From f380a60989362be38597098933ad81ec9db5b387 Mon Sep 17 00:00:00 2001
From: Minijackson
Date: Sun, 30 May 2021 19:38:46 +0200
Subject: nginx: init

---
 flake.nix                 |  2 ++
 usecases/server/nginx.nix | 56 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 usecases/server/nginx.nix

diff --git a/flake.nix b/flake.nix
index ba8fc24..b983f2b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -81,6 +81,7 @@
 jellyfin = (import ./usecases/server/jellyfin.nix inputs);
 monitoringServer = (import ./usecases/server/monitoring-server.nix inputs);
 monitoringTarget = (import ./usecases/server/monitoring-target.nix inputs);
+nginx = (import ./usecases/server/nginx.nix inputs);
 radicale = (import ./usecases/server/radicale.nix inputs);
 smartd = (import ./usecases/server/smartd.nix inputs);
 zfs = (import ./usecases/server/zfs.nix inputs);
@@ -179,6 +180,7 @@
 self.nixosModules.usecases.server.hydraServer
 self.nixosModules.usecases.server.jellyfin
 self.nixosModules.usecases.server.monitoringServer
+self.nixosModules.usecases.server.nginx
 self.nixosModules.usecases.server.radicale
 self.nixosModules.usecases.server.zfs
diff --git a/usecases/server/nginx.nix b/usecases/server/nginx.nix
new file mode 100644
index 0000000..2057c87
--- /dev/null
+++ b/usecases/server/nginx.nix
@@ -0,0 +1,56 @@
+inputs:
+
+{ config, ... }:
+
+{
+  services.nginx = {
+    enable = true;
+
+    # For the prometheus exporter
+    statusPage = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+        https "max-age=31536000; includeSubdomains; preload";
+      }
+
+      add_header Strict-Transport-Security $hsts_header;
+
+      add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+
+      add_header X-Frame-Options DENY;
+
+      add_header X-Content-Type-Options nosniff;
+
+      # Better to setup CSP, but nice default nonetheless
+      add_header X-XSS-Protection "1; mode=block";
+    '';
+
+    sslDhparam = config.security.dhparams.params.nginx.path;
+  };
+
+  security.dhparams = {
+    enable = true;
+    params = {
+      nginx = { };
+    };
+  };
+
+  services.prometheus.exporters.nginx = {
+    enable = true;
+    listenAddress = "${config.topology.mainVpn.currentNodeIP}";
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
+    config.services.prometheus.exporters.nginx.port
+  ];
+}
--
cgit v1.2.3
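Review bot: The security headers set via `add_header` in `commonHttpConfig` are silently lost for any `server` or `location` block that declares its own `add_header`, because nginx only inherits `add_header` from the enclosing level when the current level sets none; one per-vhost header (a cache or CORS header, say) drops HSTS, X-Frame-Options and the rest for that host, so a comment above the `map` is worth adding, e.g. `# nginx does not merge add_header across levels: any server/location that sets its own add_header must repeat these (e.g. via a shared include).` The `add_header X-XSS-Protection "1; mode=block";` line is also worth revisiting: the header is deprecated and ignored by current browsers, and the filter it enables was itself a source of cross-site leaks in older ones, so the value generally recommended now is `0`, or dropping it in favour of a real `Content-Security-Policy` as the comment already hints. As a point of style, `listenAddress = "${config.topology.mainVpn.currentNodeIP}";` wraps what appears to be an existing string in an interpolation; assuming `currentNodeIP` is a string, `listenAddress = config.topology.mainVpn.currentNodeIP;` reads cleaner.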