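inputs:

{ config, ... }:

{
  services.nginx = {
    enable = true;

    # Exposes a stub_status location (/nginx_status) for the prometheus nginx
    # exporter configured below. The NixOS module is expected to restrict that
    # location to localhost; confirm on the running host that it is not
    # answered on the public interfaces.
    statusPage = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Baseline security headers for every vhost. Two nginx pitfalls apply:
    #  * `add_header` is NOT additive across levels: any server/location block
    #    that uses add_header itself silently drops every header set here. Such
    #    blocks must repeat the whole set (or include a shared snippet).
    #  * Without `always`, add_header is only applied to 2xx/3xx responses, so
    #    error pages would otherwise be served without HSTS and friends.
    commonHttpConfig = ''
      # HSTS only on HTTPS responses: clients must ignore it over plain HTTP
      # (RFC 6797), so sending it there is pointless. The map has no default,
      # which leaves $hsts_header empty for http; nginx omits a header whose
      # value is empty, even with `always`.
      #
      # CAUTION: includeSubdomains + preload commits *every* subdomain of every
      # server_name served here to HTTPS for a year, and removal from the
      # browser preload lists takes months. Keep `preload` only if the domains
      # are (to be) submitted to hstspreload.org and no subdomain needs HTTP.
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }

      add_header Strict-Transport-Security $hsts_header always;

      # Full URL to same-origin requests, origin only cross-origin, nothing on
      # an HTTPS -> HTTP downgrade.
      add_header 'Referrer-Policy' 'strict-origin-when-cross-origin' always;

      # Refuse to be framed by anyone (clickjacking). DENY also blocks
      # same-origin frames; a vhost that needs those must override with
      # SAMEORIGIN (and then repeat the other headers, see above).
      add_header X-Frame-Options DENY always;

      # Stop browsers from MIME-sniffing responses into scripts or styles.
      add_header X-Content-Type-Options nosniff always;

      # The legacy XSS auditor has been removed from all major browsers, and
      # where it still exists "1; mode=block" has been abused for cross-site
      # leaks. "0" explicitly disables it, which is the current OWASP
      # recommendation. Actual XSS mitigation needs a Content-Security-Policy,
      # which is site-specific and therefore belongs in each vhost, not here.
      add_header X-XSS-Protection "0" always;
    '';

    # Host-specific DH group (generated by security.dhparams below) for the
    # DHE cipher suites permitted by recommendedTlsSettings, instead of a
    # well-known shared group.
    sslDhparam = config.security.dhparams.params.nginx.path;
  };

  security.dhparams = {
    enable = true;
    params = {
      # Default parameter size; only the generated file path is consumed above.
      nginx = { };
    };
  };

  # Metrics scrape endpoint, bound to this node's VPN address only so it is
  # never reachable on the public interfaces.
  services.prometheus.exporters.nginx = {
    enable = true;
    listenAddress = "${config.topology.mainVpn.currentNodeIP}";
  };

  # Public web ports.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # The exporter port is opened on the VPN interface only; together with the
  # listenAddress above this keeps metrics off the public interfaces.
  networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
    config.services.prometheus.exporters.nginx.port
  ];
}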