From d4dc50237a299fc2d77968a3c3ab2831933ca19a Mon Sep 17 00:00:00 2001
From: "Chinmay D. Pai"
Date: Sat, 5 Oct 2024 20:52:11 +0530
Subject: [PATCH] feat: create module for nginx and prepare for fail2ban setup

* create new module for nginx
* setup cloudflare real_ip_header forwarding for fail2ban setup
* add hsts, improve qualys score

Signed-off-by: Chinmay D. Pai
---
 modules/nixos/services/nginx/default.nix | 69 ++++++++++++++++++++++++
 systems/x86_64-linux/bicboye/default.nix | 32 +++--------
 2 files changed, 75 insertions(+), 26 deletions(-)
 create mode 100644 modules/nixos/services/nginx/default.nix

diff --git a/modules/nixos/services/nginx/default.nix b/modules/nixos/services/nginx/default.nix
new file mode 100644
index 0000000..42c72c0
--- /dev/null
+++ b/modules/nixos/services/nginx/default.nix
@@ -0,0 +1,69 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ options.snowflake.services.nginx = {
+ enable = lib.mkEnableOption "Enable nginx service";
+ acmeEmail = lib.mkOption {
+ type = lib.types.str;
+ description = "Email to use for ACME SSL certificates";
+ };
+ enableCloudflareRealIP = lib.mkEnableOption "Enable setting real_ip_header from Cloudflare IPs";
+ };
+
+ config = let
+ cfg = config.snowflake.services.nginx;
+ in
+ lib.mkIf cfg.enable {
+ security.acme.defaults.email = cfg.acmeEmail;
+ security.dhparams = {
+ enable = true;
+ params.nginx = {};
+ };
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedTlsSettings = true;
+ sslDhparam = config.security.dhparams.params.nginx.path;
+
+ # Disable default_server access and return HTTP 444.
+ appendHttpConfig =
+ ''
+ # Strict Transport Security (HSTS): Yes
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+
+ # Enable CSP
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ server {
+ listen 80 http2 default_server;
+ listen 443 ssl http2 default_server;
+
+ ssl_reject_handshake on;
+ return 444;
+ }
+ ''
+ ++ lib.optionalString cfg.enableCloudflareRealIP ''
+ ${lib.concatMapStrings (ip: "set_real_ip_from ${ip};\n")
+ (lib.filter (line: line != "")
+ (lib.splitString "\n" ''
+ ${lib.readFile (lib.fetchurl "https://www.cloudflare.com/ips-v4/")}
+ ${lib.readFile (lib.fetchurl "https://www.cloudflare.com/ips-v6/")}
+ ''))}
+ real_ip_header CF-Connecting-IP;
+ '';
+ };
+ };
+}
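Review bot: The Cloudflare ranges that decide which peers may set the client address through `real_ip_header CF-Connecting-IP` are fetched from the network at evaluation time with no pin, and unless this repository extends `lib`, nixpkgs' `lib` has no `fetchurl` (the builtin is `builtins.fetchurl`, the package-level one `pkgs.fetchurl`), so the `enableCloudflareRealIP` branch looks like it fails to evaluate as written, and in a pure flake evaluation an unhashed `builtins.fetchurl` would be rejected anyway. Because this list is the trust anchor for the planned fail2ban setup (a stale list makes fail2ban ban Cloudflare edge IPs, a substituted one lets non-Cloudflare sources assert any client address), it should be pinned: `lib.readFile (builtins.fetchurl { url = "https://www.cloudflare.com/ips-v4/"; sha256 = "<current-hash>"; })`, the same for `ips-v6`, with the hash bumped deliberately when Cloudflare publishes changes. Separately, nginx inherits `add_header` into a server or location block only when that block defines no `add_header` of its own, so any vhost that sets even one header silently loses the HSTS, CSP, Referrer-Policy, X-Frame-Options and X-Content-Type-Options set in `appendHttpConfig`; a comment there such as `# NOTE: add_header is not merged — any server/location that adds its own header drops these; re-add or include a shared snippet` would stop vhosts from assuming coverage they do not have.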
diff --git a/systems/x86_64-linux/bicboye/default.nix b/systems/x86_64-linux/bicboye/default.nix
index 015a380..07df0fd 100644
--- a/systems/x86_64-linux/bicboye/default.nix
+++ b/systems/x86_64-linux/bicboye/default.nix
@@ -31,32 +31,6 @@
 powerManagement.powertop.enable = true; services.thermald.enable = true;
- # TODO: move to module
- security.acme.defaults.email = "chinmaydpai@gmail.com";
- security.dhparams = {
- enable = true;
- params.nginx = {};
- };
- services.nginx = {
- enable = true;
- recommendedProxySettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedTlsSettings = true;
- sslDhparam = config.security.dhparams.params.nginx.path;
-
- # Disable default_server access and return HTTP 444.
- appendHttpConfig = ''
- server {
- listen 80 http2 default_server;
- listen 443 ssl http2 default_server;
-
- ssl_reject_handshake on;
- return 444;
- }
- '';
- };
-
 snowflake = { stateVersion = "24.05";
@@ -146,6 +120,12 @@
 adminTokenFile = userdata.secrets.services.miniflux.password; };
+ nginx = {
+ enable = true;
+ acmeEmail = "chinmaydpai@gmail.com";
+ enableCloudflareRealIP = true;
+ };
+
 ntfy-sh = { enable = true; domain = "ntfy.deku.moe";