feat: create module for nginx and prepare for fail2ban setup

* create new module for nginx * setup cloudflare real_ip_header forwarding for fail2ban setup * add hsts, improve qualys score Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
2024-10-05 20:52:11 +05:30 · 2024-10-05 20:52:11 +05:30 · d4dc50237a
commit d4dc50237a
parent 48752f56b1
2 changed files with 75 additions and 26 deletions
--- a/modules/nixos/services/nginx/default.nix
+++ b/modules/nixos/services/nginx/default.nix
@ -0,0 +1,69 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  options.snowflake.services.nginx = {
+    enable = lib.mkEnableOption "Enable nginx service";
+    acmeEmail = lib.mkOption {
+      type = lib.types.str;
+      description = "Email to use for ACME SSL certificates";
+    };
+    enableCloudflareRealIP = lib.mkEnableOption "Enable setting real_ip_header from Cloudflare IPs";
+  };
+
+  config = let
+    cfg = config.snowflake.services.nginx;
+  in
+    lib.mkIf cfg.enable {
+      security.acme.defaults.email = cfg.acmeEmail;
+      security.dhparams = {
+        enable = true;
+        params.nginx = {};
+      };
+      services.nginx = {
+        enable = true;
+        recommendedProxySettings = true;
+        recommendedOptimisation = true;
+        recommendedGzipSettings = true;
+        recommendedTlsSettings = true;
+        sslDhparam = config.security.dhparams.params.nginx.path;
+
+        # Disable default_server access and return HTTP 444.
+        appendHttpConfig =
+          ''
+            # Strict Transport Security (HSTS): Yes
+            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+
+            # Enable CSP
+            add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+            # Minimize information leaked to other domains
+            add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+            # Disable embedding as a frame
+            add_header X-Frame-Options DENY;
+
+            # Prevent injection of code in other mime types (XSS Attacks)
+            add_header X-Content-Type-Options nosniff;
+
+            server {
+              listen 80 http2 default_server;
+              listen 443 ssl http2 default_server;
+
+              ssl_reject_handshake on;
+              return 444;
+            }
+          ''
+          ++ lib.optionalString cfg.enableCloudflareRealIP ''
+            ${lib.concatMapStrings (ip: "set_real_ip_from ${ip};\n")
+              (lib.filter (line: line != "")
+                (lib.splitString "\n" ''
+                  ${lib.readFile (lib.fetchurl "https://www.cloudflare.com/ips-v4/")}
+                  ${lib.readFile (lib.fetchurl "https://www.cloudflare.com/ips-v6/")}
+                ''))}
+            real_ip_header CF-Connecting-IP;
+          '';
+      };
+    };
+}
--- a/systems/x86_64-linux/bicboye/default.nix
+++ b/systems/x86_64-linux/bicboye/default.nix
@ -31,32 +31,6 @@
  powerManagement.powertop.enable = true;
  services.thermald.enable = true;

-  # TODO: move to module
-  security.acme.defaults.email = "chinmaydpai@gmail.com";
-  security.dhparams = {
-    enable = true;
-    params.nginx = {};
-  };
-  services.nginx = {
-    enable = true;
-    recommendedProxySettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedTlsSettings = true;
-    sslDhparam = config.security.dhparams.params.nginx.path;
-
-    # Disable default_server access and return HTTP 444.
-    appendHttpConfig = ''
-      server {
-        listen 80 http2 default_server;
-        listen 443 ssl http2 default_server;
-
-        ssl_reject_handshake on;
-        return 444;
-      }
-    '';
-  };
-
  snowflake = {
    stateVersion = "24.05";

@ -146,6 +120,12 @@
        adminTokenFile = userdata.secrets.services.miniflux.password;
      };

+      nginx = {
+        enable = true;
+        acmeEmail = "chinmaydpai@gmail.com";
+        enableCloudflareRealIP = true;
+      };
+
      ntfy-sh = {
        enable = true;
        domain = "ntfy.deku.moe";