diff --git a/sys/mailserver/configuration.nix b/sys/mailserver/configuration.nix index 8d2a6d2..c5db5c3 100644 --- a/sys/mailserver/configuration.nix +++ b/sys/mailserver/configuration.nix @@ -2,6 +2,7 @@ { imports = [ ./vpsadminos.nix + ./web.nix ]; services.openssh.enable = true; diff --git a/sys/mailserver/mailserver.nix b/sys/mailserver/mailserver.nix index 8f32c44..9d46caa 100644 --- a/sys/mailserver/mailserver.nix +++ b/sys/mailserver/mailserver.nix @@ -15,65 +15,6 @@ ''; }; - services = { - nginx = { - # Use recommended settings - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - # Only allow PFS-enabled ciphers with AES256 - sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - - appendHttpConfig = '' - # Add HSTS header with preloading to HTTPS requests. - # Adding this header to HTTP requests is discouraged - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - - # Enable CSP for your services. - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - - # Minimize information leaked to other domains - add_header 'Referrer-Policy' 'origin-when-cross-origin'; - - # Disable embedding as a frame - add_header X-Frame-Options DENY; - - # Prevent injection of code in other mime types (XSS Attacks) - add_header X-Content-Type-Options nosniff; - - # This might create errors - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - ''; - - # Add any further config to match your needs, e.g.: - virtualHosts = - let - base = locations: { - inherit locations; - - forceSSL = true; - enableACME = true; - }; - proxy = port: base { - "/".proxyPass = "http://127.0.0.1:" + toString (port) + "/"; - }; - in - { - "idimitrov.dev" = proxy 3000 // { default = true; }; - }; - }; - }; - - networking.firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - }; - mailserver = { enable = true; fqdn = "mail.idimitrov.dev"; diff --git a/sys/mailserver/web.nix b/sys/mailserver/web.nix new file mode 100644 index 0000000..0b95add --- /dev/null +++ b/sys/mailserver/web.nix @@ -0,0 +1,60 @@ +{ config, pkgs, ... }: { + services = { + nginx = { + # Use recommended settings + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # Only allow PFS-enabled ciphers with AES256 + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + appendHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + ''; + + # Add any further config to match your needs, e.g.: + virtualHosts = + let + base = locations: { + inherit locations; + + forceSSL = true; + enableACME = true; + }; + proxy = port: base { + "/".proxyPass = "http://127.0.0.1:" + toString (port) + "/"; + }; + in + { + "idimitrov.dev" = proxy 3000 // { default = true; }; + }; + }; + }; + networking.firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + +}