# NixOS module: nginx TLS/ACME baseline.
# Enables a QUIC-capable nginx build with ACME-issued EC certificates,
# generated DH parameters and a common set of HTTP security headers.
{ config, pkgs, lib, ... }:

{
  security = {
    # DH parameters are generated by the dhparams service and referenced
    # below through config.security.dhparams.params.nginx.path.  They only
    # come into play if a host widens sslProtocols to include TLS 1.2 and
    # an EDH suite from sslCiphers is negotiated; TLS 1.3 does not read them.
    dhparams = {
      enable = true;
      params.nginx = { };
    };

    acme = {
      acceptTerms = true;
      defaults = {
        # Every ACME certificate gets a P-256 key unless a host overrides it.
        keyType = "ec256";
        email = "noc@kyouma.net";
      };
    };
  };

  services.nginx = {
    enable = true;
    package = pkgs.nginxQuic;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # ssl_ciphers governs TLS <= 1.2 only; TLS 1.3 suites are not selected
    # through it.  With the TLSv1.3-only default below this list is dormant
    # until a host lowers sslProtocols.
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    # mkDefault: a per-host module may override this with a plain assignment
    # (no mkForce needed), which is when sslCiphers and sslDhparam become live.
    sslProtocols = lib.mkDefault "TLSv1.3";
    sslDhparam = config.security.dhparams.params.nginx.path;

    # "0" switches off nginx's request-body size check, so any upload limit
    # must come from a per-vhost/location override or from the upstream
    # application.  NOTE(review): confirm this is intended for every host;
    # unbounded request bodies are a resource-exhaustion vector.
    clientMaxBodySize = "0";

    # http-level headers.  nginx does not inherit add_header into a server
    # or location block that declares its own add_header: such a block
    # silently loses every header below and has to restate them.
    # The HSTS header is sent on https only (the map yields an empty value
    # for other schemes, and nginx drops add_header with an empty value).
    # The Content-Security-Policy line is commented out, so no CSP is sent;
    # X-XSS-Protection is a legacy header that current browsers ignore.
    commonHttpConfig = ''
      map $scheme $hsts_header {
        https "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;
      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
      add_header X-Content-Type-Options "nosniff" always;
      add_header X-XSS-Protection "1; mode=block" always;
      add_header X-Frame-Options "SAMEORIGIN" always;
      add_header Referrer-Policy "same-origin" always;
    '';
  };
}