From c58488dab643cd19092eea38684586f47b7e7f3c Mon Sep 17 00:00:00 2001
From: Ivan Dimitrov
Date: Fri, 15 Sep 2023 20:44:25 +0300
Subject: [PATCH] nginx config

---
 sys/mailserver/mailserver.nix | 57 +++++++++++++++++++++++++++++------
 1 file changed, 47 insertions(+), 10 deletions(-)

diff --git a/sys/mailserver/mailserver.nix b/sys/mailserver/mailserver.nix
index 82fc6ab..d67164b 100644
--- a/sys/mailserver/mailserver.nix
+++ b/sys/mailserver/mailserver.nix
@@ -17,18 +17,55 @@ services = { nginx = { - virtualHosts = { - "idimitrov.dev" = { - addSSL = true; - enableACME = true; - locations = { - "/" = { - proxyPass = "http://localhost:3000/"; # Pointing to Next.js app - proxyWebsockets = true; - }; + # Use recommended settings + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # Only allow PFS-enabled ciphers with AES256 + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + appendHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + ''; + + # Add any further config to match your needs, e.g.: + virtualHosts = + let + base = locations: { + inherit locations; + + forceSSL = true; + enableACME = true; }; + proxy = port: base { + "/".proxyPass = "http://127.0.0.1:" + toString (port) + "/"; + }; + in + { + "idimitrov.dev" = proxy 3000 // { default = true; }; }; - }; }; };
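Review bot: The new `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` line replaces the nginx module's default cipher list with an OpenSSL selector that still admits CBC-mode suites (e.g. ECDHE-RSA-AES256-SHA) and drops the AES-128-GCM and ChaCha20 AEAD suites, so it is weaker than what `recommendedTlsSettings = true;` alone already configures; deleting the line, or spelling out AEAD-only suites, is the safer choice (it also has no effect on TLS 1.3 suites). The `add_header` directives in `appendHttpConfig` are inherited only by server/location blocks that declare no `add_header` of their own, so a single `add_header` added later in any virtualHost's `extraConfig` silently removes HSTS, X-Frame-Options and the rest for that scope — worth a comment such as `# NOTE: any add_header in a server/location block replaces every header set here`. `proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";` appears to rewrite only Set-Cookie headers that carry `path=/`, and `HttpOnly` plus `SameSite=strict` will break cookies the Next.js frontend reads from script or needs on a cross-site navigation (login redirects, links from mail); the `# This might create errors` comment should name which upstream cookies were checked. The removed `proxyWebsockets = true;` is not carried into the `proxy` helper, so WebSocket upgrades to port 3000 will no longer be proxied unless that is intended; if it is not, `"/".proxyWebsockets = true;` belongs next to `"/".proxyPass`.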