68 lines
1.6 KiB
Nix
68 lines
1.6 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
...
|
|
}: let
|
|
customDomain = config.customOps.domain.fqdn;
|
|
in {
|
|
imports = [
|
|
./captiveportal.nix
|
|
./tor-snowflake.nix
|
|
./aur.nix
|
|
];
|
|
|
|
networking.firewall.allowedTCPPorts = [80 443];
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
package = pkgs.nginx.override {
|
|
modules = [
|
|
pkgs.nginxModules.moreheaders
|
|
];
|
|
};
|
|
|
|
recommendedTlsSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedUwsgiSettings = true;
|
|
recommendedProxySettings = true;
|
|
recommendedBrotliSettings = true;
|
|
|
|
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
|
|
|
appendHttpConfig = ''
|
|
map $scheme $hsts_header {
|
|
https "max-age=31536000; includeSubdomains; preload";
|
|
}
|
|
more_set_headers 'Strict-Transport-Security: $hsts_header';
|
|
more_set_headers 'Content-Security-Policy: upgrade-insecure-requests; default-src "self"';
|
|
more_set_headers 'Referrer-Policy: origin-when-cross-origin';
|
|
more_set_headers 'X-Frame-Options: DENY';
|
|
more_set_headers 'X-Content-Type-Options: nosniff';
|
|
'';
|
|
|
|
virtualHosts.${customDomain} = {
|
|
default = true;
|
|
root = "/var/www/${customDomain}";
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
};
|
|
};
|
|
|
|
services.phpfpm.pools.mypool = {
|
|
user = "nobody";
|
|
settings = {
|
|
"pm" = "dynamic";
|
|
"listen.owner" = config.services.nginx.user;
|
|
"pm.max_children" = 75;
|
|
"pm.start_servers" = 10;
|
|
"pm.min_spare_servers" = 5;
|
|
"pm.max_spare_servers" = 20;
|
|
};
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = "security@${config.mailserver.fqdn}";
|
|
};
|
|
}
|