From feac7c20bf5f681d7cb881a428236b17b6e578a9 Mon Sep 17 00:00:00 2001
From: Ahwx
Date: Thu, 26 Sep 2024 13:18:14 +0200
Subject: [PATCH] fixL certificates with acme for `*.liv.town`

---
 modules/services/nginx.nix | 47 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 modules/services/nginx.nix

diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
new file mode 100644
index 0000000..a44755a
--- /dev/null
+++ b/modules/services/nginx.nix
@@ -0,0 +1,47 @@
+{ pkgs, config, lib, ... }: {
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = lib.mkDefault "ahwx@ahwx.org";
+ certs = {
+ "liv.town" = {
+ domain = "*.liv.town";
+ extraDomainNames = [ "liv.town" ];
+ group = config.services.nginx.group;
+ dnsProvider = "desec";
+ environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
+ webroot = null;
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = false;
+ recommendedProxySettings = true;
+ clientMaxBodySize = lib.mkDefault "10G";
+
+ # Hardened TLS and HSTS preloading
+ appendHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Do not add HSTS header to HTTP requests.
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # # Enable CSP for your services. (THIS BREAKS SHARKEY!!!!!!!)
+ # add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # # This might create errors
+ # # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ };
+}
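Review bot: The deSEC API token read through `environmentFile = "/home/liv/desec.env"` sits under a user's home directory rather than a root-owned secret path, and nothing in this module creates the file or pins its ownership and mode, so the most sensitive input of the whole configuration is an unstated deployment precondition. Because the `dnsProvider = "desec"` DNS challenge presumably needs a token that can write records for the `liv.town` zone, compromise or tampering of that file reaches beyond this host's certificate; I would keep it root-owned with mode 0400 outside any user-writable directory, ideally provisioned by a secrets module, and at minimum replace the inline comment with `# DESEC_TOKEN=<token> — keep root-owned, mode 0400; this token can modify DNS records for the zone`. Separately, nginx drops the `add_header` lines in `appendHttpConfig` in any server or location block that declares its own `add_header`, so a comment such as `# NOTE: nginx does not inherit these add_header lines into any server/location that sets its own add_header` would save someone a surprised header scan. The `includeSubdomains; preload` value also commits every subdomain of `liv.town` to HTTPS irrevocably once submitted to the preload list, which is worth stating explicitly next to the map since the certificate here is a wildcard.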