feat: added nginx shared config

2023-12-05 03:05:22 +01:00 · 2023-12-05 03:05:22 +01:00 · 640cfafe3f
parent 1297ce409f
commit 640cfafe3f
1 changed files with 100 additions and 0 deletions
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -0,0 +1,100 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit
+    (lib)
+    mkBefore
+    mkIf
+    mkOption
+    types
+    ;
+in {
+  options.services.nginx.virtualHosts = mkOption {
+    type = types.attrsOf (types.submodule {
+      options.locations = mkOption {
+        type = types.attrsOf (types.submodule ({config, ...}: {
+          options = {
+            recommendedSecurityHeaders = mkOption {
+              type = types.bool;
+              default = true;
+              description = "Whether to add additional security headers to this location.";
+            };
+
+            X-Frame-Options = mkOption {
+              type = types.str;
+              default = "DENY";
+              description = "The value to use for X-Frame-Options";
+            };
+          };
+          config = mkIf config.recommendedSecurityHeaders {
+            extraConfig = mkBefore ''
+              # Enable HTTP Strict Transport Security (HSTS)
+              add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+
+              # Minimize information leaked to other domains
+              add_header Referrer-Policy "origin-when-cross-origin";
+
+              add_header X-XSS-Protection "1; mode=block";
+              add_header X-Frame-Options "${config.X-Frame-Options}";
+              add_header X-Content-Type-Options "nosniff";
+            '';
+          };
+        }));
+      };
+    });
+  };
+
+  config = mkIf config.services.nginx.enable {
+    age.secrets."dhparams.pem" = {
+      generator.script = "dhparams";
+      mode = "440";
+      group = "nginx";
+    };
+
+    # Sensible defaults for nginx
+    services.nginx = {
+      recommendedBrotliSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      # SSL config
+      sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
+      sslDhparam = config.age.secrets."dhparams.pem".path;
+      commonHttpConfig = ''
+        log_format json_combined escape=json '{'
+          '"time": $msec,'
+          '"remote_addr":"$remote_addr",'
+          '"status":$status,'
+          '"method":"$request_method",'
+          '"host":"$host",'
+          '"uri":"$request_uri",'
+          '"request_size":$request_length,'
+          '"response_size":$body_bytes_sent,'
+          '"response_time":$request_time,'
+          '"referrer":"$http_referer",'
+          '"user_agent":"$http_user_agent"'
+        '}';
+        error_log syslog:server=unix:/dev/log,nohostname;
+        access_log syslog:server=unix:/dev/log,nohostname json_combined;
+        ssl_ecdh_curve secp384r1;
+      '';
+
+      # Default host that rejects everything.
+      # This is selected when no matching host is found for a request.
+      virtualHosts.dummy = {
+        listenAddresses = ["127.0.0.1" "[::1]"];
+        default = true;
+        rejectSSL = true;
+        locations."/".extraConfig = ''
+          deny all;
+        '';
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [80 443];
+  };
+}