author | Azat Bahawi <azat@bahawi.net> | 2024-04-21 02:15:42 +0300 |
---|---|---|
committer | Azat Bahawi <azat@bahawi.net> | 2024-04-21 02:15:42 +0300 |
commit | e6ed60548397627bf10f561f9438201dbba0a36e (patch) | |
tree | f9a84c5957d2cc4fcd148065ee9365a0c851ae1c /modules/nixos/nginx.nix | |
parent | 9ac64328603d44bd272175942d3ea3eaadcabd04 (diff) |
2024-04-21
Diffstat (limited to 'modules/nixos/nginx.nix')
-rw-r--r-- | modules/nixos/nginx.nix | 122 |
1 files changed, 0 insertions, 122 deletions
diff --git a/modules/nixos/nginx.nix b/modules/nixos/nginx.nix
deleted file mode 100644
index ed34237..0000000
--- a/modules/nixos/nginx.nix
+++ /dev/null
@@ -1,122 +0,0 @@
-{
- config,
- lib,
- pkgs,
- this,
- ...
-}:
-with lib;
-let
- cfg = config.nixfiles.modules.nginx;
-in
-{
- options.nixfiles.modules.nginx = {
- enable = mkEnableOption "Nginx";
-
- upstreams = mkOption {
- description = "Defines a group of servers to use as proxy target.";
- type = with types; anything;
- default = null;
- };
-
- virtualHosts = mkOption {
- description = "Attrset of virtual hosts.";
- type = with types; anything;
- default = null;
- };
- };
-
- config = mkIf cfg.enable {
- _module.args.libNginx.config = {
- internalOnly = ''
- if ($internal != 1) {
- return 403;
- }
- access_log off;
- '';
- appendHead = text: ''
- sub_filter '</head>' '${lib.concatStrings text}</head>';
- sub_filter_once on;
- '';
- noProxyBuffering = ''
- proxy_buffering off;
- proxy_cache off;
- '';
- };
-
- services = {
- nginx = {
- enable = true;
- enableReload = true;
-
- package = pkgs.nginxMainline;
-
- statusPage = true;
-
- serverTokens = false;
-
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
-
- commonHttpConfig = concatStrings [
- ''
- add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
- ''
- (optionalString (hasAttr "wireguard" this) (
- with config.nixfiles.modules.wireguard;
- ''
- geo $internal {
- default 0;
- 127.0.0.1/32 1;
- ::1/128 1;
- ${ipv4.subnet} 1;
- ${ipv6.subnet} 1;
- }
- ''
- ))
- ];
-
- inherit (cfg) upstreams;
-
- virtualHosts =
- {
- default = {
- default = true;
- rejectSSL = true;
- locations."/".return = "444";
- };
- }
- // (mkIf (cfg.virtualHosts != null) (
- mapAttrs (
- _: attr:
- mkMerge [
- attr
- (mkIf config.nixfiles.modules.acme.enable {
- enableACME = mkDefault true;
- forceSSL = mkDefault true;
- })
- ]
- ) cfg.virtualHosts
- ));
- };
-
- fail2ban.jails = {
- nginx-http-auth.enabled = true;
- nginx-botsearch.enabled = true;
- };
-
- prometheus.exporters.nginx = {
- enable = true;
- listenAddress = mkDefault this.wireguard.ipv4.address;
- port = mkDefault 9113;
- };
- };
-
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- ];
- };
-} |