nixfiles-emily/modules/nginx/default.nix

{ config, lib, ... }: let
  cfg = config.kyouma.nginx;
  extraConfig = ''
    add_header Strict-Transport-Security 	$hsts_header;
    #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header X-Content-Type-Options 	"nosniff" always;
    add_header X-XSS-Protection 		"1; mode=block" always;
    add_header X-Frame-Options 		"SAMEORIGIN" always;
    add_header Referrer-Policy 		"same-origin" always;
  '';
  createHost = vhostName: vhostCfg: {
    extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;
    forceSSL = true;
    #kTLS = true;
    #http3 = true;
    #quic = true; 
  } //
  lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
    enableACME = true;
  } //
  lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) {
    enableACME = false;
    useACMEHost = vhostCfg.redirectTo;
    globalRedirect = vhostCfg.redirectTo;
  } //
  (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]);

in {
  options = {
    kyouma.nginx.virtualHosts = lib.mkOption {
      type = with lib.types; nullOr anything;
      default = null;
    };
    kyouma.nginx.defaultForbidden = lib.mkOption {
      type = with lib.types; nullOr str;
      default = null;
    };
  };
  config = {
    services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) (
      builtins.mapAttrs (createHost) cfg.virtualHosts) //
      lib.optionalAttrs (cfg.defaultForbidden != null) {
        "redirect" = {
          default = true;
          forceSSL = true;
          reuseport = true;
          useACMEHost = cfg.defaultForbidden;
          extraConfig = ''
            return 403;
          '';
        };
      };
  };
}
added forgejo 2024-04-30 21:55:41 +02:00			`{ config, lib, ... }: let`
added binary cache and some fixes 2024-05-11 16:02:39 +02:00			`cfg = config.kyouma.nginx;`
added forgejo 2024-04-30 21:55:41 +02:00			`extraConfig = ''`
			`add_header Strict-Transport-Security $hsts_header;`
			`#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`
			`add_header X-Frame-Options "SAMEORIGIN" always;`
			`add_header Referrer-Policy "same-origin" always;`
			`'';`
			`createHost = vhostName: vhostCfg: {`
			`extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;`
			`forceSSL = true;`
			`#kTLS = true;`
			`#http3 = true;`
			`#quic = true;`
added binary cache and some fixes 2024-05-11 16:02:39 +02:00			`} //`
			`lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {`
added forgejo 2024-04-30 21:55:41 +02:00			`enableACME = true;`
added binary cache and some fixes 2024-05-11 16:02:39 +02:00			`} //`
			`lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) {`
added forgejo 2024-04-30 21:55:41 +02:00			`enableACME = false;`
			`useACMEHost = vhostCfg.redirectTo;`
			`globalRedirect = vhostCfg.redirectTo;`
added binary cache and some fixes 2024-05-11 16:02:39 +02:00			`} //`
			`(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]);`
added forgejo 2024-04-30 21:55:41 +02:00
			`in {`
			`options = {`
			`kyouma.nginx.virtualHosts = lib.mkOption {`
			`type = with lib.types; nullOr anything;`
			`default = null;`
			`};`
added binary cache and some fixes 2024-05-11 16:02:39 +02:00			`kyouma.nginx.defaultForbidden = lib.mkOption {`
			`type = with lib.types; nullOr str;`
			`default = null;`
			`};`
added forgejo 2024-04-30 21:55:41 +02:00			`};`
			`config = {`
added binary cache and some fixes 2024-05-11 16:02:39 +02:00			`services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) (`
			`builtins.mapAttrs (createHost) cfg.virtualHosts) //`
			`lib.optionalAttrs (cfg.defaultForbidden != null) {`
			`"redirect" = {`
			`default = true;`
			`forceSSL = true;`
			`reuseport = true;`
			`useACMEHost = cfg.defaultForbidden;`
			`extraConfig = ''`
			`return 403;`
			`'';`
			`};`
			`};`
added forgejo 2024-04-30 21:55:41 +02:00			`};`
			`}`