nixos/services/nginx.nix
2019-10-06 18:30:47 +02:00

52 lines
2.1 KiB
Nix

##############################################################################################
# Includes: #
# - Nginx + SSL config #
# - Gitea #
# - Hydra #
# - Nextcloud #
# - Mail ssl root #
##############################################################################################
{ options, config, lib, pkgs, ... }:
with lib;
with builtins;
mkIf (elem "nginx" config.machine.services) {
services.nginx = let
vHostConfigs = listToAttrs (map
(name: {
name = (replaceStrings [ ".nix" ] [ "" ] name);
value = (import (./. + (toPath "/nginx_vHosts/${name}")) { inherit options config lib pkgs; });})
(attrNames (readDir ./nginx_vHosts)));
mkVHost = vHost: {
name = vHost.domain;
value = {
enableACME = true;
forceSSL = true;
} // vHostConfigs."${vHost.service}"; };
vHosts = listToAttrs (map mkVHost config.machine.vHosts);
in {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
sslProtocols = "TLSv1.3 TLSv1.2";
commonHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
'';
virtualHosts = vHosts;
};
}