nixfiles-emily/modules/nginx/default.nix

{ config, lib, ... }: let
  extraConfig = ''
    add_header Strict-Transport-Security 	$hsts_header;
    #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header X-Content-Type-Options 	"nosniff" always;
    add_header X-XSS-Protection 		"1; mode=block" always;
    add_header X-Frame-Options 		"SAMEORIGIN" always;
    add_header Referrer-Policy 		"same-origin" always;
  '';
  createHost = vhostName: vhostCfg: {
    extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;
    forceSSL = true;
    #kTLS = true;
    #http3 = true;
    #quic = true; 
  } // lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
    enableACME = true;
  } // lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) {
    enableACME = false;
    useACMEHost = vhostCfg.redirectTo;
    globalRedirect = vhostCfg.redirectTo;
  } // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]);

in {
  options = {
    kyouma.nginx.virtualHosts = lib.mkOption {
      type = with lib.types; nullOr anything;
      default = null;
    };
  };
  config = {
    services.nginx.virtualHosts = lib.mkIf (config.kyouma.nginx.virtualHosts != null) (
      builtins.mapAttrs (createHost) config.kyouma.nginx.virtualHosts);
  };
}
added forgejo 2024-04-30 21:55:41 +02:00			`{ config, lib, ... }: let`
			`extraConfig = ''`
			`add_header Strict-Transport-Security $hsts_header;`
			`#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`
			`add_header X-Frame-Options "SAMEORIGIN" always;`
			`add_header Referrer-Policy "same-origin" always;`
			`'';`
			`createHost = vhostName: vhostCfg: {`
			`extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;`
			`forceSSL = true;`
			`#kTLS = true;`
			`#http3 = true;`
			`#quic = true;`
			`} // lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {`
			`enableACME = true;`
			`} // lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) {`
			`enableACME = false;`
			`useACMEHost = vhostCfg.redirectTo;`
			`globalRedirect = vhostCfg.redirectTo;`
			`} // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]);`

			`in {`
			`options = {`
			`kyouma.nginx.virtualHosts = lib.mkOption {`
			`type = with lib.types; nullOr anything;`
			`default = null;`
			`};`
			`};`
			`config = {`
			`services.nginx.virtualHosts = lib.mkIf (config.kyouma.nginx.virtualHosts != null) (`
			`builtins.mapAttrs (createHost) config.kyouma.nginx.virtualHosts);`
			`};`
			`}`