path: root/modules/nixos/nginx.nix
Diffstat (limited to 'modules/nixos/nginx.nix')
-rw-r--r--modules/nixos/nginx.nix99
1 files changed, 99 insertions, 0 deletions
diff --git a/modules/nixos/nginx.nix b/modules/nixos/nginx.nix
new file mode 100644
index 0000000..b8ab24d
--- /dev/null
+++ b/modules/nixos/nginx.nix
@@ -0,0 +1,99 @@
+{
+  config,
+  lib,
+  pkgs,
+  this,
+  ...
+}:
+with lib; let
+  cfg = config.nixfiles.modules.nginx;
+in {
+  options.nixfiles.modules.nginx = {
+    enable = mkEnableOption "Nginx";
+
+    upstreams = mkOption {
+      description = "Defines a group of servers to use as proxy target.";
+      type = with types; anything;
+      default = null;
+    };
+
+    virtualHosts = mkOption {
+      description = "Attrset of virtual hosts.";
+      type = with types; anything;
+      default = null;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services = {
+      nginx = {
+        enable = true;
+        enableReload = true;
+
+        package = pkgs.nginxMainline;
+
+        statusPage = true;
+
+        serverTokens = false;
+
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;
+
+        commonHttpConfig = concatStrings [
+          ''
+            add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
+          ''
+          (optionalString (hasAttr "wireguard" this)
+            (with config.nixfiles.modules.wireguard; ''
+              geo $internal {
+                default 0;
+                127.0.0.1/32 1;
+                ::1/128 1;
+                ${ipv4.subnet} 1;
+                ${ipv6.subnet} 1;
+              }
+            ''))
+        ];
+
+        inherit (cfg) upstreams;
+
+        virtualHosts =
+          {
+            default = {
+              default = true;
+              rejectSSL = true;
+              locations."/".return = "444";
+            };
+          }
+          // (mkIf (cfg.virtualHosts != null) (mapAttrs (_: attr:
+            mkMerge [
+              attr
+              (mkIf config.nixfiles.modules.acme.enable {
+                enableACME = true;
+                forceSSL = true;
+              })
+            ])
+          cfg.virtualHosts));
+      };
+
+      fail2ban.jails = {
+        nginx-http-auth = ''
+          enabled = true
+        '';
+        nginx-botsearch = ''
+          enabled = true
+        '';
+      };
+
+      prometheus.exporters.nginx = {
+        enable = true;
+        listenAddress = mkDefault this.wireguard.ipv4.address;
+        port = mkDefault 9113;
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [80 443];
+  };
+}
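Review bot: The `//` in `// (mkIf (cfg.virtualHosts != null) (mapAttrs ...` merges the plain attrset holding the catch-all `default` vhost with the attrset `mkIf` returns (`_type = "if"`, `condition`, `content`), so the module system sees one `if` definition and appears to discard the `default = { default = true; rejectSSL = true; locations."/".return = "444"; }` entry in both branches, leaving the first declared vhost to answer requests for unknown Host names. Use a module-system merge instead: `virtualHosts = mkMerge [`, then the `{ default = { ... }; }` attrset, then `(mkIf (cfg.virtualHosts != null) (mapAttrs (_: attr: mkMerge [ ... ]) cfg.virtualHosts)) ];`. Separately, `listenAddress = mkDefault this.wireguard.ipv4.address;` dereferences `this.wireguard` unconditionally while the `geo $internal` block guards the same attribute with `hasAttr "wireguard" this`, so evaluation fails on a host without it; wrap the exporter block in the same guard or give it an explicit fallback. `inherit (cfg) upstreams;` also forwards the option's `null` default into `services.nginx.upstreams`, which expects an attribute set, so `default = {};` with `type = with types; attrsOf anything;` is the safer declaration.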
