nix-config/hosts/cloud/proxy/default.nix

{ config, ... }:
{
  imports = [
    ./auth.nix
    ./dav.nix
  ];

  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  services.nginx = {
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;

    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    appendHttpConfig = ''
      # upgrade websockets
      map $http_upgrade $connection_upgrade_keepalive {
        default upgrade;
        '''      ''';
      }

      ### TLS
      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;

      # Enable CSP for your services.
      # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'origin-when-cross-origin';

      # Disable embedding as a frame
      # add_header X-Frame-Options DENY;

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;
    '';
    # default vhost
    virtualHosts."oxapentane.com" = {
      forceSSL = true;
      enableACME = true;
      # default = true;
      locations."/" = {
        return = "503";
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@oxapentane.com";
  };
}
cloud: basic nginx setup 2025-01-13 21:04:48 +01:00			`{ config, ... }:`
			`{`
			`imports = [`
yeet authentik, add keycloak and radicale 2025-01-14 21:24:05 +00:00			`./auth.nix`
proxy authentik and dav with sso 2025-01-21 00:16:31 +00:00			`./dav.nix`
cloud: basic nginx setup 2025-01-13 21:04:48 +01:00			`];`

treefmt 2025-01-19 20:47:09 +01:00			`networking.firewall.allowedTCPPorts = [`
			`80`
			`443`
			`];`
cloud: basic nginx setup 2025-01-13 21:04:48 +01:00
			`services.nginx = {`
			`enable = true;`

			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedTlsSettings = true;`

			`sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";`

			`appendHttpConfig = ''`
proxy authentik and dav with sso 2025-01-21 00:16:31 +00:00			`# upgrade websockets`
			`map $http_upgrade $connection_upgrade_keepalive {`
			`default upgrade;`
			`''' ''';`
			`}`
proxy radicale directly for the time being 2025-01-20 17:19:29 +00:00
proxy authentik 2025-01-13 22:39:06 +00:00			`### TLS`
cloud: basic nginx setup 2025-01-13 21:04:48 +01:00			`# Add HSTS header with preloading to HTTPS requests.`
			`# Adding this header to HTTP requests is discouraged`
			`map $scheme $hsts_header {`
			`https "max-age=31536000; includeSubdomains; preload";`
			`}`
			`add_header Strict-Transport-Security $hsts_header;`

			`# Enable CSP for your services.`
yeet authentik, add keycloak and radicale 2025-01-14 21:24:05 +00:00			`# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;`
cloud: basic nginx setup 2025-01-13 21:04:48 +01:00
			`# Minimize information leaked to other domains`
			`add_header 'Referrer-Policy' 'origin-when-cross-origin';`

			`# Disable embedding as a frame`
yeet authentik, add keycloak and radicale 2025-01-14 21:24:05 +00:00			`# add_header X-Frame-Options DENY;`
cloud: basic nginx setup 2025-01-13 21:04:48 +01:00
			`# Prevent injection of code in other mime types (XSS Attacks)`
			`add_header X-Content-Type-Options nosniff;`
			`'';`
			`# default vhost`
			`virtualHosts."oxapentane.com" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`# default = true;`
			`locations."/" = {`
yeet authentik, add keycloak and radicale 2025-01-14 21:24:05 +00:00			`return = "503";`
cloud: basic nginx setup 2025-01-13 21:04:48 +01:00			`};`
			`};`
			`};`

			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "acme@oxapentane.com";`
			`};`
			`}`