init nginx

modules/default.nix

@@ -2,5 +2,6 @@
 {
   imports = [
     ./backup.nix
+    ./nginx.nix
   ];
 }

modules/nginx.nix

@@ -0,0 +1,28 @@
+{ config, lib, ...}:
+  let
+    cfg = config.my.nginx;
+  in
+  {
+  options.my.nginx = {
+    enable = lib.mkEnableOption "nginx";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.nginx = {
+      enable = true;
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedZstdSettings = true;
+      recommendedProxySettings = true;
+
+      # HSTS for all domains
+      appendHttpConfig = ''
+        map $scheme $hsts_header {
+            https   "max-age=31536000; includeSubdomains; preload";
+        }
+        add_header Strict-Transport-Security $hsts_header;
+      '';
+    };
+  };
+}