nginx: improve hardening, tweak headers

Still not quite where I want it to be but it's better

common/nginx.nix

@@ -7,17 +7,13 @@
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
 
-    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
-
     appendHttpConfig = ''
-      map $scheme $hsts_header {
-          https   "max-age=31536000; includeSubdomains; preload";
-      }
-      add_header Strict-Transport-Security $hsts_header;
-      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-      add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+      add_header Content-Security-Policy "default-src https: data: 'unsafe-inline'; object-src 'none'; base-uri 'none';" always;
+      add_header Referrer-Policy strict-origin-when-cross-origin;
       add_header X-Frame-Options SAMEORIGIN;
       add_header X-Content-Type-Options nosniff;
+      add_header X-Clacks-Overhead "GNU Terry Pratchett";
       proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
     '';
   };