{ services.nginx = { enable = true; # Use recommended settings recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; # Only allow PFS-enabled ciphers with AES256 sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; commonHttpConfig = '' # Add HSTS header with preloading to HTTPS requests. # Adding this header to HTTP requests is discouraged map $scheme $hsts_header { https "max-age=31536000; includeSubdomains; preload"; } add_header Strict-Transport-Security $hsts_header; # Enable CSP for your services. #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; # Minimize information leaked to other domains add_header 'Referrer-Policy' 'origin-when-cross-origin'; # Disable embedding as a frame add_header X-Frame-Options DENY; # Prevent injection of code in other mime types (XSS Attacks) add_header X-Content-Type-Options nosniff; # Enable XSS protection of the browser. # May be unnecessary when CSP is configured properly (see above) add_header X-XSS-Protection "1; mode=block"; # This might create errors proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; ''; virtualHosts = { "graven.dev" = { useACMEHost = "graven.dev"; forceSSL = true; locations."/".root = "/var/www/graven.dev/public"; locations."/_matrix".proxyPass = "http://127.0.0.1:8008"; locations."/_synapse".proxyPass = "http://127.0.0.1:8008"; locations."/.well-known/matrix/" = { root = "/var/www/matrix/public"; extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin "*"; add_header Strict-Transport-Security $hsts_header; add_header Referrer-Policy "origin-when-cross-origin"; add_header X-Frame-Options "DENY"; add_header X-Content-Type-Options "nosniff"; add_header X-XSS-Protection "1; mode=block"; ''; }; }; "rss.graven.dev" = { useACMEHost = "graven.dev"; forceSSL = true; }; "git.graven.dev" = { useACMEHost = "graven.dev"; forceSSL = true; locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:"; }; "vault.graven.dev" = { forceSSL = true; useACMEHost = "graven.dev"; locations."/" = { proxyPass = "http://localhost:8812"; proxyWebsockets = true; }; locations."/notifications/hub" = { proxyPass = "http://localhost:3012"; proxyWebsockets = true; }; locations."/notifications/hub/negotiate" = { proxyPass = "http://localhost:8812"; proxyWebsockets = true; }; }; }; }; }