From f380a60989362be38597098933ad81ec9db5b387 Mon Sep 17 00:00:00 2001
From: Minijackson
Date: Sun, 30 May 2021 19:38:46 +0200
Subject: nginx: init

---
 usecases/server/nginx.nix | 56 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 usecases/server/nginx.nix

(limited to 'usecases')

diff --git a/usecases/server/nginx.nix b/usecases/server/nginx.nix
new file mode 100644
index 0000000..2057c87
--- /dev/null
+++ b/usecases/server/nginx.nix
@@ -0,0 +1,56 @@
+inputs:
+
+{ config, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+
+ # For the prometheus exporter
+ statusPage = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ commonHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+
+ add_header Strict-Transport-Security $hsts_header;
+
+ add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+
+ add_header X-Frame-Options DENY;
+
+ add_header X-Content-Type-Options nosniff;
+
+ # Better to setup CSP, but nice default nonetheless
+ add_header X-XSS-Protection "1; mode=block";
+ '';
+
+ sslDhparam = config.security.dhparams.params.nginx.path;
+ };
+
+ security.dhparams = {
+ enable = true;
+ params = {
+ nginx = { };
+ };
+ };
+
+ services.prometheus.exporters.nginx = {
+ enable = true;
+ listenAddress = "${config.topology.mainVpn.currentNodeIP}";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
+ config.services.prometheus.exporters.nginx.port
+ ];
+}
-- cgit v1.2.3
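Review bot: The security headers in `commonHttpConfig` are set at the http level, and nginx's `add_header` is not merged across levels: any `server` or `location` block that later adds its own `add_header` (for example in a virtualHost's extraConfig) silently drops every header defined here, including HSTS, for that block. This is a well-known nginx pitfall and deserves a comment next to the `map` so future virtualHosts repeat or include these headers; suggested: `# NOTE: add_header is not inherited once a server/location sets its own add_header; re-declare these headers (or use a shared include) in any block that adds headers.`. The `map` without a default deliberately yields an empty `$hsts_header` on plain HTTP, which nginx then omits, so that part behaves as the comment states. Separately, `X-XSS-Protection "1; mode=block"` is now generally recommended to be set to `0` or omitted (current OWASP guidance) because the legacy filter could itself be abused in older browsers; given the existing comment already points at CSP, consider `add_header X-XSS-Protection "0";` or dropping the directive. The file is a new `inputs:` module whose `inputs` argument is unused; a one-line comment explaining why it is accepted would help readers.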