mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-09 12:29:19 -08:00
57 lines
1.6 KiB
Nix
57 lines
1.6 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
...
|
|
}: let
|
|
inherit (lib.modules) mkIf mkDefault;
|
|
cfg = config.services.nginx;
|
|
in {
|
|
networking.firewall.interfaces.local.allowedTCPPorts = let
|
|
inherit (cfg.ssl) preread;
|
|
in
|
|
mkIf cfg.enable [
|
|
(
|
|
if preread.enable
|
|
then preread.serverPort
|
|
else cfg.defaultSSLListenPort
|
|
)
|
|
cfg.defaultHTTPListenPort
|
|
];
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
enableReload = mkDefault true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = false;
|
|
headers.set = {
|
|
Referrer-Policy = mkDefault "origin-when-cross-origin";
|
|
#Strict-Transport-Security = "$hsts_header";
|
|
#Content-Security-Policy = ''"script-src 'self'; object-src 'none'; base-uri 'none';" always'';
|
|
#X-Frame-Options = "DENY";
|
|
#X-Content-Type-Options = "nosniff";
|
|
#X-XSS-Protection = "1; mode=block";
|
|
};
|
|
accessLog.format = mkDefault "combined_host";
|
|
commonHttpConfig = ''
|
|
map $scheme $hsts_header {
|
|
https "max-age=31536000; includeSubdomains; preload";
|
|
}
|
|
log_format combined_host '$remote_addr@$scheme'
|
|
' - $remote_user@$host@$server_name:$server_port'
|
|
' [$time_local]'
|
|
' "$request" $status $body_bytes_sent'
|
|
' "$http_referer" "$http_user_agent"';
|
|
'';
|
|
clientMaxBodySize = mkDefault "512m";
|
|
virtualHosts.fallback = {
|
|
serverName = null;
|
|
default = mkDefault true;
|
|
reuseport = mkDefault true;
|
|
locations."/".extraConfig = ''
|
|
return 404;
|
|
'';
|
|
};
|
|
};
|
|
}
|