From 431be28ebd439cffaf7c2cd9216e5ea14952aab8 Mon Sep 17 00:00:00 2001
From: schererleander
Date: Fri, 30 May 2025 04:48:59 +0200
Subject: hardened nginx
---
 hosts/vps/configuration.nix | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
(limited to 'hosts/vps')
diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix
index 16c816f..3f0120f 100644
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -43,6 +43,14 @@
 services.nginx = {
 enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
 virtualHosts."schererleander.de" = {
 root = "/var/www/site";
 sslCertificate = "/etc/ssl/certs/schererleander.de.crt";
@@ -60,11 +68,15 @@
 enable = true;
 hostName = "cloud.schererleander.de";
 database.createLocally = true;
- configureRedis = true;
 maxUploadSize = "16G";
 config.dbtype = "mysql";
 config.adminuser = "schererleander";
 config.adminpassFile = "/etc/nextcloud-admin-pass";
+
+ settings = {
+ maintenance_window_start = 2; # 02:00
+ default_phone_region = "de";
+ };
 };
 networking.firewall.allowedTCPPorts = [ 80 443 8693 ];
-- 
cgit v1.3.1
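Review bot: The `sslCiphers` override near the end of the added nginx options is broader than the commit title suggests: `AES256+EECDH:AES256+EDH` also selects the CBC-mode AES-256 suites for TLS 1.2 and leaves out ChaCha20-Poly1305, so it likely replaces an AEAD-only module default with a weaker set. The `AES256+EDH` part only becomes usable once DH parameters are configured (`services.nginx.sslDhparam`), which this hunk does not do. Either drop the override and keep the list that ships with `recommendedTlsSettings`, or limit it to AEAD suites, for example `sslCiphers = "EECDH+AESGCM:EECDH+CHACHA20:!aNULL";`. The `services.nginx` block continues past the hunk, so HSTS and `forceSSL` on the virtual host cannot be judged from here.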
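Review bot: The comment on `maintenance_window_start` in the added `settings` block should state the time zone, because Nextcloud reads this value as an hour in UTC, not local time: `maintenance_window_start = 2; # 02:00 UTC`. Nextcloud's documentation gives `default_phone_region` as an upper-case ISO 3166-1 code, so `"DE"` would match it more closely than `"de"`; whether the lower-case form is accepted is not visible here. The `services.nextcloud` block starts outside the hunk.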