From 270f20d05b3337bca759f116fe8db215fadbff27 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Fri, 5 Mar 2021 15:57:21 +0100
Subject: [PATCH] Add nginx hardening option

---
 modules/default.nix | 1 +
 modules/nginx.nix | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 modules/nginx.nix

diff --git a/modules/default.nix b/modules/default.nix
index 25f7d95..8ecd4a3 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -47,6 +47,7 @@ in
     ./media-proxy.nix
     ./network-manager.nix
     ./nginx-interactive-index
+    ./nginx.nix
     ./office.nix
     ./prometheus/node_exporter.nix
     ./pubkeys.nix
diff --git a/modules/nginx.nix b/modules/nginx.nix
new file mode 100644
index 0000000..0931a21
--- /dev/null
+++ b/modules/nginx.nix
@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+{
+  options.sbruder.nginx.hardening.enable = lib.mkEnableOption "nginx hardening";
+
+  config = lib.mkIf config.sbruder.nginx.hardening.enable {
+    services.nginx.commonHttpConfig = ''
+      map $scheme $hsts_header {
+        https "max-age=31536000";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      add_header Referrer-Policy strict-origin;
+      add_header X-Content-Type-Options nosniff;
+      add_header X-Frame-Options SAMEORIGIN;
+    '';
+  };
+}
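Review bot: The four `add_header` directives in the new `commonHttpConfig` lack the `always` parameter, so nginx emits these headers only on success/redirect responses and leaves error pages (4xx/5xx) without HSTS, nosniff and X-Frame-Options. Appending `always` to each line, e.g. `add_header Strict-Transport-Security $hsts_header always;` and likewise for the Referrer-Policy, X-Content-Type-Options and X-Frame-Options lines, applies them to every response code. A second caveat worth a comment next to the `map`: nginx inherits `add_header` from the `http` block only into `server`/`location` blocks that define no `add_header` of their own, so any virtualHost or location using `extraConfig` to add a header silently drops this whole hardening set, which an `# NOTE: add_header inheritance is all-or-nothing per block` comment would warn the next maintainer about. The hunk is the entire new file, so nothing of the module lies outside it.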