mirror of
https://github.com/dump-dvb/nix-config.git
synced 2024-06-30 10:28:46 +02:00
30 lines
961 B
Nix
30 lines
961 B
Nix
{ pkgs, config, lib, ... }: {
|
|
security.acme.acceptTerms = true;
|
|
security.acme.email = "dump-dvb@protonmail.com";
|
|
services.nginx = {
|
|
recommendedTlsSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedGzipSettings = true;
|
|
commonHttpConfig = ''
|
|
# Permissions Policy - gps only
|
|
add_header Permissions-Policy "geolocation=()";
|
|
|
|
# Minimize information leaked to other domains
|
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
|
|
|
# Disable embedding as a frame
|
|
add_header X-Frame-Options DENY;
|
|
|
|
# Prevent injection of code in other mime types (XSS Attacks)
|
|
add_header X-Content-Type-Options nosniff;
|
|
|
|
# Enable XSS protection of the browser.
|
|
# May be unnecessary when CSP is configured properly (see above)
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
|
|
# STS
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
'';
|
|
};
|
|
}
|