diff options
| author | seth <[email protected]> | 2023-05-11 15:17:04 -0400 |
|---|---|---|
| committer | seth <[email protected]> | 2023-05-11 15:17:04 -0400 |
| commit | 80b8b787317334c6b635555696832454c9417a17 (patch) | |
| tree | 1fd7c18bc71c2e767fe65c8d6f2e89fe474c7511 /hosts/p-body/nginx.nix | |
| parent | 0122e3ff143c08a80de296fc740874d5e824b8fd (diff) | |
p-body: caddy -> nginx
Diffstat (limited to 'hosts/p-body/nginx.nix')
| -rw-r--r-- | hosts/p-body/nginx.nix | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/hosts/p-body/nginx.nix b/hosts/p-body/nginx.nix new file mode 100644 index 0000000..328e6e4 --- /dev/null +++ b/hosts/p-body/nginx.nix @@ -0,0 +1,73 @@ +{config, ...}: let + inherit (config.networking) domain; +in { + security.acme = { + acceptTerms = true; + defaults.email = "[email protected]"; + }; + + services.nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + commonHttpConfig = '' + + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # Enable XSS protection of the browser. + # May be unnecessary when CSP is configured properly (see above) + add_header X-XSS-Protection "1; mode=block"; + + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + + ''; + + virtualHosts = let + common = { + forceSSL = false; + enableACME = false; + }; + + mkProxy = endpoint: port: { + "${endpoint}".proxyPass = "http://127.0.0.1:${port}"; + }; + in { + "${domain}" = { + inherit (common) enableACME forceSSL; + + default = true; + serverAliases = ["www.${domain}"]; + + locations = mkProxy "/" config.services.guzzle-api.port; + #{ + # "/" = { + # root = "/var/www"; + # }; + #}; + #// mkProxy "/api" config.services.guzzle-api.port; + }; + }; + }; +} |