init commit

2026-01-19 21:47:18 +00:00 · 2026-01-19 21:47:18 +00:00 · 181e6f681e
commit 181e6f681e
22 changed files with 940 additions and 0 deletions
--- a/pkgs/nginx.nix
+++ b/pkgs/nginx.nix
@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+
+{
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+    # recommendedProxySettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+    appendHttpConfig = ''
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options SAMEORIGIN;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # error_log /var/log/nginx/error.log debug;
+      # error_log stderr;
+      # access_log syslog:server=unix:/dev/log combined;
+    '';
+  };
+
+   security.acme = {
+     acceptTerms = true;
+     defaults.email = "me@lukadeka.com";
+   };
+
+   networking.firewall = {
+     enable = true;
+     allowedTCPPorts = [ 80 443 ];
+   };
+}
+