fixL certificates with acme for *.liv.town

2025-12-04 15:00:13 +01:00 · 2024-09-26 13:18:14 +02:00 · 2024-09-26 13:18:14 +02:00 · feac7c20bf
commit feac7c20bf
parent f62e354f7f
1 changed files with 47 additions and 0 deletions
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -0,0 +1,47 @@
+{ pkgs, config, lib, ... }: {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = lib.mkDefault "ahwx@ahwx.org";
+    certs = {
+      "liv.town" = {
+        domain = "*.liv.town";
+        extraDomainNames = [ "liv.town" ];
+        group = config.services.nginx.group;
+        dnsProvider = "desec";
+        environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
+        webroot = null;
+       };
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = false;
+    recommendedProxySettings = true;
+    clientMaxBodySize = lib.mkDefault "10G";
+
+    # Hardened TLS and HSTS preloading
+    appendHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Do not add HSTS header to HTTP requests.
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # # Enable CSP for your services. (THIS BREAKS SHARKEY!!!!!!!)
+      # add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      #   # This might create errors
+      #   # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+}