cloud: basic nginx setup
This commit is contained in:
parent
c1ec242ef0
commit
1d55b0facf
4 changed files with 66 additions and 0 deletions
|
|
@ -4,6 +4,7 @@
|
||||||
./configuration.nix
|
./configuration.nix
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./networking.nix
|
./networking.nix
|
||||||
|
./proxy
|
||||||
./secrets.nix
|
./secrets.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
||||||
58
hosts/cloud/proxy/default.nix
Normal file
58
hosts/cloud/proxy/default.nix
Normal file
|
|
@ -0,0 +1,58 @@
|
||||||
|
{ config, ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./proxy.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
|
||||||
|
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
||||||
|
|
||||||
|
appendHttpConfig = ''
|
||||||
|
# Add HSTS header with preloading to HTTPS requests.
|
||||||
|
# Adding this header to HTTP requests is discouraged
|
||||||
|
map $scheme $hsts_header {
|
||||||
|
https "max-age=31536000; includeSubdomains; preload";
|
||||||
|
}
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
|
||||||
|
# Enable CSP for your services.
|
||||||
|
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
|
||||||
|
# Minimize information leaked to other domains
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
|
||||||
|
# Disable embedding as a frame
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
|
||||||
|
# Prevent injection of code in other mime types (XSS Attacks)
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
'';
|
||||||
|
# default vhost
|
||||||
|
virtualHosts."oxapentane.com" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
# default = true;
|
||||||
|
locations."/" = {
|
||||||
|
return = "200 '<html><body><h1>¯\\_(ツ)_/¯</h1></body></html>'";
|
||||||
|
extraConfig = ''
|
||||||
|
default_type text/html;
|
||||||
|
'';
|
||||||
|
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults.email = "acme@oxapentane.com";
|
||||||
|
};
|
||||||
|
}
|
||||||
4
hosts/cloud/proxy/proxy.nix
Normal file
4
hosts/cloud/proxy/proxy.nix
Normal file
|
|
@ -0,0 +1,4 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
|
||||||
|
}
|
||||||
|
|
@ -17,6 +17,9 @@
|
||||||
# set focus events
|
# set focus events
|
||||||
set-option -g focus-events on
|
set-option -g focus-events on
|
||||||
|
|
||||||
|
# enable mouse
|
||||||
|
set -g mouse on
|
||||||
|
|
||||||
# curlies
|
# curlies
|
||||||
set -as terminal-overrides ',*:Smulx=\E[4::%p1%dm' # undercurl support
|
set -as terminal-overrides ',*:Smulx=\E[4::%p1%dm' # undercurl support
|
||||||
set -as terminal-overrides ',*:Setulc=\E[58::2::%p1%{65536}%/%d::%p1%{256}%/%{255}%&%d::%p1%{255}%&%d%;m' # underscore colours - needs tmux-3.0
|
set -as terminal-overrides ',*:Setulc=\E[58::2::%p1%{65536}%/%d::%p1%{256}%/%{255}%&%d::%p1%{255}%&%d%;m' # underscore colours - needs tmux-3.0
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue