blob: 1c4a6f17361ed027efee6b246d50ffd2dda4db96 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
{
config,
pkgs,
...
}: {
networking.firewall.allowedTCPPorts = [80 443];
services.nginx = {
enable = true;
package = pkgs.nginx.override {
modules = [
pkgs.nginxModules.moreheaders
pkgs.nginxModules.brotli
];
};
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedUwsgiSettings = true;
recommendedProxySettings = true;
recommendedBrotliSettings = true;
sslCiphers = "EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM:EDH+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
more_set_headers 'Strict-Transport-Security: $hsts_header';
more_set_headers 'Content-Security-Policy: upgrade-insecure-requests';
more_set_headers 'Referrer-Policy: origin-when-cross-origin';
more_set_headers 'X-Frame-Options: SAMEORIGIN';
more_set_headers 'X-Content-Type-Options: nosniff';
more_set_headers 'X-XSS-Protection: 0';
'';
};
services.phpfpm.pools.mypool = {
user = "nobody";
settings = {
"pm" = "dynamic";
"listen.owner" = config.services.nginx.user;
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
};
};
security.acme = {
acceptTerms = true;
defaults.email = "security@${config.customOps.domain.fqdn}";
};
}
|
