configuration.nix/sys/mailserver/web.nix

{ config, pkgs, ... }: {
  services = {
    nginx = {
      # Use recommended settings
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;

      # Only allow PFS-enabled ciphers with AES256
      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

      appendHttpConfig = ''
        # Add HSTS header with preloading to HTTPS requests.
        # Adding this header to HTTP requests is discouraged
        map $scheme $hsts_header {
            https   "max-age=31536000; includeSubdomains; preload";
        }
        add_header Strict-Transport-Security $hsts_header;

        # Enable CSP for your services.
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

        # Minimize information leaked to other domains
        add_header 'Referrer-Policy' 'origin-when-cross-origin';

        # Disable embedding as a frame
        add_header X-Frame-Options DENY;

        # Prevent injection of code in other mime types (XSS Attacks)
        add_header X-Content-Type-Options nosniff;

        # This might create errors
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
      '';

      # Add any further config to match your needs, e.g.:
      virtualHosts =
        let
          base = locations: {
            inherit locations;

            forceSSL = true;
            enableACME = true;
          };
          proxy = port: base {
            "/".proxyPass = "http://127.0.0.1:" + toString (port) + "/";
          };
        in
        {
          "idimitrov.dev" = proxy 3000 // { default = true; };
        };
    };
  };
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
  };

}
split mail and web 2023-09-15 20:24:17 +02:00			`{ config, pkgs, ... }: {`
			`services = {`
			`nginx = {`
			`# Use recommended settings`
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`

			`# Only allow PFS-enabled ciphers with AES256`
			`sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";`

			`appendHttpConfig = ''`
			`# Add HSTS header with preloading to HTTPS requests.`
			`# Adding this header to HTTP requests is discouraged`
			`map $scheme $hsts_header {`
			`https "max-age=31536000; includeSubdomains; preload";`
			`}`
			`add_header Strict-Transport-Security $hsts_header;`

			`# Enable CSP for your services.`
			`#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;`

			`# Minimize information leaked to other domains`
			`add_header 'Referrer-Policy' 'origin-when-cross-origin';`

			`# Disable embedding as a frame`
			`add_header X-Frame-Options DENY;`

			`# Prevent injection of code in other mime types (XSS Attacks)`
			`add_header X-Content-Type-Options nosniff;`

			`# This might create errors`
			`proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";`
			`'';`

			`# Add any further config to match your needs, e.g.:`
			`virtualHosts =`
			`let`
			`base = locations: {`
			`inherit locations;`

			`forceSSL = true;`
			`enableACME = true;`
			`};`
			`proxy = port: base {`
			`"/".proxyPass = "http://127.0.0.1:" + toString (port) + "/";`
			`};`
			`in`
			`{`
			`"idimitrov.dev" = proxy 3000 // { default = true; };`
			`};`
			`};`
			`};`
			`networking.firewall = {`
			`enable = true;`
			`allowedTCPPorts = [ 80 443 ];`
			`};`

			`}`