Add testbench and rudiger

2021-09-27 14:55:55 +02:00 · 2021-09-27 14:55:55 +02:00 · 6d318bddaa
commit 6d318bddaa
parent 0969b36564
21 changed files with 415 additions and 173 deletions
--- a/config/common/services/nginx.nix
+++ b/config/common/services/nginx.nix
@ -0,0 +1,43 @@
+{ ... }:
+{
+    services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256
+    sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Enable CSP for your services.
+      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+}
--- a/config/common/services/openssh.nix
+++ b/config/common/services/openssh.nix
@ -9,4 +9,16 @@
    kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
    macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
  };
+
+  programs.ssh.knownHosts = {
+    despondos = {
+      hostNames = [ "despondos.nao.sh" ];
+      publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
+    };
+  };
+
+  services.sshguard = {
+    enable = true;
+    blocktime = 300;
+  };
 }