############################################################################################## # Includes: # # - Nginx + SSL config # # - Gitea # # - Hydra # # - Nextcloud # # - Mail ssl root # ############################################################################################## { options, config, lib, pkgs, ... }: with lib; with builtins; mkIf (elem "nginx" config.machine.services) { services.nginx = let vHostConfigs = listToAttrs ( map (name: { name = replaceStrings [ ".nix" ] [ "" ] name; value = import (./. + (toPath "/nginx_vHosts/${name}")) { inherit options config lib pkgs ; }; }) (attrNames (readDir ./nginx_vHosts)) ); mkVHost = vHost: { name = vHost.domain; value = { enableACME = true; forceSSL = true; acmeRoot = "/var/lib/acme/acme-challenge"; } // vHostConfigs."${vHost.service}"; }; vHosts = listToAttrs (map mkVHost config.machine.vHosts); in { enable = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; sslProtocols = "TLSv1.3 TLSv1.2"; commonHttpConfig = '' map $scheme $hsts_header { https "max-age=31536000; includeSubdomains; preload"; } add_header Strict-Transport-Security $hsts_header; add_header 'Referrer-Policy' 'origin-when-cross-origin'; # add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; ''; virtualHosts = vHosts; }; }