nix-server/modules/nginx.nix

{
  lib,
  pkgs,
  config,
  ...
}:
{
  services.nginx = {
    enable = true;

    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;

    appendHttpConfig = ''
      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged
      map $scheme $hsts_header {
          https   "max-age=63072000; includeSubDomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;

      add_header 'Referrer-Policy' 'same-origin';
      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;
    '';
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "hackerncoder+acme@encryptionin.space";
  };
}
Add forgejo 2024-09-20 15:10:06 +00:00			`{`
			`lib,`
			`pkgs,`
			`config,`
			`...`
			`}:`
			`{`
			`services.nginx = {`
			`enable = true;`

			`recommendedTlsSettings = true;`
			`recommendedProxySettings = true;`
			`recommendedOptimisation = true;`
			`recommendedGzipSettings = true;`

			`appendHttpConfig = ''`
			`# Add HSTS header with preloading to HTTPS requests.`
			`# Adding this header to HTTP requests is discouraged`
			`map $scheme $hsts_header {`
			`https "max-age=63072000; includeSubDomains; preload";`
			`}`
			`add_header Strict-Transport-Security $hsts_header;`

			`add_header 'Referrer-Policy' 'same-origin';`
			`add_header X-Frame-Options DENY;`
			`add_header X-Content-Type-Options nosniff;`
			`'';`
			`};`

			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "hackerncoder+acme@encryptionin.space";`
			`};`
			`}`