60 lines
2.3 KiB
Nix
60 lines
2.3 KiB
Nix
##############################################################################################
|
|
# Includes: #
|
|
# - Nginx + SSL config #
|
|
# - Gitea #
|
|
# - Hydra #
|
|
# - Nextcloud #
|
|
# - Mail ssl root #
|
|
##############################################################################################
|
|
{
|
|
options,
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
with lib;
|
|
with builtins;
|
|
mkIf (elem "nginx" config.machine.services) {
|
|
services.nginx = let
|
|
vHostConfigs = listToAttrs (map
|
|
(name: {
|
|
name = replaceStrings [".nix"] [""] name;
|
|
value = import (./. + (toPath "/nginx_vHosts/${name}")) {inherit options config lib pkgs;};
|
|
})
|
|
(attrNames (readDir ./nginx_vHosts)));
|
|
|
|
mkVHost = vHost: {
|
|
name = vHost.domain;
|
|
value =
|
|
{
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
acmeRoot = "/var/lib/acme/acme-challenge";
|
|
}
|
|
// vHostConfigs."${vHost.service}";
|
|
};
|
|
|
|
vHosts = listToAttrs (map mkVHost config.machine.vHosts);
|
|
in {
|
|
enable = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
|
|
sslProtocols = "TLSv1.3 TLSv1.2";
|
|
commonHttpConfig = ''
|
|
map $scheme $hsts_header {
|
|
https "max-age=31536000; includeSubdomains; preload";
|
|
}
|
|
add_header Strict-Transport-Security $hsts_header;
|
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
|
# add_header X-Frame-Options DENY;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
'';
|
|
virtualHosts = vHosts;
|
|
};
|
|
}
|