nixfiles/modules/nginx/default.nix


{ config, lib, ... }: let
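cfg = config.kyouma.nginx;
# Response-hardening headers appended to every vhost built by createHost.
# nginx does not inherit add_header across levels: a location block (or
# anything below the server level) that declares its own add_header silently
# drops all of these, so such blocks must repeat the headers they still want.
extraConfig = ''
  # $hsts_header is not defined in this file; it has to be set in http-level
  # config (typically a map) or nothing useful is sent. `always` matches the
  # other headers: without it nginx only adds the header on 2xx/3xx responses.
  add_header Strict-Transport-Security $hsts_header always;
  # CSP stays disabled until the sites served here are checked for inline
  # scripts; this is the policy that was trialled.
  #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
  add_header X-Content-Type-Options "nosniff" always;
  # The legacy XSS auditor is gone from current browsers, and in the old ones
  # that still honour it "1; mode=block" could be abused to block legitimate
  # scripts or leak page content; current guidance is to disable it explicitly.
  add_header X-XSS-Protection "0" always;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header Referrer-Policy "same-origin" always;
'';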
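# Turn one kyouma.nginx.virtualHosts entry into a services.nginx.virtualHosts
# entry. `//` is left-biased, so precedence is: defaults below -> ACME choice
# -> redirectTo handling -> the caller's own attributes. The caller's attrs
# come last and therefore override anything set here (e.g. forceSSL = false).
# vhostName is unused; it is only present so the function fits mapAttrs.
createHost = vhostName: vhostCfg: {
  # Caller config first, hardening headers last. Both end up at the same
  # (server) nginx level, so add_header lines from either side all apply.
  extraConfig = (vhostCfg.extraConfig or "") + "\n" + extraConfig;
  # Plain HTTP is redirected to HTTPS on every generated host.
  forceSSL = true;
  #kTLS = true;
  #http3 = true;
  #quic = true;
} //
# Issue a certificate unless the caller already points at a shared one.
lib.optionalAttrs (!(vhostCfg ? useACMEHost)) {
  enableACME = true;
} //
# A pure redirect host reuses the target's certificate rather than issuing
# its own, and redirects everything to that target.
lib.optionalAttrs (vhostCfg ? redirectTo) {
  enableACME = false;
  useACMEHost = vhostCfg.redirectTo;
  globalRedirect = vhostCfg.redirectTo;
} //
# Everything else is passed through untouched; the two keys consumed above
# are stripped so they do not reach services.nginx.
(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]);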
in {
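options = {
  # Hosts to generate, keyed by vhost name. Each value is in
  # services.nginx.virtualHosts shape plus two keys handled by this module:
  # `redirectTo` (make the host a pure redirect using the target's
  # certificate) and `extraConfig` (prepended to the hardening headers).
  kyouma.nginx.virtualHosts = lib.mkOption {
    # attrsOf rather than bare anything: a non-attrset value would only fail
    # later inside mapAttrs with a less helpful message.
    type = with lib.types; nullOr (attrsOf anything);
    default = null;
    description = "Per-host nginx configuration; every host gets forceSSL and the shared hardening headers.";
  };
  # Name passed as useACMEHost for the catch-all vhost that answers 403 to
  # any unknown Host/SNI name. null disables the catch-all entirely.
  kyouma.nginx.defaultForbidden = lib.mkOption {
    type = with lib.types; nullOr str;
    default = null;
    description = "ACME host whose certificate the default (403) vhost serves; null disables it.";
  };
};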
config = {
  services.nginx.virtualHosts =
    # Generated hosts, if any were declared.
    (if cfg.virtualHosts == null then {} else builtins.mapAttrs createHost cfg.virtualHosts)
    // (if cfg.defaultForbidden == null then {} else {
      # Catch-all for any Host/SNI name that matches no declared vhost: answer
      # 403 instead of letting nginx fall back to its first server block.
      # NOTE(review): forceSSL still redirects plain-HTTP requests for unknown
      # names to https:// before they reach the 403 — confirm that is intended.
      "redirect" = {
        default = true;
        forceSSL = true;
        # nginx accepts reuseport on only one listen directive per address:port,
        # so keep it on this vhost alone.
        reuseport = true;
        useACMEHost = cfg.defaultForbidden;
        extraConfig = ''
          return 403;
        '';
      };
    });
};
}