{ config, lib, ... }: with lib; { kyouma.deployment.tags = [ "web" ]; security.dhparams.enable = true; security.dhparams.params.nginx = {}; security.acme = { acceptTerms = true; defaults = { keyType = "ec256"; email = "noc@kyouma.net"; }; }; services.nginx = { enable = true; #package = pkgs.nginxQuic; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; sslProtocols = mkDefault "TLSv1.3"; sslDhparam = config.security.dhparams.params.nginx.path; clientMaxBodySize = mkDefault "128M"; commonHttpConfig = '' map $scheme $hsts_header { https "max-age=31536000; includeSubdomains; preload"; } add_header Strict-Transport-Security $hsts_header; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header Referrer-Policy "same-origin" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; ''; }; }