feat: create module for nginx and prepare for fail2ban setup
* create new module for nginx * setup cloudflare real_ip_header forwarding for fail2ban setup * add hsts, improve qualys score Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
This commit is contained in:
parent
48752f56b1
commit
d4dc50237a
69
modules/nixos/services/nginx/default.nix
Normal file
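--- a/modules/nixos/services/nginx/default.nix
+++ b/modules/nixos/services/nginx/default.nix
@@ -0,0 +1,69 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  options.snowflake.services.nginx = {
+    enable = lib.mkEnableOption "Enable nginx service";
+    acmeEmail = lib.mkOption {
+      type = lib.types.str;
+      description = "Email to use for ACME SSL certificates";
+    };
+    enableCloudflareRealIP = lib.mkEnableOption "Enable setting real_ip_header from Cloudflare IPs";
+  };
+
+  config = let
+    cfg = config.snowflake.services.nginx;
+  in
+    lib.mkIf cfg.enable {
+      security.acme.defaults.email = cfg.acmeEmail;
+      security.dhparams = {
+        enable = true;
+        params.nginx = {};
+      };
+      services.nginx = {
+        enable = true;
+        recommendedProxySettings = true;
+        recommendedOptimisation = true;
+        recommendedGzipSettings = true;
+        recommendedTlsSettings = true;
+        sslDhparam = config.security.dhparams.params.nginx.path;
+
+        # Disable default_server access and return HTTP 444.
+        appendHttpConfig =
+          ''
+            # Strict Transport Security (HSTS): Yes
+            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+
+            # Enable CSP
+            add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+            # Minimize information leaked to other domains
+            add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+            # Disable embedding as a frame
+            add_header X-Frame-Options DENY;
+
+            # Prevent injection of code in other mime types (XSS Attacks)
+            add_header X-Content-Type-Options nosniff;
+
+            server {
+              listen 80 http2 default_server;
+              listen 443 ssl http2 default_server;
+
+              ssl_reject_handshake on;
+              return 444;
+            }
+          ''
+          ++ lib.optionalString cfg.enableCloudflareRealIP ''
+            ${lib.concatMapStrings (ip: "set_real_ip_from ${ip};\n")
+              (lib.filter (line: line != "")
+                (lib.splitString "\n" ''
+                  ${lib.readFile (lib.fetchurl "https://www.cloudflare.com/ips-v4/")}
+                  ${lib.readFile (lib.fetchurl "https://www.cloudflare.com/ips-v6/")}
+                ''))}
+            real_ip_header CF-Connecting-IP;
+          '';
+      };
+    };
+}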
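Review bot: `++` on the appendHttpConfig join is Nix list concatenation, so gluing the two `''…''` strings this way fails at evaluation with "value is a string while a list was expected"; the line should read `+ lib.optionalString cfg.enableCloudflareRealIP ''`. The Cloudflare block also calls `lib.fetchurl`, which I don't believe nixpkgs' lib exposes — `builtins.fetchurl` is the usual choice, and under pure (flake) evaluation it needs a pinned hash, e.g. `builtins.fetchurl { url = "https://www.cloudflare.com/ips-v4/"; sha256 = "<hash-placeholder>"; }`. Pinning matters here beyond reproducibility: this list decides which peers nginx trusts to rewrite the client address via CF-Connecting-IP, so a change to it should be a deliberate, reviewed update rather than whatever the URL returns at evaluation time. Separately, these http-level `add_header` directives are silently dropped in any server or location block that sets its own add_header, and the HSTS line lacks `always`, so it is only emitted on 2xx/3xx responses — worth a comment above the block if the virtual hosts set headers themselves.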
|
@ -31,32 +31,6 @@
|
||||
powerManagement.powertop.enable = true;
|
||||
services.thermald.enable = true;
|
||||
|
||||
# TODO: move to module
|
||||
security.acme.defaults.email = "chinmaydpai@gmail.com";
|
||||
security.dhparams = {
|
||||
enable = true;
|
||||
params.nginx = {};
|
||||
};
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
sslDhparam = config.security.dhparams.params.nginx.path;
|
||||
|
||||
# Disable default_server access and return HTTP 444.
|
||||
appendHttpConfig = ''
|
||||
server {
|
||||
listen 80 http2 default_server;
|
||||
listen 443 ssl http2 default_server;
|
||||
|
||||
ssl_reject_handshake on;
|
||||
return 444;
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
snowflake = {
|
||||
stateVersion = "24.05";
|
||||
|
||||
@ -146,6 +120,12 @@
|
||||
adminTokenFile = userdata.secrets.services.miniflux.password;
|
||||
};
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
acmeEmail = "chinmaydpai@gmail.com";
|
||||
enableCloudflareRealIP = true;
|
||||
};
|
||||
|
||||
ntfy-sh = {
|
||||
enable = true;
|
||||
domain = "ntfy.deku.moe";
|
||||
|