cleanup flake
This commit is contained in:
parent
c63137efa5
commit
21071efdd5
65
flake.nix
65
flake.nix
@ -9,12 +9,7 @@
|
|||||||
outputs = { self, nixpkgs }:
|
outputs = { self, nixpkgs }:
|
||||||
let
|
let
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
pkgs = nixpkgs.legacyPackages.x86_64-linux;
|
pkgs = nixpkgs.legacyPackages.${system};
|
||||||
lib = pkgs.lib;
|
|
||||||
stdenv = pkgs.stdenv;
|
|
||||||
pname = "idimitrov-dev";
|
|
||||||
version = "1.0.0";
|
|
||||||
src = ./.;
|
|
||||||
buildInputs = with pkgs; [
|
buildInputs = with pkgs; [
|
||||||
coreutils-full
|
coreutils-full
|
||||||
nodejs_20
|
nodejs_20
|
||||||
@ -35,64 +30,6 @@
|
|||||||
${tmuxConfig}
|
${tmuxConfig}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
packages.${system}.default = pkgs.stdenv.mkDerivation rec {
|
|
||||||
inherit buildInputs pname version src;
|
|
||||||
buildPhase = ''
|
|
||||||
mkdir -p $out
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
nixosModules.default = { config, pkgs, ... }:
|
|
||||||
let cfg = config.website; in
|
|
||||||
{
|
|
||||||
options = {
|
|
||||||
website = {
|
|
||||||
enable = lib.mkEnableOption "website";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
|
||||||
services = {
|
|
||||||
nginx = {
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
|
||||||
appendHttpConfig = ''
|
|
||||||
# Add HSTS header with preloading to HTTPS requests.
|
|
||||||
# Adding this header to HTTP requests is discouraged
|
|
||||||
map $scheme $hsts_header {
|
|
||||||
https "max-age=31536000; includeSubdomains; preload";
|
|
||||||
}
|
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
|
||||||
|
|
||||||
# Enable CSP for your services.
|
|
||||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
|
||||||
|
|
||||||
# Minimize information leaked to other domains
|
|
||||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
|
||||||
|
|
||||||
# Disable embedding as a frame
|
|
||||||
add_header X-Frame-Options DENY;
|
|
||||||
|
|
||||||
# Prevent injection of code in other mime types (XSS Attacks)
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
'';
|
|
||||||
virtualHosts = {
|
|
||||||
"idimitrov.dev" = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
root = self.packages.${system}.default;
|
|
||||||
default = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
networking.firewall = {
|
|
||||||
allowedTCPPorts = [ 80 443 ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user