thunderbottom/flakes
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
164acc1042
flakes/modules/nixos/services/nginx/default.nix
Chinmay D. Pai d4dc50237a
feat: create module for nginx and prepare for fail2ban setup 
* create new module for nginx
* setup cloudflare real_ip_header forwarding for fail2ban setup
* add hsts, improve qualys score

Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
2024-10-05 20:52:11 +05:30

70 lines
2.2 KiB
Nix
Raw Blame History

{
config,
lib,
...
}: {
options.snowflake.services.nginx = {
enable = lib.mkEnableOption "Enable nginx service";
acmeEmail = lib.mkOption {
type = lib.types.str;
description = "Email to use for ACME SSL certificates";
};
enableCloudflareRealIP = lib.mkEnableOption "Enable setting real_ip_header from Cloudflare IPs";
};
config = let
cfg = config.snowflake.services.nginx;
in
lib.mkIf cfg.enable {
security.acme.defaults.email = cfg.acmeEmail;
security.dhparams = {
enable = true;
params.nginx = {};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedTlsSettings = true;
sslDhparam = config.security.dhparams.params.nginx.path;
# Disable default_server access and return HTTP 444.
appendHttpConfig =
''
# Strict Transport Security (HSTS): Yes
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
# Enable CSP
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
server {
listen 80 http2 default_server;
listen 443 ssl http2 default_server;
ssl_reject_handshake on;
return 444;
}
''
++ lib.optionalString cfg.enableCloudflareRealIP ''
${lib.concatMapStrings (ip: "set_real_ip_from ${ip};\n")
(lib.filter (line: line != "")
(lib.splitString "\n" ''
${lib.readFile (lib.fetchurl "https://www.cloudflare.com/ips-v4/")}
${lib.readFile (lib.fetchurl "https://www.cloudflare.com/ips-v6/")}
''))}
real_ip_header CF-Connecting-IP;
'';
};
};
}
Reference in New Issue View Git Blame Copy Permalink