From 4ba7866b3ff3cda05a7bebedc052b647b75c91bc Mon Sep 17 00:00:00 2001
From: EuAndreh
Date: Tue, 19 Sep 2023 05:48:19 -0300
Subject: system.scm: Enforce forward-secrecy cyphers on nginx
---
 src/infrastructure/guix/system.scm | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'src')
diff --git a/src/infrastructure/guix/system.scm b/src/infrastructure/guix/system.scm
index 3c77f89..7e1e04b 100644
--- a/src/infrastructure/guix/system.scm
+++ b/src/infrastructure/guix/system.scm
@@ -417,6 +417,8 @@
 # BearSSL still doesn't TLSv1.3, so we deem TLSv1.2 as
 # acceptable
 ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
+ ssl_prefer_server_ciphers on;
 gzip off; # Disable compression altogether due to BREACH
 include /opt/secrets/nginx.conf.txt;
 charset utf-8;
--
cgit v1.2.3
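Review bot: The trailing `AES256+EECDH` and `AES256+EDH` groups on the new `ssl_ciphers` line re-admit CBC-mode suites with HMAC (for example ECDHE-RSA-AES256-SHA), so the result is forward-secret but not AEAD-only, which undercuts the reason for listing the AESGCM groups first; `ssl_ciphers EECDH+AESGCM:EDH+AESGCM;` (optionally with an `EECDH+CHACHA20` group) keeps only AEAD suites, at the cost of clients without GCM support, which is worth checking against the intended client base. Note that `ssl_ciphers` governs TLSv1.2 negotiation only; TLSv1.3 suites are chosen separately by the TLS library, so this line does not narrow what the `TLSv1.3` entry on the line above offers. The `EDH` groups only take effect when `ssl_dhparam` points at a sufficiently large group, which this hunk does not show, and whether DHE suites are offered at all without it depends on the nginx and OpenSSL versions in use, so either confirm the DH parameters are configured or drop the `EDH` groups. The enclosing nginx configuration string starts and ends outside the hunk.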