1
0
Fork 0
forked from emily/nixfiles
nixfiles-emily/modules/vhost/default.nix

48 lines
1.5 KiB
Nix
Raw Normal View History

2024-01-09 15:46:18 +01:00
{ config, lib, ... }:
with lib; let
2024-04-04 14:42:48 +02:00
cfg = config.kyouma.nginx.virtualHosts;
2024-01-09 15:46:18 +01:00
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always;
'';
virtHostCfg = {
forceSSL = true;
2024-04-04 14:42:48 +02:00
#kTLS = true;
#http3 = true;
#quic = true;
2024-01-09 15:46:18 +01:00
};
createHostFunc = builtins.mapAttrs (vhostName: vhostCfg:
with lib; let
mkRedirect = if builtins.hasAttr "redirectTo" vhostCfg
then {
useACMEHost = vhostCfg.redirectTo;
globalRedirect = vhostCfg.redirectTo;
} else (
2024-01-09 16:23:24 +01:00
optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
2024-01-09 15:46:18 +01:00
enableACME = true;
});
extraCfg = if builtins.hasAttr "extraConfig" vhostCfg
then { extraConfig = ''${vhostCfg.extraConfig} ${extraConfig}''; }
else { inherit extraConfig; };
in
virtHostCfg // mkRedirect // extraCfg //
(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ])
);
in {
options = {
2024-04-04 14:42:48 +02:00
kyouma.nginx.virtualHosts = mkOption {
2024-01-09 15:46:18 +01:00
type = with types; nullOr anything;
default = null;
};
};
config = {
2024-01-09 16:23:24 +01:00
services.nginx.virtualHosts = mkIf (cfg != null) (createHostFunc (cfg));
2024-01-09 15:46:18 +01:00
};
}