copy nb configuration and modules

2023-07-12 16:13:10 +02:00
parent 1af70a3095
commit 127eab91d5
114 changed files with 9070 additions and 0 deletions
--- a/utils/modules/web/default.nix
+++ b/utils/modules/web/default.nix
@@ -0,0 +1,56 @@
+{ config, pkgs, ... }:
+
+{
+
+  imports = [
+    ./cloonar.dev.nix
+    ./diabetes-austria.cloonar.dev.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    imagemagick
+    ghostscript
+  ];
+
+  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
+
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Enable CSP for your services.
+      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+  
+}