# SPDX-FileCopyrightText: 2020-2023 Simon Bruder # # SPDX-License-Identifier: AGPL-3.0-or-later { config, lib, ... }: let cfg = config.sbruder.nginx; in { options.sbruder.nginx = { hardening.enable = lib.mkEnableOption "nginx hardening"; privacy.enable = (lib.mkEnableOption "nginx privacy options") // { default = true; }; recommended.enable = (lib.mkEnableOption "recommended options") // { default = true; }; proxyv4 = { enable = (lib.mkEnableOption "PROXY protocol for IPv4 connections"); trustedAddresses = (lib.mkOption { type = lib.types.listOf lib.types.str; description = "Trusted addresses which can override the source address"; default = [ "10.0.0.0/8" "127.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ]; }); }; }; config = lib.mkMerge [ (lib.mkIf cfg.hardening.enable { services.nginx.commonHttpConfig = '' map $scheme $hsts_header { https "max-age=31536000"; } add_header Strict-Transport-Security $hsts_header; add_header Referrer-Policy strict-origin; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; ''; }) (lib.mkIf cfg.privacy.enable { services.nginx = { logError = "stderr crit"; # error (the default severity) logs potential PII (IP addresses) on 404 errors commonHttpConfig = '' access_log off; ''; }; }) (lib.mkIf cfg.recommended.enable { services.nginx = { recommendedGzipSettings = lib.mkDefault true; recommendedOptimisation = lib.mkDefault true; recommendedProxySettings = lib.mkDefault true; recommendedTlsSettings = lib.mkDefault true; resolver.addresses = [ "9.9.9.9" "[2620:fe::fe]" "149.112.112.112" "[2620:fe::9]" ]; }; }) (lib.mkIf cfg.proxyv4.enable { services.nginx = { commonHttpConfig = (lib.concatMapStrings (address: '' set_real_ip_from ${address}; '') cfg.proxyv4.trustedAddresses) + '' real_ip_header proxy_protocol; ''; defaultListen = [ { addr = "[::]"; port = 80; ssl = false; } { addr = "0.0.0.0"; port = 80; proxyProtocol = true; ssl = false; } { addr = "[::]"; port = 443; ssl = true; } { addr = "0.0.0.0"; port = 443; proxyProtocol = true; ssl = true; } ]; }; }) ]; }