-rw-r--r--flake.nix2
-rw-r--r--usecases/server/nginx.nix56
2 files changed, 58 insertions, 0 deletions
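--- a/flake.nix
+++ b/flake.nix
@@ -81,6 +81,7 @@
  jellyfin = (import ./usecases/server/jellyfin.nix inputs);
  monitoringServer = (import ./usecases/server/monitoring-server.nix inputs);
  monitoringTarget = (import ./usecases/server/monitoring-target.nix inputs);
+ nginx = (import ./usecases/server/nginx.nix inputs);
  radicale = (import ./usecases/server/radicale.nix inputs);
  smartd = (import ./usecases/server/smartd.nix inputs);
  zfs = (import ./usecases/server/zfs.nix inputs);
@@ -179,6 +180,7 @@
  self.nixosModules.usecases.server.hydraServer
  self.nixosModules.usecases.server.jellyfin
  self.nixosModules.usecases.server.monitoringServer
+ self.nixosModules.usecases.server.nginx
  self.nixosModules.usecases.server.radicale
  self.nixosModules.usecases.server.zfs
 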
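--- /dev/null
+++ b/usecases/server/nginx.nix
@@ -0,0 +1,56 @@
+inputs:
+
+{ config, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+
+ # For the prometheus exporter
+ statusPage = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ commonHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+
+ add_header Strict-Transport-Security $hsts_header;
+
+ add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+
+ add_header X-Frame-Options DENY;
+
+ add_header X-Content-Type-Options nosniff;
+
+ # Better to setup CSP, but nice default nonetheless
+ add_header X-XSS-Protection "1; mode=block";
+ '';
+
+ sslDhparam = config.security.dhparams.params.nginx.path;
+ };
+
+ security.dhparams = {
+ enable = true;
+ params = {
+ nginx = { };
+ };
+ };
+
+ services.prometheus.exporters.nginx = {
+ enable = true;
+ listenAddress = "${config.topology.mainVpn.currentNodeIP}";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
+ config.services.prometheus.exporters.nginx.port
+ ];
+}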
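Review bot: The five add_header directives inside commonHttpConfig are written without the `always` flag, so nginx attaches them only to 2xx/3xx responses and every error page (4xx/5xx, including errors returned through the proxy settings enabled above) leaves without HSTS, X-Frame-Options or X-Content-Type-Options; append `always` to each one, e.g. `add_header Strict-Transport-Security $hsts_header always;`. Because nginx inherits add_header only from the nearest level that declares any, a virtualHost or location added later with its own add_header silently drops this entire set, which deserves a comment at the top of commonHttpConfig such as `# NOTE: any server/location block that declares its own add_header must repeat these` and a check whenever vhosts are introduced. X-XSS-Protection "1; mode=block" is ignored by current browsers and the legacy filter it enables in older ones has its own problems, so the usual advice is `add_header X-XSS-Protection 0 always;` or dropping the line in favour of the Content-Security-Policy the comment already mentions. The HSTS value `includeSubdomains; preload` commits every subdomain of any host served here to HTTPS for a year and is hard to undo once the domain is submitted to the preload list, so confirm that is intended before this module is deployed.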