authorAzat Bahawi <azat@bahawi.net>2024-07-29 20:51:57 +0300
committerAzat Bahawi <azat@bahawi.net>2024-07-29 20:51:57 +0300
commitdcfd2ba0054c110a982e8276f224d84954ca135f (patch)
tree6e02c7b693bb2f0aba2157aee4924a80ff9235c7 /modules
parent40e1c1da0ab384440043424a1988f8d7f57cf879 (diff)
2024-07-29
Diffstat (limited to 'modules')
-rw-r--r--modules/nginx.nix36
1 files changed, 25 insertions, 11 deletions
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 2ac6d1b..6cb47b4 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -29,13 +29,16 @@ in
config = mkIf cfg.enable {
_module.args.libNginx.config = {
internalOnly = ''
+ add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
+ access_log off;
if ($internal != 1) {
return 403;
}
- access_log off;
'';
- # FIXME This stopped working.
appendHead = text: ''
+ brotli off;
+ gzip off;
+ zstd off;
sub_filter '</head>' '${lib.concatStrings text}</head>';
sub_filter_once on;
'';
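Review bot: The `add_header X-Robots-Tag ...` line added to the `internalOnly` snippet changes header inheritance, because nginx inherits `add_header` directives from the enclosing level only when the current level defines none. Any block that includes this snippet therefore stops receiving headers set at `http` or `server` level (for example HSTS, if this configuration sets any; that is not visible in the hunk). Without the `always` parameter the header is also not attached to the 403 produced by `return 403;`, so if denied responses should carry it the line would read `add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet" always;`. A comment above it such as `# add_header here replaces, rather than extends, headers inherited from outer levels` would record the caveat for whoever next adds a security header. Separately, `access_log off;` applies to the denied requests as well, so external probes of internal-only locations leave no access-log record; confirm that is intended.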
@@ -48,25 +51,36 @@ in
services = {
nginx = {
enable = true;
+
enableReload = true;
package = pkgs.nginxMainline;
- statusPage = true;
+ statusPage = mkDefault true;
+
+ recommendedOptimisation = mkDefault true;
+ recommendedProxySettings = mkDefault true;
+ recommendedTlsSettings = mkDefault true;
- serverTokens = false;
+ recommendedBrotliSettings = mkDefault true;
+ recommendedGzipSettings = mkDefault true;
+ recommendedZstdSettings = mkDefault true;
- recommendedBrotliSettings = lib.mkDefault true;
- recommendedGzipSettings = lib.mkDefault true;
- recommendedOptimisation = lib.mkDefault true;
- recommendedProxySettings = lib.mkDefault true;
- recommendedTlsSettings = lib.mkDefault true;
- recommendedZstdSettings = lib.mkDefault true;
+ resolver.addresses =
+ let
+ isIPv6 = addr: builtins.match ".*:.*:.*" addr != null;
+ escapeIPv6 = addr: if isIPv6 addr then "[${addr}]" else addr;
+ resolvers =
+ if config.networking.nameservers != [ ] then
+ config.networking.nameservers
+ else
+ dns.const.quad9.default;
+ in
+ map escapeIPv6 resolvers;
commonHttpConfig = concatStrings [
''
access_log syslog:server=unix:/dev/log;
- add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
''
(optionalString (hasAttr "wireguard" this) (
with config.nixfiles.modules.wireguard;