{ config, lib, ... }: let cfg = config.kyouma.nginx; extraConfig = '' add_header Strict-Transport-Security $hsts_header; add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1'; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header Referrer-Policy "same-origin" always; ''; createHost = vhostName: vhostCfg: { extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig); forceSSL = true; #kTLS = true; http3 = true; quic = true; } // lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) { enableACME = true; } // lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) { enableACME = false; useACMEHost = vhostCfg.redirectTo; globalRedirect = vhostCfg.redirectTo; } // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]); in { options = { kyouma.nginx.virtualHosts = lib.mkOption { type = with lib.types; nullOr anything; default = null; }; kyouma.nginx.defaultForbidden = lib.mkOption { type = with lib.types; nullOr str; default = null; }; }; config = { services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) ( builtins.mapAttrs (createHost) cfg.virtualHosts) // lib.optionalAttrs (cfg.defaultForbidden != null) { "redirect" = { quic = true; http3 = true; # reuseport has to be specified on the quic listener # when using worker_processes auto; reuseport = true; default = true; forceSSL = true; useACMEHost = cfg.defaultForbidden; extraConfig = '' return 403; ''; }; }; }; }