{ config, lib, ... }: let cfg = config.kyouma.nginx; extraConfig = '' add_header Strict-Transport-Security $hsts_header; add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1'; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header Referrer-Policy "same-origin" always; ''; createHost = vhostName: vhostCfg: { extraConfig = lib.optionalString (vhostCfg ? "extraConfig") ( vhostCfg.extraConfig + "\n" + extraConfig ) + lib.optionalString ( if (vhostCfg ? "verifyClientCert") then vhostCfg.verifyClientCert else false ) '' ssl_client_certificate ${./kyouma_Root_CA.pem}; ssl_verify_client on; ssl_verify_depth 1; ''; forceSSL = true; http3 = true; quic = true; } // lib.optionalAttrs (!(vhostCfg ? "useACMEHost")) { enableACME = true; } // lib.optionalAttrs (vhostCfg ? "redirectTo") { enableACME = false; useACMEHost = vhostCfg.redirectTo; globalRedirect = vhostCfg.redirectTo; } // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" "verifyClientCert" ]); in { options = { kyouma.nginx.virtualHosts = lib.mkOption { type = with lib.types; nullOr anything; default = null; }; kyouma.nginx.defaultForbidden = lib.mkOption { type = with lib.types; nullOr str; default = null; }; }; config = { services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) ( builtins.mapAttrs (createHost) cfg.virtualHosts ) // lib.optionalAttrs (cfg.defaultForbidden != null) { "redirect" = { quic = true; http3 = true; # reuseport has to be specified on the quic listener # when using worker_processes auto; reuseport = true; default = true; forceSSL = true; useACMEHost = cfg.defaultForbidden; extraConfig = '' return 403; ''; }; }; }; }