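{ config, lib, ... }:
# Thin wrapper around services.nginx.virtualHosts: every host declared under
# kyouma.nginx.virtualHosts gets TLS forced, ACME enabled (unless it reuses
# another host's cert) and a fixed set of security response headers appended
# to its extraConfig.
#
# NOTE(review): nginx `add_header` is NOT inherited into a `location` (or
# `if`) block that declares its own `add_header`. Any per-location
# extraConfig that adds a header silently drops every header below for that
# location; they have to be repeated there.
with lib; let
  cfg = config.kyouma.nginx.virtualHosts;

  # Security headers appended to every generated vhost.
  #
  #  - `$hsts_header` is not defined in this module; it is expected to come
  #    from a `map` in the http block (presumably keyed on $scheme) — confirm.
  #    nginx skips `add_header` when the value expands to the empty string, so
  #    `always` is safe and makes the header reach error responses as well
  #    (without `always` only 2xx/3xx responses get it).
  #  - Content-Security-Policy is intentionally disabled; the commented line is
  #    a starting point to enable per host once each site has been checked
  #    against it.
  #  - X-XSS-Protection is set to "0": current browsers ignore the header and
  #    the legacy auditor that "1; mode=block" enabled is itself an
  #    information-leak vector, which is why OWASP recommends disabling it.
  extraConfig = ''
    add_header Strict-Transport-Security $hsts_header always;
    #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "0" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "same-origin" always;
  '';

  # Defaults every generated vhost starts from. The caller's attrset is merged
  # last below, so a host can override any of these explicitly.
  virtHostCfg = {
    forceSSL = true;
    #kTLS = true;
    #http3 = true;
    #quic = true;
  };

  # Map kyouma.nginx.virtualHosts onto services.nginx.virtualHosts. Per host:
  #  - `redirectTo = "<host>"` turns the vhost into a global redirect to that
  #    host and serves it with that host's ACME cert (the target must itself
  #    be an ACME-managed vhost);
  #  - otherwise ACME is enabled unless the caller already set `useACMEHost`;
  #  - the security headers are appended after the caller's own extraConfig.
  # A header the caller adds under the same name is NOT overridden — nginx
  # sends both copies.
  createHostFunc = builtins.mapAttrs (vhostName: vhostCfg:
    let
      mkRedirect =
        if vhostCfg ? redirectTo then {
          useACMEHost = vhostCfg.redirectTo;
          globalRedirect = vhostCfg.redirectTo;
        } else
          optionalAttrs (!(vhostCfg ? useACMEHost)) { enableACME = true; };

      # Join with a newline rather than a space: a caller extraConfig that
      # ends in a `#` comment without a trailing newline would otherwise
      # swallow the first add_header line.
      extraCfg = {
        extraConfig =
          if vhostCfg ? extraConfig
          then vhostCfg.extraConfig + "\n" + extraConfig
          else extraConfig;
      };
    in
    virtHostCfg // mkRedirect // extraCfg
    // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ])
  );
in {
  options = {
    kyouma.nginx.virtualHosts = mkOption {
      # `anything` performs no validation: a value that is not an attrset of
      # attrsets only fails later inside mapAttrs with an unhelpful error.
      type = with types; nullOr anything;
      default = null;
      description = ''
        Virtual hosts to generate under services.nginx.virtualHosts. Each
        value takes the same attributes as services.nginx.virtualHosts.<name>
        plus `redirectTo`; forceSSL, ACME and a set of security headers are
        added automatically.
      '';
    };
  };

  config = {
    services.nginx.virtualHosts = mkIf (cfg != null) (createHostFunc cfg);
  };
}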