From 1d55b0facf46881e3b5f09d90ae2414fc6131bf3 Mon Sep 17 00:00:00 2001
From: Grisha Shipunov
Date: Mon, 13 Jan 2025 21:04:48 +0100
Subject: [PATCH] cloud: basic nginx setup

---
 hosts/cloud/default.nix | 1 +
 hosts/cloud/proxy/default.nix | 58 ++++++++++++++++++++++++++++
 hosts/cloud/proxy/proxy.nix | 4 ++
 modules/basic-tools/multiplexers.nix | 3 ++
 4 files changed, 66 insertions(+)
 create mode 100644 hosts/cloud/proxy/default.nix
 create mode 100644 hosts/cloud/proxy/proxy.nix

diff --git a/hosts/cloud/default.nix b/hosts/cloud/default.nix
index 78ebe7a..c848297 100644
--- a/hosts/cloud/default.nix
+++ b/hosts/cloud/default.nix
@@ -4,6 +4,7 @@
 ./configuration.nix
 ./hardware-configuration.nix
 ./networking.nix
+ ./proxy
 ./secrets.nix
 ];
 }
diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix
new file mode 100644
index 0000000..6d58845
--- /dev/null
+++ b/hosts/cloud/proxy/default.nix
@@ -0,0 +1,58 @@
+{ config, ... }:
+{
+ imports = [
+ ./proxy.nix
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ appendHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+ '';
+ # default vhost
+ virtualHosts."oxapentane.com" = {
+ forceSSL = true;
+ enableACME = true;
+ # default = true;
+ locations."/" = {
+ return = "200 '

¯\\_(ツ)_/¯

'";
+ extraConfig = ''
+ default_type text/html;
+ '';
+
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@oxapentane.com";
+ };
+}
diff --git a/hosts/cloud/proxy/proxy.nix b/hosts/cloud/proxy/proxy.nix
new file mode 100644
index 0000000..facb35d
--- /dev/null
+++ b/hosts/cloud/proxy/proxy.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}
diff --git a/modules/basic-tools/multiplexers.nix b/modules/basic-tools/multiplexers.nix
index b744942..027be2e 100644
--- a/modules/basic-tools/multiplexers.nix
+++ b/modules/basic-tools/multiplexers.nix
@@ -17,6 +17,9 @@
 # set focus events set-option -g focus-events on + # enable mouse + set -g mouse on + # curlies set -as terminal-overrides ',*:Smulx=\E[4::%p1%dm' # undercurl support set -as terminal-overrides ',*:Setulc=\E[58::2::%p1%{65536}%/%d::%p1%{256}%/%{255}%&%d::%p1%{255}%&%d%;m' # underscore colours - needs tmux-3.0
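Review bot: The security headers in appendHttpConfig (HSTS, CSP, Referrer-Policy, X-Frame-Options, X-Content-Type-Options) live at the http level, and nginx's add_header is inherited only into server/location blocks that declare no add_header of their own, so any vhost or location later added in proxy.nix that sets even one header will silently lose all of these for that scope; a comment next to the map such as `# NOTE: nginx does not merge add_header across levels - a vhost/location that sets its own add_header must repeat these` would keep that from surprising the next edit, or the headers could be moved into a snippet included per location. Separately, `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` overrides the module's cipher list even though recommendedTlsSettings = true is set; if I read the NixOS option correctly, its default already tracks a modern Mozilla-style list (including ChaCha20 suites that this string excludes), so the override appears to loosen rather than tighten the TLS configuration and could be dropped unless there is a specific reason for it. The `# default vhost` comment also does not match the code, since `# default = true;` is commented out and this vhost is only the default by virtue of being the first one defined.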