host/tatos: move miniflux from canigou

hosts/tatos/services/default.nix

@@ -2,7 +2,9 @@
 
 {
   imports = [
+    ./miniflux
     ./wireguard
+    ./nginx.nix
     ./dns.nix
   ];
 }

hosts/tatos/services/miniflux/default.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+
+let
+  port = 33001;
+  addr = "127.0.0.1:${toString port}";
+
+in
+{
+  age.secrets.miniflux-admin-credentials.file = ./miniflux-admin-credentials.age;
+
+  services.miniflux = {
+    enable = true;
+    package = pkgs.unstable.miniflux;
+    adminCredentialsFile = config.age.secrets.miniflux-admin-credentials.path;
+    config.LISTEN_ADDR = addr;
+  };
+
+  services.nginx.virtualHosts."miniflux.pleshevski.ru" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://${addr}";
+  };
+}

hosts/tatos/services/nginx.nix

@@ -0,0 +1,41 @@
+{ ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "dmitriy@pleshevski.ru";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    appendHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+}