53 lines
2.1 KiB
Nix
53 lines
2.1 KiB
Nix
##############################################################################################
|
|
# Includes: #
|
|
# - Nginx + SSL config #
|
|
# - Gitea #
|
|
# - Hydra #
|
|
# - Nextcloud #
|
|
# - Mail ssl root #
|
|
##############################################################################################
|
|
|
|
{ options, config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
with builtins;
|
|
|
|
mkIf (elem "nginx" config.machine.services) {
|
|
services.nginx = let
|
|
vHostConfigs = listToAttrs (map
|
|
(name: {
|
|
name = (replaceStrings [ ".nix" ] [ "" ] name);
|
|
value = (import (./. + (toPath "/nginx_vHosts/${name}")) { inherit options config lib pkgs; });})
|
|
(attrNames (readDir ./nginx_vHosts)));
|
|
|
|
mkVHost = vHost: {
|
|
name = vHost.domain;
|
|
value = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
} // vHostConfigs."${vHost.service}"; };
|
|
|
|
vHosts = listToAttrs (map mkVHost config.machine.vHosts);
|
|
|
|
in {
|
|
enable = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
|
|
sslProtocols = "TLSv1.3 TLSv1.2";
|
|
commonHttpConfig = ''
|
|
map $scheme $hsts_header {
|
|
https "max-age=31536000; includeSubdomains; preload";
|
|
}
|
|
add_header Strict-Transport-Security $hsts_header;
|
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
|
# add_header X-Frame-Options DENY;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
'';
|
|
virtualHosts = vHosts;
|
|
};
|
|
}
|