feat: harden nginx
This commit is contained in:
parent
86722826de
commit
11e2fc2b1f
1 changed files with 14 additions and 1 deletions
|
@ -1,4 +1,8 @@
|
|||
{pkgs, ...}: let
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
|
||||
mkdir "$out"
|
||||
openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
|
||||
|
@ -8,10 +12,12 @@ in {
|
|||
enable = true;
|
||||
package = pkgs.nginxMainline;
|
||||
|
||||
recommendedBrotliSettings = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedZstdSettings = true;
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/issues/180980#issuecomment-1179723811
|
||||
virtualHosts = {
|
||||
|
@ -32,6 +38,13 @@ in {
|
|||
sslCertificateKey = "${snakeoilCert}/cert.key";
|
||||
};
|
||||
};
|
||||
|
||||
sslDhparam = config.security.dhparams.params.nginx.path;
|
||||
};
|
||||
|
||||
security.dhparams = {
|
||||
enable = true;
|
||||
params.nginx = {};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [80 443];
|
||||
|
|
Loading…
Reference in a new issue