From 667912e732989d5f4fc7f89f5f6bb45cc24ec790 Mon Sep 17 00:00:00 2001
From: padreug
Date: Wed, 8 Oct 2025 17:16:33 +0200
Subject: [PATCH] Add recommended Nginx settings and enable automatic SSL with Let's Encrypt

Enhanced the shared Nix configuration by adding recommended settings for Nginx, including Gzip, optimization, and TLS settings. Disabled proxy settings to prevent interference with WebSocket. Additionally, enabled automatic SSL certificate generation using Let's Encrypt and configured fail2ban for improved security. This update aims to strengthen the web application's security and performance while maintaining flexibility in the Nginx setup.
---
 config/shared.nix | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/config/shared.nix b/config/shared.nix
index 29c0104..c9a426d 100644
--- a/config/shared.nix
+++ b/config/shared.nix
@@ -18,6 +18,12 @@
   services.nginx = {
     enable = true;
 
+    # Recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = false; # DISABLED - was interfering with WebSocket
+    recommendedTlsSettings = true;
+
     # Web-app service
     virtualHosts."app.${domain}" = {
       root = "/var/src/web-app-dist";
@@ -43,9 +49,28 @@
     };
   };
 
+  # Enable automatic SSL certificate generation with Let's Encrypt
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@aiolabs.dev";
+  };
+
   # Open firewall for HTTP/HTTPS
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
+  # Enable fail2ban for additional security
+  services.fail2ban = {
+    enable = true;
+    jails = {
+      nginx-http-auth.settings = {
+        enabled = true;
+        filter = "nginx-http-auth";
+        logpath = "/var/log/nginx/error.log";
+        backend = "systemd";
+      };
+    };
+  };
+
   # NixOS release version
   system.stateVersion = "25.05";
 }
\ No newline at end of file
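Review bot: Switching `recommendedProxySettings` off drops more than the WebSocket-related directives — in the NixOS module that option is, as far as I recall, also what adds `Host`, `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` to proxied requests, so any proxied location (none is visible in this hunk) now reaches its backend without client-IP or scheme information, which affects upstream logging, rate limiting and secure-cookie/redirect decisions. The documented way around the WebSocket interference the comment describes is to keep the option on and set `proxyWebsockets = true;` on the affected location, which adds the `Upgrade`/`Connection` headers; if the option must stay off, those `X-Forwarded-*` headers should be restored in that location's `extraConfig`. At minimum the comment should record the consequence, e.g. `# DISABLED - clashed with WebSocket upgrade; proxied locations must set X-Forwarded-* / X-Real-IP themselves`. The `services.nginx` attribute set continues past the end of the hunk.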
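Review bot: The `nginx-http-auth` jail combines `backend = "systemd"` with a file `logpath`; fail2ban's systemd backend reads the journal and ignores `logpath`, so only one of the two sources is in effect, and unless nginx's error log actually goes to the journal on this host (NixOS's `services.nginx.logError` defaults to stderr, if I remember the module correctly, so it may), the jail will match nothing and ban nobody. Keep whichever source the error log really uses — e.g. drop the `logpath` line and rely on the systemd backend — and confirm after deploy with `fail2ban-client status nginx-http-auth`. The filter also fires only on HTTP basic-auth failures, so it protects nothing unless some vhost sets `basicAuth`, and no such vhost is visible here. Separately, `security.acme` on its own issues no certificate: the `app.${domain}` vhost needs `enableACME = true;` and `forceSSL = true;`, which this patch does not show, so the site may still be served over plain HTTP despite the commit title.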