Simon Bruder
f945341668
This applies the REUSE specification to the repository, so the licensing information can be tracked for every file individually.
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
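# NixOS module exposing three independent toggles under `sbruder.nginx`:
#   hardening   - HSTS and browser-side security headers (opt-in)
#   privacy     - turns nginx access logging off (on by default)
#   recommended - enables the nixpkgs `recommended*` nginx presets (on by default)
{ config, lib, ... }:
let
  cfg = config.sbruder.nginx;
in
{
  options.sbruder.nginx = {
    # mkEnableOption defaults to false, so the security headers below are only
    # emitted on hosts that set `sbruder.nginx.hardening.enable = true`.
    hardening.enable = lib.mkEnableOption "nginx hardening";
    privacy.enable = (lib.mkEnableOption "nginx privacy options") // { default = true; };
    recommended.enable = (lib.mkEnableOption "recommended options") // { default = true; };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.hardening.enable {
      # Security response headers, set once at the http level.
      #
      # * The map leaves $hsts_header empty for plain-HTTP requests; nginx does
      #   not emit a header whose value is empty, so HSTS is sent over TLS only.
      #   The policy is max-age of one year, without includeSubDomains/preload.
      # * `always` makes nginx attach the headers to every response. Without
      #   it, add_header applies only to a fixed set of 2xx/3xx status codes,
      #   so 4xx/5xx error pages would be served without these headers.
      # * nginx inherits add_header from the enclosing level only when the
      #   current server/location block has no add_header of its own. A vhost
      #   or location that adds any header must repeat these, or it silently
      #   loses all of them.
      services.nginx.commonHttpConfig = ''
        map $scheme $hsts_header {
          https "max-age=31536000";
        }
        add_header Strict-Transport-Security $hsts_header always;

        add_header Referrer-Policy strict-origin always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
      '';
    })
    (lib.mkIf cfg.privacy.enable {
      # Disables request logging at the http level (this toggle defaults to
      # true). Trade-off: no per-request record is kept for detection or
      # incident investigation. A vhost that needs one can declare its own
      # access_log directive. error_log is a separate directive and is not
      # touched here.
      services.nginx.commonHttpConfig = ''
        access_log off;
      '';
    })
    (lib.mkIf cfg.recommended.enable {
      # mkDefault keeps each preset overridable by a host's own configuration.
      services.nginx = {
        recommendedGzipSettings = lib.mkDefault true;
        recommendedOptimisation = lib.mkDefault true;
        recommendedProxySettings = lib.mkDefault true;
        recommendedTlsSettings = lib.mkDefault true;
      };
    })
  ];
}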