hardened nginx

author: schererleander <leander@schererleander.de> 2025-05-30 04:48:59 +0200
committer: schererleander <leander@schererleander.de> 2025-05-30 04:48:59 +0200
commit: 431be28ebd439cffaf7c2cd9216e5ea14952aab8 (patch)
tree: c12db791dbd8ff65d40acc75985bf81495e50f70 /hosts/vps/configuration.nix
parent: 9de1f6c7d7a6861da2cac4da1be43132f4eb851e (diff)
1 files changed, 13 insertions, 1 deletions
diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix
index 16c816f..3f0120f 100644
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -43,6 +43,14 @@
 
   services.nginx = {
     enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
     virtualHosts."schererleander.de" = {
       root = "/var/www/site";
       sslCertificate    = "/etc/ssl/certs/schererleander.de.crt";
@@ -60,11 +68,15 @@
     enable = true;
     hostName = "cloud.schererleander.de";
     database.createLocally = true;
-    configureRedis = true;
     maxUploadSize = "16G";
     config.dbtype = "mysql";
     config.adminuser = "schererleander";
     config.adminpassFile = "/etc/nextcloud-admin-pass";
+
+    settings = {
+      maintenance_window_start = 2; # 02:00
+      default_phone_region = "de";
+    };
   };
 
   networking.firewall.allowedTCPPorts = [ 80 443 8693 ];
author	schererleander <leander@schererleander.de>	2025-05-30 04:48:59 +0200
committer	schererleander <leander@schererleander.de>	2025-05-30 04:48:59 +0200
commit	431be28ebd439cffaf7c2cd9216e5ea14952aab8 (patch)
tree	c12db791dbd8ff65d40acc75985bf81495e50f70 /hosts/vps/configuration.nix
parent	9de1f6c7d7a6861da2cac4da1be43132f4eb851e (diff)