authorAzat Bahawi <azat@bahawi.net>2024-05-25 22:16:47 +0300
committerAzat Bahawi <azat@bahawi.net>2024-05-25 22:16:47 +0300
commit364e8a98ad25127f2a51696ec03729e3a783044f (patch)
tree1ac46553d1dca1259da539eddc7db100eaf5c137 /modules/nginx.nix
parent2024-05-05 (diff)
2024-05-25
Diffstat (limited to '')
-rw-r--r--modules/nginx.nix18
1 files changed, 14 insertions, 4 deletions
diff --git a/modules/nginx.nix b/modules/nginx.nix
index ed34237..b912e22 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -55,13 +55,16 @@ in
 
         serverTokens = false;
 
-        recommendedGzipSettings = true;
-        recommendedOptimisation = true;
-        recommendedProxySettings = true;
-        recommendedTlsSettings = true;
+        recommendedBrotliSettings = lib.mkDefault true;
+        recommendedGzipSettings = lib.mkDefault true;
+        recommendedOptimisation = lib.mkDefault true;
+        recommendedProxySettings = lib.mkDefault true;
+        recommendedTlsSettings = lib.mkDefault true;
+        recommendedZstdSettings = lib.mkDefault true;
 
         commonHttpConfig = concatStrings [
           ''
+            access_log syslog:server=unix:/dev/log;
             add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
           ''
           (optionalString (hasAttr "wireguard" this) (
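Review bot: Wrapping `recommendedTlsSettings` in `lib.mkDefault` lowers its priority, so any other module or host config that sets it to `false` now wins without a conflict error, and the TLS hardening can disappear silently. Unlike the compression and optimisation toggles this one is a security baseline; I would keep it as `recommendedTlsSettings = true;` or add a comment such as `# mkDefault: hosts may opt out; TLS hardening is then their responsibility`. Separately, the new `access_log syslog:server=unix:/dev/log;` line sends client addresses and full request URIs to the system log, so it deserves a short comment on who can read that log and how long it is kept; a virtual host that declares its own `access_log` will not inherit it. The enclosing attribute set starts above this hunk and continues past it.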
@@ -100,6 +103,8 @@ in
               ]
             ) cfg.virtualHosts
           ));
+
+        sslDhparam = config.security.dhparams.params.nginx.path;
       };
 
       fail2ban.jails = {
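Review bot: The DH parameter size is left to the module default: `sslDhparam` here points at `security.dhparams.params.nginx`, which the next hunk declares as `params.nginx = { };` with no `bits`. Pinning it, e.g. `params.nginx.bits = 3072;`, would make the strength of DHE key exchange explicit and stable across nixpkgs updates; the default is, as far as I know, 2048 bits, so please confirm that meets your policy. A one-line comment next to `sslDhparam` noting that the file only matters for DHE cipher suites would also help readers. The attribute set this hunk closes begins outside the hunk.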
@@ -114,6 +119,11 @@ in
       };
     };
 
+    security.dhparams = {
+      enable = true;
+      params.nginx = { };
+    };
+
     networking.firewall.allowedTCPPorts = [
       80
       443
