SelfPrivacy
/
selfprivacy-nixos-config
6
3
Fork 7
Code Issues 32 Pull Requests 3 Projects Releases Wiki Activity
selfprivacy-nixos-config/webserver/nginx.nix

63 lines
2.5 KiB
Nix
Raw Normal View History

PoC working SP module system + simple-nixos-mailserver as an SP module
2023-11-10 05:10:06 +02:00
{ config, lib, ... }:
Initial commit
2021-11-15 12:02:05 +02:00
let
selfprivacy.userdata -> selfprivacy; SP modules -> selfprivacy.modules
2023-11-16 02:00:11 +02:00
domain = config.selfprivacy.domain;
Initial commit
2021-11-15 12:02:05 +02:00
in
{
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
Added Qualys A+ rated SSL/TLS settings
2021-12-17 19:17:23 +02:00
sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3";
sslCiphers = lib.mkForce "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL";
Initial commit
2021-11-15 12:02:05 +02:00
clientMaxBodySize = "1024m";
Added Qualys A+ rated SSL/TLS settings
2021-12-17 19:17:23 +02:00
commonHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
gitea: RequiresMountsFor and ConditionPathIsMountPoint @ /var/lib/gitea
2023-12-12 18:35:44 +02:00
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 512;
Added Qualys A+ rated SSL/TLS settings
2021-12-17 19:17:23 +02:00
'';
Initial commit
2021-11-15 12:02:05 +02:00
virtualHosts = {
"${domain}" = {
add wildcard ACME certificate
2023-12-18 23:07:05 +02:00
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
Initial commit
2021-11-15 12:02:05 +02:00
forceSSL = true;
Added Qualys A+ rated SSL/TLS settings
2021-12-17 19:17:23 +02:00
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
Temporarily disabled CSP headers as they tend to break some of our applications
2021-12-21 08:18:38 +02:00
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
Added Qualys A+ rated SSL/TLS settings
2021-12-17 19:17:23 +02:00
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
Initial commit
2021-11-15 12:02:05 +02:00
};
"api.${domain}" = {
add wildcard ACME certificate
2023-12-18 23:07:05 +02:00
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
Initial commit
2021-11-15 12:02:05 +02:00
forceSSL = true;
Added Qualys A+ rated SSL/TLS settings
2021-12-17 19:17:23 +02:00
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
Temporarily disabled CSP headers as they tend to break some of our applications
2021-12-21 08:18:38 +02:00
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
Added Qualys A+ rated SSL/TLS settings
2021-12-17 19:17:23 +02:00
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
Initial commit
2021-11-15 12:02:05 +02:00
locations = {
"/" = {
proxyPass = "http://127.0.0.1:5050";
Switched to binds, volume management, new API
2022-08-26 13:21:05 +03:00
proxyWebsockets = true;
Initial commit
2021-11-15 12:02:05 +02:00
};
};
};
};
};
}