nixos-config/modules/nginx.nix
Simon Bruder f945341668
Relicense
This applies the REUSE specification to the repository, so the licensing
information can be tracked for every file individually.
2024-01-13 14:35:31 +01:00

44 lines
1.3 KiB
Nix

# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, ... }:
let
cfg = config.sbruder.nginx;
in
{
options.sbruder.nginx = {
hardening.enable = lib.mkEnableOption "nginx hardening";
privacy.enable = (lib.mkEnableOption "nginx privacy options") // { default = true; };
recommended.enable = (lib.mkEnableOption "recommended options") // { default = true; };
};
config = lib.mkMerge [
(lib.mkIf cfg.hardening.enable {
services.nginx.commonHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000";
}
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy strict-origin;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
'';
})
(lib.mkIf cfg.privacy.enable {
services.nginx.commonHttpConfig = ''
access_log off;
'';
})
(lib.mkIf cfg.recommended.enable {
services.nginx = {
recommendedGzipSettings = lib.mkDefault true;
recommendedOptimisation = lib.mkDefault true;
recommendedProxySettings = lib.mkDefault true;
recommendedTlsSettings = lib.mkDefault true;
};
})
];
}