2022-04-25 16:27:57 +02:00
|
|
|
{ pkgs, config, lib, ... }: {
|
2022-04-24 22:22:59 +02:00
|
|
|
security.acme.acceptTerms = true;
|
2022-04-24 22:33:03 +02:00
|
|
|
security.acme.email = "dump-dvb@protonmail.com";
|
2022-05-13 20:19:32 +02:00
|
|
|
services.nginx = {
|
|
|
|
recommendedTlsSettings = true;
|
|
|
|
recommendedOptimisation = true;
|
|
|
|
recommendedGzipSettings = true;
|
|
|
|
commonHttpConfig = ''
|
2022-05-13 22:50:40 +02:00
|
|
|
# Permissions Policy - gps only
|
|
|
|
add_header Permissions-Policy "geolocation=()";
|
2022-05-13 19:42:30 +02:00
|
|
|
|
|
|
|
# Minimize information leaked to other domains
|
2022-05-13 22:50:40 +02:00
|
|
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
2022-05-13 19:42:30 +02:00
|
|
|
|
|
|
|
# Disable embedding as a frame
|
2022-05-13 22:50:40 +02:00
|
|
|
add_header X-Frame-Options DENY;
|
2022-05-13 19:42:30 +02:00
|
|
|
|
|
|
|
# Prevent injection of code in other mime types (XSS Attacks)
|
2022-05-13 22:50:40 +02:00
|
|
|
add_header X-Content-Type-Options nosniff;
|
2022-05-13 19:42:30 +02:00
|
|
|
|
|
|
|
# Enable XSS protection of the browser.
|
|
|
|
# May be unnecessary when CSP is configured properly (see above)
|
2022-05-13 22:50:40 +02:00
|
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
|
|
|
|
|
|
# STS
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
2022-05-13 20:19:32 +02:00
|
|
|
'';
|
|
|
|
};
|
2022-04-24 22:33:03 +02:00
|
|
|
}
|