nixfiles/modules/vhost/default.nix

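{ config, lib, ... }:
with lib; let
  cfg = config.kyouma.nginx.virtualHosts;

  # Response-hardening headers appended to the server block of every
  # generated vhost.
  #
  # NOTE(nginx semantics): `add_header` is NOT inherited into a `location`
  # block that declares its own `add_header`; such locations silently lose
  # all of these headers and must repeat them. `$hsts_header` is not defined
  # in this module — it is presumably a `map` in the http context elsewhere
  # in the configuration (nginx drops the header when the variable is empty).
  extraConfig = ''
    add_header Strict-Transport-Security $hsts_header always;
    #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "0" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "same-origin" always;
  '';
  # Why `always` on HSTS: without it nginx only emits the header on 2xx/3xx
  # responses, so error pages would not refresh the browser's HSTS entry.
  # Why X-XSS-Protection "0": the legacy XSS auditor has been removed from
  # current browsers, and in the engines that still honour it the filter can
  # itself be used to leak page content; "0" explicitly disables it instead
  # of opting in to that behaviour.

  # Defaults every generated vhost starts from; per-host attributes win.
  virtHostCfg = {
    forceSSL = true;
    #kTLS = true;
    #http3 = true;
    #quic = true;
  };

  # Rewrite kyouma.nginx.virtualHosts into services.nginx.virtualHosts.
  # For each host:
  #   redirectTo = <name>   -> global redirect to <name>, reusing <name>'s
  #                            ACME certificate (useACMEHost)
  #   useACMEHost = <name>  -> passed through, no per-host ACME registration
  #   neither               -> enableACME = true
  #   extraConfig           -> user snippet, followed by the hardening headers
  # `redirectTo` and `extraConfig` are consumed here and stripped from the
  # attrset handed to the nginx module; everything else is passed through.
  createHostFunc = builtins.mapAttrs (vhostName: vhostCfg:
    let
      acmeCfg =
        if vhostCfg ? redirectTo then {
          useACMEHost = vhostCfg.redirectTo;
          globalRedirect = vhostCfg.redirectTo;
        } else
          optionalAttrs (!(vhostCfg ? useACMEHost)) { enableACME = true; };

      # Join with a newline rather than a space: if the user's snippet ends
      # in a `# comment` line without a trailing newline, a space join would
      # turn the first hardening header into part of that comment and drop it.
      extraCfg =
        if vhostCfg ? extraConfig
        then { extraConfig = vhostCfg.extraConfig + "\n" + extraConfig; }
        else { inherit extraConfig; };
    in
    virtHostCfg // acmeCfg // extraCfg
    // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ])
  );
in {
  options = {
    kyouma.nginx.virtualHosts = mkOption {
      # Deliberately loose: values are services.nginx.virtualHosts entries
      # plus the two extra keys handled by createHostFunc, so validation is
      # left to the nginx module after the rewrite.
      type = with types; nullOr anything;
      default = null;
      description = ''
        Virtual hosts to generate for services.nginx.virtualHosts. Each host
        gets forceSSL, ACME handling and the hardening response headers
        applied; `redirectTo` turns the host into a global redirect that
        reuses the target's certificate, and `extraConfig` is placed before
        the generated headers.
      '';
    };
  };
  config = {
    services.nginx.virtualHosts = mkIf (cfg != null) (createHostFunc cfg);
  };
}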