automatic = true;
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 2d";
}

37
config/common-nginx.nix Normal file
View file

@ -0,0 +1,37 @@
{ config, pkgs, lib, ... }: {
security.dhparams.enable = true;
security.dhparams.params.nginx = {};
security.acme = {
acceptTerms = true;
defaults = {
keyType = "ec256";
email = "noc@kyouma.net";
};
};
services.nginx = {
enable = true;
package = pkgs.nginxQuic;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
sslProtocols = lib.mkDefault "TLSv1.3";
sslDhparam = config.security.dhparams.params.nginx.path;
clientMaxBodySize = "0";
commonHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always;
'';
};
}

4
config/headless.nix Normal file
View file

@ -0,0 +1,4 @@
{ config, lib, ... }: with lib; {
services.openssh.enable = mkDefault true;
}