Diffstat (limited to 'common/nginx.nix')
-rw-r--r--common/nginx.nix55
1 files changed, 55 insertions, 0 deletions
diff --git a/common/nginx.nix b/common/nginx.nix
new file mode 100644
index 0000000..1c4a6f1
--- /dev/null
+++ b/common/nginx.nix
@@ -0,0 +1,55 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ services.nginx = {
+ enable = true;
+ package = pkgs.nginx.override {
+ modules = [
+ pkgs.nginxModules.moreheaders
+ pkgs.nginxModules.brotli
+ ];
+ };
+
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedUwsgiSettings = true;
+ recommendedProxySettings = true;
+ recommendedBrotliSettings = true;
+
+ sslCiphers = "EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM:EDH+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL";
+
+ appendHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ more_set_headers 'Strict-Transport-Security: $hsts_header';
+ more_set_headers 'Content-Security-Policy: upgrade-insecure-requests';
+ more_set_headers 'Referrer-Policy: origin-when-cross-origin';
+ more_set_headers 'X-Frame-Options: SAMEORIGIN';
+ more_set_headers 'X-Content-Type-Options: nosniff';
+ more_set_headers 'X-XSS-Protection: 0';
+ '';
+ };
+
+ services.phpfpm.pools.mypool = {
+ user = "nobody";
+ settings = {
+ "pm" = "dynamic";
+ "listen.owner" = config.services.nginx.user;
+ "pm.max_children" = 75;
+ "pm.start_servers" = 10;
+ "pm.min_spare_servers" = 5;
+ "pm.max_spare_servers" = 20;
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "security@${config.customOps.domain.fqdn}";
+ };
+}
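Review bot: The `more_set_headers 'Content-Security-Policy: upgrade-insecure-requests'` line in appendHttpConfig applies to every response served by this nginx, and as I understand headers-more semantics `more_set_headers` replaces an existing header of the same name rather than adding to it, so any stricter CSP emitted by an upstream application would be overwritten by a policy that carries no source restrictions at all; the same applies to the `X-Frame-Options` line. If the intent is only to set defaults, a comment such as `# NOTE: more_set_headers overrides upstream headers of the same name; per-vhost policies must be set here, not in the backend` would at least make the trade-off explicit, and otherwise these headers belong in the virtualHost blocks that need them. Separately, the php-fpm pool runs as the shared `nobody` account (`user = "nobody"`) while only `listen.owner` is set; a dedicated pool user and an explicit `listen.group`/`listen.mode` would keep the socket and worker privileges scoped to this pool.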