nixfiles/modules/nginx/default.nix

{ config, lib, ... }: let
  cfg = config.kyouma.nginx;
  extraConfig = ''
    add_header Strict-Transport-Security 	$hsts_header;
    add_header Alt-Svc                    'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
    #add_header Content-Security-Policy   "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header X-Content-Type-Options 	  "nosniff" always;
    add_header X-XSS-Protection 		      "1; mode=block" always;
    add_header X-Frame-Options 		        "SAMEORIGIN" always;
    add_header Referrer-Policy 		        "same-origin" always;
  '';
  createHost = vhostName: vhostCfg: {
    extraConfig = lib.optionalString (vhostCfg ? "extraConfig") (
      vhostCfg.extraConfig + "\n" + extraConfig
    ) + lib.optionalString (
      if (vhostCfg ? "verifyClientCert") then 
        vhostCfg.verifyClientCert
      else false
    ) ''
      ssl_client_certificate ${./kyouma_Root_CA.pem};
      ssl_verify_client on;
      ssl_verify_depth 1;
    '';
    forceSSL = true;
  } //
  lib.optionalAttrs (!(vhostCfg ? "useACMEHost")) {
    enableACME = true;
  } //
  lib.optionalAttrs (vhostCfg ? "redirectTo") {
    enableACME = false;
    useACMEHost = vhostCfg.redirectTo;
    globalRedirect = vhostCfg.redirectTo;
  } //
  lib.optionalAttrs (!vhostCfg ? "disableHttp3") {
    http3 = true;
    quic = true; 
  } //
  (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" "verifyClientCert" "disableHttp3" ]);

in {
  options = {
    kyouma.nginx.virtualHosts = lib.mkOption {
      type = with lib.types; nullOr anything;
      default = null;
    };
    kyouma.nginx.defaultForbidden = lib.mkOption {
      type = with lib.types; nullOr str;
      default = null;
    };
  };
  config = {
    services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) (
      builtins.mapAttrs (createHost) cfg.virtualHosts
    ) // lib.optionalAttrs (cfg.defaultForbidden != null) {
      "redirect" = {
        quic = true;
        http3 = true;
        # reuseport has to be specified on the quic listener
        # when using worker_processes auto;
        reuseport = true;
        default = true;
        forceSSL = true;
        useACMEHost = cfg.defaultForbidden;
        extraConfig = ''
          return 403;
        '';
      };
    };
  };
}