Add nginx hardening option

2021-03-05 15:57:21 +01:00 · 2021-03-05 15:57:21 +01:00 · 270f20d05b
parent bdda31a807
commit 270f20d05b
2 changed files with 19 additions and 0 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@ -47,6 +47,7 @@ in
    ./media-proxy.nix
    ./network-manager.nix
    ./nginx-interactive-index
+    ./nginx.nix
    ./office.nix
    ./prometheus/node_exporter.nix
    ./pubkeys.nix
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+{
+  options.sbruder.nginx.hardening.enable = lib.mkEnableOption "nginx hardening";
+
+  config = lib.mkIf config.sbruder.nginx.hardening.enable {
+    services.nginx.commonHttpConfig = ''
+      map $scheme $hsts_header {
+        https   "max-age=31536000";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      add_header Referrer-Policy strict-origin;
+      add_header X-Content-Type-Options nosniff;
+      add_header X-Frame-Options SAMEORIGIN;
+    '';
+  };
+}