From 6174f3650cf42aaf008012e828d5a1f8e2ce037f Mon Sep 17 00:00:00 2001
From: Leander Scherer <leander@schererleander.de>
Date: Thu, 8 Jan 2026 02:48:11 +0100
Subject: refactor(modules): separate nixos/home-manager modules, use standard
 option conventions

---
 modules/hosts/server/nginx/default.nix | 56 ++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 modules/hosts/server/nginx/default.nix

(limited to 'modules/hosts/server/nginx')

diff --git a/modules/hosts/server/nginx/default.nix b/modules/hosts/server/nginx/default.nix
new file mode 100644
index 0000000..438ab49
--- /dev/null
+++ b/modules/hosts/server/nginx/default.nix
@@ -0,0 +1,56 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.nx.server.nginx;
+  inherit (lib) mkOption types mkIf;
+in
+{
+  options.nx.server.nginx = {
+    enable = mkOption {
+      description = "Setup nginx reverse proxy";
+      type = types.bool;
+      default = true;
+    };
+    hostName = mkOption {
+      description = "url of server";
+      type = types.str;
+      default = "schererleander.de";
+    };
+    sslCertificate = mkOption {
+      description = "ssl certificate to use";
+      type = types.nullOr types.str;
+      default = "/etc/ssl/${cfg.hostName}/fullchain.pem";
+    };
+    sslCertificateKey = mkOption {
+      description = "ssl certificate key to use";
+      type = types.nullOr types.str;
+      default = "/etc/ssl/${cfg.hostName}/privkey.key";
+    };
+  };
+  config = mkIf cfg.enable {
+    services.nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      appendHttpConfig = ''
+        map $scheme $hsts_header {
+            https   "max-age=31536000; includeSubdomains; preload";
+        }
+        add_header Strict-Transport-Security $hsts_header;
+        #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always;
+        add_header 'Referrer-Policy' 'same-origin';
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+      '';
+    };
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+  };
+}
-- 
cgit v1.3.1