nixos/services/nginx.nix

59 lines
2.3 KiB
Nix

##############################################################################################
# Includes: #
# - Nginx + SSL config #
# - Gitea #
# - Hydra #
# - Nextcloud #
# - Mail ssl root #
##############################################################################################
{
options,
config,
lib,
pkgs,
...
}:
with lib;
with builtins;
mkIf (elem "nginx" config.machine.services) {
services.nginx = let
vHostConfigs = listToAttrs (map
(name: {
name = replaceStrings [".nix"] [""] name;
value = import (./. + (toPath "/nginx_vHosts/${name}")) {inherit options config lib pkgs;};
})
(attrNames (readDir ./nginx_vHosts)));
mkVHost = vHost: {
name = vHost.domain;
value =
{
enableACME = true;
forceSSL = true;
acmeRoot = "/var/lib/acme/acme-challenge";
}
// vHostConfigs."${vHost.service}";
};
vHosts = listToAttrs (map mkVHost config.machine.vHosts);
in {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
sslProtocols = "TLSv1.3 TLSv1.2";
commonHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
'';
virtualHosts = vHosts;
};
}