cloud: basic nginx setup

2025-01-13 21:04:48 +01:00 · 2025-01-13 21:04:48 +01:00 · 1d55b0facf
commit 1d55b0facf
parent c1ec242ef0
4 changed files with 66 additions and 0 deletions
--- a/hosts/cloud/default.nix
+++ b/hosts/cloud/default.nix
@ -4,6 +4,7 @@
    ./configuration.nix
    ./hardware-configuration.nix
    ./networking.nix
+    ./proxy
    ./secrets.nix
  ];
 }
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@ -0,0 +1,58 @@
+{ config, ... }:
+{
+  imports = [
+    ./proxy.nix
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+    appendHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Enable CSP for your services.
+      add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+    '';
+    # default vhost
+    virtualHosts."oxapentane.com" = {
+      forceSSL = true;
+      enableACME = true;
+      # default = true;
+      locations."/" = {
+        return = "200 '<html><body><h1>¯\\_(ツ)_/¯</h1></body></html>'";
+        extraConfig = ''
+          default_type text/html;
+        '';
+
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@oxapentane.com";
+  };
+}
--- a/hosts/cloud/proxy/proxy.nix
+++ b/hosts/cloud/proxy/proxy.nix
@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}
--- a/modules/basic-tools/multiplexers.nix
+++ b/modules/basic-tools/multiplexers.nix
@ -17,6 +17,9 @@
      # set focus events
      set-option -g focus-events on

+      # enable mouse
+      set -g mouse on
+
      # curlies
      set -as terminal-overrides ',*:Smulx=\E[4::%p1%dm'  # undercurl support
      set -as terminal-overrides ',*:Setulc=\E[58::2::%p1%{65536}%/%d::%p1%{256}%/%{255}%&%d::%p1%{255}%&%d%;m'  # underscore colours - needs tmux-3.0