Initial file upload

Signed-off-by: Tommy <contact@tommytran.io>

etc/nginx/conf.d/http2.conf

@@ -0,0 +1,3 @@
+# This is all it takes to enable http2 globally
+
+http2 on;

etc/nginx/conf.d/sites_default.conf

@@ -0,0 +1,10 @@
+server {
+    listen ipv4_1:80 default_server;
+    listen [ipv6_1]:80 default_server;
+
+    include snippets/universal_paths.conf;
+
+    location / {
+        return 308 https://$host$request_uri;
+    }
+}

etc/nginx/conf.d/sites_uptime-kuma.conf

@@ -0,0 +1,27 @@
+# This file assumes you have an uptime kuma instance running on the server
+
+server {
+    listen ipv4_1:443 quic reuseport;
+    listen ipv4_1:443 ssl;
+    listen ipv6_1:443 quic reuseport;
+    listen ipv6_1:443 ssl;
+
+    server_name uptime.yourdomain.tld;
+
+    ssl_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/uptime.yourdomain.tld/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/chain.pem;
+    ssl_stapling_file  /var/cache/certbot-ocsp-fetcher/uptime.yourdomain.tld.der;
+
+    include snippets/universal_paths.conf;
+    include snippets/hsts.conf;
+    include snippets/security.conf;
+    include snippets/quic.conf;
+    include snippets/proxy.conf;
+    proxy_hide_header Content-Security-Policy;
+    add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; img-src 'self' data:; frame-src 'self'; manifest-src 'self'; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none'; block-all-mixed-content; form-action 'none'; frame-ancestors 'self'; upgrade-insecure-requests";
+
+    location / {
+        proxy_pass http://127.0.0.1:3001;
+    }
+}

etc/nginx/conf.d/tls.conf

@@ -0,0 +1,31 @@
+# Shared TLS configuration
+
+## Use strong ciphers
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+ssl_prefer_server_ciphers on;
+ssl_conf_command Options PrioritizeChaCha;
+
+## Configure ssl session cache
+## Improves performance but we don't wanna keep this forever
+## Session ticket creation and rotation is handled by GrapheneOS's scripts:
+## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
+## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
+
+ssl_session_cache shared:SSL:10m; # About 40000 sessions
+ssl_session_timeout 1d;
+ssl_session_ticket_key session-ticket-keys/4.key;
+ssl_session_ticket_key session-ticket-keys/3.key;
+ssl_session_ticket_key session-ticket-keys/2.key;
+ssl_session_ticket_key session-ticket-keys/1.key;
+
+## Enable OCSP Stapling
+## We will use GrapheneOS's OCSP Fetcher to get the stapling file: https://github.com/GrapheneOS/infrastructure/blob/main/certbot-ocsp-fetcher
+ssl_stapling on;
+ssl_stapling_verify on;
+
+## The following settings need to be declared manually per vhost:
+# ssl_certificate
+# ssl_certificate_key
+# ssl_trusted_certificate
+# ssl_stapling_file

etc/nginx/snippets/hsts.conf

@@ -0,0 +1,5 @@
+# Enable HSTS header
+# Only add this to server blocks with TLS
+
+proxy_hide_header Strict-Transport-Security;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

etc/nginx/snippets/proxy.conf

@@ -0,0 +1,27 @@
+# Proxy Header Settings
+# Use this with all reverse proxy vhosts
+
+# Force http 1.1, anything not supporting it shouldn't be used
+proxy_http_version 1.1;
+
+# Replay attack mitigation for early data
+proxy_set_header Early-Data $ssl_early_data;
+
+# Restore visitor IP
+proxy_set_header X-Real-IP $remote_addr;
+
+# Restore original method & URL
+proxy_set_header X-Original-Method $request_method;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+
+# Forward host header
+proxy_set_header Host $host;
+
+# Upgrade connection
+proxy_set_header   Upgrade $http_upgrade;
+proxy_set_header   Connection "upgrade";
+
+# Enable X-Forwarded headers
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Proto $scheme;

etc/nginx/snippets/quic.conf

@@ -0,0 +1,2 @@
+quic_retry on;
+add_header Alt-Svc 'h3=":443"; ma=86400';

etc/nginx/snippets/security.conf

@@ -0,0 +1,25 @@
+# Global security headers - apply everywhere
+
+# We do not set clipboard-write() here, because it is very commonly used
+proxy_hide_header Strict-Transport-Security;
+add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+proxy_hide_header Permissions-Policy;
+add_header Referrer-Policy "same-origin" always;
+
+proxy_hide_header X-Content-Type-Options;
+add_header X-Content-Type-Options "nosniff" always;
+
+proxy_hide_header X-Frame-Options;
+add_header X-Frame-Options "SAMEORIGIN" always;
+
+proxy_hide_header Cross-Origin-Resource-Policy;
+add_header Cross-Origin-Resource-Policy cross-origin;
+
+proxy_hide_header Cross-Origin-Opener-Policy;
+add_header Cross-Origin-Opener-Policy same-origin;
+
+# Obsolete and replaced by Content-Security-Policy
+# Only here to pass Hardenize checks
+proxy_hide_header X-XSS-Protection;
+add_header X-XSS-Protection "0" always;

etc/nginx/snippets/universal_paths.conf

@@ -0,0 +1,3 @@
+location /.well-known/acme-challenge/ {
+    root /srv/nginx;
+}

etc/sysctl.d/99-nonlocal-bind.conf

@@ -0,0 +1,2 @@
+net.ipv4.ip_nonlocal_bind = 1
+net.ipv6.ip_nonlocal_bind = 1

etc/systemd/system/certbot-renew.service.d/override.conf

@@ -0,0 +1,30 @@
+# Based on https://github.com/GrapheneOS/infrastructure/blob/main/systemd/system/certbot-renew.service.d/local.conf
+
+[Service]
+CapabilityBoundingSet=
+CPUSchedulingPolicy=batch
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateUsers=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt -/srv/nginx -/var/cache/certbot-ocsp-fetcher
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @obsolete

etc/systemd/system/nginx.service.d/override.conf

@@ -0,0 +1,30 @@
+# Based on https://github.com/GrapheneOS/infrastructure/blob/main/systemd/system/nginx.service.d/local.conf
+
+[Service]
+CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/var/lib/nginx /var/log/nginx -/var/cache/nginx
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RuntimeDirectory=nginx
+RuntimeDirectoryMode=700
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@obsolete