feat: harden nginx

config/services/nginx.nix

@@ -1,4 +1,8 @@
-{pkgs, ...}: let
+{
+  config,
+  pkgs,
+  ...
+}: let
   snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
     mkdir "$out"
     openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
@@ -8,10 +12,12 @@ in {
     enable = true;
     package = pkgs.nginxMainline;
 
+    recommendedBrotliSettings = true;
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
+    recommendedZstdSettings = true;
 
     # https://github.com/NixOS/nixpkgs/issues/180980#issuecomment-1179723811
     virtualHosts = {
@@ -32,6 +38,13 @@ in {
         sslCertificateKey = "${snakeoilCert}/cert.key";
       };
     };
+
+    sslDhparam = config.security.dhparams.params.nginx.path;
+  };
+
+  security.dhparams = {
+    enable = true;
+    params.nginx = {};
   };
 
   networking.firewall.allowedTCPPorts = [80 443];