2021-03-05 15:57:21 +01:00
|
|
|
{ config, lib, ... }:
|
2021-09-08 01:12:56 +02:00
|
|
|
let
|
|
|
|
cfg = config.sbruder.nginx;
|
|
|
|
in
|
2021-03-05 15:57:21 +01:00
|
|
|
{
|
2021-09-08 01:12:56 +02:00
|
|
|
options.sbruder.nginx = {
|
|
|
|
hardening.enable = lib.mkEnableOption "nginx hardening";
|
|
|
|
privacy.enable = (lib.mkEnableOption "nginx privacy options") // { default = true; };
|
2023-12-16 10:19:20 +01:00
|
|
|
recommended.enable = (lib.mkEnableOption "recommended options") // { default = true; };
|
2021-09-08 01:12:56 +02:00
|
|
|
};
|
2021-03-05 15:57:21 +01:00
|
|
|
|
2021-09-08 01:12:56 +02:00
|
|
|
config = lib.mkMerge [
|
|
|
|
(lib.mkIf cfg.hardening.enable {
|
|
|
|
services.nginx.commonHttpConfig = ''
|
|
|
|
map $scheme $hsts_header {
|
|
|
|
https "max-age=31536000";
|
|
|
|
}
|
|
|
|
add_header Strict-Transport-Security $hsts_header;
|
2021-03-05 15:57:21 +01:00
|
|
|
|
2021-09-08 01:12:56 +02:00
|
|
|
add_header Referrer-Policy strict-origin;
|
|
|
|
add_header X-Content-Type-Options nosniff;
|
|
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
|
|
'';
|
|
|
|
})
|
|
|
|
(lib.mkIf cfg.privacy.enable {
|
|
|
|
services.nginx.commonHttpConfig = ''
|
|
|
|
access_log off;
|
|
|
|
'';
|
|
|
|
})
|
2023-12-16 10:19:20 +01:00
|
|
|
(lib.mkIf cfg.recommended.enable {
|
|
|
|
services.nginx = {
|
|
|
|
recommendedGzipSettings = lib.mkDefault true;
|
|
|
|
recommendedOptimisation = lib.mkDefault true;
|
|
|
|
recommendedProxySettings = lib.mkDefault true;
|
|
|
|
recommendedTlsSettings = lib.mkDefault true;
|
|
|
|
};
|
|
|
|
})
|
2021-09-08 01:12:56 +02:00
|
|
|
];
|
2021-03-05 15:57:21 +01:00
|
|
|
}
|