nginx: init

author: Minijackson <minijackson@riseup.net> 2021-05-30 19:38:46 +0200
committer: Minijackson <minijackson@riseup.net> 2021-05-30 19:38:46 +0200
commit: f380a60989362be38597098933ad81ec9db5b387 (patch)
tree: 3573e7c2e1b8a5ff766890538e213a404c0a5ede /usecases/server
parent: 0ec97d1e7dc153634cabb0ba2cf7ab9a2b0e6df1 (diff)
download: nixos-config-reborn-f380a60989362be38597098933ad81ec9db5b387.tar.gz
nixos-config-reborn-f380a60989362be38597098933ad81ec9db5b387.zip
1 files changed, 56 insertions, 0 deletions
diff --git a/usecases/server/nginx.nix b/usecases/server/nginx.nix
new file mode 100644
index 0000000..2057c87
--- /dev/null
+++ b/usecases/server/nginx.nix
@@ -0,0 +1,56 @@
+inputs:
+{ config, ... }:
+{
+  services.nginx = {
+    enable = true;
+    # For the prometheus exporter
+    statusPage = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+      add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+      add_header X-Frame-Options DENY;
+      add_header X-Content-Type-Options nosniff;
+      # Better to setup CSP, but nice default nonetheless
+      add_header X-XSS-Protection "1; mode=block";
+    '';
+    sslDhparam = config.security.dhparams.params.nginx.path;
+  };
+  security.dhparams = {
+    enable = true;
+    params = {
+      nginx = { };
+    };
+  };
+  services.prometheus.exporters.nginx = {
+    enable = true;
+    listenAddress = "${config.topology.mainVpn.currentNodeIP}";
+  };
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
+    config.services.prometheus.exporters.nginx.port
+  ];
+}
author	Minijackson <minijackson@riseup.net>	2021-05-30 19:38:46 +0200
committer	Minijackson <minijackson@riseup.net>	2021-05-30 19:38:46 +0200
commit	f380a60989362be38597098933ad81ec9db5b387 (patch)
tree	3573e7c2e1b8a5ff766890538e213a404c0a5ede /usecases/server
parent	0ec97d1e7dc153634cabb0ba2cf7ab9a2b0e6df1 (diff)
download	nixos-config-reborn-f380a60989362be38597098933ad81ec9db5b387.tar.gz nixos-config-reborn-f380a60989362be38597098933ad81ec9db5b387.zip

diff --git a/usecases/server/nginx.nix b/usecases/server/nginx.nix new file mode 100644 index 0000000..2057c87 --- /dev/null +++ b/usecases/server/nginx.nix
@@ -0,0 +1,56 @@
	1	inputs:
	2
	3	{ config, ... }:
	4
	5	{
	6	services.nginx = {
	7	enable = true;
	8
	9	# For the prometheus exporter
	10	statusPage = true;
	11
	12	recommendedGzipSettings = true;
	13	recommendedOptimisation = true;
	14	recommendedProxySettings = true;
	15	recommendedTlsSettings = true;
	16
	17	commonHttpConfig = ''
	18	# Add HSTS header with preloading to HTTPS requests.
	19	# Adding this header to HTTP requests is discouraged
	20	map $scheme $hsts_header {
	21	https "max-age=31536000; includeSubdomains; preload";
	22	}
	23
	24	add_header Strict-Transport-Security $hsts_header;
	25
	26	add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
	27
	28	add_header X-Frame-Options DENY;
	29
	30	add_header X-Content-Type-Options nosniff;
	31
	32	# Better to setup CSP, but nice default nonetheless
	33	add_header X-XSS-Protection "1; mode=block";
	34	'';
	35
	36	sslDhparam = config.security.dhparams.params.nginx.path;
	37	};
	38
	39	security.dhparams = {
	40	enable = true;
	41	params = {
	42	nginx = { };
	43	};
	44	};
	45
	46	services.prometheus.exporters.nginx = {
	47	enable = true;
	48	listenAddress = "${config.topology.mainVpn.currentNodeIP}";
	49	};
	50
	51	networking.firewall.allowedTCPPorts = [ 80 443 ];
	52
	53	networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
	54	config.services.prometheus.exporters.nginx.port
	55	];
	56	}