feat: create module for nginx and prepare for fail2ban setup
* create new module for nginx * setup cloudflare real_ip_header forwarding for fail2ban setup * add hsts, improve qualys score Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
This commit is contained in:
parent
48752f56b1
commit
d4dc50237a
69
modules/nixos/services/nginx/default.nix
Normal file
69
modules/nixos/services/nginx/default.nix
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
options.snowflake.services.nginx = {
|
||||||
|
enable = lib.mkEnableOption "Enable nginx service";
|
||||||
|
acmeEmail = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "Email to use for ACME SSL certificates";
|
||||||
|
};
|
||||||
|
enableCloudflareRealIP = lib.mkEnableOption "Enable setting real_ip_header from Cloudflare IPs";
|
||||||
|
};
|
||||||
|
|
||||||
|
config = let
|
||||||
|
cfg = config.snowflake.services.nginx;
|
||||||
|
in
|
||||||
|
lib.mkIf cfg.enable {
|
||||||
|
security.acme.defaults.email = cfg.acmeEmail;
|
||||||
|
security.dhparams = {
|
||||||
|
enable = true;
|
||||||
|
params.nginx = {};
|
||||||
|
};
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
sslDhparam = config.security.dhparams.params.nginx.path;
|
||||||
|
|
||||||
|
# Disable default_server access and return HTTP 444.
|
||||||
|
appendHttpConfig =
|
||||||
|
''
|
||||||
|
# Strict Transport Security (HSTS): Yes
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
|
||||||
|
|
||||||
|
# Enable CSP
|
||||||
|
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
|
||||||
|
# Minimize information leaked to other domains
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
|
||||||
|
# Disable embedding as a frame
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
|
||||||
|
# Prevent injection of code in other mime types (XSS Attacks)
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 80 http2 default_server;
|
||||||
|
listen 443 ssl http2 default_server;
|
||||||
|
|
||||||
|
ssl_reject_handshake on;
|
||||||
|
return 444;
|
||||||
|
}
|
||||||
|
''
|
||||||
|
++ lib.optionalString cfg.enableCloudflareRealIP ''
|
||||||
|
${lib.concatMapStrings (ip: "set_real_ip_from ${ip};\n")
|
||||||
|
(lib.filter (line: line != "")
|
||||||
|
(lib.splitString "\n" ''
|
||||||
|
${lib.readFile (lib.fetchurl "https://www.cloudflare.com/ips-v4/")}
|
||||||
|
${lib.readFile (lib.fetchurl "https://www.cloudflare.com/ips-v6/")}
|
||||||
|
''))}
|
||||||
|
real_ip_header CF-Connecting-IP;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
@ -31,32 +31,6 @@
|
|||||||
powerManagement.powertop.enable = true;
|
powerManagement.powertop.enable = true;
|
||||||
services.thermald.enable = true;
|
services.thermald.enable = true;
|
||||||
|
|
||||||
# TODO: move to module
|
|
||||||
security.acme.defaults.email = "chinmaydpai@gmail.com";
|
|
||||||
security.dhparams = {
|
|
||||||
enable = true;
|
|
||||||
params.nginx = {};
|
|
||||||
};
|
|
||||||
services.nginx = {
|
|
||||||
enable = true;
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
sslDhparam = config.security.dhparams.params.nginx.path;
|
|
||||||
|
|
||||||
# Disable default_server access and return HTTP 444.
|
|
||||||
appendHttpConfig = ''
|
|
||||||
server {
|
|
||||||
listen 80 http2 default_server;
|
|
||||||
listen 443 ssl http2 default_server;
|
|
||||||
|
|
||||||
ssl_reject_handshake on;
|
|
||||||
return 444;
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
snowflake = {
|
snowflake = {
|
||||||
stateVersion = "24.05";
|
stateVersion = "24.05";
|
||||||
|
|
||||||
@ -146,6 +120,12 @@
|
|||||||
adminTokenFile = userdata.secrets.services.miniflux.password;
|
adminTokenFile = userdata.secrets.services.miniflux.password;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
nginx = {
|
||||||
|
enable = true;
|
||||||
|
acmeEmail = "chinmaydpai@gmail.com";
|
||||||
|
enableCloudflareRealIP = true;
|
||||||
|
};
|
||||||
|
|
||||||
ntfy-sh = {
|
ntfy-sh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = "ntfy.deku.moe";
|
domain = "ntfy.deku.moe";
|
||||||
|
Loading…
Reference in New Issue
Block a user