feat: harden nginx
This commit is contained in:
parent
86722826de
commit
11e2fc2b1f
1 changed files with 14 additions and 1 deletions
|
@ -1,4 +1,8 @@
|
||||||
{pkgs, ...}: let
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
|
snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
|
||||||
mkdir "$out"
|
mkdir "$out"
|
||||||
openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
|
openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
|
||||||
|
@ -8,10 +12,12 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.nginxMainline;
|
package = pkgs.nginxMainline;
|
||||||
|
|
||||||
|
recommendedBrotliSettings = true;
|
||||||
recommendedGzipSettings = true;
|
recommendedGzipSettings = true;
|
||||||
recommendedOptimisation = true;
|
recommendedOptimisation = true;
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
recommendedTlsSettings = true;
|
recommendedTlsSettings = true;
|
||||||
|
recommendedZstdSettings = true;
|
||||||
|
|
||||||
# https://github.com/NixOS/nixpkgs/issues/180980#issuecomment-1179723811
|
# https://github.com/NixOS/nixpkgs/issues/180980#issuecomment-1179723811
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
|
@ -32,6 +38,13 @@ in {
|
||||||
sslCertificateKey = "${snakeoilCert}/cert.key";
|
sslCertificateKey = "${snakeoilCert}/cert.key";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sslDhparam = config.security.dhparams.params.nginx.path;
|
||||||
|
};
|
||||||
|
|
||||||
|
security.dhparams = {
|
||||||
|
enable = true;
|
||||||
|
params.nginx = {};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [80 443];
|
networking.firewall.allowedTCPPorts = [80 443];
|
||||||
|
|
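Review bot: The added `sslDhparam = config.security.dhparams.params.nginx.path;` in the third hunk is inert unless finite-field DHE cipher suites are actually offered: nginx only consults `ssl_dhparam` for DHE key exchange, and the NixOS module's default `sslCiphers` list used alongside `recommendedTlsSettings` is ECDHE-only, which this file does not override (it may be overridden elsewhere, which I cannot see here). As written, the `security.dhparams` block costs a parameter-generation run at activation for no change in negotiated ciphers; either drop it, or make the intent explicit with a comment such as `# only consulted if DHE suites are added to services.nginx.sslCiphers` above the line and set the cipher list deliberately. Separately, the new `recommendedBrotliSettings` and `recommendedZstdSettings` lines in the second hunk compress dynamic responses over TLS; for any vhost that reflects user-controlled input in the same response as a secret (session data, anti-CSRF tokens), response compression is the precondition for BREACH-style leakage, so consider limiting compression to static content types there. The `services.nginx` attribute set these hunks belong to opens and closes outside the visible hunks.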