nixfiles/modules/nginx/default.nix

69 lines
2.2 KiB
Nix
Raw Permalink Normal View History

2024-04-30 21:55:41 +02:00
{ config, lib, ... }: let
2024-05-11 16:02:39 +02:00
cfg = config.kyouma.nginx;
2024-04-30 21:55:41 +02:00
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
2024-11-04 18:51:13 +01:00
add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
2024-11-04 21:19:57 +01:00
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always;
2024-04-30 21:55:41 +02:00
'';
createHost = vhostName: vhostCfg: {
2024-11-12 18:03:31 +01:00
extraConfig = lib.optionalString (vhostCfg ? "extraConfig") (
vhostCfg.extraConfig + "\n" + extraConfig
) + lib.optionalString (
if (vhostCfg ? "verifyClientCert") then
vhostCfg.verifyClientCert
else false
) ''
ssl_client_certificate ${./kyouma_Root_CA.pem};
ssl_verify_client on;
ssl_verify_depth 1;
'';
2024-04-30 21:55:41 +02:00
forceSSL = true;
2024-11-04 18:51:13 +01:00
http3 = true;
quic = true;
2024-05-11 16:02:39 +02:00
} //
2024-11-12 18:03:31 +01:00
lib.optionalAttrs (!(vhostCfg ? "useACMEHost")) {
2024-04-30 21:55:41 +02:00
enableACME = true;
2024-05-11 16:02:39 +02:00
} //
2024-11-12 18:03:31 +01:00
lib.optionalAttrs (vhostCfg ? "redirectTo") {
2024-04-30 21:55:41 +02:00
enableACME = false;
useACMEHost = vhostCfg.redirectTo;
globalRedirect = vhostCfg.redirectTo;
2024-05-11 16:02:39 +02:00
} //
2024-11-12 18:03:31 +01:00
(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" "verifyClientCert" ]);
2024-04-30 21:55:41 +02:00
in {
options = {
kyouma.nginx.virtualHosts = lib.mkOption {
type = with lib.types; nullOr anything;
default = null;
};
2024-05-11 16:02:39 +02:00
kyouma.nginx.defaultForbidden = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
};
2024-04-30 21:55:41 +02:00
};
config = {
2024-05-11 16:02:39 +02:00
services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) (
2024-11-12 18:03:31 +01:00
builtins.mapAttrs (createHost) cfg.virtualHosts
) // lib.optionalAttrs (cfg.defaultForbidden != null) {
"redirect" = {
quic = true;
http3 = true;
# reuseport has to be specified on the quic listener
# when using worker_processes auto;
reuseport = true;
default = true;
forceSSL = true;
useACMEHost = cfg.defaultForbidden;
extraConfig = ''
return 403;
'';
2024-05-11 16:02:39 +02:00
};
2024-11-12 18:03:31 +01:00
};
2024-04-30 21:55:41 +02:00
};
}