
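# nginx + ACME configuration for miau.zip (static site, www redirect, 403 catch-all).
#
# Two nginx facts that shape this file:
#   * `add_header` is not cumulative across levels: a server block that declares
#     any add_header of its own loses every add_header inherited from the http
#     level.  That is why `extraConfig` is spliced into appendHttpConfig AND into
#     each virtual host below.
#   * Without `always`, add_header only applies to 2xx/3xx responses; with it the
#     header is sent on every status, including the catch-all host's 403.
{ pkgs, lib, ... }:
let
  # Response-hardening headers attached to every virtual host (see note above).
  extraConfig = ''
    # $hsts_header comes from the map in appendHttpConfig and is empty for
    # non-https requests; nginx skips add_header when the value is empty, so
    # HSTS is only emitted over TLS.  `always` so the 403 catch-all sends it too.
    add_header Strict-Transport-Security $hsts_header always;
    # CSP is left disabled here.  NOTE(review): enabling it needs the served
    # pages checked for inline scripts first.
    #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header X-Content-Type-Options "nosniff" always;
    # NOTE(review): X-XSS-Protection is deprecated and ignored by current
    # browsers; the legacy filter mode has been abused for cross-site leaks, so
    # "0" (or dropping the header) is the usual recommendation today.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "same-origin" always;
  '';

  # Settings shared by every virtual host: TLS only, HTTP/3 over QUIC enabled.
  virtHostCfg = {
    forceSSL = true;
    http3 = true;
    quic = true;
  };

  # Virtual host that redirects everything to `domain`, reusing that domain's cert.
  mkRedirect = domain: virtHostCfg // {
    useACMEHost = domain;
    globalRedirect = domain;
    inherit extraConfig;
  };

  # Static virtual host served from `webroot`, requesting its own ACME cert.
  mkHost = webroot: virtHostCfg // {
    enableACME = true;
    root = webroot;
    inherit extraConfig;
  };
in {
  services.nginx = {
    # QUIC-capable build; required for the http3/quic flags in virtHostCfg.
    package = pkgs.nginxQuic;
    enable = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    # NOTE(review): with sslProtocols pinned to TLSv1.3 this list has no effect;
    # OpenSSL selects TLS 1.3 suites from its separate Ciphersuites setting, not
    # from ssl_ciphers.  Harmless, but it restricts nothing.
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    # TLS 1.3 only; older protocol versions are refused at the handshake.
    sslProtocols = "TLSv1.3";
    # "0" removes the request-body size limit.  NOTE(review): any client may then
    # stream an unbounded body; presumably wanted for uploads, confirm - otherwise
    # set an explicit limit.
    clientMaxBodySize = "0";
    appendHttpConfig = ''
      # HSTS value only for https; any other scheme leaves $hsts_header empty
      # and the header is not added.  One year + includeSubdomains + preload is
      # the shape the HSTS preload list requires.
      map $scheme $hsts_header {
        https "max-age=31536000; includeSubdomains; preload";
      }
      ${extraConfig}
    '';
    # Catch-all: default server (serverName = null) for any Host header no other
    # vhost claims; answers 403 rather than serving the first defined site.
    # reuseport is presumably needed for the QUIC listener here - confirm.
    virtualHosts."redirect" = virtHostCfg // {
      serverName = null;
      default = true;
      reuseport = true;
      useACMEHost = "miau.zip";
      extraConfig = ''
        return 403;
        ${extraConfig}
      '';
    };
    # Nix merges this attrset literal with the `virtualHosts."redirect"` path
    # above into one virtualHosts set.
    virtualHosts = {
      "miau.zip" = (mkHost "/var/www/kyouma.net");
      "www.miau.zip" = (mkRedirect "miau.zip");
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      # ECDSA P-384 keys for every certificate.
      keyType = "ec384";
      email = "noc@kyouma.net";
    };
    # One certificate for the apex plus www and lg.  www is the redirect host
    # above; lg.miau.zip has no vhost in this file, so unless one is defined
    # elsewhere it lands on the 403 catch-all.
    certs."miau.zip" = {
      extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ];
    };
  };
}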