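inputs: { config, ... }:
{
  # Public-facing nginx front end.  Hardening headers are declared once at the
  # `http` level so every vhost inherits them (but see the NOTE on add_header
  # inheritance inside commonHttpConfig).
  services.nginx = {
    enable = true;

    # Exposes the stub_status page that the prometheus nginx exporter below
    # scrapes.
    statusPage = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    commonHttpConfig = ''
      # Add the HSTS header (with preloading) to HTTPS responses only.
      # Sending HSTS over plain HTTP is discouraged (RFC 6797 section 7.2):
      # the map leaves $hsts_header empty for http, and nginx skips
      # add_header when the value is empty.
      # Caution: "includeSubdomains; preload" commits every subdomain to
      # HTTPS and is slow to undo once a browser preload list picks it up.
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;
      add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
      # Clickjacking protection; CSP frame-ancestors is the modern equivalent
      # and should be set per vhost where a policy exists.
      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;
      # Explicitly switch the legacy browser XSS auditor off.  "1; mode=block"
      # is deprecated: current browsers ignore it, and the auditor it enabled
      # was itself abused for cross-site leaks, so the recommended value is
      # "0".  A real Content-Security-Policy is the control to add per vhost.
      add_header X-XSS-Protection "0";

      # NOTE: nginx inherits add_header from this level only if the server or
      # location block defines no add_header of its own.  Any vhost that adds
      # a header must repeat these, otherwise they silently disappear there.
    '';

    # Use the DH parameters generated by security.dhparams below (relevant to
    # DHE cipher suites only).
    sslDhparam = config.security.dhparams.params.nginx.path;
  };

  # Generate Diffie-Hellman parameters for nginx; the resulting path is wired
  # into sslDhparam above.
  security.dhparams = {
    enable = true;
    params.nginx = { };
  };

  # The exporter binds to the VPN address only, and the matching firewall rule
  # below is scoped to the VPN interface, so metrics are never reachable from
  # the public interface.
  services.prometheus.exporters.nginx = {
    enable = true;
    listenAddress = "${config.topology.mainVpn.currentNodeIP}";
  };

  # Only HTTP/HTTPS are open on all interfaces.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Exporter port is opened on the VPN interface alone.
  networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts =
    [ config.services.prometheus.exporters.nginx.port ];
}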