forked from emily/nixfiles
70 lines
2.3 KiB
Nix
70 lines
2.3 KiB
Nix
{ config, lib, ... }: let
|
|
cfg = config.kyouma.nginx;
|
|
extraConfig = ''
|
|
add_header Strict-Transport-Security $hsts_header;
|
|
add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
|
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header Referrer-Policy "same-origin" always;
|
|
'';
|
|
createHost = vhostName: vhostCfg: {
|
|
extraConfig = lib.optionalString (vhostCfg ? "extraConfig") (
|
|
vhostCfg.extraConfig + "\n" + extraConfig
|
|
) + lib.optionalString (
|
|
if (vhostCfg ? "verifyClientCert") then
|
|
vhostCfg.verifyClientCert
|
|
else false
|
|
) ''
|
|
ssl_client_certificate ${./kyouma_Root_CA.pem};
|
|
ssl_verify_client on;
|
|
ssl_verify_depth 1;
|
|
'';
|
|
forceSSL = true;
|
|
} //
|
|
lib.optionalAttrs (!(vhostCfg ? "useACMEHost")) {
|
|
enableACME = true;
|
|
} //
|
|
lib.optionalAttrs (vhostCfg ? "redirectTo") {
|
|
enableACME = false;
|
|
useACMEHost = vhostCfg.redirectTo;
|
|
globalRedirect = vhostCfg.redirectTo;
|
|
} //
|
|
lib.optionalAttrs (!vhostCfg ? "disableHttp3") {
|
|
http3 = true;
|
|
quic = true;
|
|
} //
|
|
(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" "verifyClientCert" "disableHttp3" ]);
|
|
|
|
in {
|
|
options = {
|
|
kyouma.nginx.virtualHosts = lib.mkOption {
|
|
type = with lib.types; nullOr anything;
|
|
default = null;
|
|
};
|
|
kyouma.nginx.defaultForbidden = lib.mkOption {
|
|
type = with lib.types; nullOr str;
|
|
default = null;
|
|
};
|
|
};
|
|
config = {
|
|
services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) (
|
|
builtins.mapAttrs (createHost) cfg.virtualHosts
|
|
) // lib.optionalAttrs (cfg.defaultForbidden != null) {
|
|
"redirect" = {
|
|
quic = true;
|
|
http3 = true;
|
|
# reuseport has to be specified on the quic listener
|
|
# when using worker_processes auto;
|
|
reuseport = true;
|
|
default = true;
|
|
forceSSL = true;
|
|
useACMEHost = cfg.defaultForbidden;
|
|
extraConfig = ''
|
|
return 403;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
}
|