chore: migrate nginx and site

2025-07-27 18:17:44 +00:00 · 2025-02-23 00:35:35 +03:00 · 2025-02-23 00:35:35 +03:00 · 0dd43e11e9
commit 0dd43e11e9
parent 5a485ffa16
6 changed files with 129 additions and 11 deletions
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }: let
+  inherit (lib) enabled mkConst;
+in {
+  options.nginxSslTemplate = mkConst {
+    forceSSL    = true;
+    quic        = true;
+    useACMEHost = config.networking.domain;
+  };
+
+  options.nginxHeaders = mkConst ''
+    add_header Strict-Transport-Security $hsts_header;
+
+    add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+    add_header Referrer-Policy no-referrer;
+
+    add_header X-Frame-Options DENY;
+
+    add_header X-Content-Type-Options nosniff;
+  '';
+
+  config.networking.firewall = {
+    allowedTCPPorts = [ 443 80 ];
+    allowedUDPPorts = [ 443 ];
+  };
+
+  config.services.prometheus.exporters.nginx = enabled {
+    listenAddress = "[::]";
+  };
+
+  config.acmeUsers = [ "nginx" ];
+
+  config.services.nginx = enabled {
+    package = pkgs.nginxQuic;
+
+    statusPage = true;
+
+    recommendedBrotliSettings = true;
+    recommendedGzipSettings   = true;
+    recommendedZstdSettings   = true;
+
+    recommendedOptimisation   = true;
+    recommendedProxySettings  = true;
+    recommendedTlsSettings    = true;
+
+    commonHttpConfig = ''
+      map $scheme $hsts_header {
+        https "max-age=31536000; includeSubdomains; preload";
+      }
+
+      ${config.nginxHeaders}
+
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+}